Privacy Statement

Waverley Ensemble CIC

Registered company 10298965

Privacy Policy Statement

Waverley Ensemble is referred to as “WE” in this statement.

Email list

In brief, if you add your name to our email list we will:

  • send you typically 2-3 emails per concert informing you and reminding you about our concerts and occasionally about other concerts. They include an unsubscribe option.
  • hold your contact details securely and not pass them to third parties other than the data processors whom we use to provide our services
  • respect your right to remove your contact details and give you a link to do so in each email
  • allow you to see any information held and to correct any information.

Quick Summary

WE stores contact and payment information as an essential part of its operations and makes extensive use of QuickBooks On-line for these tasks. In particular it sends regular emails to members and other contacts about forthcoming concerts that are considered to be of interest and uses MailChimp for this task. WE complies with all the relevant legislation, and where there are judgements to be made has applied the principle of proportionality bearing in mind that WE is a small organisation with severely limited resources run by a few unpaid volunteers.

We aim to treat all our contacts in an open, respectful and courteous way and we will delete your personal information on request.

If you would like to know more, please read on.


We use personal data only in legal ways in accordance with our objectives which are:

“to carry out activities which benefit the community and in particular without limitation:

  • To perform Baroque concerts, operas and lesser known music at Christopher’s Church, in Haslemere, and
  • To hold an annual competition for string instrument players between the ages of 11 and 19.”


Data Controllers

Mrs Ishani Bhoola of Little Oak, Farnham Lane, Haslemere, GU27 1EU;

Reginald John Horrocks of Bethany, Chapel Lane, Pirbright, Surrey GU24 0JZ;

Data Processors

Third party services as indicated in this document.

Collection of Information

WE collects information on persons interested in concerts under:

Direct opt-in involving consent through the use of the MailChimp subscription form and this will be recorded through the normal MailChimp arrangements.

“Manually” by sending requests by email and these emails will be recorded.

“Manually” by signing forms for collecting emails and these forms will be stored.

In addition we add to our contacts list from time to time details of persons whom we have reason to believe will be interested in receiving information on concerts. We do this under the provisions of Article 6.1(f) in pursuit of our “legitimate interests” in benefitting the community.

Our contact list of some 700 persons has been built up over 5 years and although there is a very low rate of unsubscriptions, typically one per emailing, we have never had complaints from recipients. We consider that this shows that we are using the contact information in a helpful and responsible manner and that this confirms the willingness of the data subjects to receive the information that we send.

Information on Concerts

We send typically 2-3 emails per concert to our list of contacts using MailChimp to inform them about the concerts. Our emails contain links to enable the recipients to unsubscribe.

Legitimate interests assessment (LIA), Balancing exercise and Proportionality Considerations

We believe that our collection and use of contact information (primarily emails) conforms to the guidance from the ICO “Legitimate interest is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing”.

We have applied the ICO tests as follows:

1 – identify a legitimate interest

Our legitimate interest is benefitting the community through concerts and this is the purpose of contacting people.

2 – the processing is necessary to achieve it

The processing is primarily the collection, storage and responsible use of email addresses, as email is the most cost-effective way to inform people about concerts, and we collect emails only where we have some reason to believe that the subject is interested in music and concerts.

3 – balance it against the individual’s interests, rights and freedoms.

We hold contact information on some 700 contacts. WE is run solely by a handful of unpaid volunteers. Since we do not hold passwords, or especially sensitive information such as health, relating to our contacts we consider our use of personal data to be low risk.

We consider that sending information by email is not intrusive (whereas cold calling is intrusive) as emails can easily be deleted and we provide means to unsubscribe. We consider that the risks are more than outweighed by the benefits to the data subjects in terms of information about concerts.

We receive both email and verbal appreciations of information that we send out about concerts. Overall we consider our practices to be proportionate given the objectives of the GDPR and that we have obtained a good balance in our use of personal information.

Access to Information

We will be delighted to provide anyone with copies of the information that we hold about them. Requests should be sent to or call 01483 797807.

Disclosure and Erasure

WE does not disclose personal information to other persons or organisations except as follows:

  • Third party data processors MailChimp, QuickBooks On-line, PayPal, HSBC Bank as necessary for the use of their services by WE.
  • Information about future concerts sent out by email using MailChimp contains reference to this Policy Statement and an option for the recipient to unsubscribe, in which case their data will be handled using the MailChimp arrangements.

We will keep a record of all explicit requests for the deletion of personal information.

Correction and updating

WE will correct and update any information as soon as reasonably possible after being informed of the need to do so.

Personal Data Audit

Data Stored

WE holds the following personal data:

  • Some or all of name, address, email address, telephone number, and seating preference of persons interested in concerts.
  • Payment dates and amounts, any PayPal identifiers, name, address, email address and telephone number of people who have bought tickets or given donations.
  • Records including name, address, email address, telephone numbers and bank account name, account number, and sort code of performers who have played for WE or whom WE may invite to play including records of expected future fees.
  • Name, address, email address and telephone number of representatives of other music societies with whom WE may cooperate.

Except as indicated above WE does not store dates of birth, health or personal preference information. We do not issue or store passwords relating to our data subjects. We have not, and do not intend to, issue cookies ourselves but cookies may be used by the data processors that we use.

Means of storage

Personal data is stored:

  • On MailChimp for the purpose of sending emails, accessible only under password
  • On QuickBooks On-line, accessible only under password
  • On the hard drives of the data controllers and processors, accessible only under password
  • In the data systems of PayPal, and HSBC Bank as stored payees.

Where the above are third party organisations, WE does not have detailed information on where or how the data is held and the third party organisations are themselves responsible for meeting the relevant regulatory requirements.

Period of Storage

Contact information stored for the purpose of sending out information on concerts will be stored as long as WE continues, or as long as it appears to be useful, or until the data subject requests its erasure, whichever is the shorter.

Backups and Deletions

In order to protect the integrity of our stored data, we make periodic back-ups and we retain sets of backed up data in case the data is corrupted by a virus that lies dormant for months or years before spreading. Such a virus would cause us to go back over many back-ups to find uncorrupted data. In practice back-ups are hardly ever used but are a wise precaution. Data held on-line by the third party data processors will also probably be held as many separate successive backups.

When we receive a request for erasure, it will not be practicable for us to go through all the back-ups erasing data but we will erase the data from the current record and record the erasure so that if we need to use backed up data we can erase the relevant items from the backed up data when we start to use it.


If you have any concerns about the way in which we process personal information, please address your concerns to our data controllers:

  • Reginald John Horrocks of Bethany, Chapel Lane, Pirbright, Surrey GU24 0JZ;
  • Mrs Ishani Bhoola of Little Oak, Farnham Lane, Haslemere, GU27 1EU

And they will do their best to resolve your concerns.

You are also entitled to make a complaint to the Office of the Information Commissioner, see