GDPR and Data Protection Policy


Chatterbox Media Limited (“Chatterbox”, “Company”) includes any individual subsidiary companies of Chatterbox Media Limited.

 

This policy applies to all employees; permanent staff and freelancers, production crew, and extends to our choice of contractors, subcontractors, consultants, business partners and any other parties associated with or hired by us. 

 

This policy also applies to people who are applicants, participants, contributors, performers, presenters and audience members (“Contributor(s)”) who may be featured in programmes or projects that Chatterbox intends to produce (“Programme(s)”).

 

Aim and scope of policy

This policy applies to the processing of personal data in manual and electronic records kept by the Company in connection with its human resources function as described below. It also covers the Company’s response to any data breach and other rights under the General Data Protection Regulation and current Data Protection Act.

 

This policy applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, workers and self-employed contractors. These are referred to in this policy as Relevant Individuals.

 

Chatterbox will also collect, use and process certain personal information relating to Contributors for purposes connected with their contribution to the Programme and any participant agreement or contract that Chatterbox may in the future enter into with Contributors (“Contract”) including managing, administering and complying with the Contract; assessing Contributor’s suitability for participation in the Programme; filming Contributor’s contribution to the Programme and elements of it; producing, broadcasting, distributing, publicizing and commercializing the Programme; communicating with Contributors about their contribution to the Programme; contacting Contributors about other Chatterbox shows, products, projects, services and casting and complying with legal and regulatory obligations.  If Contributors do not provide Chatterbox with information necessary for the purposes of the Contract, Chatterbox may not be able to fulfil its obligations under the Contract and Contributors may not be able to participate in the Programme.

 

“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data. 

 

“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).

 

“Criminal offence data” is data which relates to an individual’s criminal convictions and offences.

 

“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Where third parties process data on behalf of the Company, the Company will ensure that the third party takes such measures in order to maintain the Company’s commitment to protecting data. In line with current data protection legislation, the Company understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.

 

Personal data, which may be held on paper, a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act 2018 (the Act) and other regulations as updated and extended by the General Data Protection Regulation ((EU)2016/679) (GDPR) and other applicable regulations and legislation (together Data Protection Laws). 

 

Types of data held

Personal data is kept in Chatterbox’s files. The following types of data may be held by the Company, as appropriate, on Contributors and Relevant Individuals as applicable:

 

  • name, social media usernames, address, phone numbers – for individual and next of kin 
  • nationality, date of birth
  • footage, recordings (including audio) and/or photographs of Contributors
  • information about Contributor’s interests, opinions, personality, previous appearances on television, family, life, job and general knowledge (to help Chatterbox decide whether Contributor is a suitable contributor for the Programme and decide whether or not to enter into the Contract with Contributor)
  • Contributor’s bank account details (in order to pay any sums due to Contributor), Contributor’s tax status
  • CVs and other information gathered during recruitment 
  • references from former employers 
  • National Insurance numbers and any applicable pension details (this information may only be collected if Chatterbox engages Contributor’s services)
  • a copy of Contributor’s passport (to fulfil Chatterbox’s legal obligation to check that Contributor has the right to work in the UK) and in connection with any visa, certificate or sponsorship or any other permit Chatterbox is required to obtain where applicable (“Permits”)
  • job title, job descriptions and pay grades 
  • conduct issues such as letters of concern, disciplinary proceedings
  • holiday records 
  • internal performance information
  • medical or health information (to obtain and administer insurance, to arrange and administer any medical treatment Contributor may require and to assess Contributor’s suitability to take part and continue to take part in the Programme)
  • Contributor’s ethnicity for diversity monitoring
  • any disability Contributor may have informed Chatterbox about in the application process or otherwise (to meet Chatterbox’s legal and regulatory obligations)
  • sickness absence records
  • tax codes 
  • terms and conditions of employment
  • information about any criminal background (for Chatterbox to meet its legal and regulatory obligations to safeguard the welfare of Contributor, the other participants, contributors and audience members, Chatterbox’s employees and freelancers, to assess Contributor’s suitability to take part in the Programme and to assess the need for and (if required) to obtain Permits)
  • information about Contributor that is relevant for inclusion in publicity material
  • any information Contributor provides as part of the filming and recording of the Programme including personal information relating to Contributor’s ethnicity, political opinions or religious belief, trade union membership, physical or mental health, sexual orientation, genetic and biometric data
  • training details. 

 

Chatterbox will obtain most of Contributor’s personal information directly from the Contributor, those authorized by Contributor or their representatives (if any).  Chatterbox may also collect information about Contributors from third parties (e.g. footage of others discussing Contributors), from public sources (such as social media), industry contacts and public opinion through surveys and market research.  Chatterbox may also conduct background checks to verify personal information about Contributors.  These checks could include checks of information that is publicly available online, including information Contributors have made public via social media and checks obtained lawfully from third parties engaged by Chatterbox for verification purposes such as data intelligence services and any organization authorized to provide basic criminal history checks.  Contributors may also be asked to provide Chatterbox with documentation to verify personal information provided by them.

 

Relevant Individuals should refer to the Company’s privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for the processing and data retention periods. 

 

Chatterbox’s legal grounds for processing Contributors’ data

 

Personal Data

Our legal grounds for collecting and processing Contributor’s personal information are that it is necessary:

 

  • for the performance of the Contract (or to take steps to decide whether or not to enter into the Contract with Contributor); and/or
  • to pursue Chatterbox’s legitimate interests (for example to fulfil contractual obligations to Contributor, the Programme broadcaster and others), where those interests are not overridden by your rights and freedoms.

 

In addition Chatterbox will also use Contributors’ data where necessary to fulfil its legal and regulatory obligations.

 

There may also be situations over the course of the Programme where it is necessary to use Contributors’ data to protect Contributors’ vital interests or the vital interests of another individual.

Contributors’ special category data

Chatterbox will use Contributors’ special category data or criminal background data where necessary for one of the above grounds and where one of the following applies:

 

  • Chatterbox needs to fulfil its legal and regulatory obligations and exercise its rights including those (where applicable) as an employer (for example, for the health and safety of Chatterbox’s programme contributors, staff and others)
  • Contributor has provided explicit consent
  • Chatterbox needs to protect Contributor’s vital interests or the vital interests of another individual, where Contributor is not capable of giving consent
  • Contributor has manifestly made the information public (including where Contributor does so when participating in the Programme)
  • for reasons of substantial public interest based on the law (for example, where necessary for Chatterbox’s health and safety obligations or for the purposes of Ofcom’s functions or for insurance purposes)
  • where necessary for Contributor to receive medical treatment from a registered medical professional

 

Special Purposes

The GDPR and the Act require Chatterbox to use Contributors’ data within the legal framework explained in this policy and in accordance with Contributors’ rights under the GDPR.  However, the GDPR and the Act contain an exemption which allows Chatterbox and the Programme broadcaster not to apply aspects of this legal framework and Contributors’ rights if they are not compatible with the artistic purposes of the Programme and there is a public interest in broadcasting the Programme.  This exemption is known as the “Special Purposes” exemption.  Consequently, please be aware that aspects of the legal framework explained in this policy and Contributors’ rights under the GDPR may not apply where they are not compatible with the Special Purpose.

 

Data protection principles

All personal data obtained and held by the Company will:

 

  • be processed fairly, lawfully and in a transparent manner
  • be collected for specific, explicit, and legitimate purposes
  • be adequate, relevant and limited to what is necessary for the purposes of processing
  • be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
  • not be kept for longer than is necessary for its given purpose
  • be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
  • comply with the relevant data protection procedures for international transferring of personal data.

 

In addition, personal data will be processed in recognition of an individual’s data protection rights, as follows:

 

  • the right to be informed
  • the right of access
  • the right for any inaccuracies to be corrected (rectification)
  • the right to have information deleted (erasure)
  • the right to restrict the processing of the data 
  • the right to portability
  • the right to object to the inclusion of any information 
  • the right to regulate any automated decision-making and profiling of personal data.

 

Procedures

The Company has taken the following steps to protect the personal data of Relevant Individuals and Contributors, which it holds or to which it has access:

 

  • it appoints or employs employees with specific responsibilities for:
  1. the processing and controlling of data 
  2. the comprehensive reviewing and auditing of its data protection systems and procedures 
  3. overviewing the effectiveness and integrity of all the data that must be protected.

There are clear lines of responsibility and accountability for these different roles.

 

  • it provides information to its employees on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions Relevant Individuals and Contributors can take if they think that their data has been compromised in any way 
  • it provides its employees with information and training to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially
  • it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
  • it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by the Company
  • it recognises the importance of having a lawful basis for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. The Company understands that explicit consent for processing of special category data must be freely given, specific, informed and unambiguous. The Company will seek consent on a specific and individual basis in line with this policy where appropriate. Relevant Individuals and Contributors have the absolute and unimpeded right to withdraw that consent at any time
  • it has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report significant breaches that cause significant harm to the affected individuals to the Information Commissioner, and is aware of the possible consequences

  • it is aware of the implications of international transfers of personal data.

 

Access to data

Relevant Individuals and Contributors have a right to be informed whether the Company processes personal data relating to them and to access the data that the Company holds about them. Requests for access to this data will be dealt with under the following summary guidelines:

 

  • the Company will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request
  • the Company will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.

 

Relevant Individuals and Contributors must inform the Company immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Company will take immediate steps to rectify the information. 

 

Sharing Contributors data

Chatterbox may share Contributor’s data with other personnel from the company on a need-to-know basis (such as HR, IT, Legal and Finance), legal and regulatory authorities, insurers, Chatterbox’s professional advisors and other third parties such as broadcasters and distributors of the Programme, payment management providers, unions and industry representative bodies.  Contributors’ personal information will be broadcast to the public to the extent it is included in the Programme.

 

Where Contributor is represented by a third party, Chatterbox will also share personal data with that Contributor’s agent or representative in order to meet the purposes set out in this policy.

 

Data disclosures

The Company may be required to disclose certain data/information to any person. The circumstances leading to such disclosures include: 

 

  • any employee benefits operated by third parties 
  • disabled individuals – whether any reasonable adjustments are required to assist them at work
  • individuals’ health data – to comply with health and safety or occupational health obligations towards the employee 
  • for Statutory Sick Pay purposes 
  • HR management and administration – to consider how an individual’s health affects his or her ability to do their job 
  • the operation of any employee insurance policies or pension plans.

 

These kinds of disclosures will only be made when strictly necessary for the purpose. 

 

In addition, employees must:

 

  • ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them
  • ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people
  • refrain from sending emails containing sensitive work related information to their personal email address
  • check regularly on the accuracy of data being entered into computers
  • always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them
  • use computer screen blanking to ensure that personal data is not left on screen when not in use.

 

Personal data relating to employees should not be kept or transported on laptops, USB sticks, or similar devices, unless authorised by Senior Management. Where personal data is recorded on any such device it should be protected by: 

 

  • ensuring that data is recorded on such devices only where absolutely necessary
  • using an encrypted system — a folder should be created to store the files that need extra protection and all files created or moved to this folder should be automatically encrypted
  • ensuring that laptops or USB drives are not left lying around where they can be stolen.

 

Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.

 

International data transfers

The Company may transfer any personal data we hold to a country outside the European Economic Area (EEA), provided that one of the following conditions applies: 

 

  • the country to which the personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms;
  • the data subject has given his consent;
  • the transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject; 
  • the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; 
  • the transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights. 

 

Personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Those staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.

 

Breach notification

Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of the Company becoming aware of it and may be reported in more than one instalment. 

 

Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.

 

If the breach is sufficient to warrant notification to the public, the Company will do so without undue delay.

 

Training

New employees must read and understand the policies on data protection as part of their induction. 

 

The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under data protection legislation.

 

All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of the Company’s policies and procedures.

 

Records

The Company keeps records of its processing activities including the purpose for the processing and retention periods in its HR data record. These records will be kept up to date so that they reflect current processing activities.

 

Data Protection Officer

The Company’s Data Protection Officer is Hannah Beatty.  She can be contacted at hannah.b@chatterbox.media