Who we are
The National Gallery houses the national collection of paintings in the Western European tradition from the 13th to the early 20th centuries. We are the controller of your data and registered with the ICO under Data Protection Registration Number: Z5597415.
The National Gallery,
London, WC2N 5DN
We currently operate the following website: https://www.nationalgallery.org.uk
What personal information do we collect about you?
We only collect information that is necessary to run the Gallery, fulfil our obligations to you, and keep you informed about the Gallery and its activities.
The personal information we collect may include:
- your name, title, gender, and date of birth;
- your email address, phone number, postal address, billing address, delivery address;
- (in the case of Members) any named Joint Member;
- (in the case of patrons and other supporters) family and spouse/partner details, relationships to other National Gallery supporters, and/or Members and named Joint Members;
- current interests and preferences;
- feedback you may have submitted related to Gallery services and products;
- ticket purchase and event registration/attendance;
- product selections and purchases of goods or services;
- donations you have made to the Gallery
- credit card or other payment information (we only store this for as long as we need to process payment);
- contact preferences;
- bank details for setting up a regular direct debit;
- Gift Aid declaration;
- details of correspondence sent to you, or received from you;
- any other information provided by you to the National Gallery;
- images of you recorded on our CCTV cameras;
- images captured on film or photography taken in the Gallery; and
- MAC (Media Access Control) addresses of any device(s) you bring with you to the Gallery, whether or not you have connected to the Gallery’s free public Wi-Fi service. MAC addresses are identifiers which any Wi-Fi enabled device transmits when searching for a Wi-Fi connection.
Special categories of personal data
Under data protection law, certain categories of personal information are recognised as sensitive, including health information and information regarding race, religious beliefs, and political opinions (‘special category data’). We only collect such information in limited cases, and where there is a clear reason for doing so, such as in relation to accessibility, recording accidents, or dietary requirements for events.
How do we collect your personal information?
Information you give us
We collect personal information that you may provide to us including when you:
- purchase tickets or other products through the website or in the Gallery;
- sign up as a Member and/or patron;
- sign up to our email updates;
- make a donation; or
- complete a visitor survey or enter a competition.
- directly provide us with information to support the NHS Test and Trace scheme.
Information we get from your use of our website(s) and services
We collect information about the services you use and how you use them in a number of ways including:
- When you view and interact with our emails, advertisements, and content;
- Information about contact you have with us as a visitor, customer, Member, or supporter of the National Gallery;
- Information collected through use of CCTV in and around the Gallery; and
- Information collected via your MAC address when you visit the Gallery with a Wi-Fi enabled device (with Wi-Fi switched on and whether or not you have connected to the Gallery’s free public Wi-Fi service).
Information from third parties
We may also receive information about you from third parties, for example when:
- You enter a competition run on a partner website (and agree to the sharing of your information with us);
- You follow the National Gallery’s social media channels, subject to your privacy settings on those channels; or
- You make a purchase from the National Gallery Company Ltd.
Information we collect from publicly available sources
In relation to some patrons, other donors, and potential supporters we may collect publicly available information about you to assist us with our activities. See also What this means for our donors, patrons, and potential supporters.
How do we use your information and what is our legal basis for processing it?
We will only process your information if we have a legal basis for doing so under current UK data protection legislation, including:
- Processing your information because it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract, for example:
- To process payments;
- To fulfil orders for exhibition tickets or other events or services; or
- To provide you with Membership benefits, or patrons' benefits, which you are contractually entitled to receive.
- Where we are required by law to process your information, for example:
- To make a Gift Aid claim.
- Where we have your consent to process your information, for example:
- Where you have agreed to receive email updates in relation to the Gallery;
- Where you have asked to receive information about our education events for teachers, our research events, or our national programme events; or
- Where you have agreed to participate in a Gallery-based research project to improve the information we provide on our paintings.
Where you have given consent to the processing of your data you may withdraw it at any time. See below ‘What rights do you have in relation to your personal information?'
- Where processing your information is necessary for our legitimate interests, for example:
- To process donations;
- Where we conduct analysis and research in relation to our supporters.
- Where we collect MAC addresses for the purposes of monitoring and analysing the usage of, and maintaining, our free public Wi-Fi service, and also analysing (in an aggregated and anonymous format) visitor movements around the Gallery to improve our visitor experience;
- Where we collect and view images recorded on our CCTV cameras, which we use only for security reasons, to help us keep our visitors, staff, and collection safe; or
- Where (from time to time) we (or a third party) carry out any filming, including interviews or filming/photographing of talks or events in the Gallery. Where particular areas of the Gallery are going to be used for filming or photography, we will always flag this in advance with clear signage or otherwise make you aware of the filming in advance, so that you can avoid being filmed or photographed.
Where we are relying on this basis of processing you have the right to object to this. See below ‘What rights do you have in relation to your personal information?'
- As a public authority we may also process your personal data where it is necessary for performing our Public Task.
- We may process special category data (for example, health data) on the basis of additional grounds, including where it is necessary to protect an individual's vital interests (for example where you have a life-threatening accident or illness while visiting the Gallery and we have to process your personal data in order to make sure you receive appropriate medical attention).
Do we share your information with other organisations?
We will not sell your personal information to any third parties or external organisations.
Sharing your information with the National Gallery Company Ltd.
We share information with the National Gallery Company Ltd., which runs the shops and venue hire in the Gallery, and oversees the running of the cafes and restaurants in the Gallery and the sale of audio guides in the Gallery. Complaints and feedback we receive about the shops, restaurants, cafes, and audio guides may be shared with the Company and in the event of a security incident taking place in a shop, cafe, or restaurant, or at a venue hire event which is run by the Company, CCTV footage may be shared with the Company.
If you agree to receive email communications from the Gallery, we will share your information with the National Gallery Company Ltd., but they will not contact you about shops or other services they provide unless you specifically consent to this through our email preference centre.
Sharing your information with our service providers/external data processors
We may share some of your personal information with our service providers/external data processors, to carry work out on our behalf. Examples of such service providers/data processors include:
- Securitas, which provides security and visitor services within the Gallery; we share CCTV footage and other information about security incidents in the Gallery with Securitas; Securitas processes information enquiries (including requests to use the Gallery’s disabled parking space) received in the Gallery on our behalf; Securitas provides trained first-aiders in the Gallery, who record details of any accidents within the Gallery if they are called to assist; Securitas sells Memberships and exhibition tickets on desks in the Gallery, and records on our behalf personal data of those making these purchases; Securitas processes comments and complaints submitted to the Gallery and responds to these on our behalf and in liaison with us;
- The National Gallery Company Ltd. who sells Memberships and tickets online on our behalf;
- Our email distribution service provider who sends out our marketing emails;
- Our mailing house who sends out our Membership welcome and renewal packs;
- Our ticketing service provider;
- Our service provider enabling us to evaluate our education programmes; and
- Our third-party Wi-Fi infrastructure provider who collects and processes MAC addresses and information regarding usage of our Wi-Fi service on our behalf.
Any such companies are acting as our data processors and the contracts we enter into with them require them to comply with UK data protection laws, to process only for the purposes we specify, and ensure they have the appropriate controls in place to protect the security of your information.
Sharing information of patrons and donors
If you are a patron or donor we may share information with the National Gallery Trust or the American Friends of the National Gallery, London Inc. if you make your donations through one or other of those supporting charities. See What this means for our donors, patrons, and potential supporters for more information.
Sharing CCTV footage and Wi-Fi usage data
CCTV footage and Wi-Fi usage data (including MAC addresses) may, in the event of a security incident, be shared with the police and/or local authorities where it is lawful and appropriate to do so, in accordance with our legitimate interests outlined above.
Sharing with YouTube
Although we do not share your personal data with Google or YouTube, we are contractually obliged to include information about how the Gallery uses the You Tube API. The Gallery website uses YouTube API services to show YouTube videos and playlist information in its pages. We do not access, collect, store or otherwise use any user personal information from YouTube. We also do not share any website user personal information with YouTube.
The Gallery’s Cookies policy explains what cookies or other similar technology may be placed on a user’s device when accessing video content through the YouTube Player.
Sharing as part of NHS Test and Trace
How long do we keep your information?
The retention period will vary according to the nature of the purpose under which the information is held. For example:
- We retain Gift Aid declarations in accordance with HMRC guidance, which in the case of a one-off donation is generally six years from the end of the accounting period in which the donation is received; the period is longer in the case of a declaration which applies to a series of donations or if an HMRC query is received during the normal retention period; and
- we normally retain CCTV footage for 30 days although in the event of an accident or incident which may give rise to an insurance claim, which is captured on CCTV, it may be retained longer.
How do we keep your information secure?
We follow strict security procedures in the storage and disclosure of information which you have given us to try to prevent:
- Unauthorised access;
- improper use or disclosure;
- unauthorised modification; and
- accidental loss, damage, and destruction.
We are required to make sure any transfers of information will be done securely, in accordance with best practice, and in compliance with Data Protection regulations.
All our staff and data processors who have access to, and are associated with the processing of, personal information are legally obliged to respect the confidentiality of the personal information of our visitors, email subscribers, Members, shoppers, supporters, and all those who engage with us.
Transfers of data outside the EEA
In some cases, some of the services we provide or some of the processes we use may involve personal information being transferred outside the European Economic Area, for example where any data processors' servers are located outside the EEA.
If you access our website or use any of the services we provide while you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.
If we do transfer personal data outside the EEA, it will only be done on one of the lawful bases, including:
- The transfer is to a recipient in a country or territory approved by the European Commission as providing an adequate level of protection for personal data;
- the transfer is to a recipient that has entered into European Commission standard contractual clauses with us;
- the transfer is to a recipient in the United States of America who has registered under the EU/US Privacy Shield; or
- you have explicitly consented to the transfer.
If you wish to find out more about the transfer by us of your data outside the EEA, then please contact the Data Protection officer. See below ‘How to contact us’.
Links to other websites
This privacy notice does not apply to third-party websites you are directed to from our website. We encourage you to read the privacy statements on the other websites you visit.
What rights do you have in relation to your personal information?
You have certain rights in relation to your personal information. They are:
- The right to obtain confirmation that we are processing your personal information (see below our Subject Access Request process);
- The right to access your information (see below our Subject Access Request process);
- The right to have your personal information rectified if it is incomplete or inaccurate;
- The right to have your personal information removed or deleted in certain circumstances, for example when you have withdrawn consent to it being processed and we have no other basis for processing it;
- The right to restrict the processing of your personal information in certain circumstances;
- The right to object to certain processing including the right to not be subject to automated decision-making and the right to object where we are processing your information on the basis of our legitimate interest;
- Where you have provided your consent to the processing, the right to withdraw consent to the processing of your data (without affecting the lawfulness of processing based on consent before its withdrawal); and
- The right to require us not to send you marketing communications.
Please note that the above rights are not absolute, and requests may be refused where exceptions apply.
For a more detailed explanation of these rights, please see the Information Commissioner’s guidance.
Subject Access Request
You can ask us to confirm if we are keeping any personal information about you and you can also request to receive a copy of that personal information – this is called a Subject Access Request.
To make a Subject Access Request you will need to provide adequate proof of identity such as a copy of your passport, birth certificate, or driving license before your request can be processed. Please try to be as clear as possible about the information you are seeking, as this will help us respond to your request more efficiently. Once we have received your Subject Access Request and proof of identity, you will receive a response from us within a month.
If you would like to submit a Subject Access Request or exercise any of the other rights referred to above, please print out and complete a Subject Access Request form. Or email email@example.com or write to The Data Protection Officer, The National Gallery, Trafalgar Square, London, WC2N 5DN.
If you are not happy with how we handle any of your requests, queries, or concerns, you can contact the Information Commissioner’s Office (www.ico.org.uk), which oversees the protection of personal information in the UK.
We may be required to update the terms of this policy from time to time. We will notify you about any significant changes in the way we treat personal information usually by sending a notice to the primary email address you have provided or by placing a prominent notice on our website(s).
How to contact us