NEW WORLD THEATRE CLUB A.S.B.L. (NWTC or the Club) DATA PROTECTION NOTICE
(the POLICY)
The EU General Data Protection Regulation (2016/679) (GDPR) was designed to harmonize data protection laws within the European Union (EU) and to protect the personal data of natural persons within the EU. It entered into force within the EU on 25
May 2018.
It is important to NWTC to ensure that it respects the GDPR, and the Policy is put into place in order to explain to readers the methods in which NWTC complies with the GDPR. It is encouraged to read the Policy carefully.
Should you have any questions, please contact the Club at the address noted below under the section “Contact.”
All defined terms used within the Policy not defined in the Policy have the meaning ascribed to them in the GDPR.
NWTC is a non-profit association (association sans but lucratif) subject to the law of 21
April 1928 on a.s.b.l.s, as amended (the ASBL Law).
NWTC acts as data controller under the GDPR and can be contacted at its registered address:
New World Theatre Club A.s.b.l.
1, rue Evrard Ketten
L-1856 Luxembourg
or at: datacontoller@nwtc.lu
Concretely, NWTC is managed by its committee, which is composed of a minimum of five members of the Club (the Committee). The Committee, or one/some of its members, will have access to your data.
The Policy refers to all processing of personal data performed by NWTC. This includes, but is not limited to, audition forms, membership subscriptions, inscriptions on the mailing list, notices sent out to members of NWTC (Members) and on NWTC’s mailing list, having expressed an interest in NWTC, having collaborated with NWTC, or similar
1
Registered address: 1, rue Evrard Ketten
L-1856 Luxembourg
R.C.S. Luxembourg: F226
(Contacts). The Policy refers to both automated processing and paper files kept by
NWTC.
Personal data is any data relating to an identified or identifiable natural person who can be identified either directly or indirectly, for example, through the use of an identifier, such as identification number or a photo.
In the context of its activities, NWTC may collect personal information such as, but not limited to: names, addresses, email addresses, user names, birth dates, physical description (such as height, weight, eye or hair color), IP addresses, user names, nationalities, bank accounts, phone numbers, and photographs.
Information may be gathered when a person enrolls as a Member or asks to become a Contact. In particular, regarding Members, names, addresses, and nationalities will be collected and registered in accordance with the laws of the Grand Duchy of Luxembourg.
The above personal information may be processed and filed on the website and/or in paper form by NWTC. Email addresses may be collected, and user names on the NWTC website may be attributed upon Member initiative, in which case, personal information edited by Members would be processed on the website.
There are six possible legal grounds for the processing of personal data. They are the following:
• the consent of the individual concerned;
• an existing contractual obligation;
• national or EU legal obligation;
• the protection of the vital interests of an individual;
• the legitimate interests of the organization/association concerned;
• the exercise of public interest or official authority
NWTC processes personal information mainly based on the consent of the individual. When an individual consents to becoming a Member/ participate in an activity, he/she is asked whether or not he consents to his personal information being processed by NWTC and/or an external processor in the particular circumstances concerned.
An individual may withdraw his/her consent at any time by contacting NWTC in writing (including by email) at the address indicated below under the section “Contact” and specifying exactly which consent is withdrawn. It should be noted that withdrawal of consent does not affect the time period for which consent was given.
2
Registered address: 1, rue Evrard Ketten
L-1856 Luxembourg
R.C.S. Luxembourg: F226
NWTC further processes personal information based on legal obligation under the laws of the Grand Duchy of Luxembourg, in particular the ASBL Law, which requires it to annually update the list of its Members with the Luxembourg Business Register.
NWTC may further on a case-by-case basis be required to process personal data due to its contractual obligations, such as in the case of liability insurance or similar.
NWTC may process personal information based on the legitimate interests.
NWTC treats personal information confidentially. However, it may be necessary to share personal data in the operation of Club business.
As the Committee does not have the internal capabilities to fully manage its website, it engages service providers external to the Committee, but NWTC Members themselves, to operate the website (the NWTC Website Delegates). These NWTC Website Delegates have limited access to personal data.
The Committee may choose to mandate an external processor, as in the case of directors of plays, projects, or similar. In this case, such external processor will have limited access to personal data of the data subjects concerned. However, consent by the data subjects is obtained for such processing.
NWTC will endeavor to put in place confidentiality undertakings with any external processors, so as to restrict the further transfer of personal data.
The personal data gathered will be stored mainly in the Grand Duchy of Luxembourg. It is stored both physically in the form of paper files, as well as digitally on NWTC’s server located in the United States of America.
NWTC maintains a Facebook page, a google group, and several email lists.
Personal data may be processed outside of the Grand Duchy of Luxembourg, in which case appropriate contractual clauses will be negotiated with the third party ensuring that such personal data be processed in a manner which upholds the principles of Chapter 1, Article 5(1) of the GDPR and respects the Policy.
Personal data is partially processed by MailChimp (MailChimp), an online marketing platform operated by Rocket Science Group LLC, a company headquartered in Georgia (U.S.A.). NWTC has entered into a standard agreement with MailChimp, under which
3
Registered address: 1, rue Evrard Ketten
L-1856 Luxembourg
R.C.S. Luxembourg: F226
MailChimp acts as data processor with regard to certain personal data on NWTC members and Contacts. The standard agreement of Mailchimp contains a privacy policy deemed GDPR-compliant. Only NWTC Committee Members and the NWTC Website Delegates have access to MailChimp. An individual who no longer wishes to receive notifications by MailChimp With regard to the MailChimp notifications may simply click on “unsubscribe” and he/she will no longer receive such notifications.
Unless required by applicable law or regulations, personal data will generally not be transferred outside of the European Economic Area. Transfers of personal data may in such case take place to third countries which the European Commission judge as ensuring an adequate level of protection or in case of appropriate standard contract clauses.
In any other case, a transfer of personal data to a third country shall require the prior explicit consent of the data subject upon such data subject having been informed of the risks of the transfer and the absence of appropriate safeguards.
Personal data shall be stored and processed in accordance with the applicable laws and regulations of the Grand Duchy of Luxembourg.
Personal information is restricted to members of the Committee. A Member has access to his/her own account on the website. He/she may edit the settings on the account, and may choose to share various amounts of information on the website. Members’ passwords are encrypted to ensure security. A Member may request to change his/her password through an automated process to further ensure security.
NWTC ensures protection of the Member personal data on the website by restricting access to the Committee and one specific NWTC Website Delegate.
On MailChimp, access is restricted to the Committee and the NWTC Website Delegates.
Information on Members stays on the website until a request from a Member for the erasure of his/her details is received and processed.
An individual choosing to “unsubscribe” from the MailChimp mailing list can do so and have his/her information deactivated automatically.
Personal data may be kept longer if required for contractual means or for the legitimate interests of the Club.
4
Registered address: 1, rue Evrard Ketten
L-1856 Luxembourg
R.C.S. Luxembourg: F226
Member information required by the ASBL Law and deposited with the Luxembourg Business Register is kept and updated in accordance with the applicable legal requirements.
Paper audition forms, telephone lists, etc. are shredded and securely disposed of once no longer needed.
Individuals have certain rights under the GDPR. These include:
• the right of access their personal information. The right to access of the personal information, unless manifestly excessive, will be free of charge.
• the right to correction of incorrect personal data and the right to deletion (“right to
be forgotten”). Regarding “the right to be forgotten” an assessment will be made whether or not reasons still exist for the processing of the information. the right to withdrawal of consent (if processing data on condition of consent). With regard to the MailChimp notifications one can simply click on “unsubscribe” and such notifications will no longer be received.
• the right to data portability (receiving data in a structured and commonly used format).
• the right to restriction of processing.
• the right to complain to a supervisory authority. In the Grand Duchy of
Luxembourg, the supervisory authority was established by the law of 1 August
2018 on the organization of the National Data Protection Commission and the general data protection framework. The supervisory authority in the Grand Duchy of Luxembourg is the National Data Protection Commission (Commission nationale pour la protection des données).
For more information or to make a request regarding these rights, please contact NWTC in writing at the address and indication given in the section “Contact” below. A request should normally be answered within one month.
NWTC does not make use of automated decision making and/or profiling.
The NWTC website uses cookies for the website CMS, for Google analytics, and for pop-up cookie notices. The website employs a cookie warning which notifies users that
cookies are used on the website.
Any links on NWTC’s website to external sites and resources shall not constitute endorsement, and NWTC takes no responsibility for any content of (or information contained within) any website to which it has links.
5
Registered address: 1, rue Evrard Ketten
L-1856 Luxembourg
R.C.S. Luxembourg: F226
The laws of the Grand Duchy of Luxembourg shall apply to the Policy.
For any questions arising from or regarding the Policy the courts of the city of
Luxembourg are exclusively competent.
For questions or concerns about the Policy, your Personal Data, or should you wish to file a complaint, you can contact us by mail at the registered office of the Club at:
1, rue Evrard Ketten
L-1856 Luxembourg
To the Attention of Data Protection
or by email at: datacontoller@nwtc.lu noting in the header “Data Protection”
6
Registered address: 1, rue Evrard Ketten
L-1856 Luxembourg
R.C.S. Luxembourg: F226