We are Aberdeen Science Centre and this Privacy and Cookies Policy provides detailed information as to when and why we will collect and use your personal data, our legal basis for doing so and how we keep your data secure.

Looking after the personal data you share with us is an important part of our service, so please do take the time to read our Privacy Policy which explains:

• The data we collect
• How we will use the data
• Where we collect your data from
• How long we retain your data
• Our legal basis for processing your personal data
• Digital services
• Securing your data
• In what situations we may disclose your details to third parties
• Other processing activities by ASC
• Your rights and how you can see, update or delete your personal data

Introduction
Aberdeen Science Centre (ASC), previously known as Satrosphere until 2016, has been an important education resource in the North East for nearly 30 years. Established in 1988, Satrosphere was the first science Centre in Scotland and its ethos of interactive science discovery is still a cornerstone of everything we do today.

ASC is both well known and loved by local communities in Aberdeen City and Shire, hosting frequent visits from education groups from nurseries, school groups and teachers. The Centre is also open to the public to enjoy the interactive exhibits, the inspiring activities and the array of educational and topical science events for all ages, abilities and backgrounds.

As a registered charity, sponsorship and donations are essential to enable ASC to operate and maintain our facilities, while continuing to have the necessary resources to deliver the wide range of innovative and dynamic STEM programs we offer.

Controller
Aberdeen Science Centre is a registered Scottish Charity, charity no: SC014922 and as the Data Controller, responsible for your personal data.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact ASC at dpo@asc.scot or write to us at:

179 Constitution St,
Aberdeen
AB24 5TU

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

What information do we collect and what do we use it for?
In order for ASC to provide you with a high quality visitor experience, we need to collect personal data for the services we provide, such as visitor admissions, donations, Gift Aid and membership, or to provide you with information for special events taking place at ASC.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth and gender
• Contact Data includes address, email address and telephone numbers
• Financial Data includes bank account and payment card details
• Transaction Data includes details about payments to and from you including your postcode and other details of products and services you have purchased from us.  This is usually through the Electronic Point of Sale (EPOS).
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
• Enquiry Data includes data you provided us with when you contact ASC for customer service assistance (by any means of communication including written communications, via our website, telephone, email, or our social media channels) or when you visit us, attend special events here at the Centre or participate in one of our surveys, we may record all customer service communications and keep information about the particular communication, including your name, the relevant product(s) or services, the reason why you contacted us, and the advice we gave you so we can track the resolution of any customer service issues and for customer service training purposes.
• Usage Data includes information about how you use our website, products and services, as well as the frequency and pattern of your service use.
• Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences

We will use your data:

•  When you contact us to book activities over the telephone or by email
• When you book activities in person at the Centre
• To process payments for our products and services
• When you enter into a competition operated by us or one of our partners
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
• Where we need to comply with a legal or regulatory obligation
• Where we need to perform the contract, we are about to enter into or have entered into with you
• Keep a record of your relationship with us
• Ensure we know how you prefer to be contacted
• Understand how we can improve our services or information
• To keep you updated on our products and services

Where do we collect your information from?

We collect your personal information through a number of different sources:

• Via our website forms including CLPL enquiries and bookings
• Ticket transactions made by phone or in person
• Donating or opting to Gift Aid
• Paper forms including contact forms, applications (STEM Passport), visitor books etc.
• When you give consent to receiving marketing (Mailchimp)

Digital Service

Website
ASC uses a third-party supplier (data processor) to maintain and host our website. Full due diligence has been carried out with robust contractual and service level agreements in place.  Our processor takes a proactive approach to privacy and ensures the necessary steps
are taken to protect the privacy and security of user’s data throughout their online visiting experience.

Tracking
This website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computer’s hard drive in order to track and monitor your
engagement and usage of the website, but will not store, save or collect personal information. You can read Google’s privacy policy here for further information:

https://www.google.com/privacy.html service to you. We do not link information automatically logged by such means with personal data about
specific individuals.

To opt out of being tracked by Google Analytics across all websites, visit https://tools.google.com/dlpage/gaoptout.

Social Media
Our website contains social media features such as Facebook, Twitter, Instagram and LinkedIn that have their own privacy notices. Please make sure you read their terms and conditions and privacy notice carefully before providing any personal data as we do not accept any responsibility or liability for these features.

eNewsletters | Marketing
We will send you marketing emails and newsletters to keep you updated on our products and services.  When you book or register with us we will ask if you would like to receive marketing communications. You can change your marketing preferences online, over the phone, using the ‘unsubscribe’ link in our marketing emails at any time.

A)    For business customers, our lawful basis is legitimate interest as it’s necessary to inform business customers and stakeholders about our products/services to enhance their business offering and ours.  Your information will be securely destroyed 3 years after your last interaction with ASC

B)     For STEM passport holders and CLPL, our lawful basis is legal obligation as we need to process your personal data so that we can manage your account or booking, your membership including the PVG scheme (Disclosure Scotland) and provide you with the necessary training and support pertaining to your relationship with ASC.   Your information will be securely destroyed 3 years after your last interaction with ASC.  PVG data is not held by ASC.

C)     For consumers, our lawful basis is consent and will be securely destroyed 1 month after consent is withdrawn.

ASC use third party eNewsletter software, Mailchimp to manage subscriptions and as a delivery mechanism. Their privacy policy is monitored by TRUSTe, and have certified their compliance with the EU-U.S./Swiss-U.S. Privacy Shield Frameworks. For further information, please view Mailchimp’s Privacy Policy.

Surveys
For some events and visits we may ask you to complete visitor surveys either online through Survey Monkey or in person where we record the data you provide on paper forms.  In most cases the data is anonymised will no personal data capture (so that it can no longer be associated with you).  Our lawful basis is legitimate interest and retained only where governed by law or specific business-sector requirements and agreed practices.

SurveyMonkey Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield.
SurveyMonkey is committed to subjecting all personal information and data received from European Union (EU) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov/ or visit (https://www.surveymonkey.co.uk/mp/legal/privacy-policy).

Filming and Photography
Filming and photography often take place at ASC for promotional and archival purposes. The photographs and recordings made are likely to appear on our website, social media channels and printed material.  If filming or photography is taking place on the day of your visit, large warning signs will be on display to inform you of such activity.

If you would prefer not to be photographed, please let the photographer know or a member of the ASC team as soon as possible.

For group visits such as nurseries and schools, film and photography consent must be sought and gained from ALL parties prior to the visit and
evidenced on arrival.  Should any parties from a group visit decline to give consent, unfortunately ASC will refrain from any filming/photography of the entire group to ensure compliance.

If you have any questions or seek further information, please contact dpo@asc.scot

Security
ASC has put in place appropriate safeguards (both in terms of our procedures and the technology we use) to keep your personal information as
secure as possible to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal data to those employees, volunteers, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

The security of your data also depends on you. For example, where we have given you or where you have chosen a password for access to certain services, you are responsible for keeping this password confidential.

• Using Secure Sockets Layer (SSL) encryption when collecting or transferring sensitive information, such as credit card details
• Limiting access to the information we collect about you (for instance, only those of our personnel who need your information to carry out
  our business activities are allowed access)
• Putting in place physical, electronic, and procedural safeguards in line with industry standards
• If you use your credit or debit card to purchase from us or to make a donation, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). You can find more information about this standard on the PCI-DSS website.

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (‘EEA’). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.

By submitting your personal data to ASC, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this policy. This is done in a number of different ways including:

The country we send the data to might be approved by the European Commission as being sufficiently secure;
The recipient is located in the United States and is a certified member of the approved EU-US Privacy Shield Scheme; or
The recipient company might have signed up to a contract obliging them to protect your information.

CCTV
ASC grounds and properties, internal and external, are monitored by CCTV systems. These systems are in place to protect the property from theft and vandalism and to protect the health and safety interests of our visitors. ASC does not use these systems for anything other than safeguarding the properties and for visitor safety.

ASC retains all recorded information for 5 days only, unless there is a specific reason to hold onto the footage for longer, for example a health and safety action or for criminal evidence. An individual has a right to access their own image by submitting a Subject Access Request but does not have the right to the images of other customers or visitors to ASC.

Police Scotland or the Scottish Courts may ask for a recording to be used as evidence. Police Scotland must request footage via the relevant release forms, and these will be approved and released by a member of ASC staff. Any enquires relating to CCTV footage must be directed to DPO@asc.scot

In what situations we may disclose your details to third parties
ASC will not share, sell or otherwise make available your personal information to third parties without your express prior permission.

We shall share your data with third parties who are performing services on our behalf (for example, where we use third party ticketing organisations), in order to comply with our legal obligations (for example fraud protection) or in order to enforce our rights, property or the safety of ASC, our visitors or others.

Data Processor activities by ASC
ASC acts as a ‘data processor’ as defined by the ICO in several contracts with other data controllers. Whenever a controller uses a processor, there needs to be a written contract in place. For avoidance of any doubt, ASC and the afore mentioned data controllers have put in place compliant contracts outlining both controller and processor obligations.

In addition to the Article 28.3 contractual obligations set out in the controller and processor contracts, ASC will adhere to our direct processor responsibilities and liabilities under the data protection legislation.

Your Rights
Under the GDPR and DP Act, you have rights as an individual which you can exercise in relation to the information we hold about you.

We commit to ensure that any data we process is correct and up to date. It is your obligation to make us aware of any changes to your personal information.

In some situations,you may have the;

• Right to be informed. This means that we must tell you how we use your data, and this is the purpose of this privacy notice.
• Right to request access. You have the right to access the data that we hold on you. To do so, you should make a subject access request.
• Right to request correction. If any data that we hold about you is incomplete or inaccurate, you are able to require us to correct it.
• Right to request erasure. If you would like us to stop processing your data, you have the right to ask us to delete it from our systems where you believe there is no reason for us to continue processing it.
• Right to object to the inclusion of any information. In situations where we are relying on a legitimate interest (or those of a third party) you have the right to object to the way we use your data where we are using it.
• Right to request the restriction of processing. You have the right to ask us to stop the processing of data of your personal information. We will stop processing the data (whilst still holding it) until we have ensured that the data is correct.
• Right to portability. You may transfer the data that we hold on you for your own purposes.
• Right to request the transfer. You have the right to request the transfer of your personal information to another party.

Individuals can find out if we hold any personal information by making a Subject Access Request.  More information can be found at https://ico.org.uk.

If we do hold information about you, we will:

•  Give you a description of it;
• Tell you why we are holding it;
• Tell how long we keep in for and the lawful basis for doing so;
• Tell you who it could be disclosed to; and
• Let you have a copy of the information in an a commonly used electronic format, unless the individual requests otherwise.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

We may retain your personal data for a longer period where such retention is necessary for compliance with a legal obligation to which we are subject (The Act of Limitation), or in order to protect your vital interests or the vital interests of another natural person, or in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Changes to our Notice
We may change the Policy at any time so please check it regularly on our website for any updates. If the changes are significant, we will provide a prominent notice on our website including, if we believe it is appropriate, electronic notification of Privacy Policy changes.

Please get in touch with us if you have any questions about any aspect of his Privacy Policy, and in particular if you would like to object to any
processing of your personal information that we carry out for our legitimate business interests, or to withdraw consent already given.

Last update: February 2019

Cookies

A cookie is a small file placed on your computer’s hard drive. It enables our website to identify your computer as you view different pages on our website.
Our website uses software provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computer’s hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information. You can read Google’s privacy policy here for further information:

https://www.google.com/privacy.html service to you.

We do not link information automatically logged by such means with personal data about specific individuals.

To opt out of being tracked by Google Analytics across all websites, visit https://tools.google.com/dlpage/gaoptout