General privacy notice
Who we are
The Board of Trustees of the National Galleries of Scotland (NGS) is the Data Controller for any personal data you give to us or we collect about you. Our full contact details are:
National Galleries of Scotland
73 Belford Road
Edinburgh
EH4 3DS
Tel: 0131 624 6200
Email: [email protected]
National Galleries of Scotland is a charity registered in Scotland, No. SC003728. VAT No. GB 100 1904 82
We may update this privacy notice at any time. Please refer back to this page for the most recent version. You may be notified directly of any significant changes which affect you where we believe it is appropriate and proportionate to do so.
What personal data do we collect and what do we use it for?
This privacy notice covers broad groups of people who might visit us in person at one of our galleries or contact us for a variety of reasons. The purposes for which we might gather and use your data are set out in the following table. There are also specific privacy notices for people/ purposes where additional processing of your data is undertaken, such as website users, Friends and volunteers. These privacy notices are available on our website.
Regardless of the purpose for which we collect and use your data, we will keep your details safe and process all personal information in accordance with applicable data protection legislation, including the General Data Protection Regulation and the Data Protection Act 2018.
| Purpose | What data do we collect? | What’s the legal basis? |
|---|---|---|
|
To provide and manage free wi-fi access to visitors and others at NGS sites. |
Device MAC and IP addresses Temporary location data Apps used Categories of sites visited. |
Contract |
|
To help protect visitors, staff, contractors and others on-site, as well as the collection and NGS property. |
Images captured by CCTV. |
Public task Legitimate interest |
|
To improve the visitor experience. To understand who our audiences are and what they want/ need. |
Details left in comments books by visitors which may include: Date of visit Name Home location (eg city/ country/ postcode) Comments/opinions Email address (if they are happy to be contacted about their experience/ opinions). Data provided via social media channels (on our accounts or making reference to us). |
Legitimate interest If we believe someone expects a response to their comment, and they have left an email address, we may follow this up. Consent |
|
Marketing/ promotional activities |
Comments left in comments books First name Home town/ country |
Legitimate interest |
|
To respond to enquiries, requests for information and complaints made by individuals. |
Name Contact details Any opinions or biographical information contained within correspondence. Outcome of request/enquiry |
Legal obligation Public task Legitimate interest |
|
Effective communication with private individuals, stakeholders and other organisations. |
Name Contents of correspondence (email, mail, voicemail) including biographical information. |
Public task Some communication will be on the basis of contract, legal obligation or consent. Any communication not covered by the above will be on the basis of legitimate interest. |
|
To document and record our activities and to promote our work. |
Photographs Footage (general crowd, no individuals as focus of image/ footage). NB. Photography/footage of events is addressed in the relevant privacy notice. |
Public task Legitimate interest |
|
To run competitions, give-aways etc. |
Name Other personal data required by particular competitions/ give-aways etc. |
Depending on the particular circumstances, data processing may be on the basis of contract, legitimate interest or consent. |
Automated decision-making and Profiling
We do not undertake any automated decision-making or profiling based on the personal data covered by this privacy notice.
Who sees my data?
We will not disclose data to third parties unless under contract with you, with your consent or obliged to by law. Existing data sharing arrangements or likely sharing scenarios are set out below, including where we use a third party processor on our behalf. A data processing agreement will always be put in place with third party processors.
| What might be shared? | Third party recipients? | International transfers? |
|---|---|---|
|
MAC and IP addresses; location data; usage. |
Our public wi-fi is provided by a third party which stores data for us to analyse. |
The provider is based in the US; a data processing agreement is in place. |
|
CCTV footage, images. |
Police and others where it is required for the prevention or detection of crime. |
- |
|
Positive comments left in comments books with first name and city/country. |
These may be viewed by anyone. |
If they are posted on our website or social media sites, these may be viewed anywhere in the world. |
|
Details of complaints, FOI requests, data subject requests in case of statutory appeal. |
Scottish Information Commissioner |
- |
|
Names and contact details as provided in comments books for survey purposes. Opinions, experience. |
Surveys are administered through an online third party service. |
|
|
Images of people visiting NGS or participating in NGS activities. |
These may be viewed by anyone depending on where they’re published. |
If they are posted on our website or social media sites, these may be viewed anywhere in the world. |
NGS is subject to the requirements of the Freedom of Information (Scotland) Act 2002 and other legislation which may require us to disclose information to third parties, including personal data. However, this must also be done in compliance with data protection legislation.
How long do we keep data?
We only hold your information for as long as is necessary for the purpose it was collected. When we no longer need the data for that purpose, we will either delete or destroy it, or remove any data which can identify you and retain the anonymised data for analytical purposes.
If you withdraw consent you have given, or ask us not to have any further contact with you, we will keep some basic information in order to avoid sending you unwanted communications in the future
What are my rights over access to the data you hold on me?
If we are processing your data on the basis of your consent, you can withdraw your consent at any time. You can also object to the use of your personal data at any time, where we have based our processing on public interest or legitimate interest. This may mean however, that we are no longer able to provide you with a particular service or communication where the information processing is an integral part of the service. We will tell you if this is likely to be the case.
Subject to some legal exceptions, you also have the right:
- To access the data we hold about you and to know what we are doing with it
- To have any inaccuracies corrected
- To have your personal data erased
- To place a restriction on our processing of your data
- To object to processing
- To request your data to be ported (data portability)
If you want to learn more about these rights, please see the Information Commissioner’s Office (ICO) website www.ico.org.uk.
How to contact us about your personal data or this privacy notice
If you have any questions about this privacy notice or about your personal data, please contact:
Data Protection Officer
Director-General’s Office
National Galleries of Scotland
73 Belford Road
Edinburgh
EH4 3DS
Tel: 0131 624 6473
Email: [email protected]
Complaints
As well as contacting the Data Protection Officer using the details above, you can use our Feedback procedure to make a complaint about the way we process your personal information.
You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the data protection supervisory authority in the UK.