SPARK: York C.I.C. Privacy Policy
This Privacy Notice sets out how SPARK:York C.I.C. (the Data Controller) collects and uses your personal data. References to “SPARK”, “SPARK: York”, “we”, “us”, “our” or “controller” in this Privacy Notice mean SPARK:York C.I.C.
Our Privacy Notice is structured in a way for you to easily find the specific details of what we do with your personal data.
When we refer to:
- UK GDPR we mean the UK General Data Protection Regulation
- DPA18 we mean the Data Protection Act 2018
- PECR we mean the Privacy & Electronic Communications Regulation 2003
This Privacy Notice was last updated July 2024.
Our contact details
SPARK:York is the data controller for the personal data we process about you.
You can contact us regarding the use of your personal data via one of the following ways:
- Postal Address: SPARK:York, 17-21 Piccadilly, York, YO1 9PB
- Telephone: 01904 217555
- Email: [email protected]
- Website: https://www.sparkyork.org/contact
- Instagram: @SparkYork
- Facebook: @SparkYorkCIC
Data Protection Officer
Although we do not meet one of the criteria to legally appoint a Data Protection Officer under UK GDPR, a member of our team does oversee our data protection compliance. The various ways you can contact us to discuss any data protection issues or concerns are shown in the “Our contact details” section.
How we get your personal data
Directly
This is when you and no-one else has given us your personal data. Examples of when you directly give us your personal data are:
- enquire about renting a unit within SPARK:York
- rent a unit within SPARK:York
- enquire about hiring a meeting room or studio space at SPARK:York
- book a desk in our co-working space
- visit SPARK:York
- opt in to receive marketing from us
- apply for a job with us
- when we use your business to provide a service or goods to us
- enter a prize draw or competition run by SPARK:York
- are photographed or filmed by SPARK:York at our premises
- booked a ticket for an event at SPARK:York
- order with a food or drink vendor at SPARK:York
- email the team with any other enquiry
If we have met you at a networking event, business club or some other form of social meeting you may have provided your business card details to us.
Indirectly
This is when we have obtained your personal data from someone other than yourself, i.e. a third party, or a publicly available source. This may include:
- Information you have made publicly available
- Wireless social – free wi-fi
- Web analytics providers
- Recruitment agencies
- Referees who provide a reference for recruitment purposes.
There may be occasions when we have obtained your details by word of mouth referrals, and recommendations from 3rd parties – for example, another business has given us your details or introduced us to each other.
The lawful grounds we rely on to process your personal data
When gathering and using your personal data, we must have a lawful ground to do so – this is a key requirement of GDPR.
The lawful ground we rely on to process your personal data will vary depending on the interaction we have with you and the reason we use your personal data. Full details of each of the lawful grounds we rely on are given below.
Contractual obligation (GDPR Article 6(1)(b))
We rely on contractual obligation when you make enquiries about any of our services or events and when we enter into a contractual arrangement with you, such as renting a unit.
We require certain information from you to enable us to fulfil our contractual obligation. If you are not able to provide all the necessary information that we need, we may not be able to provide the service to you and the arrangement may therefore not proceed or may need to be terminated.
Legal obligation (GDPR Article 6(1)(c))
There are times when we must process your personal data for us to comply with a legal or regulatory requirement. In these cases, we will usually rely on the lawful ground known as “legal obligation” as the processing is necessary for us to fulfil a legal obligation to which we are subject. For example:
- we have certain obligations under employment law in relation to recruitment and selection and equal opportunities that we must comply with.
- we have a legal obligation to provide the police or other law enforcement body with information if they are investigating a crime.
Vital interests (GDPR Article 6(1)(d))
There may be rare occasions when we need to provide information about you to someone in order to protect your life. For example, in medical emergencies where we have to provide medical staff with information about you to save your life if you are incapable of providing the information. Should such an instance arise, it is likely that we will rely on the lawful ground known as “vital interests” as the processing is necessary in order to protect you, particularly in a life or death situation.
Legitimate interests (GDPR Article 6(1)(f))
We rely on “soft opt-in” to send you our newsletters and other marketing communications when you enquire about our services or once we’ve entered into a contractual arrangement with you. UK GDPR allows us to use the “legitimate interests” lawful ground for direct marketing purposes when soft opt-in applies. This is because it is not deemed to be an unreasonable expectation for anyone who has a relationship with us to receive marketing communications from us.
This also complies with e-Privacy laws, currently PECR, which govern how a business can undertake electronic direct marketing. We can rely on soft opt-in to send email marketing to prospective and existing customers.
We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose.
We always give you the opportunity to object to receiving marketing communications from us, when we first collect your personal data and with every marketing communication thereafter.
Processing for employment law (GDPR Article 9(2)(b))
Information you provide to us that relates to special category personal data, such as health, religious or ethnic information is necessary for our recruitment and selection purposes as it relates to our obligations in employment law.
Processing to assess working capacity (GDPR Article 9(2)(h))
We have certain obligations to assess your health in relation to your ability to work for us.
Sharing your personal data with other businesses
We do not share, sell or rent your personal data to other businesses for them to use for their own marketing purposes.
We may sometimes need to share your data with other organisations, such as providing a list of ticket bookers to an organisation running an event in our venue, or when we have a legal obligation to do so. Whenever we are asked to share personal data we always ensure we have a lawful ground to do so and fully document our reasons for the sharing.
You can find out about any routine data sharing that we undertake with other organisations in parts 2 and onwards of this privacy notice.
Using data processors and 3rd parties
There are times when we need to use other businesses to help us fulfil the delivery of our services to you. These other businesses will either be:
- data processors as they are acting under strict instruction from us on what they can and cannot do with the personal data; or
- joint data controllers as they have their own purposes to process your personal data (e.g. card payment providers).
When we do use other businesses to process personal data on our behalf (data processors) we always ensure we have appropriate UK GDPR compliant contracts in place with each one.
A data processor is not allowed to do anything with your personal data other than what we have instructed them to do with it. They will not share your personal data with any other business apart from us, unless they are required to do so by law. They will hold it securely and retain it for the period we instruct.
Our data processors and 3rd parties include:
- IT system providers;
- IT servicing and maintenance providers;
- Website host providers;
- Email host providers;
- Wi-Fi provider;
- HR services provider;
- Marketing service provider;
- CRM provider;
- Card payment provider;
- Booking/Ticketing platform provider.
How long we keep your data
We keep your personal information for as long as your relationship with SPARK:York continues, plus a further six years after the date of your last interaction with us.
Visiting and using our premises
If you are located at our premises or if you are a visitor to us or any of our tenants, etc., it is likely that your image will be captured on our CCTV system and sometimes your image may be captured by one of our photographers.
CCTV
We primarily use CCTV for the prevention and detection of crime and for health and safety of our tenants and visitors. We ensure appropriate signage is in place where CCTV images are captured. We ensure we comply with the Information Commissioner’s Office CCTV Code of Practice and the Biometrics & Surveillance Camera Commissioner’s Surveillance Camera Code.
Photographers
We occasionally have our photographers at our premises taking photos for use in our marketing, social media, and publications. On the days the photographers are working we make sure tenants and guests are aware which areas are being photographed. This allows you to make a choice of whether to remain in that area or not when the photographer is working.
Wifi
We also provide guest Wi-Fi to all our tenants and visitors. If you consent to use this service, we will collect personal data about you, such as your email address. Our Wi-Fi service is provided by a third party; you must ensure you have read their terms and privacy notice when signing up to use our guest Wi-Fi service.
Health and safety
On very rare occasions when there has been an accident on site we will collect personal data, some of which may be sensitive, of the person involved in the accident and any witnesses to the accident. Your personal data will only be used for compliance with applicable health and safety law requirements and for any legal claims made.
Transferring personal data outside of the UK
Sometimes it is not possible for us to store or process your personal data wholly in the UK. When your personal data does need to be transferred or stored outside of the UK, we make sure we comply with the specific requirements set out in UK GDPR for us to undertake this. We will only transfer personal data outside of the UK when one of the following provisions are in place to safeguard your personal data:
- An “adequacy regulation” is in place with the country where the personal data is being transferred to. The UK has “adequacy regulations” in relation to the following countries and territories:
  - The European Economic Area (EEA) countries;
  - EU or EEA institutions, bodies, offices or agencies;
  - Gibraltar;
  - Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020).
- An “appropriate safeguard” as set out in UK GDPR is in place. These include standard contractual clauses.
- An “exception” as set out in UK GDPR can be relied on if there is no adequacy decision or appropriate safeguard in place. For example, we could rely on your explicit consent to make the transfer of personal data.
Children’s information
The only occasions where children’s personal data is collected are:
- Via our CCTV
- When we have a photographer onsite taking photos. We have appropriate signage in place to inform parents/carers that CCTV is in operation and we place signage in the areas where photographs are being taken
- If a child books a ticket online for one of our events
- If a child signs up to our email newsletter
- If a child enters one of our competitions that are open to under 18s.
Your rights
Depending on the reasons why we need your personal data and the legal basis we rely on, there are various rights available to you. You can:
- access the personal data we keep about you and be given specific information about the processing. This right always applies regardless of the reason we need your personal data.
- ask us to rectify personal data we hold about you that you think is inaccurate. This right always applies regardless of the reason we need your personal data.
- ask us to delete your personal data. This right only applies in specific circumstances depending on the reason we need to use your personal data.
- ask us to restrict the processing of your personal data. This right only applies when specific circumstances apply.
- object to the processing when we have relied on legitimate interest to undertake that processing activity and you believe we have infringed your rights.
- transfer your personal data from us to another service provider. This right only applies to personal data you have given to us directly and when the lawful ground for the processing is consent or contractual basis and the processing is automated.
We do not undertake any solely automated decision making, including profiling, about you.
To find out more about how to exercise your rights please refer to the guidance on the Information Commissioner’s Office website. https://ico.org.uk/your-data-matters/
You do not need to pay a fee to us to exercise any of your rights. However, if your request is manifestly unfounded or excessive, we do have the right to either charge a reasonable fee or refuse the request.
We shall respond to a valid request within one month of receiving it.
If you wish to exercise one of your rights, please contact us via one of the methods shown in the “Our contact details” section.
How to make a complaint about us to the Information Commissioner’s Office
If you are not happy with how we are processing your personal data or you believe we have not dealt with one of your rights correctly you are entitled to make a complaint to the Information Commissioner’s Office (ICO). The ICO has several ways in which you can get in touch with them, including post, email, and online forms. For full details on how to make a complaint, please refer to their website. https://ico.org.uk/make-a-complaint/
Links to other websites
Our website may provide links to websites of other organisations. Our Privacy Notice does not cover how those organisations process your personal data when you visit their website. We advise you to read their Privacy Notices.
Changes to our Privacy Policy
We keep our Privacy Notice under review to ensure it remains accurate and up to date and we reserve the right to modify it at any time. The current version of our privacy notice will always be available on our website.
If you have any questions about our Privacy Notice, please contact us via one of the ways shown in the “Our contact details” section.
This Privacy Policy was last updated June 2024.
Transparency notices
If you rent a unit or hire a meeting room, co-working desk or studio space, including making any enquiries about renting/hiring
The personal data we need from you
- Name
- Contact details
- Financial details
The reasons we need your personal data and the lawful grounds we rely on
We use your personal data to:
- provide relevant information to you in relation to the enquiry you have made;
- enter into a rental agreement with you when you rent a unit;
- provide you with the use of a room or studio space when you hire these;
- provide updates regarding the services we provide to you; and
- send you marketing relating to our services in general and the work we do.
The lawful grounds we rely on are:
Contractual obligation (GDPR Article 6(1)(b))
The services we provide to you are done so under contract (e.g. when you rent a unit) or with a view to you entering into a contract with us (when you make enquiries).
We require certain information from you to enable us to fulfil our contractual obligation. If you are not able to provide all the information we need, we may not be able to provide the service to you and the arrangement may therefore need to be terminated.
Legitimate interests (GDPR Article 6(1)(f))
We rely on “soft opt-in” to send you our newsletters and other marketing communications when you enquire about our services or once we’ve entered into a contractual arrangement with you. UK GDPR allows us to use the legitimate interests lawful ground for direct marketing purposes when soft opt-in applies. This is because it is not deemed to be an unreasonable expectation for anyone who has a relationship with us to receive marketing communications from us.
This also complies with e-Privacy laws, currently PECR, which govern how a business can undertake electronic direct marketing. We can rely on soft opt-in to send email marketing to prospective and existing customers.
We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose.
We always give you the opportunity to object to receiving marketing communications from us, when we first collect your personal data and with every marketing communication thereafter.
How long we keep your personal data
We keep information relating to enquiries for up to 6 years. It will depend on the nature of the enquiry as to how long we keep it, however enquiries about renting units are likely to be kept for longer until a vacancy arises.
We keep information relating to room hire and unit tenancy agreements for up to 6 years following termination of the agreement.
Marketing contact details are held for as long as you want to remain on our marketing contact list. You always have the option to unsubscribe from our marketing at any time.
The data processors we use
We use the following data processors to deliver our service to you:
- Website host
- IT Systems providers
- Email host provider
- Wi-Fi service provider
- Marketing service
- CRM provider
- Microsoft Clarity
If you attend any of the events we host
The personal data we need from you
Depending on whether this is a ticketed event or not, we may need to collect some or all of the following information from you:
- Name of person who made the booking;
- Contact details of individual who made the booking;
- Names of individuals attending the event;
- Payment details if it is a paid event.
We will gather your details either directly from you or we will obtain your details from the individual who has made the booking.
The reasons we need your personal data and the lawful ground we rely on
We need your personal data to:
- provide you with tickets and information about the event booking;
- process financial transactions relating to the purchase of tickets;
- send marketing related messages to you.
The legal bases we rely on are:
Contractual obligation (GDPR Article 6(1)(b))
The data we obtain to process your event booking and to provide you with service updates in relation to that booking is necessary for the performance of a contract which you have entered into with us.
We require certain information from you to enable us to fulfil our pre-contractual and contractual obligations. If you are not able to provide all the necessary information we need we may not be able to process your booking.
Legitimate interests (GDPR Article 6(1)(f))
We rely on “soft opt-in” to send you our newsletters and other marketing communications when you book to attend one of our events. UK GDPR allows us to use the legitimate interests lawful ground for direct marketing purposes when soft opt-in applies. This is because it is not deemed to be an unreasonable expectation for anyone who has a relationship with us to receive marketing communications from us.
This also complies with e-Privacy laws, currently PECR, which govern how a business can undertake electronic direct marketing. We can rely on soft opt-in to send email marketing to prospective and existing customers.
We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose.
We always give you the opportunity to object to receiving marketing communications from us, when we first collect your personal data and with every marketing communication thereafter.
How long we keep your personal data
We keep event booking information for up to 6 years.
The data processors we use
We use the following data processors to deliver our service to you:
- IT system providers;
- Email host providers;
- Wi-Fi provider;
- Marketing service provider;
- CRM provider;
- Booking/Ticketing platform provider.
- Microsoft Clarity.
If you are one of our suppliers or contractors
The personal data we need from you
For us to pay you for the service or goods you have provided to us, we need to collect and use a small amount of information about you and your business. This is also likely to include some information about the individuals who work at your business. The personal data we are likely to need is:
- Your business name;
- The name (first and last name) of the person who we are liaising with at your business (in some cases this may be several staff members details);
- Business postal address;
- Business email address;
- Business telephone number;
- Business mobile number;
- Bank details to enable payment to be made;
The reasons we need your personal data and the lawful grounds we rely on
We need your personal data to either enquire about the services or goods you provide that we may be interested in purchasing or to make a purchase from you. We then use your personal data to pay for those goods and services when you invoice us or to raise any queries about the payment.
The legal bases we rely on are:
Contractual obligation (GDPR Article 6(1)(b))
The services or goods you have provided to us are done so under contract or with a view to entering into a contract (i.e. we have asked you for a quote for the goods or to undertake the service for us).
We require certain information from you to enable us to fulfil our part of the pre-contractual and contractual obligations, e.g. we need to have certain information to make the purchase and to process payment. If you are not able to provide all the necessary information for us to do this, we will not be able to purchase the goods or services you provide or be able to make payment once purchased.
Legal obligation (GDPR Article 6(1)(c))
We have a legal obligation to pay for any services or goods we have purchased.
How long we will keep your personal data
We keep all financial data (which includes supplier information) for 6 years from the end of the financial year it relates to. This is in line with statutory taxation obligations.
The data processors we use
We use the following data processors:
- IT system providers;
- IT servicing and maintenance providers;
- Email host providers.
If you apply for a job with us
The personal data we need from you
When you apply for a job with us you will need to provide us with some personal data as part of the job application process. This will include some or all of the following:
- Full name
- Postal address
- Telephone number
- Mobile number
- Email address
- Equal opportunities information (which includes age, disability, gender, religion, sexual orientation, ethnic group, relationship status, caring responsibility) – voluntary
- Education history
- Qualifications
- Employment history
- Criminal convictions information
- Whether you hold a UK work permit
- References
The stage you reach in the recruitment process will determine what personal data you will need to provide.
The reasons we need your personal data and the lawful grounds we rely on
We need your personal data to be able to process your application for a job with us, which includes, but is not limited to:
- assessing your suitability for the role applied for;
- making a decision on whether your application progresses to the next stage of the recruitment process (sifting and shortlisting);
- inviting you to interview or tests;
- making a decision on whether or not to appoint you to the role applied for;
- obtaining further information in order to carry out pre-employment checks if we make a conditional offer of employment to you;
- gathering of information for equal opportunities monitoring; and
- gathering of information for criminal conviction checks.
The legal basis we rely on to undertake our recruitment activities includes:
Contractual obligation (GDPR Article 6(1)(b))
The processing of your job application is necessary in order for us to take steps at your request before entering into a possible employment contract with us.
We require certain information from you to enable us to fulfil our employment pre-contractual and contractual obligations. If you are not able to provide all the necessary information we need we may not be able to process your application and consider you for one of our job vacancies.
Legal obligation (GDPR Article 6(1)(c))
We have certain obligations under employment law in relation to recruitment and selection and equal opportunities that we must comply with.
Processing for employment law (GDPR Article 9(2)(b))
Information you provide to us that relates to special category personal data, such as health, religious or ethnic information is necessary for our recruitment and selection purposes as it relates to our obligations in employment law.
Processing to assess working capacity (GDPR Article 9(2)(h))
We have certain obligations to assess your health in relation to your ability to work for us.
How long we will keep your personal data
All unsuccessful candidate details are kept for 6 months from the end of the recruitment process they relate to.
Successful candidate details are transferred to their employment record and kept for 6 years after employment ends.
The data processors we use
We use the following data processors:
- IT system providers;
- IT servicing and maintenance providers;
- Email host providers;
- Wi-Fi provider;
- HR services provider;
Marketing
The personal data we collect
We rely on “soft opt-in” to send you our newsletters and other marketing communications when you enquire about our services or once we’ve entered into a contractual arrangement with you.
We maintain an official presence on various social media platforms, in pursuit of our own legitimate interests in relation to marketing and brand management. When you engage with us on these platforms the platform owner is the Data Controller in relation to the provision of the platform, its security, and the use of your profile on their platform, and their own privacy policy applies. SPARK:York is a joint Data Controller with the platform provider and is responsible for its own use of the platform and for our own use of your personal data as you engage with us on that platform. We will engage with you on social media only in accordance with the platform provider’s privacy policy.
We collect some or all of the following personal data:
- Name
- Email address
- Postal address
- Telephone number (landline or mobile)
The reasons we collect your personal data and the lawful grounds we rely on
We collect your personal data to be able to send you relevant news about us and our services, including special offers and events, etc.
The legal basis we rely on is:
Consent (GDPR Article 6(1)(a))
By submitting your contact details to receive marketing from us you have given your consent for us to use your personal data for this purpose.
You always have the right to withdraw your consent to receive marketing. You can do this by clicking the “unsubscribe” link on our emails or by contacting us via one of the ways shown in the “Our contact details” section.
If you choose to unsubscribe, we will stop sending you marketing communications. We will aim to stop sending you marketing as soon as we possibly can after we have received your unsubscribe request.
How long we keep your personal data
Your contact details are held for as long as you want to remain on our marketing contact list.
The data processors we use
We use the following data processors to deliver our service to you:
- We use Sprout Social, owned by Me&u, to manage and distribute our marketing correspondence. Me&u’s Privacy Policy can be found at https://www.meandu.com/legal/meandu-privacy-policy-gb
- We use Google Drive, Google Forms and Gmail, from Google Inc., to coordinate and distribute marketing activity including feedback surveys. Google may process your information in the United States, and is certified under the EU-US Privacy Shield Framework in order to implement appropriate safeguards in relation to your information. Google’s Privacy Policy can be found at https://policies.google.com/privacy.
- We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.