GDPR and Data Protection Policy

1. Introduction

Stirling Murder LTD is committed to ensuring the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other relevant data protection legislation. This policy outlines how we collect, process, store, and protect personal data, ensuring full compliance with legal obligations and industry best practices.

2. Scope

This policy applies to all employees, contractors, volunteers, and any third parties who handle personal data on behalf of Stirling Murder LTD. It covers all personal data that we process, whether electronically or in paper form, and includes special categories of personal data where necessary.

3. Data Protection Principles

Stirling Murder LTD adheres to the following principles when processing personal data:

  • Lawfulness, Fairness, and Transparency – Personal data will be processed lawfully, fairly, and transparently.
  • Purpose Limitation – Data will only be collected for specified, explicit, and legitimate purposes.
  • Data Minimisation – Only necessary data will be collected and processed.
  • Accuracy – Personal data will be kept accurate and up to date.
  • Storage Limitation – Data will be retained only as long as necessary.
  • Integrity and Confidentiality – Appropriate security measures will be in place to prevent unauthorised access, loss, or damage.
  • Accountability – Stirling Murder LTD will take responsibility for demonstrating compliance with these principles.

4. Data Collection

Stirling Murder LTD collects personal data from:

  • Customers booking or attending murder mystery events.
  • Employees and volunteers.
  • Business contacts and suppliers.

Types of data collected may include names, contact details, payment information, event preferences, and any necessary special requirements (e.g., accessibility needs, dietary preferences).

Sensitive data, such as health-related information, will only be processed where necessary and with explicit consent.

5. Legal Basis for Processing

Stirling Murder LTD processes personal data under the following legal bases:

  • Contractual Obligation – To provide services (e.g., event bookings, employment contracts).
  • Legal Obligation – To comply with legal or regulatory requirements, such as tax laws and employment regulations.
  • Legitimate Interests – For business operations, such as marketing, fraud prevention, and service improvement (with appropriate safeguards).
  • Consent – When required, explicit consent will be obtained before processing personal data, particularly for marketing and special categories of personal data.

6. Data Sharing

Stirling Murder LTD will not sell, rent, or trade personal data. However, data may be shared with third-party service providers (e.g., ticketing platforms, payment processors, legal and financial advisors) where necessary.

All third parties must comply with GDPR and have appropriate security measures in place. Data will not be transferred outside the UK without ensuring adequate protection through mechanisms such as Standard Contractual Clauses (SCCs) or an adequacy decision.

7. Data Security

We implement robust security measures, including:

  • Encryption of sensitive data.
  • Secure storage of paper records with restricted access.
  • Password protection and two-factor authentication for digital records.
  • Secure destruction of physical documents.
  • Regular security audits and staff training on data protection.
  • Incident response plan for potential data breaches.

8. Data Retention

Personal data will be retained only for as long as necessary:

  • Customer data: Retained for 2 years after event participation, unless otherwise required for financial or legal obligations.
  • Employee and volunteer data: Retained for 6 years after termination of employment.
  • Financial records: Retained for 6 years in compliance with HMRC requirements.
  • CCTV or event footage (if applicable): Retained for 30 days, unless required for security investigations.

Data no longer required will be securely deleted or anonymised.

9. Rights of Data Subjects

Individuals have the following rights under GDPR:

  • Right to Access – Request access to personal data.
  • Right to Rectification – Request corrections to inaccurate data.
  • Right to Erasure (Right to be Forgotten) – Request deletion of personal data under certain conditions.
  • Right to Restrict Processing – Request processing limitations.
  • Right to Data Portability – Request data transfer in a structured, commonly used format.
  • Right to Object – Object to certain types of processing (e.g., direct marketing).
  • Right to Withdraw Consent – Withdraw consent for processing at any time, where consent is the lawful basis.
  • Right to Lodge a Complaint – Complain to the Information Commissioner’s Office (ICO) if they believe their data protection rights have been violated.

Requests can be made via email at info@stirlingmurder.co.uk. Requests will be processed within one month.

10. Data Breach Policy

In the event of a data breach:

  1. The Data Protection Officer (DPO), either Joshua Taylor-Williams or Callum Taylor-Williams, will assess the breach.
  2. If there is a risk to individuals’ rights and freedoms, affected individuals and the Information Commissioner’s Office (ICO) will be notified within 72 hours.
  3. Measures will be taken to mitigate risks and prevent recurrence, including forensic investigations and staff retraining where necessary.

11. Marketing Communications

Stirling Murder LTD may send marketing emails regarding upcoming events. Consent will be obtained before sending such communications. Individuals may opt out at any time via the unsubscribe link or by contacting us directly.

Marketing activities will be regularly reviewed to ensure compliance with GDPR, and records of consent will be maintained.

12. Responsibilities

  • Company Directors – Ensure compliance with GDPR policies and oversee data protection strategy.
  • Employees and Volunteers – Follow data protection guidelines and report any data breaches.
  • Data Protection Officer (DPO) – Joshua Taylor-Williams or Callum Taylor-Williams, responsible for monitoring compliance, handling data subject requests, and liaising with regulatory authorities.

Contact: info@stirlingmurder.co.uk

13. Policy Review

This policy will be reviewed annually or sooner if required due to legislative changes. Any updates will be communicated to all relevant parties.

Last Updated: 22.02.25