Hawkshead Market Hall Trust is registered in England and Wales, as a Charity.

Hawkshead Market Hall Trust understands that your privacy is important to you and that you care about how your personal data is collected, stored and used. We respect and value the privacy of everyone to whom we provide services and will only collect and use personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under UK privacy legislation and UK GDPR.

Please read this Privacy Notice carefully and ensure that you understand it. Your acceptance of our Privacy Notice is deemed to occur upon your first interaction with the organisation, including enquiries for further information and bookings.

This Privacy Notice describes why and how we collect and use your personal data and provides information about your rights. Please also use the Key Terms Glossary to understand the meaning of some of the terms used throughout this Policy.

A Privacy Notice is a legal requirement of the Data Protection Act (2018), Part 2, within the UK GDPR ‘Right to be Informed’. This Privacy Notice should be read alongside any additional company Terms and Conditions.

You can find our contact details in sections 3.6, 5.6, 5.7, and 11.5.

This Privacy Notice was last updated in August 2025.

1.0 Key Terms

1.1 Whilst every effort has been made to outline our responsibilities to you in as clear, concise, and easy to understand manner as possible, we do need to use certain terms throughout this Privacy Notice.

1.2 We will now provide an easy-to-understand definition of each term:

➢ Data Controller: A Data Controller has the responsibility of deciding how personal data is processed, the purpose for the data processing, and how to securely protect the personal data.

➢ Data Processing Agreement (DPA): Whenever a Data Controller uses a Data Processor to process personal data on their behalf, a written contract needs to be in place between the parties. Similarly, if a processor uses another organisation (i.e. a Sub-Processor) to help it process personal data for a Data Controller, it needs to have a written contract in place with that Sub-Processor. This is commonly referred to as a DPA.

➢ Data Processor: In a similar way to Data Controllers, Data Processors must protect people’s personal data. However, they only process it in the first place on behalf of the Data Controller. They would not have any reason to have the personal data if the Data Controller had not asked them to do something with it.

➢ Data Protection Act (DPA 2018): The DPA 2018 sets out the legal data protection framework in the UK. It contains three separate data protection regimes:

o Part 2: sets out a general processing regime (the UK GDPR);

o Part 3: sets out a separate regime for law enforcement authorities; and

o Part 4: sets out a separate regime for the three intelligence services.

➢ Data Subject: A Data Subject is a living person who can be identified from personal data.

➢ Data (Use and Access) Act (DUAA 2025): The DUAA 2025 is a new Act of Parliament that updates some laws about digital information matters. It changes data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst it still protects data subjects (people) and their rights.  The changes will be phased in between June 2025 and June 2026.

➢ Individual Rights: In UK data protection law, individuals have rights over their personal data. These rights allow the individual to ask the Data Controller to do something or stop doing something with their personal data. There are eight individual rights.

➢ Information Commissioner’s Office (ICO): The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights.

➢ Lawful Basis: A lawful basis is the legal reason or legal grounds relied upon for the processing of an individual’s personal data. There are six lawful bases to choose from: consent, contract, legal obligation, legitimate interest, public task, and vital interests.

➢ Personal Data: Personal data is information about who you are, where you live, what you do, and more. It is all information that identifies you as a Data Subject.

➢ Privacy and Electronic Communications Regulations 2003 (PECR): PECR sits alongside the DPA 2018 and the UK GDPR. This legislation gives people specific privacy rights in relation to electronic communications, and electronic processing of their personal data.

➢ Processing: Processing means taking any action with someone’s personal data, including processing the data for a specific purpose, storing the data, and archiving the personal data.

➢ Sub-Processor: A Sub-Processor acts under the instructions of the Data Processor, meaning that they may process individual’s personal data on behalf of the Data Processor. CVL will always seek the permission of the Data Controller before appointing any Sub-Processors.

➢ UK GDPR: This stands for General Data Protection Regulation (GDPR), the UK’s agreed standards for data protection that are also written into UK law through the Data Protection Act 2018 (DPA 2018).

2.0 Scope

2.1 The scope for Hawkshead Market Hall Trust is any data subject, whose personal data is processed, in line with the requirements of the DPA (2018), PECR, DUAA 2025, and UK GDPR.

2.2 We also acknowledge any additional responsibilities requested by the UK’s independent body set up to uphold information rights, the Information Commissioner’s Office (ICO).

2.3 We also may have to adhere to additional codes of conduct, aside from UK data privacy legislation (e.g. The Charity Commission for England and Wales).

2.4 The DPA (2018), DUAA 2025, and UK GDPR have a material scope covering personal data that is processed either electronically or is processed as part of a physical filing system. For example, any personal data that may processed electronically via email or personal data stored in a structured paper filing system.

2.5 Hawkshead Market Hall Trust will adhere to the UK GDPR data processing principles when handling personal data. They are:
➢ Lawfulness, fairness, and transparency
➢ Purpose limitation
➢ Data minimisation
➢ Accuracy
➢ Storage limitation
➢ Integrity and confidentiality (security)
➢ Accountability

2.6 All trustees and associates of Hawkshead Market Hall Trust who interact with data subjects are responsible for ensuring that this privacy notice is drawn to the data subject’s attention, at the earliest available opportunity.

3.0 Lawfulness

3.1 Hawkshead Market Hall Trust is a charity, registered under charity number 521117, based in England, complying with the laws of England and Wales.

3.2 Hawkshead Market Hall Trust acts as a Data Processor and Data Controller. We are responsible for the personal data that we process (on behalf of the Data Subject), and have our own measures for ensuring compliance with the UK data controller regulations (personal data we are responsible for).

3.3 Hawkshead Market Hall Trust also determines the scope of the personal data processing, what personal data we process, and for what purpose.

3.4 From time to time we may appoint Data Processors on behalf of Hawkshead Market Hall Trust. We will always ensure that a written Data Processing Agreement (DPA) is in place with each of our Data Processors documenting how personal data will be processed, safeguarded, and stored. Hawkshead Market Hall Trust has the overall responsibility for all Data Processors.

3.5 Hawkshead Market Hall Trust has a duty of care acting as a Data Controller to appoint a Data Protection Officer (DPO). We have a legal obligation to notify the ICO of their name and contact details. Our appointed Data Protection Officer (DPO) is CSRB Limited. They can be contacted via email at dpo@csrb.co.uk.

3.6 Hawkshead Market Hall Trust uses lawful bases, as set out in UK GDPR Article 6, when we process your personal data:

➢ Contract – the processing is necessary for Hawkshead Market Hall Trust to fulfil the obligations of an agreement or contract for the provision of rented space for meetings, theatre, lectures, coffee mornings, jumble sales, concerts, receptions, and parties;

➢ Legal Obligation – personal data is processed by us to meet a requirement set out in UK law or statute. For example we are legally required to meet The Payment Services Regulations 2017, UK anti-money laundering regime requirements as set out in the Proceeds of Crime Act 2002 (POCA) (as amended by the Serious Organised Crime and Police Act 2005 (SOCPA)), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the Terrorism Act 2000 (TA 2000) (as amended by the Anti-Terrorism, Crime and Security Act 2001 (ATCSA 2001) and the Terrorism Act 2006 (TA 2006)); and

➢ Legitimate Interests – personal data is processed by us to communicate with you regarding important business or commercial information (such as updates to this Privacy Notice), and to inform you of complementary services provided by the trust.

3.7 Hawkshead Market Hall Trust does not transfer any personal data outside of the UK.

3.8 Hawkshead Market Hall Trust undertakes additional online security and information governance activities each year, in order to ensure maximum security of personal data processing for all data subjects.

 

4.0 Fairness

4.1 Hawkshead Market Hall Trust processes personal data in a fair way. We do this by putting the individual’s rights at the heart of all processing with regards to personal data.

There are eight individual rights:

➢ Right to be informed – Data Subjects have the right to know why we are collecting and processing personal data, this right is met by the provision of this Privacy Notice and any subsequent privacy documentation;

➢ Right of access – you have the right to know what personal data we have on record and request a copy;

➢ Right of rectification – you have the right to correct personal data that we hold about you that is inaccurate or incomplete;

➢ Right to be forgotten – in certain circumstances you can ask for the personal data we hold about you to be erased from our records;

➢ Right to restriction of processing – where certain conditions apply you have a right to ask us to only process your personal data for certain processing activities;

➢ Right of portability – you have the right to have the personal data we hold about you transferred to another Data Controller;

➢ Right to object – you have the right to object to certain types of data processing such as marketing; and

➢ Right to object to automated processing, including profiling – you also have the right to object to the legal effects of automated processing or profiling.

4.2 Hawkshead Market Hall Trust will only handle personal data in ways that individuals would reasonably expect and not use it in ways that have unjustified adverse effects on them.

4.3 Hawkshead Market Hall Trust will obtain personal data in a fair way. We will seek explicit consent from the Data Controller and/or Data Subject or securely transfer personal data into the charity where a lawful base for processing can be identified from Article 6 of the UK GDPR, as identified in clause 3.6 above.

4.4 Hawkshead Market Hall Trust always considers the rights and freedoms of Data Subjects when processing personal data. This could be for individuals or those part of a wider group.

5.0 Transparency

5.1 Transparency is fundamentally linked to fairness. Hawkshead Market Hall Trust will always be clear, open, and honest with people from the start about who we are, and how and why we need to use your personal data.

5.2 Hawkshead Market Hall Trust wants individuals to have a choice about whether they wish to enter a relationship with us. We tell data subjects from the outset the types of personal data we may need to process, within our privacy notice and business terms and conditions.

5.3 Hawkshead Market Hall Trust processes the following personal data types as a minimum:

➢ Names;
➢ Email address;
➢ Residential Address;
➢ Telephone number;
➢ Date of Birth (DOB);
➢ Identification Documentation (e.g. Driving licence, passport) ;
➢ Payment information;
➢ Feedback you provide regarding the services provided and/or received; and
➢ Any other information that you choose to share during the course of communicating with us.

5.4 We believe if individuals know at the outset what we will use their personal information for, they will be able to make an informed decision about whether to enter into a relationship with Hawkshead Market Hall Trust.

5.5 Hawkshead Market Hall Trust informs individuals about all personal data processing in a way that is easily accessible and easy to understand, using clear and plain language. We do this via this privacy notice.

5.6 Hawkshead Market Hall Trust hope we can resolve any query or concern you raise about our use of your personal data. You can contact Amal Loring at Hawkshead Market Hall Trust in the first instance at any time via email at hmh.bookings@outlook.com.

5.7 Hawkshead Market Hall Trust has appointed a certified Data Protection Officer (DPO) to act in the interests of all parties. Should you require further information with regards to personal data processing and the protection of your personal data, please contact our nominated DPO at CSRB Limited. They can be contacted via email at dpo@csrb.co.uk.

5.8 Should we not be able to resolve the complaint, you have the right to lodge a complaint with the lead authority. The lead authority in the UK is the Information Commissioner’s Office (ICO), who may be contacted by telephone on 0303 123 1113 or by visiting www.ico.org.uk.

6.0 Purpose Limitation

6.1 Hawkshead Market Hall Trust will always be clear about what our purposes for processing are from the start.

6.2 Hawkshead Market Hall Trust will record our purposes for data processing as part of our contract and proposal documentation obligations. We will also specify them in any additional privacy documentation provided.

6.3 Hawkshead Market Hall Trust specifically process your personal data for the following purposes:
➢ Processing your hall bookings;
➢ Identification, to ensure all hall bookings, are made in accordance with our terms and conditions;
➢ Managing payments for all hall bookings;
➢ Personalising and tailoring our hall booking services to you;
➢ Communicating with you regarding the management of the rental of the hall for your event;
➢ Communicating with you regarding supplementary hall booking services;
➢ Supplying you with service communications regarding the hall booking service;
➢ Supplying you with any electronic newsletters and targeted direct marketing, which you can opt-out of at any time;
➢ Communicating with you reference after sales service, service feedback, and any complaints;
➢ Supplying you with trust communications required by law, such as updates to this Privacy Notice.
➢ Communicating with you regards to any suspected data breaches, security incidents, and responses to any received Subject Access Requests (SARs).

6.4 Hawkshead Market Hall Trust will only use your personal data for a new purpose if this is either compatible with the original purpose, or we obtain consent, or we have a clear lawful obligation, or function set out in UK law.

6.5 Where relevant, Hawkshead Market Hall Trust, may also share personal data with third parties, such as:
➢ Trusted third party partners who we work alongside and who process personal data on our behalf, with regards to agreements and contracts, or for the provision of supplementary support services (e.g. caterers). Disclosure of the nominated trusted third-party partner would be provided at the agreement/contract stage and a relevant Data Processing Agreement (DPA) would be put in place to protect all personal data, from a Data Controller, Data Processor, and Data Subject perspective;
➢ Fraud prevention agencies, money laundering agencies, and other professional associations; and
➢ Regulators and law enforcement agencies, including the Police, HM Revenue and Customs, or any other relevant authority who may have jurisdiction. We would always inform you ahead of acting on any instructions to proceed.

7.0 Data Minimisation

7.1 Hawkshead Market Hall Trust always ensures the personal data we are processing is:

➢ Adequate – sufficient to properly fulfil our stated purpose;
➢ Relevant – has a rational link to that purpose; and is
➢ Limited to what is necessary – we do not hold more than we need for that purpose.

The UK GDPR does not define these terms. As this is the case, Hawkshead Market Hall Trust accepts these terms may have a differing definition from one individual to the other, as the processing will depend on the specified purpose for collecting and using the personal data.

7.2 In order to assess whether we are holding the right amount of personal data, we demonstrate clearly why we need it, before any data processing activities take place.

7.3 We treat information security very seriously. We will take all reasonable technical and organisational measures to prevent the loss, misuse or alteration of your personal information. Personal data is held securely on our systems, and we limit access to your personal data to those who have a business need to know. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. No data transmission over the internet or any other network can be guaranteed as 100 per cent secure, but we take appropriate steps to try to protect the security of personal data.

7.4 Hawkshead Market Hall Trust undertakes an annual Data Protection Audit with an external certified Data Protection Service Provider, to review our personal data processing, and to check that the personal data we hold is still relevant and adequate for the stated purposes. We make this commitment, so there is no conflict of interest.

8.0 Accuracy

8.1 Hawkshead Market Hall Trust will take all reasonable steps to ensure the personal data we hold is accurate and up to date.

8.2 Hawkshead Market Hall Trust will take reasonable steps to ensure that personal data we hold is not incorrect. This may involve contacting you via our official communication channels, to ensure all personal data held is accurate.

8.3 Hawkshead Market Hall Trust will always record the source of where personal data came from and ensure the source is compliant with UK privacy laws, including the UK GDPR.

8.4 If we need to keep a record of a mistake, where we have clearly identified it as a mistake, we add this to our records of processing for audit purposes, and continuous improvement.

8.5 Hawkshead Market Hall records of processing clearly identify any matters of opinion, and where appropriate whose opinion it is, and any relevant changes to the underlying facts.

8.6 Hawkshead Market Hall Trust will comply with the individual’s right to rectification, and carefully consider any challenges to the accuracy of the personal data.

8.7 As a matter of good practice, we keep records of processing of any challenges to the accuracy of the personal data.

9.0 Storage Limitation and Deletion

9.1 Hawkshead Market Hall Trust will not keep personal data for any longer than is necessary to fulfil the original stated purpose for the processing of such personal data.

9.2 Hawkshead Market Hall Trust will only keep personal data for the period outlined to meet the requirements of the contract, legal obligation, or legitimate interest identified.

9.3 Any retention of personal data will be carried out in compliance with legal, professional body, and regulatory obligations. These data retention periods are subject to change, due to any revisions of associated legislation, regulations, or requirements.

9.4 Hawkshead Market Hall Trust acknowledges that UK privacy legislation does not determine how long personal data needs to be kept. This is up to the Data Controller to determine and document accordingly at the earliest possible opportunity.

9.5 Hawkshead Market Hall Trust has a personal Data Retention Policy in place, which documents the categories of personal data we hold, what we use it for, and how long we intend to keep it.

9.6 Hawkshead Market Hall Trust periodically reviews the personal data we hold, and erases or anonymises it, when we no longer need to process it for the original purpose.

9.7 Hawkshead Market Hall Trust also considers any challenges to the retention of personal data. We understand that individuals have a right to erasure if we no longer need their personal data.

9.8 Hawkshead Market Hall Trust acknowledges there are exceptions to retention periods. Here we can keep personal data for longer if we are only keeping it for public interest archiving, scientific or historical research, or statistical purposes. We would always inform you if this was the case, along with our lawful basis for retention.

9.9 When Hawkshead Market Hall Trust is provided with an instruction to destroy data it must be destroyed irretrievably either in paper or electronic formats. Paper records will be destroyed by an approved contractor who can provide evidence of destruction and a certificate of destruction. Hawkshead Market Hall Trust will retain this certificate.

9.10 Hawkshead Market Hall Trust also has secure destruction procedures and processes for any of the devices it has used for the storage of personal data. Hawkshead Market Hall Trust will retain evidence of any equipment destruction and confirms that the destruction is beyond any prospect of retrieving data stored within the device.

10.0 Data Transfer and Confidentiality (Security)

10.1 Hawkshead Market Hall Trust will undertake an analysis of the risks presented by our personal data processing and use this to assess the appropriate level of security we need to put in place. We review our Business Continuity Plan (BCP) and Incident Response Plan (IRP) annually.

10.2 We have an Information Security Policy and take steps to make sure the policy is implemented. We also undertake annual Information Security Reviews. We make sure that we regularly review our information security policies and measures and, where necessary, improve them.

10.3 Hawkshead Market Hall Trust make sure that we can restore access to personal data in the event of any data incidents or personal data breaches, by the implementation of an appropriate data backup procedure.

10.4 We ensure that any Data Processor we engage implements appropriate technical safeguards for all data.

10.5 All personal data processed and shared by Hawkshead Market Hall Trust is processed within an encrypted environment.

10.6 Hawkshead Market Hall Trust does track website behaviour in order to offer Data Subjects an enhanced client experience and for organisational analytics. The UK GDPR and PECR interprets data collected by cookies as personal. It prohibits the collection of personal data without consent, which means a website is only allowed to collect information that the user voluntarily inputs. This includes name, email address, phone number, or any other information that the user shares with the website. The cookie consent must be freely given, specific, informed, and unambiguous.

11.0 Accountability

11.1 Accountability is one of the UK GDPR data processing principles. Hawkshead Market Hall Trust takes our accountability commitments with the UK GDPR very seriously, as documented by this Privacy Notice.

11.2 Hawkshead Market Hall Trust has put in place several measures that we can, and in some cases must take, including:
➢ adopting and implementing data protection policies and procedures;
➢ taking a ‘data protection by design and default’ approach;
➢ putting written contracts in place with those whose personal data we control and process;
➢ maintaining documentation of our processing activities;
➢ implementing appropriate security measures;
➢ recording and, where necessary, reporting personal data breaches;
➢ carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individual’s interests;
➢ ensuring all Hawkshead Market Hall Trust associates and trustees undertake UK GDPR and privacy legislation training;
➢ appointing an external and independent Data Protection Officer; and

11.3 Hawkshead Market Hall Trust understand that accountability obligations are ongoing. We review and, where necessary, update the measures we have put in place. For example, we continually enhance our privacy management framework, as this can help embed our accountability measures and create a culture of privacy across the trust.

11.4 Hawkshead Market Hall Trust understand that being accountable can help build trust with individuals and may help mitigate any gaps in compliance, and thus any potential regulatory enforcement action.

11.5 If you have any questions or concerns about how we process and protect your personal data not covered in this Privacy Notice please contact Hawkshead Market Hall Trust Data Protection Officer (DPO) by email at dpo@csrb.co.uk.

August 2025 PN
Version 1.0
Hawkshead Market Hall Trust