Website user privacy notice

Who we are

The Board of Trustees of the National Galleries of Scotland is the Data Controller for any personal data you give to us or we collect about you. Our full contact details are:

National Galleries of Scotland
73 Belford Road

0131 624 6200
[email protected]

National Galleries of Scotland is a charity registered in Scotland, No. SC003728. VAT No. GB 100 1904 82

We are a data ‘controller’, which means we are responsible for deciding how we hold and use your personal information.

This notice explains how and why we will collect and use your personal information and your rights in relation to your personal information. We may amend this notice at any time. Please refer back to this page for the most recent version. You may be notified directly of any significant changes which affect you where we believe it is appropriate and proportionate to do so.

What personal data do we collect and what do we do with it?

We collect personal data from and about different types of individuals who use our website This privacy notice covers:

  • account holders
  • Online customers
  • Online bookings
  • Enquirers using the ‘contact us’ form

We only gather the information we need to be able to fulfil the service in question or any other legitimate purposes. These purposes, the specific data we collect and the lawful basis for each, are set out below.

During the Covid-19 (Coronavirus) pandemic we are supporting the NHS Scotland’s Test and Protect strategy. For specific details on how we will use your data if you visit our galleries at this time, please see the dedicated Test and Protect privacy notice.

Information on the use of cookies on our website is provided in our website terms of use.

Please note that there are separate privacy notices for others who may come into contact with us through the website, including: account holders

Purpose What data do we collect? What’s the legal basis?

To give you access to enhanced functionality on our website; this can also speed-up the checkout process for shopping.

First name, Last name, Email address.

If you use Facebook sign-in, Facebook will provide us with additional data based on your Facebook settings.

By accepting our terms of use, you can access the additional functionality.

Online customers

Purpose What data do we collect? What’s the legal basis?

To fulfil orders placed through our website including processing payment and delivering products, and to contact you in regard to any issues or updates relating to your order during and after payment.

First name, last name, email address, delivery address, contact telephone number.

Sale of the product or service.

Online booking

Purpose What data do we collect? What’s the legal basis?

To process bookings made through the website for timed gallery entry, ticketed exhibitions and events, including processing payment and delivering e-tickets, and to contact you in regard to any issues or updates relating to your order during and after payment.

First name, last name, email address, delivery address (if required), contact telephone number.

We may also gather details of any access requirements (if provided) to ensure you and/or members of your party can participate as fully as possible.

Sale of service.

Provision of access requirements is voluntary but enables us to make appropriate arrangements.

To gather feedback on booking and visitor experience and to make improvements where required.

Responses to surveys issued to the email address used to make the booking.

Legitimate interest
To understand the needs of our website users/visitors and to improve our offer, services and processes

‘Contact us’ enquirers

Purpose What data do we collect? What’s the legal basis?

To respond to various types of visitor/ customer/ user enquiries, feedback, complaints, and requests for information .

First name, last name, email address.

Details of enquiry/feedback/complaint/information request.

We may also gather details of any access requirements to ensure you can participate as fully as possible.

Legal obligation
To comply with the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004, and the SPSO’s complaints handling procedure as required by the Public Services Reform (Scotland) Act 2010.

Public Interest
Enquiries relating to the collection.

Enquiries relating to purchases or bookings.

Legitimate Interest
Other enquiries.

All of the above

Purpose What data do we collect? What’s the legal basis?

To build our understanding of and improve the relationship with our audience, supporters, customers and contacts

A record of transactions, purchases, donations, marketing preferences and communication with NGS

Legitimate interest NGS uses this data internally to monitor performance, and to improve the services offered to the public; to meet and exceed expectations of our existing audience, attract new visitors, customers and supporters and ensure satisfaction.

Automated decision-making and Profiling

No automated decisions are made on the personal data collected and processed as described above.

Who sees my data

In order to deliver our services effectively, we sometimes need to use a third party.  NGS remains responsible for keeping the data we hold about you safe and secure.  We will ensure that other organisations processing your data on our behalf do so only on our instruction and with appropriate safeguards in place.

  Third party recipients? International Transfer?

All activity covered by this privacy notice.

Data provided for the purposes set out here is hosted by our website or CRM suppliers.

Yes – some data is hosted in the EU.

Online customers

Orders for prints on demand are fulfilled by a third party supplier.


Online bookings

Freelancers who may be running our events.


How long do we keep data?

We only hold your information for as long as is necessary for the purpose it was collected.  When we no longer need the data for that purpose, we will either delete or destroy it, or remove any data which can identify you and retain the anonymised data for analytical purposes.

Data held in our CRM system may be held for up to six years after our last contact with an individual.

If you withdraw consent you have given, or ask us not to have any further contact with you, we will keep some basic information in order to avoid sending you unwanted communications in the future.

What are my rights over access to the data you hold on me?

If we are processing your data on the basis of your consent, you can withdraw your consent at any time.  You can also object to the use of your personal data at any time, where we have based our processing on public interest or legitimate interest. This may mean however, that we are no longer able to provide you with a particular service or communication where the information processing is an integral part of the service.  We will tell you if this is likely to be the case.

Subject to some legal exceptions, you also have the right:

  • To access the data we hold about you and to know what we are doing with it
  • To have any inaccuracies corrected
  • To have your personal data erased
  • To place a restriction on our processing of your data
  • To object to processing
  • To request your data to be ported (data portability)

If you want to learn more about these rights, please see the Information Commissioner’s Office (ICO) website.

Please note that if you are a account holder, you can exercise the rights of access, accuracy, erasure and portability over the data held about you on our website when logged in to your account.  For other data held about you by NGS, or to exercise the other rights listed above, please contact the Data Protection Officer (details below).

How to contact us about your personal data or this privacy notice

If you have any questions about this privacy notice or about your personal data, please contact: 

Data Protection Officer
Director-General’s Office
National Galleries of Scotland
73 Belford Road

Tel: 0131 624 6473

Email: [email protected]


As well as contacting the Data Protection Officer using the details above, you can use our Feedback procedure to make a complaint about the way we process your personal information.

You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the data protection supervisory authority in the UK.