Website user privacy notice
Who we are
The Board of Trustees of the National Galleries of Scotland is the Data Controller for any personal data you give to us or we collect about you. Our full contact details are:
National Galleries of Scotland
73 Belford Road
Edinburgh
EH4 3DS
0131 624 6200
[email protected]
National Galleries of Scotland is a charity registered in Scotland, No. SC003728. VAT No. GB 100 1904 82
We are a data ‘controller’, which means we are responsible for deciding how we hold and use your personal information.
This notice explains how and why we will collect and use your personal information and your rights in relation to your personal information. We may amend this notice at any time. Please refer back to this page for the most recent version. You may be notified directly of any significant changes which affect you where we believe it is appropriate and proportionate to do so.
What personal data do we collect and what do we do with it?
We collect personal data from and about different types of individuals who use our website www.nationalgalleries.org. This privacy notice covers:
- Nationalgalleries.org account holders
- Online customers
- Online bookings
- Enquirers using the ‘contact us’ form
We only gather the information we need to be able to fulfil the service in question or any other legitimate purposes. These purposes, the specific data we collect and the lawful basis for each, are set out below.
During the Covid-19 (Coronavirus) pandemic we are supporting NHS Scotland’s Test and Protect strategy. For specific details on how we will use your data if you visit our galleries at this time, please see the dedicated Test and Protect privacy notice.
Information on the use of cookies on our website is provided in our website terms of use.
Please note that there are separate privacy notices for others who may come into contact with us through the website, including:
Nationalgalleries.org account holders
Purpose | What data do we collect? | What’s the legal basis? |
---|---|---|
To give you access to enhanced functionality on our website; this can also speed up the checkout process for shopping. | First name, last name, email address. If you use Facebook sign-in, Facebook will provide us with additional data based on your Facebook settings. | Contract |
Online customers
Purpose | What data do we collect? | What’s the legal basis? |
---|---|---|
To fulfil orders placed through our website including processing payment and delivering products, and to contact you in regard to any issues or updates relating to your order during and after payment. | First name, last name, email address, delivery address, contact telephone number. | Contract |
Online booking
Purpose | What data do we collect? | What’s the legal basis? |
---|---|---|
To process bookings made through the website for timed gallery entry, ticketed exhibitions and events, including processing payment and delivering e-tickets, and to contact you in regard to any issues or updates relating to your order during and after payment. | First name, last name, email address, delivery address (if required), contact telephone number. We may also gather details of any access requirements (if provided) to ensure you and/or members of your party can participate as fully as possible. | Contract, Consent |
To gather feedback on booking and visitor experience and to make improvements where required. | Responses to surveys issued to the email address used to make the booking. | Legitimate interest |
‘Contact us’ enquirers
Purpose | What data do we collect? | What’s the legal basis? |
---|---|---|
To respond to various types of visitor/customer/user enquiries, feedback, complaints, and requests for information. | First name, last name, email address. Details of enquiry/feedback/complaint/information request. We may also gather details of any access requirements to ensure you can participate as fully as possible. | Legal obligation, Public Interest, Contract, Legitimate Interest |
All of the above
Purpose | What data do we collect? | What’s the legal basis? |
---|---|---|
To build our understanding of and improve the relationship with our audience, supporters, customers and contacts. | A record of transactions, purchases, donations, marketing preferences and communication with NGS. | Legitimate interest. NGS uses this data internally to monitor performance, and to improve the services offered to the public; to meet and exceed expectations of our existing audience, attract new visitors, customers and supporters and ensure satisfaction. |
Automated decision-making and Profiling
No automated decisions are made on the personal data collected and processed as described above.
Who sees my data
In order to deliver our services effectively, we sometimes need to use a third party. NGS remains responsible for keeping the data we hold about you safe and secure. We will ensure that other organisations processing your data on our behalf do so only on our instruction and with appropriate safeguards in place.
Activity | Third party recipients? | International Transfer? |
---|---|---|
All activity covered by this privacy notice. | Data provided for the purposes set out here is hosted by our website or CRM suppliers. | Yes – some data is hosted in the EU. |
Online customers | Orders for prints on demand are fulfilled by a third party supplier. | No. |
Online bookings | Freelancers who may be running our events. | No. |
How long do we keep data?
We only hold your information for as long as is necessary for the purpose it was collected. When we no longer need the data for that purpose, we will either delete or destroy it, or remove any data which can identify you and retain the anonymised data for analytical purposes.
Data held in our CRM system may be held for up to six years after our last contact with an individual.
If you withdraw consent you have given, or ask us not to have any further contact with you, we will keep some basic information in order to avoid sending you unwanted communications in the future.
What are my rights over access to the data you hold on me?
If we are processing your data on the basis of your consent, you can withdraw your consent at any time. You can also object to the use of your personal data at any time, where we have based our processing on public interest or legitimate interest. This may mean, however, that we are no longer able to provide you with a particular service or communication where the information processing is an integral part of the service. We will tell you if this is likely to be the case.
Subject to some legal exceptions, you also have the right:
- To access the data we hold about you and to know what we are doing with it
- To have any inaccuracies corrected
- To have your personal data erased
- To place a restriction on our processing of your data
- To object to processing
- To request your data to be ported (data portability)
If you want to learn more about these rights, please see the Information Commissioner’s Office (ICO) website.
Please note that if you are a nationalgalleries.org account holder, you can exercise the rights of access, accuracy, erasure and portability over the data held about you on our website when logged in to your account. For other data held about you by NGS, or to exercise the other rights listed above, please contact the Data Protection Officer (details below).
How to contact us about your personal data or this privacy notice
If you have any questions about this privacy notice or about your personal data, please contact:
Data Protection Officer
Director-General’s Office
National Galleries of Scotland
73 Belford Road
Edinburgh
EH4 3DS
Tel: 0131 624 6473
Email: [email protected]
Complaints
As well as contacting the Data Protection Officer using the details above, you can use our Feedback procedure to make a complaint about the way we process your personal information.
You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the data protection supervisory authority in the UK.