Privacy Policy

Privacy Policy

This page sets out the details of Hijinx Theatre’s (“Hijinx”) privacy notice in relation to information collected about you. Hijinx is committed to protecting your privacy, we will use the information we collect about you in accordance with the Privacy and Electronic Communications Regulations 2003, , and, from May 2018, the General Data Protection Regulation (GDPR) and Data Protection Act 2018. This policy may change from time to time so please check it periodically. This update is current as from October 2021.

1. Who we are

Our website address is:

Hijinx is an arts organisation and registered charity – we make theatre and films; train learning disabled and/or autistic actors; work with communities and provide training to businesses. We receive core funding from the Arts Council of Wales (ACW) and generate additional income from a combination of ticket sales, training fees, commercial partnerships, trusts and foundations, grant-giving bodes, individual donations and other trading activities.

Hijinx is a charity registered in England and Wales, number 1078358, and a company registered in England and Wales, number 2161783.

Hijinx is responsible for the personal data you supply us. In data protection law, this is called being the data controller. This means we decide how to collect and use your data and are responsible for ensuring that your data is kept safely and used lawfully, fairly and in a transparent manner. Your data is processed for the purposes of Hijinx’s legitimate interests in operating its business and, in particular, to let you know about our activities.

If you have any queries regarding this policy please get in touch, our contact details are:

Address: Hijinx Theatre, Wales Millennium Centre, Cardiff Bay, CF10 5AL


Phone: 02920 300331


Data Protection Contact: Sarah Horner, Chief Executive

2. What personal data we collect and why we collect it

To comply with our contractual and legal obligations, and in the legitimate interest of our business, we process personal data from employees, workers, participants, volunteers and applicants.This includes data deemed sensitive which may fall under ‘special categories’ of data as defined under the GDPR.  ‘Personal data’ refers to any information about you.  Processing of personal data refers to collection, retention, use, access and disclosure as required, up to and including the destruction of data.  Hijinx will process data in accordance with the GDPR and Data Protection Act (2018) and will refer regularly to updated guidance from the Information Commissioners Office.

You give us your information when you:

  • book to attend one of our events
  • update your contact preferences
  • apply for, or accept a job with us
  • accept a freelance contract of work with us
  • volunteer
  • join one of our training courses
  • complete a survey
  • communicate with us via post, email and social media.

We also keep your details when you sign up to receive emails from us.

When we ask you to provide your personal information, we will let you know why we are asking, and how we will use your data, by directing you towards this notice.

The personal information that we collect can include:

  • Names, title, date of birth and gender
  • Information about race, ethnicity, and sexual orientation (you have the right to decline to provide us with this information)
  • Contact details including postal address, e-mail, phone numbers and links to social media accounts
  • Employment history, references, qualifications
  • Copies of documentation for proof of right to work
  • Details of any qualification or safeguarding checks we are legally required to carry out
  • Access requirements (for example if you require wheelchair access, audio description, BSL interpretation, or any other access requirement) and whether you have a disability defined by the Equality Act 2010
  • Welsh language preferences
  • Details of visits to our website including traffic data, location data, operating system, browser usage, and the resources that you access
  • Image and likeness (as captured in photographs and videos we use for promotional purposes (note: we may seek specific consent for prominent or impactful uses, but typically not for group shots, background inclusion or internal use)
  • Data concerning health
  • Other background personal information you provide to us (for example when you apply for a job, tell us your story, provide a reason for making a donation or correspond with us)

We may also process your personal data (including sensitive personal data) where:

  • It is necessary for medical purposes (for example, in a medical emergency)
  • It is necessary to protect your or another person’s vital interests
  • It is necessary to protect public health or in the substantial public interest
  • It is necessary for the delivery of a contract
  • It is necessary in order to comply with employment, social security, or social protection law
  • It is necessary to enable us to pursue our legitimate interest
  • We have your consent to do so (or explicit consent in the case of special category data)
  • We have your consent to do so (for example, to monitor the diversity of Hijinx’s audiences and participants, or in relation to a training programme).

We will also ask for your consent to provide you with information about products and services and fundraising activities which may be of interest to you (apart from where it is appropriate for us to rely on our legitimate interests to do so).

For volunteers and job applicants we collect the minimum amount of personal data required to contact you, to enable us to make informed decisions about your volunteering or working for us, to protect our legitimate interests and to meet our legal obligations.

The Charity processes this data based on explicit consent from our applicants and for the purposes of legal obligations placed on us.  The Charity has a legal obligation to check all applicants have proof of right to work in the UK prior to employing them.

3. How we use your data 

We process your data for certain legitimate business purposes in order to provide you with the best experiences and most relevant information.

We will not supply your details to third party organisations to allow them to contact you with marketing information unless you have given us specific permission to do so.


The Personal Information you supply to us when you opt in to marketing communications will be used by Hijinx to keep you up to date with events and activities organised by, and news and information from, Hijinx.

We may use your information to send you promotional and marketing information by electronic means. These types of communications can include:

  • promotional material for our performances
  • informing you of other products, services or events related to Hijinx, such as performances, film screening and events
  • news and updates from Hijinx
  • surveys for market research purposes
  • to carry out our obligations arising from any contracts entered into between you and us
  • to provide aggregate information about our users to stakeholders (but not to advertisers)

Each e-mail we send you offers you the opportunity to unsubscribe from these preferences, or you can ask us to do this by e-mailing


We collect personal data for applicants via post, email and social media.

We anonymise applicants prior to shortlisting by utilising an external HR consultant to remove bias from the recruitment process and ensure our commitment to diversity and inclusion is met to the best of our ability.  The HR consultant adheres to all Data Protection principles of the Charity.

If an Applicant fails to supply data that the Charity has a legal obligation to collect and process, then we will not be able to proceed with the application.

Hijinx will process special categories of data according to our Data Protection Policy.  Special categories of data are given extra protection and will only be used for applicants based on consent and separately where a legal obligation exists for the Charity. The GDPR defines special categories of data as data which may pose risks to an individuals’ fundamental rights and freedoms.   Examples of special categories of data include but are not limited to; race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sexual orientation.

You have the right to obtain from us an electronic or paper copy of all Personal Information concerning yourself, or to speak to a Hijinx representative on any matter, by e-mailing or writing to Hijinx, Wales Millennium Centre, Cardiff, CF10 5AL

If you would like to revise the information provided to us at any time or feel what we currently have on record is incorrect, you may update the information by emailing the address above.

If you decide not to use our services any further or to instruct us to cease using your Personal Information as contemplated in this Policy, and notify us either in writing or by email as mentioned above, we shall destroy any retained Personal Information.

From time to time we may ask you for further information in order to update our records or for particular purposes. We will always tell you how we will use any further information received from you.

4. How we keep your information secure 

We have implemented security procedures and technical measures to protect the personal data that we have under our control from:

  • unauthorised access
  • improper use or disclosure
  • unauthorised modification

Your personal data will be held and processed on Hijinx’s systems or systems managed by suppliers on behalf of Hijinx. We always seek to hold your data securely and with all data processing, consideration will be given to the safest method of processing the data before processing begins.

Access to customer information is strictly controlled. Our systems can only be accessed by people who need it to do their job. Certain data, for example sensitive information, is additionally controlled and is only made visible to members of staff who have a reason to work with it. Hard copes of data are secured by lock and key and electronic data by password protection and encryption where appropriate.

Personal data may also be held on Cloud based IT devices, which means that personal data may be transferred outside of the EU. Where this is the case, the Cloud based IT device has confirmed that it has appropriate safeguards in place.). We will take all reasonable steps to ensure that your privacy rights continue to be protected as outlined in the privacy policy.

We will keep your information only for as long as is reasonably necessary for the purposes set out in this privacy policy and to fulfil our legal obligations.  We will not keep more information than we need.  The retention period will vary according to the purpose. Some information may be retained indefinitely for historical, statistical or research purposes.

We retain job applicant data for 3 months after the conclusion of the interview process. If we have not had meaningful contact with you within a period of 3 months, we will delete your personal data from our systems unless we believe in good faith that legal obligation requires us to preserve it (for example, in connection with any anticipated legal action).

However, you have the right to require us to erase personal data.

5. Third Parties 

We may need to disclose your details to third parties in the following circumstances:

  • To comply with any legal obligation to do so. This includes the police and other crime protection and detection agencies or regulatory bodies
  • For the purposes of regulatory or inspection compliance, for example, to the Charity Commission
  • To report to funding bodies, particularly Arts Council of Wales, who may use anonymised personal information to analyse our work
  • Data processing services acting in accordance with our instructions, and subject to confidentiality obligations
  • If we run an event in partnership with another named organisation so that they can help us run the event
  • To our legal advisors

We collect and store data through the following third party systems and platforms:

  • MailChimp – we use Mailchimp to send marketing emails and to enable people to sign up to receive information from us via email on our website – MailChimp maintain our email list for this purpose
  • Salesforce – our customer relationship management (CRM) system
  • Smartsurvey and Google Forms to generate surveys
  • Eventbrite – for people to book for workshops or activities
  • Paypal – to process donations made on our website
  • A range of other systems may also be used

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

We do not sell personal details to third parties for any purpose nor will we share your personal data with any other organisations or promoters that have not been named in our privacy policy for their own marketing communications.

We may also receive information from external sources, which enables us to gain a better understanding of our audiences, visitors, and supporters and to improve our fundraising and marketing methods.

Pages on the Hijinx website include links to relevant content, including venue websites, for the purpose of purchasing tickets. Each of these websites has its own privacy notice, and this privacy notice does not apply to these websites.

6. Cookies

Cookies are small pieces of information that are stored by your browser on your computer’s hard drive. They make it possible for us to track visitor statistics, such as returning visitors.

This website uses the following non-essential cookies:

Google Analytics cookies

These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. You can go to to find out more about Google Analytics cookies and how to opt-out of them.

Cookies used by Twitter and Facebook

These cookies provide information on visitors to Twitter and Facebook, check whether users are logged in to either platform and set application cookies for Twitter and Facebook. If you’d like to change your settings, please visit your account pages on these platforms.

7. Social Media

We use social media to broadcast messages and updates about events and news.  On occasion we may reply to comments or questions you make to us on social media platforms.  You may also see adverts from us on social media that are tailored to your interests.  See point 6. Cookies for further information.

Depending on your settings and the privacy policies used by social media and messaging services like Facebook, LinkedIn, Twitter or Instagram, we may receive non-personally identifying demographic or analytical information from these services that enable us to better understand the reach and effectiveness of our advertising.

8. What rights you have over your data

Data protection law gives you certain rights in relation to your data, including a right to ask us for access to your data, to correct or erase it, to restrict our processing of it, and to object to us processing it. For further details of these rights (some of which are not automatic and apply only in certain circumstances) see

Under data protection law, you have rights including:

  • Your right of access – You have the right to ask us for copies of your personal information.
  • Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
  • Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
  • You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at or by writing to Hijinx, Wales Millennium Centre, Cardiff, CF10 5AL if you wish to make a request.

How to complain

If you are not satisfied with our response, you can also complain to the ICO if you are unhappy with how we have processed your data.

The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Helpline number: 0303 123 1113