TERMS AND CONDITIONS
Terms and Conditions - September 2019 DREAM MAKE Ltd.
1.1 This section sets out the Terms and Conditions by which DREAM MAKE Ltd. agrees to provide products and services to you and your child.
1.2 When you book or purchase any product or service from us, you are signifying your agreement to these Terms and Conditions. These are included at registration and can also be found on our Website. It is your responsibility to familiarise yourself with them before you book or purchase any product or service from us.
1.3 We reserve the right to modify, cancel or append to these Terms and Conditions and upon doing so shall provide you with notification that there has been a change. The current Terms and Conditions always appear on our Website. On purchase of any DREAM MAKE Ltd. product or service, the most recent Terms and Conditions shall apply.
2.1 "Booked Workshop" is a Workshop that we have agreed, verbally or in writing, that your child may attend.
2.2 "Feedback Form" is a form sent to you by us, after your child's Booked Workshop took place.
2.3 "Inform", "Notify", "Communicate" and "Contact" are the processes by which we exchange information and enter into contracts regarding our products and services.
2.4 "Missed Workshop" is a Booked Workshop, no part of which has been attended by your child.
2.5 Our "Website" and all associated DREAM MAKE websites which are accessible through
2.6 "DREAM MAKE", "we", "us" or "our" refers to DREAM MAKE Ltd. and any of its directors, officers, employees, managers, subcontractors, agents, parent, subsidiary and affiliated companies.
2.7 "Registration Form" is a blank online form, we will ask you to complete when you book your child in for a Workshop and before leaving your child with us.
2.8 "Workshop" refers to a particular Class held at a specific time on a specific date at a specific venue for a specific duration.
2.9 "Sibling" is a younger brother, sister, half-brother, half-sister, step-brother or step-sister of a particular child.
2.10 "Untaken Workshop" is a Booked Workshop which has not yet been attended and which is not due to occur within the next three working days.
2.11 "Vouchers" are vouchers given pursuant to Section 6.
2.12 "Waiting List" is a list maintained by us comprising children who wish to attend a particular Workshop which is over-subscribed.
2.13 "Workshops" is the generic term for the regular general drawing, den and modelmaking Sessions inspired by architecture and design, offered by DREAM MAKE.
2.14 "You" refers to a person or organisation buying products or services from us.
2.15 "Your child" is any child for whom you are nominated as an authorised adult on the Registration Form regarding your dealings with us and we therefore deem to be in your care. "Children" shall be construed accordingly.
The following provisions shall apply in relation to Workshops only.
3.1.1. The full cost of Booked Workshop minus any agreed discounts must be paid the latest 1 day BEFORE the start of the Booked Workshop.
3.2.1. Limited discounts are available in certain circumstances. Only one discount can be used against the cost of Booked Workshops at any time.
3.2.2. All discounts must be claimed at the time of booking. No retrospective discounts or refunds will be offered.
3.3.1 If you would like your child to Switch to a Workshop at a different time to their booked Workshop, you must notify us at least 14 days prior to your child's intended Switched Workshop. Subject to availability in the requested Workshop, we will arrange the switch to the requested workshop at no cost to you.
3.4 CHANGES & CANCELLATIONS
3.4.1 All deposits, however paid, are nonrefundable.
3.4.2 You may cancel your child's Untaken Workshops at any time and for any reason.
3.4.3 In the event that you wish to cancel any Untaken Workshops:
If you give us at least 14 days notice before the date of the Workshop you would like to cancel, we will refund all monies paid.
Unfortunately we will not be able to refund any workshops when less than 14 days notice is given.
3.4.4 You must notify the DREAM MAKE ltd. directly by e-mail (firstname.lastname@example.org) at least 14 days prior to cancellation. Any other method of informing us will not be treated as notification for the purposes of this paragraph.
3.4.5 Only an Untaken Workshop may be cancelled.
3.5.1 We reserve the right to alter, vary, omit or substitute any part or parts of any Workshop provided by us described in any promotional or other materials published by us or on our behalf.
3.5.2 In the event of any change in any content as described above, we will have no liability to refund any part of any fee or deposit paid.
3.6 WAITING LISTS
3.6.1 If your child is on a Waiting List, this does not guarantee a place in a particular Workshop.
3.6.2 Subject to paragraph 3.6.3 below, we intend to contact customers and prospective customers on the Waiting Lists in this order:
a) Existing DREAM MAKE customers attending another Workshop; then
b) Other children on the Waiting List.
3.6.3 We accept no responsibility and make no guarantees to the order in which places are offered.
4.1 In the event that we consider:
a) you are in breach of any of these Terms and Conditions or any regulations issued from time to time by us;
b) the behaviour of your child is disruptive or likely to put other children or DREAM MAKE staff in danger; or
c) your behaviour towards us, other customers, children in their care or our suppliers, agents, managers, subcontractors or employees is disruptive, inappropriate, consistently negligent (including late collection of your child) or likely to bring us or any of our products or services into disrepute, we reserve the right to exclude your child from any DREAM MAKE activity or part thereof.
4.2 In the event that your child is excluded, no fees or deposits will be repaid to you and we reserve the right to seek payment of the balance of any fees due to us.
5. Returned payments and refunds
5.1 Refunds are issued in the form in which the original payment was made.
5.2 We will process any refund within 28 days of notifying you that we are issuing you the refund.
6.2.1 Vouchers entitle the owner to a discount off the face value of an order as stated on the voucher.
6.2.2 Vouchers are not transferable and have no cash value.
6.2.3 Vouchers cannot be used retrospectively.
6.2.4 Vouchers must be used before the expiry date printed on them.
6.2.5 Vouchers can only be applied to one order (i.e. cannot be split between several small orders).
6.2.6 No "change" shall be issued if the order value is smaller than the Voucher value.
6.2.7 Vouchers are issued and accepted at our discretion.
7.1 GENERAL DISCLAIMER
7.1.1 For the avoidance of doubt, all our products and services are provided on an "as is" basis and save as expressly stated herein without representations, conditions, warranties or other terms of any kind, either express or implied, including, but not limited to, child development, non-infringement or title but excluding the implied warranties of satisfactory quality and fitness for a particular purpose.
7.2 CANCELLATIONS & VENUE CHANGES
7.2.1 We reserve the right to cancel any Workshop or other service at any time up to and including the date the activity starts. Should this occur we will endeavour to give you at least seven day's notice and will attempt to offer you a viable alternative or will offer you a refund of any fee paid.
7.2.2 Occasionally it is necessary to temporarily change the venue of our Workshops. Where this occurs we will endeavour to ensure that the alternative venue is no more than five miles from the usual location. If the distance is greater than five miles and, as a result, your child is unable to attend, subject to application in writing by you, we will credit Your Account with the amount you paid for the Missed Workshop.
7.3 HEALTH & INJURIES
7.3.1 We accept children on the assumption that they are in good health and it is your responsibility to alert us to any medical complaint or history suffered by your child.
7.3.2 We do not accept responsibility for loss or damage arising from errors or omissions on the Registration Form whether completed by you or by another person in charge of your child at the time of completion.
7.3.3 We do not accept liability for death or personal injury to any child attending a DREAM MAKE workshop or any activity related to DREAM MAKE whether organised by DREAM MAKE or otherwise save to the extent that such death or injury shall be caused by the negligence or default of any member of our staff or any other default on our part.
7.4 PERSONAL PROPERTY
7.4.1 We do not accept responsibility for any loss of, or damage to, personal property belonging to you or your child irrespective of whether such possessions might be used by you or the child for the purposes of any DREAM MAKE activity save to the extent that such loss or damage shall be caused by the negligence or default of any member of our staff or any other default on our part.
7.5 OTHER LOSSES
7.5.1 We do not accept responsibility for any loss or expense due to circumstances beyond our control, including, but not limited to, delays in public transport, weather, quarantine, sickness, bereavement, strikes or other industrial action, terrorism, fire and riot.
7.5.2 Without prejudice to the other terms of this agreement, in no event (including our own negligence) will we be liable for any:
a) economic losses (including, without limitation, loss of revenue, profits, contracts, business or anticipated savings);
b) loss of goodwill or reputation;
c) any other special, indirect or consequential losses; or
d) loss to third parties.
7.6.1 No provision of these Terms and Conditions shall operate or be construed to operate so as to exclude or restrict our liability under the provisions of any UK legislation in force from time to time which are not capable of being excluded or restricted.
7.6.2 Save as otherwise required by UK legislation, our total liability for any loss, damages, costs or expenses shall not exceed an amount equal to the invoice value for the services provided.
7.7 THIRD PARTIES
7.7.1 A person who is not a party to these Terms and Conditions or any agreement or document incorporating these Terms and Conditions shall have no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.
8. Use of personal information
8.1 We may monitor and record communications with you (including phone conversations and emails) for quality assurance, legal, compliance and training purposes.
8.2 From time to time, photographs, film, video or audio recordings may be made during DREAM MAKE activities for publicity, promotional or broadcast purposes. Please inform us before any such event if you do not wish you or your child to appear or be identified in any such material.
9. Behaviour Code of conduct
9.1 Behaviour Code of Conduct: DREAM MAKE encourages a relaxed atmosphere and aims to promote positive behaviour at all times.
9.2 Upon booking you agree that your child or children will:
Respect the property of others
Be patient, honest, fair, and polite to others
Not use abusive or obscene language
Not be aggressive in the way they speak or behave towards others
Respect and treat others as they would wish to be treated
10.1.1 These Terms and Conditions and any documents referred to herein constitute the entire agreement between you and us in connection with your booking, purchase or use of our products and services superseding any prior agreements between you and us.
10.1.2 You agree that you have entered into these Terms and Conditions without reliance on any representation, warranty or undertaking by us which is not set out expressly in these Terms and Conditions.
10.1.3 We shall not be under any liability for any failure to perform any of our obligations under these Terms and Conditions if we are prevented from or delayed in doing so due to any circumstances beyond our reasonable control, provided that if the event in question continues for a continuous period in excess of 60 days, you shall be entitled to give notice in writing to us to terminate the contract.
10.1.4 If any payments which are due under these Terms and Conditions are not made by their respective due date, interest shall accrue on the full amount outstanding at a rate of 8% above the base lending rate of the Bank of England from time to time, from the due date until the date of actual payment.
10.2.1 You may contact us by writing to us at the address outlined in your acceptance letter or email. We will be deemed to have received any communication from you, in the case of communication by post, a correctly addressed letter sent by pre-paid first class post or recorded delivery post shall be deemed to have been received two working days after the date of posting.
10.2.2 We may contact you by post, telephone, email, text or fax. Notification sent to you by post will be deemed received by you within two working days. Any other notification will be deemed received by you within one working day.
10.2.3 It is your responsibility to ensure that we have current contact details for you and all adults authorised to pick up your child. You must also keep us appraised of any changes in the health or other relevant circumstances of you or your child.
10.2.4 We may accept any instructions which are given to us regarding a child from anyone who is nominated as an authorised adult on the Registration Form for that child.
10.3 LAW & JURISDICTION
10.3.1 Any failure by us to exercise or enforce any right or provision of these Terms and Conditions shall not constitute a waiver of such right or provision.
10.3.2 If any provision of these Terms and Conditions is found by a court of competent jurisdiction to be invalid or unenforceable, the parties nevertheless agree that the court should endeavour to give effect to the parties' intentions as reflected in the provision and that other provisions remain in full force and effect.
10.3.3 Our relationship with you is subject to English law and you and we irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
11. WORKSHOPS FOR EVENT ORGANISERS
11.1 A fixed £150 deposit will be required to secure your booking date and time. If however, your circumstances change, please let us know as soon as possible and we will do our best to accommodate your change. A balance payment for the workshop will be required no later than 5 days before your event. Payments are non-refundable. However, we will endeavour to accommodate date and time changes where possible. We will contact you 5 days before the workshop date to confirm our attendance and the numbers of children attending. Upon receiving the balance payment, you will have your workshop details confirmed.
11.2 A representative of the school or the event organiser is responsible at all times for the general supervision of children within the school or other premises during our workshops. This includes the supervision of emergency exits, fire safety, first aid and for ensuring that children only leave the party venue with their own parent or guardian. Our responsibility is strictly limited to the supervision of workshop activities provided by Dream Make ltd.
Privacy Notice - June 2019 DREAM MAKE Ltd.
At DREAM MAKE, we are committed to protecting and respecting your and your children’s privacy.
This notice explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others, how we keep it safe and secure and your rights and choices in relation to your information.
It can be read in conjunction with our Data protection policy.
Any questions regarding this policy and our privacy practices should be sent by email to
Who are we?
We are DREAM MAKE ltd., we provide fun hands-on creative workshops for children inspired by architecture and design.
In this policy ‘DREAM MAKE ltd., ‘we’, ‘us’ or ‘our’ means DREAM MAKE ltd. - a company limited by guarantee (no. 12054913). Registered address is 1 Woodridge, Newbury, England, RG14 6NP
Our privacy principles
We are committed to safeguarding the privacy of your and your children's information. By 'your information' we mean any information about you that you or third parties provide to us.
We will only collect and use your information where we have lawful grounds and legitimate business reasons to do so.
We will be transparent in our dealings with you and will tell you about how we will collect and use your information.
If we have collected your information for a particular purpose, we will not use it for anything else unless you have been informed and, where relevant, your permission obtained.
We will not ask for more information than we need for the purposes for which we are collecting it.
We will continue to review and assess the quality of our information.
We will implement and adhere to information retention policies relating to your information, and will ensure that your information is securely disposed of at the end of the appropriate retention period.
We will observe the rights granted to you under applicable privacy and data protection laws, and will ensure that queries relating to privacy issues are promptly and transparently dealt with.
We will train our staff on their privacy obligations.
We will ensure we have appropriate physical and technological security measures to protect your information regardless of where it's held.
How do we collect information from you?
We obtain information about you in the following ways:
Information you give us directly
Information that you provide by filling in forms or interacting with pages on any of our sites which can be accessed from ("our site"). We may also ask you for information when you report a problem with our site.
Information that you provide to us by filling in forms in person.
Information that you provide to us over the telephone which we then input on our database.
Information you give us indirectly
Your information may be shared with us by third parties, which might include:
subcontractors acting on our behalf who provide us with technical, payment or delivery services
our business partners, advertising networks analytics providers and search information providers.
When you visit this website
We, like many companies, automatically collect the following information:
technical information, including the type of device you’re using, the IP address, browser and operating system being used to connect your computer to the internet. This information may be used to improve the services we offer.
information about your visit to this website, for example: we collect information about pages you visit and how you navigate the website, i.e. length of visits to certain pages, products and services you viewed and searched for, referral sources (e.g. how you arrived at our website).
When you interact with us on social media platforms such as Facebook, Instagram and Twitter we may obtain information about you. The information we receive will depend on the privacy preferences you have set on those types of platforms.
What type of information is collected from you?
The personal information we collect, store and use might include:
your name and contact details (including postal address, email address and telephone numbers);
your children’s names, date of birth, gender, school, medical conditions and any other relevant information you share with us;
the names and telephone numbers of adults you authorise to collect your children or to be contacted in the event of an emergency;
information about your activities on our website and about the device used to access it, for instance your IP address and geographical location;
your bank or credit card details. If you make a donation online or make a purchase, your card information is not held by us, it is collected by our third party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions;
any other personal information shared with us.
Data protection laws recognise certain categories of personal information as sensitive and therefore requiring greater protection, for example information about your children and you and your children’s health, ethnicity and religion.
Where appropriate, we will make why we are collecting this type of information and what it will be used for clear.
How and why is your information used?
We may use your information for a number of different purposes, which may include:
ensuring the safety and security of your children;
ensuring activities are tailored to your children's personalities, abilities and as per your aims and objectives;
providing you with the services, products or information you asked for;
processing orders that you have submitted;
carrying out our obligations under any contracts entered into between you and us;
keeping a record of your relationship with us;
conducting analysis and market research so we can understand how we can improve our services, products or information;
checking for updated contact details against third party sources so we can stay in touch if you move;
dealing with entries into a competition;
seeking your views or comments on the services we provide;
notifying you of changes to our services;
sending you communications which you have requested and that may be of interest to you. These may include information about campaigns, fundraising appeals and activities and promotions of goods and services; and
How long is your information kept for?
We keep your information for no longer than is necessary for the purposes it was collected for, The length of time we retain your personal information for is determined by operational and legal considerations. For example, we are legally required to hold some types of information to fulfil our statutory and regulatory obligations (e.g. health/safety and tax/accounting purposes).
We review our retention periods on a regular basis.
Who has access to your information?
We do not sell or rent your information to third parties.
We do not share your information with third parties for marketing purposes.
However, we may disclose your information to third parties working on our behalf in order to achieve the other purposes set out in this policy. These third parties may include third party service providers, suppliers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to send you mailings). However, when we use these third parties, we disclose only the personal information that is necessary to deliver the services and we have a contract in place that requires them to keep your information secure and prevents them from using it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties for them to use for their own purposes, unless we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
Data protection law requires us to rely on one or more lawful grounds to process your personal information. We consider the following grounds to be relevant:
Where you have provided consent to us using your personal information in a certain way, such as to send you email, text and/or telephone marketing.
Performance of a contract
Where we are entering into a contract with you or performing our obligations under it.
Where necessary so that we can comply with a legal or regulatory obligation to which we are subject, for example where we are ordered by a court or regulatory authority.
Where it is necessary to protect life or health (for example in the case of medical emergency suffered by a child at one of our classes) or a safeguarding issue which requires us to share you information with the emergency services.
Where it is reasonably necessary to achieve our or others’ legitimate interests (as long as what the information is used for is fair and does not duly impact your rights).
We consider our legitimate interests to be running Perform as an organisation in pursuit of our aims and ideals. For example to:
send communications which we think will be of interest to you;
conduct research to better understand who our customers are to better target our marketing;
monitor who we deal with to protect us against fraud, money laundering and other risks;
enhance, modify, personalise or otherwise improve our services /communications for the benefit of our customers; and
better understand how people interact with our website.
When we legitimately process your personal information in this way, we consider and balance any potential impact on you (both positive and negative), and your rights under the data protection laws. We will not use your personal information where our interests are overridden by the impact on you, for example, where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted by law).
When we use sensitive personal information, we require an additional legal basis to do so under data protection laws, so will either do so on the basis of your explicit consent or another route available to us at law (for example, if we need to process it for employment, social security or social protection purposes, your vital interests, or, in some cases, if it is in the public interest for us to do so).
We may use your contact details to provide you with information about the classes, courses and parties we offer as well as the products and services you can buy, if we think they may be of interest to you.
We will only send you marketing and fundraising communications if you have provided your prior consent. You may opt out of our marketing communications at any time by clicking the unsubscribe link at the end of our marketing emails.
We may send you marketing and fundraising communications by post unless you have told us that you would prefer not to hear from us.
You have a choice about whether or not you wish to receive information from us. If you do not want to receive direct marketing communications from us , you can select your choices by ticking the relevant boxes situated on the form used to collect your information.
We’re committed to putting you in control of your data so you’re free to change your marketing preferences (including to tell us that you don’t want to be contacted for marketing purposes) at any time by contacting us by email:
We will not use your personal information for marketing purposes if you have indicated that you do not wish to be contacted and will retain your details on a suppression list to help ensure that we do not continue to contact you. However, we may still need to contact you for administrative purposes to confirm an order, a payment or while you are a customer of Perform.
Under UK data protection law, you have certain rights over the personal information that we hold about you. Here is a summary of the rights that we think apply:
Right to withdraw consent
If you wish to withdraw previously granted consent to us processing your data for notifying you about our services, please inform us by contacting us by email:
Right of access
You have a right to request access to the personal data that we hold about you. You also have the right to request a copy of the information we hold about you, and we will provide you with this unless legal exceptions apply.
If you want to access your information, please send a description of the information you want to see and proof of your identity by post to the address below.
Right to have your inaccurate personal information corrected
You have the right to have inaccurate or incomplete information we hold about you corrected. The accuracy of your information is important to us so we’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change email address, or if you believe any of the other information we hold is inaccurate or out of date, please inform us by contacting us by email: email@example.com.
Right to restrict use
You have a right to ask us to restrict the processing of some or all of your personal information if there is a disagreement about its accuracy or we’re not lawfully allowed to use it.
Right of erasure
You may ask us to delete some or all of your personal information and in certain cases, and subject to certain exceptions; we will do so as far as we are required to. In many cases, we will anonymise that information, rather than delete it.
If you want us to delete your personal information, please send a description of the information you want to see and proof of your identity by post to the address below.
Right for your personal information to be portable
If we are processing your personal information (1) based on your consent, or in order to enter into or carry out a contract with you, and (2) the processing is being done by automated means, you may ask us to provide it to you or another service provider in a machine-readable format.
Right to object
You have the right to object to processing where we using your personal information (1) based on legitimate interests, (2) for direct marketing or (3) for statistical/research purposes.
If you want to exercise any of the above rights, please email us at firstname.lastname@example.org We may be required to ask for further information and/or evidence of identity. We will endeavour to respond fully to all requests within one month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s Information Commissioner’s Office.
Keeping your information safe
When you give us personal information, we take steps to ensure that appropriate technical and organisational controls are in place to protect it.
All printed Registration Forms and Registers are securely stored and securely disposed of when no longer required.
Non-sensitive details (your email address etc.) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Use of 'cookies'
It is possible to switch off cookies by setting your browser preferences.Turning cookies of may result in a loss of functionality when using our sites
Links to other websites
Our website may contain links to other websites run by other organisations. This policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other websites even if you access them using links from our website.
16 or under
We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian's permission beforehand whenever you provide us with personal information.
We are committed to protecting vulnerable supporters, customers and volunteers and appreciate that additional care may be needed when we use their personal information. In recognition of this, we observe good practice guidelines in our interactions with vulnerable people.
Transferring your information out of Europe
As part of the services offered to you through this website, the information which you provide to us may be transferred to countries outside the European Economic Area (“EEA”). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EEA. You should be aware that these countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy.
If you use our services while you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services. We undertake regular reviews of who has access to information that we hold to ensure that your info is only accessible by appropriately trained staff and contractors.
Changes to this policy
Any changes we may make to this policy in the future will be posted on this website so please check this page occasionally to ensure that you’re happy with any changes. If we make any significant changes we’ll make this clear on this website.
Review of this policy
We keep this policy under regular review. This policy was last updated in June 2019.
DATA PROTECTION STATEMENT
Data Protection Statement DREAM MAKE Ltd.
Issue No: 1 Issue Date: June 2019
1.1 Background to the General Data Protection Regulation (‘GDPR’) The General Data Protection Regulation 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent
1.2 Definitions used by the organisation (drawn from the GDPR)
Material scope (Article 2) – the GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.
Territorial scope (Article 3) – the GDPR will apply to all controllers that are established in the EU (European Union) who process the personal data of data subjects, in the context of that establishment. It will also apply to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behavior of data subjects who are resident in the EU.
1.3 Article 4 definitions
Establishment – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities. The main establishment of a processor in the EU will be its administrative centre. If a controller is based outside the EU, it will have to appoint a representative in the jurisdiction in which the controller operates to act on behalf of the controller and deal with supervisory authorities.
Personal data – any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying
natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data subject – any living individual who is the subject of personal data held by an organisation.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.
Data subject consent - means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Child – the GDPR defines a child as anyone under the age of 16 years old, although this may be lowered to 13 by Member State law. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
2. Policy statement
2.1 The Directors of DREAM MAKE Ltd. located at 1 Woodridge, Newbury, RG14 6NP are committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information DREAM MAKE Ltd. collects and processes in accordance with the General Data Protection Regulation (GDPR).
2.2 Compliance with the GDPR is described by this policy and other relevant policies along with connected processes and procedures.
2.3 The GDPR and this policy apply to all of DREAM MAKE Ltd’s personal data processing functions, including those performed on customers’, clients’, employees’, suppliers’ and partners’ personal data, and any other personal data the organisation processes from any source.
2.4 The GDPR Owner is responsible for reviewing the register of processing annually in the light of any changes to DREAM MAKE Ltd’s activities (as determined by changes to the data inventory register and the management review) and to any additional requirements identified by means of data protection impact assessments. These records will be available on the supervisory authority’s request.
2.5 This policy applies to all Employees/Staff and Interested Parties of DREAM MAKE Ltd such as outsourced suppliers. Any breach of the GDPR will be dealt with under DREAM MAKE Ltd’s disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
2.6 Partners and any third parties working with or for DREAM MAKE Ltd, and who have or may have access to personal data, will be expected to have read, understood and to comply with this policy. No third party may access to personal data held by DREAM MAKE Ltd without having first entered into a data confidentiality agreement or contract, which imposes on the third party obligations no less onerous than those to which DREAM MAKE Ltd is committed, and which gives DREAM MAKE Ltd the right to audit compliance with the agreement.
DREAM MAKE Ltd’s objectives for compliance with the GDPR:
are consistent with this policy
In order to achieve these objectives, DREAM MAKE Ltd has determined:
what will be done
what resources will be required
who will be responsible
when it will be completed
how the results will be evaluated
3. Responsibilities and roles under the General Data Protection Regulation
3.1 DREAM MAKE Ltd is both data controller and/or data processor under the GDPR.
3.2 Top Management and all those in managerial or supervisory roles throughout DREAM MAKE Ltd are responsible for developing and encouraging good information handling practices within DREAM MAKE Ltd; responsibilities are set out in individual job descriptions.
3.3 Annelies Rygole as GDPR Owner is a member of the team, and is accountable for the management of personal data within DREAM MAKE Ltd and for ensuring that compliance with data protection legislation and good practice can be demonstrated. This accountability includes:
3.3.1 Development and implementation of the GDPR as required by this policy; and
3.3.2 Security and risk management in relation to compliance with the policy.
3.4 The GDPR Owner has specific responsibilities in respect of procedures such as the Subject Access Request Procedure and is the first point of call for Employees/Staff seeking clarification on any aspect of data protection compliance.
3.5 Compliance with data protection legislation is the responsibility of all Employees/Staff of DREAM WORK Ltd who process personal data.
3.6 Employees/Staff of DREAM WORK Ltd are responsible for ensuring that any personal data about them and supplied by them to DREAM WORK Ltd is accurate and up-to-date.
4. Data protection principles
4.1 Personal data must be processed lawfully, fairly and transparently
Lawful – identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing”, for example consent.
Fairly in order for processing to be fair, the data controller has to make certain information available to the data subjects as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.
The GDPR has increased requirements about what information should be available to data subjects, which is covered in the ‘Transparency’ requirement. Transparently. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. Information must be communicated to the data subject in an intelligible form, using clear and plain language.
The specific information that must be provided to the data subject must, as a minimum, include:
4.1.1 the identity and the contact details of the controller and, if any, of the controller's representative;
4.1.2 the contact details of the GDPR Owner;
4.1.3 the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
4.1.4 the period for which the personal data will be stored;
4.1.5 the existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights, such as whether the lawfulness of previous processing will be affected;
4.1.6 the categories of personal data concerned;
4.1.7 the recipients or categories of recipients of the personal data, where applicable;
4.1.8 where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection afforded to the data;
4.1.9 any further information necessary to guarantee fair processing.
4.2 Personal data can only be collected for specific, explicit and legitimate purposes Data obtained for specified purposes must not be used for a purpose that differs from those formally notified to the supervisory authority as part of DREAM MAKE Ltd’s.
4.3 Personal data must be adequate, relevant and limited to what is necessary for processing
4.3.1 The GDPR Owner is responsible for ensuring that DREAM MAKE Ltd does not collect information that is not strictly necessary for the purpose for which it is obtained.
4.3.2 All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must be include a fair processing statement or link to privacy statement and approved by the GDPR Owner.
4.3.3 The GDPR Owner will ensure that, on an annual basis all data collection methods are reviewed to ensure that collected data continues to be adequate, relevant and not excessive
4.4 Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
4.4.1 Data that is stored by the data controller must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.
4.4.2 The GDPR Owner is responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.
4.4.3 It is also the responsibility of the data subject to ensure that data held by DREAM MAKE Ltd is accurate and up to date. Completion of any application form by a data subject will include a statement that the data contained therein is accurate at the date of submission. Employees are required to notify DREAM MAKE Ltd of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of DREAM MAKE Ltd to ensure that any notification regarding change of circumstances is recorded and acted upon.
4.4.4 The GDPR Owner is responsible for ensuring that appropriate procedures and policies are in place to keep personal data accurate and up to date, taking into account the volume of data collected, the speed with which it might change and any other relevant factors.
4.4.5 On at least an annual basis, the GDPR Owner will review the retention dates of all the personal data processed by DREAM MAKE Ltd, by reference to the data inventory, and will identify any data that is no longer required in the context of the registered purpose. This data will be securely deleted/destroyed in line with the Secure Disposal of Storage Media Procedure
4.4.6 The GDPR Owner is responsible for responding to requests for rectification from data subjects within one month. This can be extended to a further two months for complex requests. If DREAM MAKE Ltd decides not to comply with the request, the GDPR Owner must respond to the data subject to explain its reasoning and inform them of their right to complain to the supervisory authority and seek judicial remedy.
4.4.7 The GDPR Owner is responsible for making appropriate arrangements that, where third-party organisations may have been passed inaccurate or out-of-date personal data, to inform them that the information is inaccurate and/or out of date and is not to be used to inform decisions about the individuals concerned; and for passing any correction to the personal data to the third party where this is required.
4.5 Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
4.5.1 Where personal data is retained beyond the processing date, it will be encrypted in order to protect the identity of the data subject in the event of a data breach.
4.5.2 Personal data will be retained in line with the Retention of Records Procedure and, once its retention date is passed, it must be securely destroyed as set out in this procedure.
4.5.3 The GDPR Owner must specifically approve any data retention that exceeds the retention periods defined in Retention of Records Procedure, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.
4.6 Personal data must be processed in a manner that ensures the appropriate security
The GDPR Owner will carry out a risk assessment taking into account all the circumstances of DREAM MAKE Ltd’s controlling or processing operations.
In determining appropriateness, the GDPR Owner should also consider the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) if a security breach occurs, the effect of any security breach on DREAM MAKE Ltd itself, and any likely reputational damage including the possible loss of customer trust.
When assessing appropriate technical measures, the GDPR Owner will consider the following:
Automatic locking of idle terminals;
Removal of access rights for USB and other memory media;
Virus checking software and firewalls
Role-based access rights including those assigned to temporary staff;
Encryption of devices that leave the organisations premises such as laptops;
Security of local and wide area networks;
Privacy enhancing technologies such as pseudonymisation and anonymisation; Identifying appropriate international security standards relevant to DREAM MAKELtd.
When assessing appropriate organisational measures the GDPR Owner will consider the following:
The appropriate training levels throughout DREAM MAKE Ltd;
Measures that consider the reliability of employees (such as references etc.); The inclusion of data protection in employment contracts;
Identification of disciplinary action measures for data breaches; Monitoring of staff for compliance with relevant security standards;
Physical access controls to electronic and paper based records;
Adoption of a clear desk policy;
Storing of paper based data in lockable fire-proof cabinets;
Restricting the use of portable electronic devices outside of the workplace;
Restricting the use of employee’s own personal devices being used in the workplace;
Adopting clear rules about passwords;
Making regular backups of personal data and storing the media off-site;
The imposition of contractual obligations on the importing organisations to take appropriate security measures when transferring data outside the EEA.
These controls have been selected on the basis of identified risks to personal data, and the potential for damage or distress to individuals whose data is being processed.
4.7 The controller must be able to demonstrate compliance with the GDPR’s other principles (accountability)
The GDPR includes provisions that promote accountability and governance.
DREAM MAKE Limited will demonstrate compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct, implementing technical and organisational measures, as well as adopting techniques such as data protection by design, DPIAs, breach notification procedures and incident response plans.
5. Data subjects’ rights
5.1 Data subjects have the following rights regarding data processing, and the data that is recorded about them:
5.1.1 To make subject access requests regarding the nature of information held and to whom it has been disclosed.
5.1.2 To prevent processing likely to cause damage or distress.
5.1.3 To prevent processing for purposes of direct marketing.
5.1.4 To be informed about the mechanics of automated decision-taking process that will significantly affect them.
5.1.5 To not have significant decisions that will affect them taken solely by automated process.
5.1.6 To sue for compensation if they suffer damage by any contravention of the GDPR.
5.1.7 To take action to rectify, block, erased, including the right to be forgotten, or destroy inaccurate data.
5.1.8 To request the supervisory authority to assess whether any provision of the GDPR has been contravened.
5.1.9 To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
5.1.10 To object to any automated profiling that is occurring without consent.
5.2 DREAM MAKE Limited ensures that data subjects may exercise these rights:
5.2.1 Data subjects may make data access requests as described in Subject Access Request Procedure; this procedure also describes how DREAM MAKE Limited will ensure that its response to the data access request complies with the requirements of the GDPR.
5.2.2 Data subjects have the right to complain to DREAM MAKE Limited related to the processing of their personal data, the handling of a request from a data subject and appeals from a data subject on how complaints have been handled in line with the Complaints Procedure.
6.1 DREAM MAKE Ltd understands ‘consent’ to mean that it has been explicitly and freely given, and a specific, informed and unambiguous indication of the data subject’s wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The data subject can withdraw their consent at any time.
6.2 DREAM MAKE Ltd understands ‘consent’ to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.
6.3 There must be some active communication between the parties to demonstrate active consent. Consent cannot be inferred from non-response to a communication.
6.4 For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
6.5 In most instances, consent to process personal and sensitive data is obtained routinely by DREAM MAKE Ltd using standard consent documents Contracts of Employment or Client Contracts and Agreements e.g. when a new client signs a contract, or during induction for participants on programmes.
6.6 Where DREAM MAKE Ltd provides online services to children, parental or custodial authorisation must be obtained. This requirement applies to children under the age of 16 (unless the Member State has made provision for a lower age limit, which may be no lower than 13).
7. Security of data
7.1 All Employees/Staff are responsible for ensuring that any personal data that DREAM MAKE Ltd holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by DREAM MAKE Ltd to receive that information and has entered into a confidentiality agreement.
7.2 All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. All personal data should be treated with the highest security and must be kept: in a lockable room with controlled access; and/or in a locked drawer or filing cabinet; and/or if computerised, password protected in line with corporate requirements in the Access Control Policy and/or stored on (removable) computer media which are encrypted.
7.3 Care must be taken to ensure that PC screens and terminals are not visible except to authorised Employees/Staff of DREAM MAKE Ltd. All Employees/Staff are required to sign our Employee Security User Guide before they are given access to organisational information of any sort, which details rules on screen time-outs.
7.4 Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit authorisation. As soon as manual records are no longer required for day-to-day client support, they must be locked away.
7.5 Personal data may only be deleted or disposed of in line with the Retention of Records Procedure. Manual records that have reached their retention date are to be shredded and disposed of as ‘confidential waste. Hard drives of redundant PCs are to be removed and immediately destroyed before disposal.
7.6 Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process data off-site.
8. Disclosure of data
8.1 DREAM MAKE Ltd must ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of DREAM MAKE Ltd’s business.
8.2 All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the GDPR Owner.
9. Retention and disposal of data
9.1 DREAM MAKE Ltd shall not keep personal data in a form that permits identification of data subjects for longer a period than is necessary, in relation to the purpose(s) for which the data was originally collected.
9.2 DREAM MAKE Ltd may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.
9.3 The retention period for each category of personal data will be set out in the Retention of Records Procedure along with the criteria used to determine this period including any statutory obligations DREAM MAKE Ltd has to retain the data.
9.4 DREAM MAKE Ltd’s data retention and data disposal procedures will apply in all cases.
9.5 Personal data must be disposed of securely in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects. Any disposal of data will be done in a secure manner.
10. Data transfers
10.1 All exports of data from within the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as ‘third countries’) are unlawful unless there is an appropriate “level of protection for the fundamental rights of the data subjects. The transfer of personal data outside of the EEA is prohibited unless one or more of the specified safeguards, or exceptions, apply:
10.1.1 An adequacy decision The European Commission can and does assess third countries, a territory and/or specific sectors within third countries to assess whether there is an appropriate level of protection for the rights and freedoms of natural persons. In these instances no authorisation is required.
Countries that are members of the European Economic Area (EEA) but not of the EU are accepted as having met the conditions for an adequacy decision. A list of countries that currently satisfy the adequacy requirements of the Commission are published in the Official Journal of the European Union.
10.1.3 Binding Corporate Rules DREAM MAKE Ltd may adopt approved binding corporate rules for the transfer of data outside the EU. This requires submission to the relevant supervisory authority for approval of the rules that DREAM MAKE Ltd is seeking to rely upon.
10.1.4 Model contract clauses DREAM MAKE Ltd may adopt approved model contract clauses for the transfer of data outside of the EEA. If DREAM MAKE Ltd adopts the model contract clauses approved by the relevant supervisory authority there is an automatic recognition of adequacy.
In the absence of an adequacy decision, Privacy Shield membership, binding corporate rules and/or model contract clauses, a transfer of personal data to a third country or international organisation shall only take place on one of the following conditions:
the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
the transfer is necessary for important reasons of public interest;
the transfer is necessary for the establishment, exercise or defence of legal claims; and/or
the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
11. Information asset register/data inventory
11.1 DREAM MAKE Ltd has established a data inventory and data flow process as part of its approach to address risks and opportunities throughout its GDPR compliance project. DREAM MAKE Ltd’s data inventory and data flow determines:
business processes that use personal data;
source of personal data;
volume of data subjects;
description of each item of personal data;
maintains the inventory of data categories of personal data processed;
documents the purpose(s) for which each category of personal data is used;
recipients, and potential recipients of the personal data;
the role of the Perform Workshops Limited throughout the data flow;
key systems and repositories;
any data transfer and
all retention and disposal requirements.
11.2 DREAM MAKE Ltd is aware of any risks associated with the processing of particular types of personal data.
11.2.1 DREAM MAKE Ltd assesses the level of risk to individuals associated with the processing of their personal data. Data protection impact assessments are carried out in relation to the processing of personal data by DREAM MAKE Ltd, and in relation to processing undertaken by other organisations on behalf of DREAM MAKE Ltd.
11.2.2 DREAM MAKE Ltd shall manage any risks identified by the risk assessment in order to reduce the likelihood of a non-conformance with this policy.
11.2.3 Where a type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons, DREAM MAKE Lted shall, prior to the processing, carry out a DPIA of the impact of the envisaged processing operations on the protection of personal data. A single DPIA may address a set of similar processing operations that present similar high risks.
11.2.4 Where, as a result of a DPIA it is clear that DREAM MAKE Ltd is about to commence processing of personal data that could cause damage and/or distress to the data subjects, the decision as to whether or not DREAM MAKE Ltd may proceed must be escalated for review to the GDPR Owner.
11.2.5 The GDPR Owner shall, if there are significant concern, either as to the potential damage or distress, or the quantity of data concerned, escalate the matter to the supervisory authority. Document Owner and Approval The GDPR Owner is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above. A current version of this document is available to all members of staff. This policy was approved by the GDPR Owner on 23rd June 2019 and is issued on a version controlled basis under the signature of the GDPR Owner.
Date: 23 June 2019
Description of Change
Date of issue
23rd June 2019