1.1 The Deco (“we”, “us” or “our”) are committed to protecting and respecting your privacy.
1.2 This notice sets out the basis on which we will process any personal data our ID scanners collect from our guests and other visitors (“you” or “your”) or that you provide to us.
1.3 This notice relates specifically to our processing of your personal data using ID scanners.
1.4 For the purpose of the General Data Protection Regulation 2016/679 (“GDPR”) and Data Protection Act 2018 the data controller is MDAB LIMITED of 1-2 The Hard, Portsea, Portsmouth PO1 3PU with registration number 04560227
2 ID SCANNING MAY BE A CONDITION OF YOUR ENTRY
2.1 The ID scanning machine collects a copy of your Passport, Driving Licence, PASS ID or other National Identification document and checks (i) your age, (ii) whether you are listed on its local database of people who have been banned from a particular venue and (iii) if you are the subject of any alerts from other venues.
2.2 You are not obliged to allow us to collect such personal data, but it may be a condition of entry to the venue that you do.
3 PURPOSE AND EXTENT OF PROCESSING
3.1 The Licensing Act 2003 includes four main objectives which we, as a licence holder, are legally required to promote. These objectives are (i) the prevention of crime and disorder, (ii) public safety, (iii) the prevention of public nuisance and (iv) the protection of children from harm.
To further these objectives, our venue and its staff must ensure that we do not serve alcohol to anyone under the age of 18. As we also operate an 18+ only policy for most of our events, we therefore need to verify your age before allowing you into the venue.
Additionally, to prevent crime and disorder, prevent public nuisance and to ensure public safety we may use your information at our venue to investigate accidents and enforce local bans. We also may share your information:
3.1.1 with other venues and networks, such as Pubwatch and The Safer Clubbing at Night Network, should you be banned from our venue; and
3.1.2 with the police and local authorities in the event of an incident.
3.2 We do not use automated decision making: all decisions regarding entry to the venue are made at the discretion of the venue management team.
4 LEGAL BASES FOR THE PROCESSING
4.1 The processing of your personal data is necessary (i) to allow us to comply with our legal obligations under the Licensing Act 2003 and (ii) for our legitimate interests in preserving our reputation as a responsible operator and promoting the interests of those participating in the late-night economy more generally.
4.2 If we are processing any personal data relating to criminal convictions and/or offences, such processing (i) is necessary for the purposes of the prevention or detection of crime and disorder, (ii) must be carried out without the consent of the individuals involved so as not to prejudice those purposes, and (iii) is necessary for reasons of substantial public interest.
5 SECURITY AND WHERE WE STORE YOUR PERSONAL DATA
5.1 Your personal data is stored securely on the individual ID scanning machine. Details of guests are only shared externally (i) where necessary to allow the ID system to be properly maintained and (ii) when a guest has been banned from a venue. The sharing of information about bans is done for the purpose of preventing or detecting crime and disorder (see paragraph 4 above). The data that is shared is a copy of the identification document and (where applicable) a summary of the reason for the ban. This information is encrypted and kept securely with a cloud service provider based in the UK and can only be accessed by the technical support team and by operators using compatible equipment.
5.2 Your personal data will only be transferred outside of the European Union where (i) the technical support team needs access to the data and (ii) adequate steps have been taken to ensure that processing is conducted in accordance with the GDPR.
6 HOW LONG WE STORE YOUR PERSONAL DATA
6.1 We will keep your information only for as long as it is required, being 31 days if your data is not the subject of an alert or investigation. Otherwise, we may store your information for a maximum of 3 years, or longer where required by law or in connection with an investigation or legal proceedings.
6.2 In limited circumstance, our service provider may keep sample copies of information to improve the service they provide – for example where a form of ID is unusual and the equipment may need to be configured to allow it to handle such forms of ID. When the information is no longer needed for that purpose it is deleted.
7 EXCLUSION POLICY
7.1 From time to time it may be necessary for us to exclude guests from our venue. Whilst the decision to exclude is within our discretion, in doing so we will seek to act fairly and where we share information about exclusions with other people we will do so in accordance with the requirements of GDPR.
7.2 Decisions to exclude will normally be taken by the General Manager at the venue, the Head of Security or one of their deputies. Where practical, guests who have been excluded will be informed of the reasons for the exclusion and the length of the ban. We aim to ensure that any exclusion is proportionate to the behaviour which has led to that exclusion.
7.3 If you have been banned from a venue and wish us to review that decision, you should contact the General Manager of the venue at email@example.com. Subject to paragraph 8 below, any decision following such a review is final.
8 YOUR RIGHTS
8.1 The GDPR gives you the following rights:
8.1.1 Right to rectification. You have the right to rectification of inaccurate personal data.
8.1.2 The right to be forgotten. You have the right to obtain from us the erasure of your personal data where:
(a) the personal data is no longer necessary in relation to the purposes for which it was collected or processed;
(b) where consent is required you withdraw your consent to processing;
(c) you object to the processing provided there are no overriding legitimate grounds for the processing;
(d) the personal data has been unlawfully processed; and
(e) we are required to erase the personal data in order to comply with the law.
8.1.3 Right to restriction. You have the right to obtain from us the restriction of processing where:
(a) you contest the accuracy of the personal data we hold about you;
(b) the personal data has been unlawfully processed;
(c) we no longer need the personal data but they are required by you in limited circumstances;
(d) you object to the processing pending the verification as to whether our legitimate grounds override those of the data subject.
8.1.4 Right to data portability. In certain limited circumstances, you have the right to receive personal data from us in a structured, commonly used and machine-readable format and the right to transmit it to a third-party organisation.
8.1.5 Right to object. You have the right to object to any of our processing. Please let us know if you object to any of our processing and we will work with you to try and resolve any issues you may have with our processing of your personal data.
8.1.7 Right to complain to the ICO. Whilst we prefer it if you approached us first about any complaints or queries you may have, you always have the right to lodge a complaint with the Information Commissioner’s Office.
8.1.8 Subject access right. Subject to certain exceptions, you have the right to access personal data we hold about you. Your right of access can be exercised in accordance with the GDPR.
9.1 Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to firstname.lastname@example.org