General privacy notice

Who we are

The Board of Trustees of the National Galleries of Scotland (NGS) is the Data Controller for any personal data you give to us or we collect about you.  Our full contact details are:

National Galleries of Scotland
73 Belford Road

Tel: 0131 624 6200

Email: [email protected]


National Galleries of Scotland is a charity registered in Scotland, No. SC003728. VAT No. GB 100 1904 82

We may update this privacy notice at any time. Please refer back to this page for the most recent version. You may be notified directly of any significant changes which affect you where we believe it is appropriate and proportionate to do so.

What personal data do we collect and what do we use it for?

This privacy notice covers broad groups of people who might visit us in person at one of our galleries or contact us for a variety of reasons. The purposes for which we might gather and use your data are set out in the following table. There are also specific privacy notices for people/ purposes where additional processing of your data is undertaken, such as website users, Friends and volunteers. These privacy notices are available on our website.

Regardless of the purpose for which we collect and use your data, we will keep your details safe and process all personal information in accordance with applicable data protection legislation, including the General Data Protection Regulation and the Data Protection Act 2018.

Purpose What data do we collect? What’s the legal basis?

To provide and manage free wi-fi access to visitors and others at NGS sites.

Device MAC and IP addresses Temporary location data Apps used Categories of sites visited.

This data is required to provide the service in line with the terms of use.

To help protect visitors, staff, contractors and others on-site, as well as the collection and NGS property.

Images captured by CCTV.

Public task
NGS has a duty to secure the collection.

Legitimate interest
To protect NGS property and people visiting or working in the gallery buildings.

To improve the visitor experience.

To understand who our audiences are and what they want/ need.

Details left in comments books by visitors which may include:

Date of visit


Home location (eg city/ country/ postcode)


Email address (if they are happy to be contacted about their experience/ opinions).

Data provided via social media channels (on our accounts or making reference to us).

Legitimate interest
NGS uses this data internally to monitor performance, and to improve the services offered to the public; to meet and exceed expectations of existing visitors, attract new visitors and ensure satisfaction.

If we believe someone expects a response to their comment, and they have left an email address, we may follow this up.

All data provided in comments books is voluntary. If visitors are happy to be contacted about their experience, they can choose to leave their email address which will be added to a list to receive surveys.

Marketing/ promotional activities

Comments left in comments books

First name

Home town/ country

Legitimate interest
Some positive comments left voluntarily in comments books may be used in marketing and promotional material.

To respond to enquiries, requests for information and complaints made by individuals.


Contact details

Any opinions or biographical information contained within correspondence.

Outcome of request/enquiry

Legal obligation
Requests for information will be handled under Freedom of Information or Environmental Information legislation. Requests to exercise data protection rights will be handled under GDPR. Complaints will be handled and responded to as stipulated in the Ombudsman’s model complaints handling procedure.

Public task
Responding to enquiries about the collection is part of our statutory role.

Legitimate interest
Processing personal data contained in any other type of enquiry so that we may respond to that enquiry will be on the basis of legitimate interest (ours, yours or a third party).

Effective communication and consultation with private individuals, stakeholders and other organisations.

Contact details

Contents of correspondence (email, mail, voicemail) including biographical information.

Personal opinions, experience and other detail shared in consultation responses.

Public task
Most correspondence and consultation is undertaken in the course of delivering our statutory duties.

Some communication and consultation will be on the basis of contract, legal obligation or consent. Any communication not covered by the above will be on the basis of legitimate interest.

To document and record our activities and to promote our work.


Footage (general crowd, no individuals as focus of image/ footage).

NB. Photography/footage of events is addressed in the relevant privacy notice.

Public task
Documentation of our work is undertaken part of our public task.

Legitimate interest
Any promotional use will be on the basis of our legitimate interest.

To run competitions, give-aways etc.

Contact details

Other personal data required by particular competitions/ give-aways etc.

Depending on the particular circumstances, data processing may be on the basis of contract, legitimate interest or consent.

We may be required to provide evidence that a valid award took place. In this case, data processing will be on the basis of legal obligation.

To assist in returning lost property to owners.

Finder’s name and contact details where given.

Claimant’s name and contact details, signature and details which may help to prove ownership (if needed).

Time and date of visit, where applicable.

Any personal data contained within found objects.

Legal obligation
Civic Government (Scotland) Act 1982

Automated decision-making and Profiling

We do not undertake any automated decision-making or profiling based on the personal data covered by this privacy notice.

Who sees my data?

We will not disclose data to third parties unless under contract with you, with your consent or obliged to by law. Existing data sharing arrangements or likely sharing scenarios are set out below, including where we use a third party processor on our behalf. A data processing agreement will always be put in place with third party processors.

What might be shared? Third party recipients? International transfers?

MAC and IP addresses; location data; usage.

Our public wi-fi is provided by a third party which stores data for us to analyse.

The provider is based in the US; a data processing agreement is in place.

CCTV footage, images.

Police and others where it is required for the prevention or detection of crime.


Positive comments left in comments books with first name and city/country.

These may be viewed by anyone.

If they are posted on our website or social media sites, these may be viewed anywhere in the world.

Details of complaints, FOI requests, data subject requests in case of statutory appeal.

Scottish Information Commissioner
UK Information Commissioner


Names and contact details as provided in comments books for survey purposes.

Opinions, experience.

Surveys are administered through an online third party service.


Images of people visiting NGS or participating in NGS activities.

These may be viewed by anyone depending on where they’re published.

If they are posted on our website or social media sites, these may be viewed anywhere in the world.

Comments and questions made in relation to planning notices and planning applications.

Project partners for capital projects.


Names, contact details and other information provided or associated with lost and found property or personal data contained within found objects.

Police Scotland (Fettes Avenue, Edinburgh).


NGS is subject to the requirements of the Freedom of Information (Scotland) Act 2002 and other legislation which may require us to disclose information to third parties, including personal data. However, this must also be done in compliance with data protection legislation.

How long do we keep data?

We only hold your information for as long as is necessary for the purpose it was collected.  When we no longer need the data for that purpose, we will either delete or destroy it, or remove any data which can identify you and retain the anonymised data for analytical purposes.

If you withdraw consent you have given, or ask us not to have any further contact with you, we will keep some basic information in order to avoid sending you unwanted communications in the future

What are my rights over access to the data you hold on me?

If we are processing your data on the basis of your consent, you can withdraw your consent at any time.  You can also object to the use of your personal data at any time, where we have based our processing on public interest or legitimate interest. This may mean however, that we are no longer able to provide you with a particular service or communication where the information processing is an integral part of the service. We will tell you if this is likely to be the case.

Subject to some legal exceptions, you also have the right:

  • To access the data we hold about you and to know what we are doing with it
  • To have any inaccuracies corrected
  • To have your personal data erased
  • To place a restriction on our processing of your data
  • To object to processing
  • To request your data to be ported (data portability)

If you want to learn more about these rights, please see the Information Commissioner’s Office (ICO) website

How to contact us about your personal data or this privacy notice

If you have any questions about this privacy notice or about your personal data, please contact:

Data Protection Officer
Director-General’s Office
National Galleries of Scotland
73 Belford Road

Tel: 0131 624 6473

Email: [email protected]


As well as contacting the Data Protection Officer using the details above, you can use our Feedback procedure to make a complaint about the way we process your personal information.

You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the data protection supervisory authority in the UK.