GDPR

Data Pro­tec­tion Pol­i­cy
[Now and Then Media]


Def­i­n­i­tions

Data pro­tec­tion prin­ci­ples
Now and Then Media is com­mit­ted to pro­cess­ing data in accor­dance with its respon­si­bil­i­ties under the GDPR.


Arti­cle 5 of the GDPR requires that per­son­al data shall be:
processed law­ful­ly, fair­ly and in a trans­par­ent man­ner in rela­tion to indi­vid­u­als;
col­lect­ed for spec­i­fied, explic­it and legit­i­mate pur­pos­es and not fur­ther processed in a man­ner that is incom­pat­i­ble with those pur­pos­es; fur­ther pro­cess­ing for archiv­ing pur­pos­es in the pub­lic inter­est, sci­en­tif­ic or his­tor­i­cal research pur­pos­es or sta­tis­ti­cal pur­pos­es shall not be con­sid­ered to be incom­pat­i­ble with the ini­tial pur­pos­es; ade­quate, rel­e­vant and lim­it­ed to what is nec­es­sary in rela­tion to the pur­pos­es for which they are processed; accu­rate and, where nec­es­sary, kept up to date; every rea­son­able step must be tak­en to ensure that per­son­al data that are inac­cu­rate, hav­ing regard to the pur­pos­es for which they are processed, are erased or rec­ti­fied with­out delay; kept in a form which per­mits iden­ti­fi­ca­tion of data sub­jects for no longer than is nec­es­sary for the pur­pos­es for which the per­son­al data are processed; per­son­al data may be stored for longer peri­ods inso­far as the per­son­al data will be processed sole­ly for archiv­ing pur­pos­es in the pub­lic inter­est, sci­en­tif­ic or his­tor­i­cal research pur­pos­es or sta­tis­ti­cal pur­pos­es sub­ject to imple­men­ta­tion of the appro­pri­ate tech­ni­cal and organ­i­sa­tion­al mea­sures required by the GDPR in order to safe­guard the rights and free­doms of indi­vid­u­als; and processed in a man­ner that ensures appro­pri­ate secu­ri­ty of the per­son­al data, includ­ing pro­tec­tion against unau­tho­rised or unlaw­ful pro­cess­ing and against acci­den­tal loss, destruc­tion or dam­age, using appro­pri­ate tech­ni­cal or organ­i­sa­tion­al measures.”

Gen­er­al pro­vi­sions
This pol­i­cy applies to all per­son­al data processed by Now and Then Media
The Respon­si­ble Per­son shall take respon­si­bil­i­ty for Now and Then Medi­a’s ongo­ing com­pli­ance with this policy.


This pol­i­cy shall be reviewed at least annu­al­ly.
Now and Then Media shall reg­is­ter with the Infor­ma­tion Commissioner’s Office as an organ­i­sa­tion that process­es per­son­al data.

Law­ful, fair and trans­par­ent pro­cess­ing
To ensure its pro­cess­ing of data is law­ful, fair and transparent,Now and Then Media shall main­tain a Reg­is­ter of Sys­tems.
The Reg­is­ter of Sys­tems shall be reviewed at least annu­al­ly.
Indi­vid­u­als have the right to access their per­son­al data and any such requests made to the Now and Then Media shall be dealt with in a time­ly manner.

Law­ful pur­pos­es 
All data processed by Now and Then Media must be done on one of the fol­low­ing law­ful bases: con­sent, con­tract, legal oblig­a­tion, vital inter­ests, pub­lic task or legit­i­mate inter­ests (see EDPB guid­ance for more infor­ma­tion).
Now and Then Media shall note the appro­pri­ate law­ful basis in the Reg­is­ter of Sys­tems.
Where con­sent is relied upon as a law­ful basis for pro­cess­ing data, evi­dence of opt-in con­sent shall be kept with the per­son­al data.
Where com­mu­ni­ca­tions are sent to indi­vid­u­als based on their con­sent, the option for the indi­vid­ual to revoke their con­sent should be clear­ly avail­able and sys­tems should be in place to ensure such revo­ca­tion is reflect­ed accu­rate­ly inNow and Then Medi­a’s systems.

Data min­imi­sa­tion
The Now and Then Media shall ensure that per­son­al data are ade­quate, rel­e­vant and lim­it­ed to what is nec­es­sary in rela­tion to the pur­pos­es for which they are processed.
This may include, but not be lim­it­ed to, Now and Then Medi­a­con­tact­ing indi­vid­u­als whose con­sent has been pre­vi­ous­ly obtained, to advise them of the abil­i­ty to revise and amend their per­son­al data, and the impor­tance thereof.

Accu­ra­cy
The Now and Then Media shall take rea­son­able steps to ensure per­son­al data is accu­rate.
Where nec­es­sary for the law­ful basis on which data is processed, steps shall be put in place to ensure that per­son­al data is kept up to date.
This may include, but not be lim­it­ed to, Now and Then Media con­tact­ing indi­vid­u­als whose con­sent has been pre­vi­ous­ly obtained, to advise them of the abil­i­ty to review and update their per­son­al data, and the impor­tance thereof.

Archiv­ing / removal
To ensure that per­son­al data is kept for no longer than nec­es­sary, Now and Then Media shall put in place an archiv­ing pol­i­cy for each area in which per­son­al data is processed and review this process annu­al­ly.
The archiv­ing pol­i­cy shall con­sid­er what data should/must be retained, for how long, and why.

Secu­ri­ty
Now and Then Media shall ensure that per­son­al data is stored secure­ly using mod­ern soft­ware that is kept-up-to-date.
Access to per­son­al data shall be lim­it­ed to per­son­nel who need access and appro­pri­ate secu­ri­ty should be in place to avoid unau­tho­rised shar­ing of infor­ma­tion.
When per­son­al data is delet­ed this should be done safe­ly such that the data is irrecov­er­able.
Appro­pri­ate back-up and dis­as­ter recov­ery solu­tions shall be in place.

Breach
In the event of a breach of secu­ri­ty lead­ing to the acci­den­tal or unlaw­ful destruc­tion, loss, alter­ation, unau­tho­rised dis­clo­sure of, or access to, per­son­al data, the Lim­er­ick Ear­ly Music Fes­ti­val shall prompt­ly assess the risk to people’s rights and free­doms and if appro­pri­ate report this breach to the Euro­pean Data Pro­tec­tion Board (more infor­ma­tion on the EDPB web­site: edpb.europa.eu).

END OF POLICY