Effective Date: May 25, 2018
Our EU Privacy Notice addresses the way we collect and process personal data that is subject to the General Data Protection Regulation. It applies to our EU website visitors as well as our customers and business contacts (including contractors, vendors, suppliers, and the like).
Please read carefully before using this site.
This Privacy Notice describes the ways in which The Pilgrimage Music & Cultural Festival (the “Festival”) processes and protects the personal data of our customers and business contacts.
The Festival is owned and operated by Pilgrimage Presents, LLC and its affiliates (collectively “Producer”). Producer, along with its affiliates, produces the Festival, which is held in the third week of September, at The Park at Harlinsdale, in Franklin, Tennessee.
The types of personal data that we process, as described in this Privacy Notice, are those necessary for us to provide our customers with information about the Festival, a positive and enjoyable Festival experience for those who attend the Festival, to sell products or services related to the Festival to our customers, and to carry out various ancillary activities.
We take very seriously our legal, professional and ethical duties and obligations to protect personal data. We have an information security management program in place to protect the personal data and other information that we process. These measures are monitored, reviewed and regularly enhanced in order to meet our professional responsibilities and the needs of our customers.
In line with the transparency requirements of Articles 13 and 14 of the EU General Data Protection Regulation (“GDPR”), this Privacy Notice sets out the following information:
2. Contact Information of Our Data Protection Officer (“DPO”);
3. Source and Categories of Personal Data That We Process, Why We Do So, and Lawful Bases for Processing;
4. Festival Offices As Well As Third Parties With Which Our Offices May Share Personal Data;
5. Circumstances in Which We Transfer Personal Data to Countries Outside the EU for Processing, and the Safeguards We Put in Place to Protect the Personal Data Transferred;
6. Our Retention Policy for Records Containing Personal Data;
7. Individuals Rights in Relation to Personal Data; and
8. Definitions Used in this Privacy Notice.
1. Data Controllers
Our offices are located at 230 Franklin Road, Suite 11HH, Franklin, Tennessee 37064. We have no offices in the EU. You may contact our data controller by writing to that address, attention “Data Controller”.
2. Data Protection Officer
The core business of Producer is the promotion, production, and operation of the Festival and does not involve the large-scale processing of personal data. The Producer has nonetheless elected to appoint a DPO in order to support our GDPR compliance efforts.
- The contact details for our DPO are as follows:
- By email: email@example.com
- Data Protection Officer
- Pilgrimage Presents, LLC
- 230 Franklin Road
- Suite 11HH
- Franklin, Tennessee 37064
Please direct all general communications or queries relating to this Privacy Notice or the Producer’s compliance with the GDPR to our DPO. With regard to the exercise of data subject rights under the GDPR, a specific email address is provided in Section 7 below for the convenience of individuals wishing to submit a data subject request.
3. Source and Categories of Personal Data That We Process, Why We Do So, and Lawful Bases for Processing
Our office processes various categories of personal data for the purposes identified below, on the lawful basis indicated for each respective processing activity.
To Provide Festival-Related Products, Services and Information to Our Customers
The information that we collect and process in relation to our customers for the purposes of providing Festival-related products, services and information to them is primarily customer contact and payment information data.
In order to provide, charge for and manage the delivery of products, services and to communicate with our customers in relation to the Festival, it is in our legitimate interests, and those of our customers, to process personal data relevant to the products, services and Festival-related information we provide them.
The categories of personal data that we process for this purpose, which our customers or business contacts usually provide to us, include the following:
- Contact details of customers (the individual customer’s name, physical and email addresses, and telephone number) – for purposes of communication in relation to our provision of Festival-related products and services to them;
- Bank account details and related personal data necessary for us to make and receive payments – in order to receive payment for ticketing, merchandise, or other Festival-related transactions;
Where we obtain personal data from a business contact in relation to customer’s personal data that is subject to the GDPR requirements, we do so on the basis that our business contact has satisfied its own obligations as a controller in its own right in relation to the collection, processing and transfer of such personal data to us.
To Engage With Our Vendors
For the purposes of dealing with vendors and suppliers, it is in our legitimate interests and those of our vendors and suppliers for us to process the business contact details of the vendors' and suppliers’ individual account representatives in order to communicate and otherwise conduct business with them relating to the Festival. The information that we typically process for this purpose is provided by the vendor or supplier and includes the appointed business contact’s name, position, company affiliation, physical and email addresses, and telephone numbers.
To Market Our Products and Services to Customers and Business Contacts
It is in our legitimate interest as the producer of the Festival to collect and process contact data needed to provide requesting customers and contacts with copies of our newsletters on developments concerning the Festival, customer alerts, blogs, and other marketing materials. The personal data that we collect for these purposes includes the following:
- The contact details of our individual customers and the employees of our vendors and suppliers (e.g., name, address, email address, phone number, company name, company address, title or position)
- Where relevant, information provided by these individuals about their preferences in relation to receiving updates from us on developments regarding the Festival
We generally obtain the contact details and preference information that we use for marketing communications directly from our customers, vendors and suppliers. This includes visitors to our website, who may register online to opt-in to receiving customer alerts, newsletters, and other information from us. We obtain the consent of customers and others with whom we do not have an existing customer relationship before sending them our marketing materials by electronic means, in accordance with applicable Member State rules. We have in place an effective online tool for users to manage requests to opt out or modify their preferences in relation to the subject matter and categories of information they receive.
In order to manage the preferences of our customers, website visitors and other contacts efficiently and maintain the accuracy of the data we collect, we utilize third-party marketing and sales partnerships and other solutions. We safeguard any personal data that we transfer to these service providers, or which they collect on our behalf, in the manner discussed in Sections 4 and 5 below. The personal data that you provide when you register on our website may be shared with Festival marketing and sales partners located in offices outside the European Union.
We use “cookies” and similar applications for the purposes of enabling us to evaluate the use of our website and improve the experience of visitors to it.
4. Data Sharing With Third Parties
The purposes for which we share personal data relating to our customers and business contacts within our organization, and also with trusted third-party vendors and business partners, are set out below.
Transfers of personal data between Producer and its affiliated entities who work with us as necessary to market, promote, produce and operate the Festival may be necessary in order to deliver our products and services to our customers efficiently and effectively.
Other functions that involve the transfer of customer-related and business contact personal data to selected members of our management and staff include Festival news updates, Festival management and administration.
Transfers to Third Parties
We also share personal data with trusted service providers and business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any personal data that we share with them. The data recipients include, for example, IT service providers, marketing, ticket, and merchandise sales platforms, telecommunications operators, banking institutions, together with their appointed legal and other advisors.
We may also share personal data collected for the purposes of marketing and promoting Festival products and services with external recipients in circumstances where we have a legal obligation to do so, including but not limited to courts, tribunals, regulatory authorities, tax authorities and law enforcement.
We will never sell personal data collected for the purposes of marketing and promoting Festival products and services, or otherwise obtained from third parties, nor knowingly permit it to be used for marketing purposes by any person outside of Producer, its affiliates, and their vendors and suppliers who assist Producer in the marketing, promotion, production and operation of the Festival.
5. International Transfers
We do not transfer personal data internationally.
6. Records Retention Policy
We retain personal data only for as long as necessary for the purposes for which the data was collected, except where necessary to meet our legal obligations or in order to establish, exercise or defend potential legal claims or to pursue our legitimate interests.
7. Rights of Individuals in Relation to Their Personal Data
The GDPR and other applicable EU and Member State data protection laws provide certain rights to data subjects in relation to their personal data. These include the rights to:
- Request details about the personal data that we process, and obtain a copy of the data that we hold about them (to the extent this is not in breach of a legal obligation of professional secrecy to which we are subject in relation to customer data entrusted to us and that would, therefore, prevent us from informing the relevant data subjects)
- Correct or update their personal data subject to the above
- Port personal data that the data subject has provided to us, in machine readable format, to another supplier
- Erase the data that we hold about them in some cases
- Restrict or object to its processing in some cases
- Object to processing:
- Based on grounds relating to the individual’s particular situation, where the processing is based on the legitimate interest of Producer or our customers
- Where personal data is being processed for direct marketing purposes
Where consent is the basis for processing their personal data, the individual may decline to give his or her consent, or to withdraw consent to the processing at any time.
These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject in the performance of legal services.
In some cases, the exercise of these rights (for example, erasure, objection, restriction or the withholding or withdrawing of consent to processing) may make it impossible for us to achieve the purposes identified in Section 3 of this Privacy Notice and provide effective legal services.
The processing of requests for action by Producer in regard to the exercise of a data subject’s rights under the GDPR is overseen by an internal team consisting of the DSAR Manager, the Office of General Counsel, the DPO and other professionals needed to respond to the particular request.
Any individual wishing to assert his or her rights under the GDPR should address the relevant request to:
- Data Protection Officer
- Pilgrimage Presents, LLC
- 230 Franklin Road
- Suite 11HH
- Franklin, Tennessee 37064
By email: firstname.lastname@example.org
Data subjects also have the right to submit a complaint concerning our processing of their personal data to the appropriate supervisory authority.
“Customer” means an individual that is or was a customer of Producer.
“Controller” means an individual or entity who or which, alone or jointly, determines the purposes and means of processing of personal data (and, where relevant, this term shall have the specific meaning attributable to it for the purposes of the GDPR).
“DSAR” means Data Subject Action Request, relating to the rights of data subjects under the GDPR.
“EU” means the European Union or, where relevant in the given context, the European Economic Area.
“GDPR” means the General Data Protection Regulation, (EU) 2016/679, or applicable national implementing legislation.
“Individual” means a human person (also sometimes referred to as a “natural” person).
“Legal Notices” means the Legal Notices page on the Producer website which hosts this Privacy Notice.
“Personal data” means any information relating to an identified or identifiable individual (a “data subject”). An identifiable individual is one whose identity can be established by one or more identifiers (for example, their name) specific to that individual.
“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means an individual or entity who or which processes personal data on behalf of a controller.
“Recipient” means an individual or entity to whom or to which personal data are transmitted or disclosed.
“Third party” when used to describe a data subject, means an individual who is not a customer.
“Third-party data” means personal data of a third party.