Privacy Statement (GDPR)

Eisteddfod Genedlaethol Cymru (The National Eisteddfod of Wales) is committed to protecting your personal information and being transparent about what information we hold about you.

Under GDPR (General Data Protection Regulation) we are responsible for ensuring that:

  • Your personal data is kept secure and is protected;
  • We are clear about the purposes we are using your data for;
  • Your data is used in appropriate way;
  • It is easy to withdraw consent or update your preferences at any time.

Using personal information helps us to better understand our customers and in turn to provide you with relevant and timely information about the work that we do. As a charity, it also helps us to engage with potential donors and supporters.

This notice explains how we use your personal information in accordance with GDPR and all other applicable laws concerning the protection of personal information. This notice explains:

  • What information we may collect about you;
  • How we may use that information;
  • When we use your details to contact you;
  • In what situations we may disclose your details to third parties;
  • How we keep your personal information secure, how we maintain it and your rights to be able to access it.

The personal information described in this notice is collected from you through the following channels:

  • Your booking with the National Eisteddfod of Wales (online, by telephone or in person;
  • Our website;
  • Emails you receive from us;
  • Your visit to the National Eisteddfod;
  • Letters and other written correspondence;
  • Other interactions with us by phone or in person.

Our website is one of the main places our customers interact with us and share their personal information. If you are concerned at any time that your online account may have been compromised, please contact the Eisteddfod immediately. You may find links throughout our site to third party websites which are subject to their own privacy policies and may use cookies. We advise that you review their policies and cookies when you visit their sites but we do not take any responsibility for third party websites.

If you have any queries about this notice, please contact the Data Protection Officer at the National Eisteddfod of Wales

Who we are

Eisteddfod Genedlaethol Cymru is a registered charity – number 1155539.  The registered address is 40 Parc Ty Glas, Llanishen, Cardiff  CF14 5DU.

Information collection

We collect, process and hold various types of information:

Information you give us

For example, when you create an account on our website, buy tickets or make a donation, we will store personal information which will include some of the following:

  • Full names
  • Postal addresses
  • Email addresses
  • Telephone Numbers (Mobile and Landlines)
  • Date of birth
  • Access requirements
  • Any genre preferences or requests to be added to specific mailing lists
  • Payment card details
  • Information collected through surveys and questionnaires
  • Information collected through cookies

Information about your interactions with us

When you visit our website, book a ticket or other product for the Eisteddfod, make a donation or receive a marketing communication from us we will make a record. This will include:

  • Purchase History
  • Donation History
  • Gift Aid status
  • Website visit history
  • Emails sent, open and clicks (We keep a record of which emails we have sent you, which ones you have opened and which links you clicked)
  • Mailings we have sent you

Sensitive personal data

Data Protection law recognises that certain categories of personal information are more sensitive such as health information, race, religious beliefs and political opinions. We do not usually collect this type of information about our customers unless there is a clear reason for doing so.

Where is personal information collected and stored?

The National Eisteddfod of Wales is data controller for the data we collect and store. Data is collected and stored through the following systems and platforms

  • Through individuals signing up to emails and join our mailing list through our website.
  • Ticketsolve supplies our Box Office system which holds your accounts, purchase history, contact information, contact preferences and allows us to produce marketing reports and lists for marketing activity
  • We use Mailchimp to send marketing emails
  • We use Surveymonkey to generate surveys
  • Realex processes our Box Office payments; World Pay and Securetrading for all other purchases on our website
  • A range of other services may be used

Your personal information will not be subjected to automated processing which would negatively impact on any individual

How do we use your personal data?

There are three bases under which we may process your data:


When you buy tickets or other product from us or make a donation to us, you are entering into a contract with us. In order to perform this contract we need to process and store your data. The instances in which this legal basis will apply are:

  • Processing a booking and verifying payment through our website, over the phone or in person
  • Setting up a customer account
  • Enabling you to make a donation (either a one-off donation or an ongoing arrangement through Just Giving)
  • Using your data to ensure we can fulfil our contract of service with you
  • Letting you know about a change to a performance, including a change of time or cancellation (in exceptional circumstances)
  • Getting in touch with you with advance information about your visit to the Eisteddfod
  • Storing your data on a secure system
  • Getting in touch with you to acknowledge and thank you for a donation you have made
  • To pre-order any additional services or products we may offer as part of your visit to the Eisteddfod.


We will ask for your consent before using your personal information in the following instances. You can withdraw your consent at any time and you can do this by logging into your account or calling the Box Office. The instances in which consent is the legal basis of our processing are:

  • Ensuring that you are sent relevant marketing information about performances, events and products at the National Eisteddfod by email, by post or by phone
  • To contact you with details on how you may support our work through making a donation
  • To take and use photos of participants for documentary and marketing purposes

Legitimate business interests

In certain situations we collect and process your personal information for purposes that are in our legitimate organisational interests. We only do this if there is no overriding prejudice to you by using your personal information in this way. The situations in which we use legitimate interest as the legal basis for processing are as follows:

  • Sending you a post show survey by email to help us understand how we can improve the service we provide you with
  • Sharing your data securely with a supplier to undertake direct mailing on our behalf
  • Managing data on secure spreadsheets independent of our Box Office system
  • Suppressing (not using) your data after inactivity (6 years)
  • Using anonymised data to help make our marketing communications more effective
  • Using anonymised data so that we can report to our funders
  • Segmenting your data to ensure you are sent relevant information
  • Using bulk email sending software for our email marketing communications
  • To take photos of our audience in our auditoria or in our public spaces for use in our marketing and promotional activity
  • Capturing and storing footage for security purposes
  • To contact schools and colleges about relevant upcoming performances and projects
  • To contact members of the press with invitations to press nights, press releases and story ideas and opportunities 
  • To invite funders and stakeholders to guest nights
  • To send funders, stakeholders and public representatives information about new and developments at the National Eisteddfod which are in the public interest
  • To manage relationships with potential funders and donors
  • To contact National Eisteddfod members with information on performances and the latest news by email and by post

In all of the above cases we will always keep your rights and interests at the forefront to ensure they are not overridden by our own interests or fundamental rights and freedoms. You have the right to object to any processing at any time. If you wish to do this please use the contact details at the end of this policy. Please bear in mind that this may affect our ability to carry out tasks that are for your benefit.

Third parties

In certain circumstances we may need to disclose your personal information to third parties. These circumstances are:To our own service providers who process data on our behalf and on our instructions (for example our Box Office System supplier). In these cases we require that these third parties comply strictly with our instructions and with data protection laws, for example around security of personal data.

Where we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies).

Please note that we do not share share data and will never ask for your consent to do this.


We use a mixture of essential and non-essential cookies as part of the online booking process in order to ensure you have the best possible experience:

ESSENTIAL COOKIES In order to keep track of your order it is essential that we store a "session cookie" on your computer. This cookie will last for 24 hours.

NON-ESSENTIAL COOKIES We use a few non-essential cookies to customise your booking experience and help make it easier and more enjoyable for you. These extra cookies are used to store thinks like your login details so you will be automatically logged in each time you visit our site.

Before storing any of these cookies for the first time, we will alert you and ask your permission before proceeding. If you do not wish to store these cookies you will not be able to use that particular feature, but the rest of the site will continue to work correctly.

Your debit and credit card information

If you use your credit or debit card to purchase from us or to make a donation, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). You can find more information about this standard here. We optionally allow you to store your card details for use in a future transaction. This is carried out in compliance with PCI-DSS and in a way where none of our staff members are able to see your full card number. We never store your 3 or 4 digit security code.

Retention of personal information

Your personal information will only be held for as long as necessary.  If you sign up to receive emails from us, we will periodically check with you that you continue to wish to hear from us. The option to unsubscribe is on all of our email communications.

CCTV footage

We retain CCTV footage for 30 days.


We will hold any written communications from and with you for 6 years. We delete and destroy all data records which no longer need to be held.

Maintaining your personal information

You can review the personal contact details we hold for you at any time by logging into your online account or by calling the Box Office. You can also update and change your details at any time this way.

Security of your personal information

The security of your personal information is of paramount importance. We have put in place appropriate safeguards (both in terms of our procedures and the technology we use) to keep your personal information as secure as possible. We will ensure that any third parties we use for processing your personal information do the same.

Access to your personal information

You have a right to request a copy of the personal information that we hold about you and to have any inaccuracies in this data corrected. You may use the contact details at the end of this policy if you would like to exercise this right.

Your rights

Under the General Data Protection Regulations you have the following rights:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object 8. Rights in relation to automated decision making and profiling.

Contact details and further information

Please get in touch with us if you have any questions about any aspect of this privacy policy, and in particular if you would like to object to any processing of your personal information that we carry out for our legitimate organisational interests. Please contact us in writing using the following addresses:
Data Protection, National Eisteddfod of Wales, 40 Parc Ty Glas, Llanishen, Cardiff CF14 5DU

Any objections you make to any processing of your data will be stored against your record on our system so that we can comply with your requests.

This notice was last updated on 24 May 2018.