Updated: October 2025

1. Introduction

This Privacy Policy outlines how the Cross Border Orchestra of Ireland (CBOI) collects, uses, stores, and protects personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Data Protection Acts 1988–2018 (as amended).

CBOI is committed to protecting the privacy and rights of all individuals whose personal data we process. This policy applies to personal data held by CBOI and covers all of our activities and programmes, including Peace Proms, Count Us In, and related educational or performance projects.

This policy applies to:
– All CBOI staff (full-time, part-time, temporary, freelance, and self-employed individuals such as tutors and conductors).
– Members of the Board of Management.
– CBOI Members and their Parents/Guardians.
– Volunteers and contractors.
– Choir Members, Teachers, and Principals participating in CBOI projects such as Peace Proms.

CBOI operates a “Privacy by Design and by Default” approach, meaning that data protection is embedded into all our planning, operations, and systems.

We regularly review our practices to:
1. Enable individuals to access their data easily.
2. Ensure data is held securely.
3. Maintain clear documentation of our data handling procedures.
4. Demonstrate accountability and compliance with Irish and EU data protection law.

2. Data Protection Principles

As Data Controller, the CBOI Board of Management ensures that all processing of personal data complies with the seven key principles of GDPR.

Lawfulness, Fairness, and Transparency:
Data is obtained and processed fairly and transparently, with individuals informed about how their data will be used.

Consent:
Where consent is required (for example, for photography, video recording, or communications), it must be freely given, specific, informed, and unambiguous. Consent can be withdrawn at any time without penalty.

Purpose Limitation:
Personal data is collected for specified, explicit, and legitimate purposes and will not be used for incompatible purposes.

Data Minimisation:
Only data that is adequate, relevant, and limited to what is necessary for CBOI’s work is collected and processed.

Accuracy:
CBOI ensures that all data is accurate and kept up to date.

Storage Limitation:
Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

Integrity and Confidentiality:
Data is stored securely, both physically and digitally.

Accountability:
CBOI maintains full responsibility for demonstrating compliance with all data protection principles.

3. Rights of Data Subjects

Individuals have the following rights under Irish and EU data protection law:
– Right of Access
– Right to Rectification
– Right to Erasure (“Right to be Forgotten”)
– Right to Restrict Processing
– Right to Data Portability
– Right to Object
– Rights in relation to Automated Decision-Making and Profiling

Requests may be made in writing to the Data Protection Officer (DPO) at privacy@cboi.ie.
CBOI will respond within one month of receipt of a valid request.

4. Data Breach Management

In the event of a personal data breach, CBOI will:
– Assess and document the breach immediately.
– Notify the Data Protection Commission (DPC) within 72 hours if there is a risk to individuals’ rights or freedoms.
– Inform affected individuals without undue delay if the breach poses a high risk.

5. Data Sharing and Third-Party Processing

CBOI will not share personal data with third parties except where required by law, or where necessary to fulfil contractual obligations (e.g., venue operators, ticketing agents, or contracted service providers).

Any third party acting on behalf of CBOI is bound by a Data Processing Agreement that meets the requirements of Article 28 GDPR.

6. Data Protection Scope

This policy applies to all data processed by CBOI, including data relating to staff, volunteers, members, choir participants, school staff, and any individuals who interact with CBOI in a professional, educational, or artistic capacity.

7. International Data Transfers

CBOI does not routinely transfer personal data outside the European Economic Area (EEA). Any such transfers are made only where adequate safeguards or Standard Contractual Clauses (SCCs) are in place.

8. Website and Digital Communications

CBOI’s website may collect limited personal data via forms (e.g., newsletter sign-up, event registration). Cookies are used only where necessary for website functionality and analytics. All electronic marketing communications are opt-in only.

9. Ticket Purchases and Event Attendance Information

When individuals purchase tickets for CBOI concerts or events, CBOI and its authorised ticketing partners (such as Ticketmaster or TicketTailor) collect the following personal data:
– Name and contact details (email, phone, postal address)
– Payment details (processed securely by the ticketing provider)
– Ticket purchase history
– Accessibility requirements (where provided)

How this data is used:
– To process ticket purchases and issue confirmations
– To communicate essential event information
– To manage audience safety and compliance with venue regulations
– To analyse attendance and improve future events
– To send event updates or related news where consent has been given

CBOI does not directly store or process payment information.
Ticketing partners act as Data Processors and handle payments securely under PCI-DSS standards.

10. Policy Review

This Privacy Policy will be reviewed regularly (at least every two years) or sooner if required by legislative or operational changes. Updated versions will be published on the CBOI website and circulated to relevant staff and partners.

11. Contact Information

Data Protection Officer (DPO)
Cross Border Orchestra of Ireland
Email: privacy@cboi.ie
Website: www.cboi.ie