Privacy Notices - STEAM e-newsletters Privacy Notice


We are STEAM – Museum of the Great Western Railway and this Privacy Notice gives you information as to when and why we collect personal information from you, how we keep it secure and how we use it.

This Privacy Notice is relevant to you if you have given consent to receive STEAM’s e-newsletter.

What is a Privacy Notice?

A Privacy Notice is a statement issued by an organisation which explains how personal and confidential data about individuals is collected, used and shared.

Who is collecting and using your personal data?

This notice sets out the basis on which STEAM – Museum of the Great Western Railway collects and uses the personal data of e-newsletter subscribers.

STEAM – Museum of the Great Western Railway is run by Swindon Borough Council.

Swindon Borough Council will act as a “Data Controller” for any personal data that you provide to us.  We will ensure that the data given to us is processed in line with our Data Protection Act 2018 (DPA 18) and the EU General Data Protection Regulations. (GDPR)

To find out more about Swindon Borough Council’s data protection policies please contact our Data Protection Officer. or in writing to Data Protection Officer, Civic Offices, Euclid Street, Swindon, Wiltshire, SN1 2JH.

This Privacy Notice was last updated in September 2020.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

What personal data do we collect?

STEAM collects data about you when you sign up to receive our newsletters.

This includes:

  • your email address
  • your explicit consent to receive newsletter(s)

We collect this data in a variety of ways. For example, through a form on the Swindon Borough Council website, social media channels and through our E-POS system (Merac) when making a purchase or booking online.

Data reports are automatically generated by our mailing provider Mailerlite and information such as your location, browser data, device type and link clicks are also stored for reporting and evaluation purposes.

How do we process your personal data?

Examples of the situations in which we will process your personal information are listed under 'What personal data do we collect?'.

Why do we need your personal information?

Email addresses will be used :

  • to deliver newsletters and update you on the services we provide
  • to check the quality of services
  • to help with research and development of existing services
  • to help with research and planning of new services
How the law allows us to use your information?

The law requires that we collect and record your explicit consent before providing you with our email newsletters, but you have the right to remove your consent at any time.

If you want to remove your consent, either use the unsubscribe option provided on any emailed newsletter from us, or contact and tell us which service you are using and wish to unsubscribe from, so we can deal with your request promptly.

Who do we share your information with?

Our newsletter service provider is ‘Mailerlite’, who provide email marketing and automation software as a service. They process your Personal Data as a Processor on behalf of Swindon Borough Council.

Our EPOS system stores personal information. The provider of our EPOS system (Merac) has access to the stored information in order to provide ongoing technical support to us for the system. It is part of our contract with Merac that the organisation complies with data protection legislation.

We will not share your data with any other third parties without ensuring that you are advised through changes to this Privacy Notice.

How do we protect your information?

We will do what we can to make sure we hold records about you in a secure way. We have internal policies and controls in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal information to those employees and third parties (named above) who have a business need to know when providing services to STEAM – Museum of the GWR.

All third party processors will only process your information on our instructions and in accordance with obligations under the DPA 2018.

Your personal data will be stored on STEAM’s Merac E-POS system and on Swindon Borough Council’s newsletter service provider: Mailerlite and is stored as follows:

  • Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password)
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
  • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • Mailerlite’s secure data storage centre is situated within the European Economic Area (EEA) and has information storage security certification to ISO 27001 as well as a certificate of IT service management to ISO 20000
How long do we keep your personal information?

Mailerlite will keep a record of your personal data for six months after last use. If you unsubscribe and remove your consent, your data will be deleted.

What you can do with your information?

The law gives you a number of rights to control what personal information is used by us and how it is used by us.

  • You can ask for access to the information we hold on you
  • You can ask to change information you think is inaccurate
  • You can ask to delete information (right to be forgotten)
  • You can ask us to limit what we use your personal data for
  • You can ask to have your information moved to another provider (data portability)

Should you wish to exercise any of your rights, you should contact our Data Protection Officer at

Your right to complain

If you believe that the Council has not complied with your data protection rights, you should write to the Data Protection Officer and clearly outline your case. Your complaint will then be investigated in accordance with our customer complaint procedure.

If you remain dissatisfied with the way your personal data has been handled, you have the right to complain to the Information Commissioner’s Office at You may refer the matter to the Information Commissioner’s Office whose contact details are below:

Information Commissioner’s Office
Wycliffe House
Water Lane


What if you do not provide personal data?

You are under no statutory obligation to provide personal data to Swindon Borough Council during the newsletter sign-up process; however, your email address is mandatory to receive the service. If you decline to provide it, we will not be able to provide this service to you.

How will we ensure compliance?

A six-monthly audit will take place on personal data to ensure we remain legally compliant in accordance with current data protection legislation.

Main privacy notice

You are viewing the Privacy Notice required if you have given consent to receive STEAM’s e-newsletter.

Read the main Privacy Notice