creative industries group - GDPR Compliance v3


creative industries group.

GDPR Compliance and Privacy Policy.

v3 - 25th august 2023


creative industries group Group Ltd (creative industries group) collects personal data across the business to assist in its efficient day-to-day running. This document covers the policies that creative industries group has in place to ensure it is processing this data responsibly and in compliance with the GDPR.


introduction.

contents.

what is GDPR?

protected data.

data we collect.

lawful basis.

legal obligations.

legitimate interests.

contracts.

consent.

individual rights and how we comply.

the right to be informed.

the right of access/right to rectification.

the right to erasure (‘right to be forgotten’).

the right to data portability.

the right to restrict processing.

the right to object.

rights in relation to automated decision making and profiling.

governance.

data controller.

data protection officer.

data protection by design.

compliance monitoring.

data protection.

children’s data.

transfers of data outside of the EU.

required data.

personal data held.

additional policies.

enquiries and complaints.

what is GDPR?

The General Data Protection Regulation is Regulation (EU) 2016/679 of the European Parliament and Council, dated April 27, 2016, on the protection of natural persons regarding the processing of personal data and the free circulation of these data (hereinafter, the “GDPR”).

GDPR aims to give people greater control over their personal data and to simplify the regulatory environment for international businesses. It replaced the 1995 Data Protection Directive (Directive 95/46/EC).

It applies when any data is received from customers that are located within Europe. Unlike a directive, it does not require national governments to pass any enabling legislation and so it is directly binding and applicable to businesses all over the world.

protected data.

The data that is protected under GDPR is data concerning individuals (not companies). Personal Data extends to any information pertaining to an individual, whether it relates to their private, professional or public life. It can be anything from a name, to a home address, photo, email address, bank account details, posts on social networking websites, medical information, a computer's IP address and more.

data we collect.

creative industries group collects personal data from customers and the freelancers we work with; this varies between business areas.

In creative industries group we collect personal data specifically on the freelancers and clients we work with. This data is held in a central database and is also used to process payment invoices and for contracting.

creative industries group collects data from Cookies & Data Sent from Browsers/Devices and Data provided by the customer when ordering services or entering into a contract. Several new features and functionalities have therefore been introduced into creative industries group Digital’s systems that are designed to assist with compliance.

changes to this Privacy Policy.

We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the "Last updated" date and take any other steps required by applicable law.

how do we collect personal data?

In compliance with current regulations on the protection of personal data, namely those around GDPR, creative industries group collects personal data in its possession when the user:

  1. completes the forms of any of the websites associated with creative industries group, including but not limited to:
  2. subscribes to the newsletter on the above listed websites;
  3. answers a poll or completes a web form on the above listed websites;
  4. completes a printed form;
  5. sends an email or communicates by phone, which are then loaded in the corresponding forms.

A full list of data collected is seen below.

lawful basis.

Data can be processed under a number of lawful bases under GDPR. Below we outline the data we hold under each of these.

legal obligations.

Invoicing and payments: creative industries group holds the personal information of clients, suppliers, and customers for invoicing purposes on FreeAgent. We also process payments through Stripe and GoCardless. As we are obligated to produce taxation reporting and keep financial records, we need to keep this data to allow us to fulfil these obligations.

Online payments and transactions: creative industries group processes transactions and complies with the legal obligations to which creative industries group is subject, such as tax obligations. The data subject to treatment will not be used for purposes other than or incompatible with those mentioned above and that motivated its collection. Notwithstanding the foregoing, it is stated that the recorded data may be used, in addition to the purposes for which it was expressly collected, for the purpose of carrying out statistics, managing incidents or conducting market studies. However, in the event that personal data is processed for a purpose other than that initially specified when collecting said data, a compatibility analysis will be carried out by creative industries group in accordance with applicable regulations. The processing will only be authorised if the original purpose is compatible with the new purpose or allowed in accordance with an independent legal basis. In these cases, the user will be informed of the changes in purpose or legal justification for the processing of their data.

legitimate interests.

ePM: creative industries group manages a custom built database on Google AppSheets called ePM, which is used by our freelancers to help make production management easier. This database stores contact information for a number of freelancers, staff from venues and production companies in the industry who we have worked with, and suppliers. We hold this information beyond the run of the production that relates to them. This data is held beyond our contractual obligations, so we can contact these freelancers in the future regarding new work. For production companies and venues it is held to save double data entry. We may on occasion pass the data to other clients strictly for the purposes of providing additional work to these data subjects. To meet the standards required for this justification creative industries group notes that:

On websites and hosting domains: Creative industries group holds data to improve its sites and the service offer of creative industries group, based on the legitimate interest of creative industries group in constantly improving its products and services.

Providing Products and Services. We use your personal information to provide you with the Services in order to perform our contract with you, including to process your payments, fulfill your orders, to send notifications to you related to your account, purchases, returns, exchanges or other transactions, to create, maintain and otherwise manage your account, to arrange for shipping, facilitate any returns and exchanges and to enable you to post reviews.


ePM: creative industries group holds personal data for those working on its productions on ePM, including freelancers, venues and production company staff, and suppliers, for the period of time that they are contracted to provide production management services to the production as they are required to contact those people throughout that period.

Digital services: In most cases, users register an account or have one registered as part of the process of submitting an order for services. In doing so, end users are entering a contract with us and our Service Providers for us and the Service Providers to provide services. In a scenario such as this, asking users for consent may not be required; however, we will often have a GDPR Acceptance section within the order form which requires the customer to acknowledge and henceforth consent that we collect and process their personal data.


Email marketing: The email address that the user provides when completing the form on the relevant sites may be used to send information and updates on the request for services, as well as news about creative industries group (either occasionally or periodically), updates, information on related products or services, among others. The user is given individual flexibility and control over opting into marketing emails which can be used for newsletters and similar products. Users are asked to confirm and agree to our privacy policy when signing up.

Production Freelancer sign up form: We ask freelancers to provide us their information even if we haven’t worked with them using our freelancer sign up form. This data is given voluntarily so that we can contact them about future work opportunities, and is stored on our database for that purpose.

Digital services: When providing any digital services, a positive opt-in is given separate to other terms and conditions, and we do not bundle several uses under one consent. We specify clearly how we intend to use the data in our privacy policy and obtain the consent for each specific use when we attempt to obtain such consent. We also have simple ways for people to withdraw consent. WHMCS has a consent log that records each time the consent setting is changed. For each change, WHMCS will record the date/time of that change, who it was initiated by and the IP address of the user.

Digital Analytics: Cookies and usage data are collected on our website for various forms of analytics and spam protection; this allows us to understand how people are moving around our website and how they are accessing us. This is only collected if the data holder agrees to our privacy policy on the handling of this data.

data security.

creative industries group declares its intention to adopt the technical and organisational measures necessary to guarantee the security, integrity, and confidentiality of the data in accordance with the provisions of the GDPR in order to avoid its adulteration, loss, consultation or unauthorised processing. In particular, all the credit data provided is transmitted via SSL (Secure Sockets Layer) and encrypted in the database of the payment platform of the provider of these payment services. It is stated that credit data (credit card number, among others) are not stored in the creative industries group servers or in Google Drive. In order to guarantee the confidentiality of the processing, the payment service provider is contractually obliged to respect the confidentiality of the information.

creative industries group does not guarantee absolute privacy in the use of our sites since the possibility that unauthorised third parties may have knowledge of it should not be ruled out. The user acknowledges that the existing technical means that provide security are not impregnable and that even when all reasonable security precautions are adopted, it is possible to suffer manipulation, destruction and/or loss of information. In the event that a security incident is detected and that it implies a significant risk for the owner of the data, such event will be communicated without delay to the competent control authority, together with the corrective and palliative measures implemented and/or to be implemented.

creative industries group is not responsible for the loss or deletion of data by users. Likewise, creative industries group does not accept any responsibility for possible damages caused by computer viruses.

Finally, the user must also take measures to protect their information. creative industries group insists that you take every precaution to protect your personal information while on the Internet. At least, you are advised to change your password periodically, using a combination of letters and numbers, and make sure you are using a secure browser.

individual rights and how we comply.

For anyone we hold data on, creative industries group provides a single email address for contacting us on data enquiries. Any enquiry across the business will be managed through this email address.

We will consider each such request in accordance with all applicable data protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature. It should be noted that situations may arise where providing the information requested by a data subject would disclose personal data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person’s rights.

the right to be informed.

The right to be informed covers some of the key transparency requirements of GDPR. It is about providing individuals with clear and concise information about what you do with their personal data.

All emails from creative industries group accounts contain links to inform clients and customers of our privacy policy and how we handle their data.

For digital services, customers are required to agree to our Terms of Service in order to register an account and complete checkout. A user account cannot be created, and an order cannot be placed, without the user checking a box to confirm their agreement to our Terms of Service. That Terms of Service also includes a link to our Privacy Policy and any other important terms and service agreements that are necessary to complete an all-inclusive agreement.

Such policies are also available on all pages of the creative industries group website in the footer menu area, in relevant emails sent to customers and available to access directly with a link.

the right of access/right to rectification.

For the wider business we can be contacted by anyone to access and modify the data we hold on them through

For Okedia and Web Design for Actors we provide a self-service client portal that gives our customers access to log in and view their personal information (profile data). The client portals also provide our customers with access to update their personal information including name, email address, postal address and phone number and most other data collected that is not required for historical/legal/systematic reasons (e.g. when an order was placed, or when acceptance was given for agreements). We do not charge an administration fee for this service.

the right to erasure (‘right to be forgotten’).

If we receive a request for erasure, we can perform a deletion of the records from our individual systems using built-in functionality. Using this feature removes all data relating to a given customer including, but not limited to, personal information in the user's profile, service and invoice history, activity log entries, support ticket and email history.

For Digital, we automate the enforcement of any data retention policies we have using WHMCS, which allows us to define a period of time for which client records should be kept. We will perform a right to erasure for any customer records that aren’t required to complete a contract/agreement.

the right to data portability.

Data portability means the right to receive personal data in a machine-readable format and to request for such data to be transferred directly from one controller to another. This will be offered for all services when any individual gets in contact with us. WHMCS allows us to generate a customizable export of data relating to a given client. This allows us to generate an export in JSON format containing the data entity types from a list of options.

the right to restrict processing.

The user may ask us to restrict processing by making a written request to us. In addition we ask website users to opt in to processing done from cookies and usage data.

the right to object.

Objections should be sent in a written request to us. We have provided full information about how we process data in this document, and our privacy policy.

rights in relation to automated decision making and profiling.

No personal data creative industries group processes is used for profiling or automated decision making.


data controller. 

The assigned Data Controller for creative industries group is Ian Taylor (

The Data Controller’s responsibilities include:

data protection officer.

creative industries group notes that whilst it is not required to appoint a Data Protection Officer, it has appointed one to act as a single contact within the business and to provide advice and support to those employed on all data protection matters. The Data Protection Officer for creative industries group is Dan Gosselin (


The data protection officer is responsible for:

data protection by design.

To ensure that all data protection requirements are identified and addressed when designing new systems or processes or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing. This process should be conducted by the Data Protection Officer.

When required, creative industries group staff must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Data Protection Officer, for all new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA must then be submitted to the Managing Director for review and approval.

compliance monitoring.

creative industries group will review its data protection policies for compliance on a yearly basis and will ensure any new system involving personal data is compliant from the outset.

data protection.

creative industries group will adopt physical, technical, and organisational measures to ensure the security of personal data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment. A summary of the personal data related security measures is provided below:

children’s data.

Children under the age of 14 are unable to consent to the processing of personal data for information society services (any service normally provided for payment, by electronic means and at the individual request of a recipient of services). Consent must be sought from the person who holds parental responsibility over the child. However, it should be noted that where processing is lawful under other grounds, consent need not be obtained from the child or the holder of parental responsibility.

transfers of data outside of the EU.

Individuals are entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organisation governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data. These are outlined below, and more specifically in our privacy policy.

In order to ensure the delivery of emails to customers, we use the Amazon Web Services Simple Email Service to send emails from our support & billing system. Such emails are sent via SMTP and are encrypted using TLS but nevertheless, data is still transferred outside of the EU in this instance; the server endpoint is based in North Virginia, USA.

In order to ensure the upkeep of our online services, we split some of them over different servers and locations across the world. As mentioned above, some product-related emails are sent out via Amazon’s Simple Email Service from North Virginia. In addition to the e-mail services provided by Amazon, we also use an e-mail service with servers based in Texas and Bulgaria for all of our staff email accounts where data may be sent from time to time if it is sent in an e-mail directly from a staff e-mail account.

Personal data collected via our website for the Billing and Support area is saved on servers which are based in the UK only, but may be backed up externally (though securely) by our Service Providers.

If we take card payments over the internet via the WHMCS Client Portal, the payment will be processed via Stripe, who have servers across the world. Since we do not save the customer's full card details, Stripe keeps a log of all of the customer's details for future convenience. Such data may be stored outside of the EU but can be removed upon request to either party. More information regarding what data Stripe saves is available further down this document.

required data.

As already outlined in this document, we require some personal data in order to complete services, agreements or contracts. You are entitled to fulfil your right to erasure, but we are also entitled to keep certain data providing that it is kept within the boundaries set by the GDPR and the DPA 2018. If you do not provide certain data upon the creation/start of such services/agreements, the agreement may be lawfully terminated at any time by either party.

personal data held.

information we obtain from third parties.

We may obtain information about you from third parties, including from vendors and service providers who may collect information on our behalf, such as:

Any information we obtain from third parties will be treated in accordance with this Privacy Policy. We are not responsible or liable for the accuracy of the information provided to us by third parties and are not responsible for any third party's policies or practices.

disclosure to third parties.

In certain circumstances, we may disclose your personal information to third parties for legitimate purposes subject to this Privacy Policy. Such circumstances may include:

additional policies.

Additional Policies that are directly and indirectly part of our overall GDPR compliance can be found at:

enquiries and complaints.

If you have any enquiries relating to the data that we collect, or if you would like to submit a lawful request to us, you can do so by emailing or calling +44 (0) 207 1128 903. There is also at least one relevant support/contact medium in all of our client portals that you can contact us by if you have access to them.

If you have any concerns that you do not want to discuss with creative industries group, or our DPO or DC, you can complain to a supervisory authority.

Prepared by dan gosselin