This website uses cookies. We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

Cookies are small text files that can be used by websites to make a user’s experience more efficient.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

Cookie Policy

Last Revised: 17th July 2024 

What are cookies?

How do we use cookies?

Manage cookie preferences

Cookie Settings

External Links & Embedded Content

Our website may contain links to enable you to visit other websites of interest easily, or include embedded content from other sites and services as part of news articles and pages. However, once you have used these links to leave our site or view such embedded content, you should note that we do not have any control over that other website, content or any cookies set by third parties. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and consider the privacy statement applicable to the website in question.

Supplier Fair Processing Notice

The General Data Protection Regulation (GDPR) protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element to this is the principle to process individuals’ data lawfully and fairly. In order to meet the fairness part of this we need to provide information on how we process personal data.

This Fair Processing Notice satisfies this element of legislation and is designed to highlight the areas of Data Protection which may be of particular concern to current and/or former Suppliers, and to help those people understand how information about them will be used. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office (ICO), the regulator for data protection in the UK.

If you are working for Metropolis London Music Ltd under a self-employed/freelance contract, Metropolis London Music Ltd may require and process your personal data in accordance with its Staff Fair Processing Notice.

More widely, Metropolis London Music Ltd is committed to meeting the entirety of its responsibilities to suppliers under the General Data Protection Regulation (GDPR) and related legislation taking these matters very seriously. We will always ensure personal data is collected, handled, stored, shared, retained and disposed of in a secure manner.

For the purpose of your data protection, Metropolis London Music Ltd is the recognised ‘controller’ of your data. We make a Data Protection Officer available to you, who can be contacted about any of the content held herein via:

Postal Address:

Data Protection Officer
Metropolis London Music Ltd
The Powerhouse
70 Chiswick High Road
London
W4 1SY
United Kingdom
Telephone: +44 (0) 208 742 1111
Email: dpaofficer@thisismetropolis.com

The legal basis by which we will process and may have already processed data about you:

Under the General Data Protection Regulation our legal basis for processing this information about you as a supplier will be that processing is necessary:

• “For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” This means the information is needed for the delivery and administration of your relationship with Metropolis London Music Ltd.

• “For compliance with a legal obligation.” This means Metropolis London Music Ltd is legally required to share some information about you, for example with HMRC. More information on this is covered below.
• “To protect the vital interests of a data subject or another person.” This means that in some rare circumstances it may be necessary to share information about you, for example to the emergency services.

If you cease to be a supplier of Metropolis London Music Ltd, the legal basis for continuing to process your information would then be:

• “Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.” This means it is reasonable to expect that Metropolis London Music Ltd would contact you if it had a query about any products or services you supplied to Metropolis London Music Ltd, a matter relating to a time in which you were supplying those products/services and/or in relation to another statutory/legal obligation it may have.

If you were a supplier of Metropolis London Music Ltd before May 25th 2018 (the date on which GDPR came into effect), it is important for you to remember that your personal data was already protected another way, by way of The Data Protection Act (The DPA). The DPA established a framework within which information about living individuals can be legally gathered, stored, used and disseminated. At its core were eight Data Protection Principles, which Metropolis London Music Ltd and other organisations needed to abide by. These specified that personal information must be:

• Processed fairly and lawfully, and only if certain conditions are met
• Obtained for specified and lawful purposes, and not used for purposes other than those for which it was gathered
• Adequate, relevant and not excessive
• Accurate and where necessary kept up to date
• Kept for no longer than necessary
• Processed in accordance with individuals’ rights
• Kept secure
• Not transferred outside the European Economic Area unless certain conditions are met

GDPR builds on these requirements and states that from 25 May 2018 information must be:

• processed lawfully, fairly and in a transparent manner in relation to individuals;
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

GDPR also requires that:

• “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

These protections apply to information in electronic form and also many types of data in paper form. Further information about the Data Protection Act and the General Data Protection Regulation is available from the Information Commissioner’s Office at www.ico.org.uk .

How and why does Metropolis London Music Ltd use personal data?

Supplier personal data is processed primarily for, but not limited to, the following purposes:

• the general administration of our relationship with you, including for financial reasons;
• the selection process of suppliers;
• administration of non-Metropolis London Music Ltd staff contracted to provide services on behalf of Metropolis London Music Ltd;
• planning and management of Metropolis London Music Ltd’s workload or business activity;
• disputes and disciplinary matters;
• training and development;
• vetting checks;

We may disclose your data to certain outside organisations as outlined in this Fair Processing Notice.

We may use copies of the data, including sensitive personal data, which we hold about you for the purpose of testing our IT systems. If your data is used for system testing, it will be copied to a test environment and used with data on other suppliers to test changes to our IT systems in a realistic way. This is done to ensure that changes will be effective and will not cause loss or damage to data. The data about you which we hold in our live systems will not be affected. Your data will not be kept in the test environment for longer than is necessary for testing purposes. Data in that environment will not be used for purposes other than testing. We will also apply appropriate security precautions to the data.

What personal data does Metropolis London Music Ltd collect?

Metropolis London Music Ltd collects the following information from suppliers, which is outlined below:

• name and address
• contact details (telephone number, email address)
• Details and dates of usage of the products/services being supplied
• payment / bank details

CCTV

For safeguarding and crime prevention purposes, we may operate CCTV systems that cover areas you may work in if you visit Metropolis London Music Ltd. Please refer to our CCTV policy for more information.

Who else has access to my my data?

Metropolis London Music Ltd is required to share personal data with certain other organisations in order to meet statutory requirements or to provide services to suppliers. Sharing will always be undertaken in line with the requirements of data protection law, either through the consent of the individual, or another relevant legal gateway. The personal data that is actually shared will always be limited precisely to what the other organisation needs to meet its requirements or deliver its services.

Although we do not transfer data outside of the European Economic Area (EEA) as a matter of course of usual business, if this disclosure involves the transfer of your data outside the European Economic Area (EEA), we will inform you of this in advance, along with information about the safeguards in place. The data will only be transferred outside the EEA if one of the conditions set down in the Data Protection Act has been met, or in compliance with the conditions of transfer outlined in the General Data Protection Regulation.

Your data may also be sent to different companies/departments within the Metropolis London Music Ltd group where this is necessary for our day to day administration. The full list of Metropolis London Music Ltd Group companies is: The Academy of Contemporary Music Ltd, Metropolis London Music Ltd, ACM Commercial Ltd, ACM Education Ltd, ACM Guildford Ltd, ACM London Ltd, ACM Birmingham Ltd, Industrication Ltd, Metropolis London Music Ltd.

Metropolis London Music Ltd will make some statutory and/or routine disclosures of personal data to third parties where appropriate. These third parties include:

• HM Revenue and Customs (HMRC)
• Financial Auditors
• Other organisations who have asked us for a reference of your services.
• Communications Platforms to facilitate marketing and communications of Metropolis London Music Ltd services (governed by GDPR compliant data sharing agreements):
  • Facebook for re-marketing of Metropolis London Music Ltd services to you via its channels;
  • Clickatell for SMS (text message) services; and
  • Mailchimp and Mandrill for campaign and transactional email services

Personal data may also be disclosed when legally required or where there is a legitimate interest, either for Metropolis London Music Ltd or the data subject, taking into account any prejudice or harm that may be caused to the data subject.

Metropolis London Music Ltd may also use third party companies as data processors to carry out certain administrative functions on behalf of Metropolis London Music Ltd. If so, a written contract will be put in place to ensure that any personal data disclosed will be held in accordance with GDPR legislation.

How long do you keep data for?

Data we hold that is only relevant to current suppliers (such as bank information) will be deleted within 1 year of your last supply to us. All other relevant correspondence in relation to the supply of products/services will be held on file and retained for 6 years after an employee has left Metropolis London Music Ltd, in accordance with HMRC recommendation, after which time it will be securely disposed of. Basic information about a supply of service (ie a log that the service was provided) will be retained indefinitely, along with any other data we are required to hold indefinitely for legal/statutory reason.

A full schedule concerning data retention and disposal is available via the policies section of our website.

What are my rights regarding the personal data you hold relating to me?

An individual has the right to be informed about data collection via a Fair Processing Notice. This is that notice.

An individual has the right to ask Metropolis London Music Ltd what personal data we hold about them , and to ask for a copy of that information. Metropolis London Music Ltd reserves the right to ask you to provide proof of identification and for you to clarify your request if it is unclear in the first instance. You will receive a reply no longer than 30 calendar days from the date you make the request in writing. If you are unhappy with the initial response you can ask Metropolis London Music Ltd to undertake a further search if there is specific information you have good reason to believe exists but that hasn’t been delivered to you.

You have the right to rectify data that is incorrect. If you believe Metropolis London Music Ltd holds information about you that is factually incorrect please email our HR department to provide the correct information, and Metropolis London Music Ltd should update it within one month.

You have the right to be forgotten. Where there is not a legal / statutory obligation for Metropolis London Music Ltd to hold data about you, you have the right to be forgotten.

You have the right to data portability where the personal data is processed with the consent of the data subject, not where the personal data has been collected using any of the other legal basis for processing.

You have the right to restrict processing.

You have rights in relation to automated decision making and profiling.

You also have the right to object / withdraw consent from the processing of your personal data by Metropolis London Music Ltd at any time , if your consent was sought initially to use your personal data.

You also have the right to complain to the UK Regulator the Information Commissioner’s Office (the ICO) if you believe you request has not been dealt with properly or you have a complaint to raise against Metropolis London Music Ltd for any other data protection related issue. A complaint can be raised via the ICO’s website at www.ico.org.uk or by writing to the following address:

The Office of the Information Commissioner Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

How do I exercise my rights under GDPR?

For the purpose of your data protection, Metropolis London Music Ltd is the recognised ‘controller’ of your data. We make a same Data Protection Officer available to you, who can be contacted if you would like to exercise any of your rights under GDPR:

Postal Address:

Data Protection Officer
Metropolis London Music Ltd
The Powerhouse
70 Chiswick High Road
London
W4 1SY
United Kingdom
Telephone: +44 (0) 208 742 1111
Email: dpaofficer@thisismetropolis.com

What are my responsibilities?

Metropolis London Music Ltd will make every reasonable effort to keep your details up to date. However, it is your responsibility to provide us with accurate information about yourself when you provide it. It is also your responsibility to let us know of any subsequent changes to your details. You must also abide by Metropolis London Music Ltd’s Data Protection Policy when handling any personal data you come into contact with for which Metropolis London Music Ltd is responsible.