Introduction

BAFTA has always believed in being open about what data we collect from people and organisation we interact with and what we do with that data. The UK GDPR sets out comprehensive requirements for handling personal data of EU citizens. This includes a number of things we must tell you of when we collect data about you. We have provided all the information you need as simply and clearly as possible through this Privacy Policy using a question-and-answer format.

This general policy sets out how we will store data we receive by email which relates to living people. If you are a BAFTA member, or have signed up to one of our newsletters then another privacy policy may well apply more specifically to our relationship with you.

What data do you hold about me?

We will retain any data that you have sent us in any emails. This includes: the email body itself; any attachments; the name address your email was sent from; and any other email headers. We do this to safeguard BAFTA’s legitimate interests.

What do you use my data for?

We will use the data you provide in your email only for the purposes related to the matter being corresponded about or any related topic that we feel may be relevant to you or in BAFTA’s legitimate interests. If you have provided the same information to us elsewhere (e.g. as part of a membership application) then a different privacy policy may apply which might mention other uses – if this is the case we will have made you aware of that other policy at the time you gave us the information or shortly afterwards.

Who is responsible for my data?

Any data collected about you will be kept under BAFTA’s control. BAFTA is registered charity (No. 216726) and can be contacted using the following details:

Postal: The Data Controller, BAFTA, 195 Piccadilly. W1J 9LN.

Email: [email protected]

How long will you keep my data for?

Email is used for a very wide variety of business contexts. Many of these (e.g. agreeing to a contract) mean that the email might need to be kept for some considerable length of time (e.g. the duration of the contract). However, many emails related to short-lived projects can be deleted much sooner.

Email protocols have no built-in mechanism for categorising their content. We rely on the judgement of our staff to decide how long each email should be kept for. BAFTA staff receive information security and data privacy training and are told not to retain any data (in email or elsewhere) for any longer than is required for the purpose that the data was provided for. We cannot, however, guarantee that any particular email will be deleted within any given timeframe. Similarly we cannot guarantee that any particular email will be retained for any specified period.

Where will my data be stored?

Once your email reaches BAFTA’s email systems your email will be stored in MimeCast and also in Microsoft 365 cloud storage.

As noted below (see “Who will have access to my data?“), your email may pass through a number of servers before it reaches any of BAFTA’s infrastructure. As a result your email may have been stored by any of these systems en-route. This is completely outside of BAFTA’s control.

Some of your data will also be stored by our cloud based service providers: MimeCast and Microsoft 365. For information about the security of your data stored by these cloud providers please see below:

Microsoft 365

What data: All emails

Purpose: Business operation

Data location: UK

More information: https://www.microsoft.com/en-gb/trust-center/privacy/gdpr-overview

MimeCast.com

What data: All incoming and outbound emails are stored for 1 year

Purpose: Backup and compliance

Data location: UK

More information: https://www.mimecast.com/company/mimecast-trust-center/gdpr-center/

Who will have access to my data?

Once your email arrives at BAFTA’s mail server then it will only be visible to BAFTA staff. Depending on whether the email is addressed to a named email account, or a generic mailbox, and the seniority of the member of staff the email is addressed to, your email may be accessed by just the addressee, but also possibly by other staff within BAFTA.

However it is worth noting that email is an inherently insecure medium. Email content will not typically be encrypted during transit. Furthermore, an email may make several “hops” from server to server before it reaches its final destination. Intermediate servers may be managed by your mail provider, BAFTA’s email infrastructure provider, or some other third party. Thus there are many points beyond BAFTA’s control where the contents of your email could be viewed, and even modified, by third parties.

If you are sending sensitive data you should take specific steps to encrypt it e.g. by sending data as an encrypted attachment, or by using a web based secure file transfer system.

Will you give my data to anyone else?

We will only give your data to someone else if:

  • you ask or authorise us to in any of the emails you send us
  • we are required to do so by law

What rights does the UK GDPR give me?

Here is a quick summary of the main provisions which are relevant to the type of data we hold about you:

  • Access: You have the right to view the data we hold about you and to receive copies of this data in digital format.
  • Accuracy/Rectification: If any of the data we hold about you is incorrect or incomplete then you can provide the correct or complete data and we must update the data we hold.
  • Erasure: You can request that we erase all the data we hold about you, but this is only available in some situations.
  • Restriction of processing: In some cases you can ask us to retain your data but not do anything with it.

How do I exercise my UK GDPR rights?

If you want to exercise any of your rights in relation to data BAFTA holds about you then please email: [email protected] or email or write to the Data Controller at the address given above (see “Who is responsible for my data?”)

Please provide details in your email/letter of what actions you would like us to take. Depending on the nature of the request and whether or not your request comes from the email address we have on file for you, we may need to verify your identity so that we don’t give out information to the wrong person, or delete the wrong person’s information. In most cases it helps if you are able to provide a contact phone number so that we can validate your identify and discuss the request with you.

What if I have a complaint?

If you are concerned about how we manage your data, or how we have handled a request to exercise your rights, then please get in touch with us to discuss it. To do this please send an email detailing your concerns to [email protected].

If you are still not satisfied with the response you can take your concern to the Information Commissioner’s Office. For details of how to do this please refer to the ICO website: https://ico.org.uk/