Website user privacy notice

Who we are

The Board of Trustees of the National Galleries of Scotland is the Data Controller for any personal data you give to us or we collect about you. Our full contact details are:

National Galleries of Scotland
73 Belford Road
Edinburgh
EH4 3DS

0131 624 6200
enquiries@nationalgalleries.org

What personal data do we collect and what do we do with it?

We collect personal data from and about different types of individuals who use our website www.nationalgalleries.org. This privacy notice covers:

  • Nationalgalleries.org account holders
  • Online customers
  • Online event bookings
  • Enquirers using the ‘contact us’ form

We only gather the information we need to be able to fulfil the service in question or any other legitimate purposes. These purposes, the specific data we collect and the lawful basis for each, are set out below.

Information on the use of cookies on our website is provided in our website terms of use.

Please note that there are separate privacy notices for others who may come into contact with us through the website, including:

Nationalgalleries.org account holders

Purpose: To give you access to enhanced functionality on our website including booking events; this can also speed up the checkout process for shopping.

What data do we collect? First name, Last name, Email address. If you use Facebook sign-in, Facebook will provide us with additional data based on your Facebook settings.

What’s the legal basis? Contract: By accepting our terms of use, you can access the additional functionality.

The data you provide is held securely in our website and on Mailchimp. Please see ‘Who sees my data?’ below for further information.

Online customers

Purpose: To fulfil orders placed through our website including processing payment and delivering products, and to contact you in regard to any issues or updates relating to your order during and after payment.

What data do we collect? First name, last name, email address, delivery address, contact telephone number.

What’s the legal basis? Contract: Sale of the product or service.

Online event booking

Purpose: To process event bookings placed through our website including processing payment and delivering e-tickets, and to contact you in regard to any issues or updates relating to your order during and after payment.

What data do we collect? First name, last name, email address, delivery address (if required), contact telephone number. We may also gather details of any access requirements to ensure you can participate as fully as possible.

What’s the legal basis?

  • Contract: Sale of service.
  • Consent: Provision of access requirements is voluntary but enables us to make appropriate arrangements.

‘Contact us’ enquirers

Purpose: To respond to various types of visitor/customer/user enquiries, feedback and complaints.

What data do we collect? First name, last name, email address. Details of enquiry/feedback/complaint. We may also gather details of any access requirements to ensure you can participate as fully as possible.

What’s the legal basis?

  • Legal obligation: Complaints.
  • Public Interest: Enquiries relating to the collection.
  • Contract: Enquiries relating to purchases or bookings.
  • Legitimate Interest: Other enquiries.

Automated decision-making and Profiling

No automated decisions are made on the personal data collected and processed as described above.

Who sees my data?

In order to deliver our services effectively, we sometimes need to use a third party.  NGS remains responsible for keeping the data we hold about you safe and secure.  We will ensure that other organisations processing your data on our behalf do so only on our instruction and with appropriate safeguards in place.

Nationalgalleries.org account holders

Third party recipients? We store our account holders’ data in Mailchimp. NGS has a data processing agreement with them.

International Transfer? Mailchimp is based in the US. They have signed up to the EU-US Privacy Shield Framework.

Online customers

Third party recipients? Orders for prints on demand are fulfilled by a third party. NGS has a data processing agreement with them.

International Transfer? No.

Online event bookings

Third party recipients? Freelancers who may be running our events.

International Transfer? No.

Contact Us enquirers

Third party recipients? None.

International Transfer? No.

How long do we keep data?

We only hold your information for as long as is necessary for the purpose it was collected.  When we no longer need the data for that purpose, we will either delete or destroy it, or remove any data which can identify you and retain the anonymised data for analytical purposes.

If you withdraw consent you have given, or ask us not to have any further contact with you, we will keep some basic information in order to avoid sending you unwanted communications in the future.

What are my rights over access to the data you hold on me?

If we are processing your data on the basis of your consent, you can withdraw your consent at any time. You can also object to the use of your personal data at any time, where we have based our processing on public interest or legitimate interest. This may mean, however, that we are no longer able to provide you with a particular service or communication where the information processing is an integral part of the service. We will tell you if this is likely to be the case.

Subject to some legal exceptions, you also have the right:

  • To access the data we hold about you and to know what we are doing with it
  • To have any inaccuracies corrected
  • To have your personal data erased
  • To place a restriction on our processing of your data
  • To object to processing
  • To request your data to be ported (data portability)

If you want to learn more about these rights, please see the Information Commissioner’s Office (ICO) website.

Please note that if you are a nationalgalleries.org account holder, you can exercise the rights of access, accuracy, erasure and portability over the data held about you on our website when logged in to your account.  For other data held about you by NGS, or to exercise the other rights listed above, please contact the Data Protection Officer (details below).

How to contact us about your personal data or this privacy notice

If you have any questions about this privacy notice or about your personal data, please contact: 
Data Protection Officer
Director-General’s Office
National Galleries of Scotland
73 Belford Road
Edinburgh
EH4 3DS

0131 624 6473
dataprotection@nationalgalleries.org

Complaints

As well as contacting the Data Protection Officer using the details above, you can use our Feedback procedure to make a complaint about the way we process your personal information. You also have the right to lodge a complaint directly with the UK Information Commissioner's Office (ICO), the data protection supervisory authority in the UK, by visiting www.ico.org.uk.