Contents
(a) Key Details
Policy prepared by: Data Protection Supervisor
Approved by CEO o.b.o Board on: May 25th, 2018
Policy became operational on: May 25th, 2018
Updated: May 25th 2022
Next review date: May 2023
(b) Introduction
Faber Music Ltd ("Faber Music", "we", "us") needs to gather and use certain information about individuals or "data subjects". These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. We are committed to protecting the privacy of our data subjects. We take our responsibilities regarding the security and legitimate use of personal information very seriously and are compliant with the Data Protection Act (“DPA”) 1998, UK General Data Protection Regulation (“UK GDPR”) 2020, and Privacy and Electronic Communications Regulations 2003 (“PECR”).
This Privacy Policy describes how personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law. It is important that all employees are aware of the policy and abide by its rules. Failure to do so could be deemed as a criminal offence and individuals may be subject to prosecution or disciplinary action.
The purpose of this data protection policy is to inform you of how Faber Music:
It is not our policy to employ a dedicated Data Protection Officer as, at present, the scale of personal data processed by Faber Music is not significant enough to meet this requirement. However, we have nominated a Data Protection Supervisor. If you have any concerns, questions or comments about this Privacy Notice, or the website, you can contact the data protection supervisor by following the instructions set out in section 9 below.
(a) Key Requirements
The DPA, UK GDPR and PECR describe how organisations – including Faber Music – must collect, process and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must:
(b) Legal Grounds for Processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) Policy Scope
This policy applies to:
It applies to all personal data that the company holds relating to identifiable individuals, including:
(b) Data Protection Risks
This policy helps to protect Faber Music and our data subjects from some very real data security risks, including:
(c) Responsibilities
Everyone who works for or with Faber Music has some responsibility for ensuring data is collected, stored and handled appropriately. Each department, team or individual that handles personal data must ensure that it is handled and processed in line with this Privacy Policy and data protection principles. Certain staff have particular responsibilities:
The Board of Directors is ultimately responsible for ensuring that Faber Music meets its legal obligations.
The Data Protection Supervisor is responsible for:
The IT Manager is responsible for:
The Head of Communications is responsible for:
(d) General Staff Guidelines
These guidelines have been created in order to help our employees to act in compliance with the data protection regulations. They must be read, understood and consulted should a query relating to data protection arise.
(a) Data Storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT Manager or Data Protection Supervisor.
When data is stored on paper:
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts, as follows:
(b) Data Retention
The DPA and UK GDPR state that personal data must not be held for any longer than necessary for the purposes for which they are processed. To this extent:
(c) Data Use
Personal data is of no value to Faber Music unless the business can make use of it. However, it is when this data is accessed and used that it can be at the greatest risk of loss, corruption or theft.
(d) Data Accuracy
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
It is important that everyone who works for or with Faber Music understands the rights belonging to data subjects, and can act upon them quickly and professionally if and when they are exercised. These include:
(a) The Right to Receive Information, Including:
The company has various Privacy Notices, which set out how data relating to different categories of data subject are used (for example, staff or online customers). These are available on request, and are published on each of the company’s websites.
*‘Profiling’ means any form of automated processing of personal data where it is used to evaluate certain personal aspects relating to the individual, in particular to analyse preferences, interests, behaviour, or location.
(b) The Right to Access: If a data subject would like to receive a copy of the personal data in our possession, we can arrange for an electronic copy to be sent securely to them. Subject access requests from individuals should be made by email, addressed to the data protection supervisor at dataprotection@fabermusic.com. Our response time may vary depending on the extent of the information they require, and we may need to verify their identity before sending anything out. One copy can be organised free of charge but we may need to charge for additional copies.
(c) The Right to Rectify Data: If a data subject needs to amend or update the personal data in our possession, we will arrange for this to be done promptly. Our response time will depend on the extent of the information required, and we may need to verify their identity before amending our records.
(d) The Right to Erase Data: If a data subject wishes us to completely erase the personal data in our possession, we will arrange for this to be done promptly. Our response time may vary depending on the extent of the information to be deleted. We may need to verify their identity before deleting a record. We must make the subject aware of any reason why we are legally obliged to retain the information.
(e) The Right to Restrict Processing: If a data subject has reason to believe that their personal data is inaccurate, unlawful, or no longer required, they can request that we restrict the processing and we will investigate the possibilities without delay. Our response time may vary depending on the extent of restrictions required, and we may need to verify their identity before making any restrictions.
(f) The Right to Withdraw Consent: If a data subject gave consent for their personal information to be processed by us, this consent can be withdrawn at any time. We must make them aware of any reason why we are legally obliged to retain the information.
(g) The Right to Data Portability: Data subjects have a right to forward a copy of the personal data in our possession to another party, or to request that we do so on their behalf, so long as we currently store it in an electronic format. Our response time may vary depending on the extent of data that required, and we may need to verify their identity before taking action.
(h) The Right to Object to Automated Individual Decision-Making or Profiling: From time to time we may process personal data for direct marketing purposes. Data subjects have a right to object to their data being included in a decision based on automated processing (eg. preference profiling) and if they object we should comply and remove the personal data from the relevant marketing list with immediate effect.
(i) The Right to Lodge a Complaint with the Information Commissioner's Office ("ICO"): If a data subject is concerned that their personal data is being collected, stored, processed or shared illegally, they can report that misuse to the ICO at https://ico.org.uk/concerns/ or call (UK +44)(0)3031231113.
We work with a number of third party service providers who process personal data to allow us to run our business and to fulfil contractual obligations on behalf of our staff, clients, B2B and B2C customers and website visitors. These may include, but are not limited to:
In certain circumstances, the Data Protection Act and UK GDPR allow personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, Faber Music will disclose requested data. However, the data protection supervisor will ensure the request is legitimate, seeking assistance from the Board and from the company’s legal advisers where necessary.
We work closely with these third party processors to ensure their services fully comply with the DPA, UK GDPR and PECR and keep a copy of their Privacy Policies on file should you wish to access one.
Faber Music will not respond to requests for personal information on individuals from other third parties without the written consent of the individual concerned. This applies to requests from banks, building societies, prospective employers, etc. We may transfer information about you to other group companies for purposes connected with your employment or the management of the company’s business.
The UK government has stated that transfers of data from the UK to the EEA are permitted. We never transfer your personal information outside of the EEA or to an international organisation without first informing you that we need to do so, and for what purpose, and will always ensure appropriate safeguards are in place to protect it.
We want to tell people who are interested in Faber Music about what we do. We have various forms of marketing communications and are dedicated to ensuring that wherever we are using personal data we are always compliant with the DPA, UK GDPR and PECR.
Definitions:
"Marketing" means the promotion by Faber and its group of companies of news, information, products and services related to the business, our composers and their music;
"Email Marketing" means the electronic delivery of correspondence via email and e-newsletters straight to your Inbox; and
"Direct Mail Marketing" means the posting of physical newsletters, magazines, catalogues, etc. to a postal address via a third party mail delivery service.
Personal Information and Marketing
In order to ensure that your personal information is processed fairly and lawfully, we will endeavour to:
This Privacy Policy outlines the measures taken by Faber Music to mitigate security breaches in relation to the personal data that we hold. In the unlikely case of a breach occurring, the following response plan will be actioned:
Step 1 – The member of staff who first learns of a possible breach will notify their line manager without delay, who, in turn, will notify the Data Protection Supervisor;
Step 2 – The Data Protection Supervisor will liaise with the relevant internal staff to: i) pinpoint the breach location, ii) determine the extent to which personal information may or may not have been affected and iii) assess the level of risk to the data subject(s) as a result of the breach.
Step 3 – Immediate action will be taken to regain full security.
Step 4 – If we determine there is a high risk to the rights and freedoms of the data subject(s) in question, we will make contact with them without undue delay to alert them to the breach and advise them as to how to mitigate any further risk.
Step 5 – The Data Protection Supervisor will notify the ICO of a serious breach within 72 hours of becoming aware of it.
Step 6 – We shall document all breaches, even those which do not need to be reported.
Back to top
If you have any questions or concerns about this Privacy Policy or any of our Privacy Notices or you wish to you exercise any of the rights outlined in section 5 above please write to us at the following address: FAO Data Protection Supervisor, Faber Music Limited, Bloomsbury House, 74-77 Great Russell Street, London, WC1B 3DA, United Kingdom. Alternatively you may send an email to dataprotection@fabermusic.com or call +44 (0) 2079085340.