Data Protection

Chol International Arts
www.wearechol.co.uk

Effective from:

1. Purpose

2. Scope

3. What Data We Collect

4. Lawful Bases for Processing

5. Data Use

6. Data Sharing

7. Data Storage and Retention

8. Children and Young People

9. Data Subject Rights

10. Responsibilities

11. Data Breaches

12. Policy Review

1. Purpose of this Policy

Chol is committed to protecting the personal data of the individuals and organisations we work with. This policy outlines how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant legislation.

2. Scope

This policy applies to:

  • All personal data processed by Chol, including data relating to children, young people, teachers, school contacts, project participants, audiences, and supporters.
  • All staff, freelancers, volunteers, trustees, and partners working with Chol.

3. What Data We Collect

Chol may collect and process the following types of personal data:

  • Contact details: Names, email addresses, phone numbers of participants, teachers, and partners.
  • Demographic information: Age, gender, school year, postcode (only where relevant and with consent).
  • Educational context: School or institution names, class details (for project delivery).
  • Photography and video: Images or recordings of participants (with consent).
  • Project data: Feedback, evaluations, and contributions to creative activities.
  • Supporter data: For newsletter sign-ups or event registrations.

Special category data (e.g. health or ethnicity) will only be collected when necessary and with explicit consent.

4. Lawful Bases for Processing

Chol processes data under the following lawful bases:

  • Consent: Where individuals have actively agreed (e.g. image use).
  • Contract: To deliver services or partnerships (e.g. school projects).
  • Legal obligation: Where required to meet legal responsibilities (e.g. safeguarding).
  • Legitimate interests: Where data is necessary for Chol’s operations and does not override individuals’ rights.

5. Data Use

Chol uses personal data to:

  • Plan, deliver, and evaluate projects and workshops.
  • Communicate with participants, schools, and partners.
  • Report to funders and stakeholders (anonymised where appropriate).
  • Promote our work (only with consent for images and quotes).
  • Maintain internal records and monitoring.

6. Data Sharing

Chol does not sell or share personal data with third parties for marketing purposes. We may share data with:

  • Service providers (e.g. email platforms or cloud storage providers), under strict data processing agreements
  • Funders, for reporting purposes, in anonymised or aggregated formats.
  • Project partners (e.g. schools, museums) when necessary for project delivery, with participants consent.

7. Data Storage and Retention

Personal data is stored securely, both digitally and physically. We use password-protected devices and secure cloud storage. Data is retained only as long as necessary:

  • Project data: typically retained for up to 5 years for monitoring and reporting.
  • Consent forms: retained for up to 3 years after project end, unless longer retention is required (e.g. safeguarding).
  • Mailing list data: retained until individuals unsubscribe.

8. Children and Young People

Chol takes special care when handling the data of children and young people. We obtain parental or school consent where required and ensure all data is processed with sensitivity and respect.

9. Data Subject Rights

Individuals have the right to:

  • Lodge a complaint with the Information Commissioner’s Office (ICO).
  • Access their personal data.
  • Request correction or deletion of inaccurate or outdated data.
  • Withdraw consent at any time (where consent is the basis for processing).
  • Object to or restrict certain types of processing.

10. Responsibilities

All Chol staff, freelancers, and volunteers are expected to understand and comply with this policy. Regular training and guidance are provided. Chol’s designated Data Protection Lead is responsible for overseeing compliance and responding to data requests.

11. Data Breaches

In the event of a data breach, Chol will assess the risk and report to the ICO where required, within 72 hours. Affected individuals will be notified if there is a high risk to their rights or freedoms.

12. Policy Review

This policy is reviewed annually or in line with changes to data protection legislation.

Last reviewed:
Next review due: August 2026