General Privacy Notice

The Board of Trustees of the National Gallery houses the national collection of paintings in the Western European tradition from the 13th to the early 20th centuries. Under the UK GDPR, we are the data controller of your data and registered with the ICO under Data Protection Registration Number: Z5597415.

We are located in:

The National Gallery,
Trafalgar Square,
London, WC2N 5DN

We currently operate the following websites: https://www.nationalgallery.org.uk and https://www.shop.nationalgallery.org.uk.

The National Gallery Global Limited, is a separate wholly owned legal entity whose main purpose is to generate valuable income for the Board of Trustees of the National Gallery. It runs shops in the Gallery, enters into contracts for venue hire at the Gallery, oversees the running of the restaurants and cafes, oversees the sale of audio guides, acts as our agent for ticketed exhibitions and events, and runs our Membership Scheme. It is registered with the ICO under Data Protection Registration Number: Z8038395.

We only collect personal information that is necessary to run the Gallery, fulfil our obligations to you, and keep you informed about our activities.

Personal information means any information about an individual from which that person can be identified. This does not include anonymised information.

We may collect, store, and use the following personal information about you:

• personal details (name, title, gender, and date of birth);
• contact details (email address, phone number, and postal address), and contact preferences;
• (in the case of Members) any named Joint Member;
• (in the case of patrons and other supporters) family and spouse/partner details, relationships to other Gallery supporters, and/or Members and named Joint Members;
• current interests, preferences and previous activities with the Gallery, such as ticket purchase, event registration/attendance, product selections, and purchase of goods or services;
• feedback submitted related to Gallery services and products and responses to our visitor surveys;
• participation in a competition operated by us or one of our partners;
• donations made to the Gallery;
• financial information: credit card or other payment information (we only store this for as long as we need to process payment), bank details for setting up a regular direct debit, billing and delivery address;
• details of Gift Aid declaration (if applicable to any donation made);
• details provided in correspondence sent or received;
• a password for your online account (although we will not be able to see this)
• any other information provided by you to the Gallery;
• images recorded on our CCTV cameras;
• images captured on film or photography taken in the Gallery and at Gallery external events; and
• MAC (Media Access Control) addresses of any device(s) you bring with you to the Gallery, whether or not you have connected to our free public Wi-Fi service. MAC addresses are identifiers which any Wi-Fi enabled device transmits when searching for a Wi-Fi connection.

If you are a Member, a patron, or donor, please visit our ‘Further reading’ section for more details about the personal data we collect for our Members and other supporters.

In addition to the above, when you visit our website, we use cookies to improve your experience and personalise the service you receive. See our Cookies Policy for more information.

Special categories of personal data

Under data protection law, certain categories of personal information are recognised as sensitive, including information regarding health, race, religious beliefs, and political opinions (‘special category data’). We only collect such information in limited cases, and where there is a clear reason for doing so, such as in relation to accessibility, recording accidents, or dietary requirements for events.

Direct information

We collect personal information that is provided to us directly by you, for example when you:

• purchase tickets/products through the website or in person;
• sign up as a Member and/or patron;
• sign up to our email updates;
• register an online account;
• make a donation;
• complete a visitor or shop survey or enter a competition; or
• communicate with us by phone, email, or letter.

Indirect information

We collect information about the services you use and how you use them, for example:

• when you visit our website, see our Cookies Policy for more information,
• when you view and interact with our emails, advertisements, and content;
• information about contact you have with us;
• through the use of CCTV in and around our premises for monitoring and security purposes; and
• information collected via your MAC address when you visit the Gallery, for the purpose of maintaining our free public Wi-Fi service, and monitoring and analysing this usage (in an aggregated and anonymous format) to improve our visitor experience.

Information from third parties

We may also receive information about you from third parties, for example when you:

• enter a competition run on a partner website (and agree to the sharing of your information with us); or
• follow our social media channels (subject to your privacy settings on those channels).

Information from publicly available sources

In relation to some patrons, other donors, and potential supporters, we may collect publicly available information about you to assist us with our activities. See also What this means for our donors, patrons, and potential supporters.

We will only process your information if we have a legal basis for doing so under current UK data protection law, including:

• Processing your information because it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract, for example to:
  • process payment(s);
  • fulfil orders for exhibition tickets or other events, goods or services; or
  • provide Membership or patrons' benefits and communications, which you are contractually entitled to receive.
• Where we are required by law to process your information, for example to:
  • make a Gift Aid claim.
• Where we have your consent to process your information, for example when:
  • you have agreed to receive email updates (including offers, newsletters or fundraising appeals in accordance with your preferences);
  • you have asked to receive information about our education events for teachers, our research events, or our national programme events; or
  • you have agreed to participate in a Gallery-based research project to improve the information we provide on our paintings.

Where you have given consent to the processing of your data you may withdraw it at any time. See below ‘What rights do you have in relation to your personal information?’.

• Where processing your information is necessary for our legitimate interests, for example:
  • for certain types of marketing, such as postal marketing (see What this means for our email and postal subscribers);
  • to process donations;
  • where we combine information we hold about you to better understand your interests and preferences so that we can target communications we send to you in line with this privacy notice;
  • where we conduct analysis and research in relation to our visitors and supporters;
  • where we collect MAC addresses;
  • where we collect and view images recorded on our CCTV cameras; or
  • where we (or a third party) carry out any filming, including interviews, or filming/photography of talks, or events in the Gallery. Where our areas are going to be used for filming or photography, we will flag this in advance with clear signage or otherwise make you aware so that you can avoid being filmed or photographed. We take great care to protect the rights of children and do not use the personal information of anyone under 13 years old in such materials without the explicit consent of their parent or legal guardian. We may, however, use images where children are incidentally pictured (for example, as part of a crowd).

Where we are relying on this basis of processing you have the right to object to this. See below ‘What rights do you have in relation to your personal information?'

• As a public authority we may also process your personal data where it is necessary for performing our Public Task.
• We may process special category data (for example, health data) on the basis of additional grounds, including where it is necessary to protect an individual's vital interests (for example where you have a life-threatening accident or illness while visiting us and we have to process your personal data in order to make sure you receive appropriate medical attention).

Our basis for processing your data in relation to your visit is set out in the What this means for our visitors section of this notice.

We will not sell your personal information to any third parties or external organisations.

Sharing your information with our service providers/external data processors

As well as sharing within the Gallery companies (i.e., Board of Trustees of the National Gallery and National Gallery Global Limited), we may share some of your personal information with our service providers/external data processors, to carry work out on our behalf. Examples of such service providers/data processors include:

• CIS Limited, which provides security and visitor services within the Gallery. We share CCTV footage and other information about security incidents in the Gallery with CIS Limited; they process information enquiries (including requests to use our disabled parking space) on our behalf; provide trained first-aiders in the Gallery, who record details of any accidents if they are called to assist; sell Memberships and exhibition tickets on desks in the Gallery, record, on our behalf, personal data of those making these purchases; and process comments and complaints submitted to the Gallery, and respond to these on our behalf and in liaison with us;
• our email distribution service provider, who sends out our marketing and service communications;
• our mailing house, who sends out our Membership welcome and renewal packs, and postal marketing communications;
• our ticketing service provider;
• our service provider, who enables us to evaluate our education programmes;
• our warehouse, who sends online shop orders;
• our third party suppliers, who send online shop orders directly to customers;
• our analytics partner, who collates our statistical data and performs analysis of this data on our behalf;
• our third-party Wi-Fi infrastructure provider, who collects and processes MAC addresses and information regarding usage of our Wi-Fi service on our behalf; and
• our third-party advertisers such as Facebook who help us target our advertising communications. For example, if we are running a social media advertising campaign, we may provide some pseudonymised data to the third-party site which leverages information such as demographics, interests, and behaviours for matching purposes. This enables us to profile and identify new users likely to be interested in our content.

Any such companies are acting as our data processors under UK GDPR, and the contracts we enter into with them require them to comply with UK data protection laws. This means they can only process your personal information for the purposes we specify, and we ensure they have the appropriate controls in place to protect the security of your information.

Sharing information of patrons and donors

If you are a patron or donor, we may share information with the National Gallery Trust or the American Friends of the National Gallery, London Inc. if you make your donations through one or other of those supporting charities. See What this means for our donors, patrons, and potential supporters for more information.

Sharing CCTV footage and Wi-Fi usage data

CCTV footage and Wi-Fi usage data (including MAC addresses) may, in the event of a security incident, be shared with the police and/or local authorities where it is lawful and appropriate to do so, in accordance with our legitimate interests outlined above.

Sharing with YouTube

Although we do not share your personal data with Google or YouTube, we are contractually obliged to include information about how we use YouTube API.

The Gallery website uses YouTube API services to show YouTube videos and playlist information in its pages. We do not access, collect, store or otherwise use any user personal information from YouTube. We also do not share any website user personal information with YouTube.

By accessing the YouTube videos through the YouTube API on our website, your personal information may be collected by YouTube. For further information on how Google and YouTube handle your personal information, please refer to the Google Privacy Policy.

Our Cookies Policy explains what cookies or other similar technology may be placed on a user’s device when accessing video content through the YouTube Player.

Compliance with IAB Europe TCF Policies

The Gallery participates in the IAB Europe Transparency and Consent Framework and complies with its Specifications and Policies. The Gallery uses the Consent Management Platform with the identification number 134.

We will only retain your personal information for as long as necessary to fulfil our contractual obligations to you, comply with legal requirements, tax, and accounting rules, or for other reasonable legal purposes set out in this notice.

The retention period will vary according to the nature of the purpose under which the information is held. For example:

• we retain Gift Aid declarations in accordance with HMRC guidance, which in the case of a one-off donation is generally ten years from the end of the accounting period in which the donation is received; the period is longer in the case of a declaration which applies to a series of donations or if an HMRC query is received during the normal retention period;
• we retain active Member account information subject to requests for erasure and/or transfers of Membership (for example to next of kin); and
• we retain CCTV footage for 31 days, although in the event of an accident or incident, which may give rise to an insurance claim, footage may be retained longer.

We follow strict security procedures in the storage and disclosure of personal information to prevent:

• unauthorised access;
• improper use or disclosure;
• unauthorised modification; and
• accidental loss, damage, and destruction.

We are required to make sure any transfers of information will be done securely, in accordance with best practice, and in compliance with applicable laws and regulations.

All our staff and data processors who have access to, and are associated with the processing of personal information, are legally obliged to respect the confidentiality of your personal information.

Transfers of data outside the United Kingdom (‘UK’)

In some cases, some of the services we provide or some of the processes we use may involve personal information being transferred outside the UK, for example where any data processors' servers are located outside the UK.

If you access our website or use any of the services we provide while you are outside the UK, your information may be transferred outside the UK in order to provide you with those services.

If we do transfer personal data outside the UK, it will only be done so on a permitted basis under UK law, including:

• the transfer is to a recipient in a country or territory approved by the European Commission as providing an adequate level of protection for personal data;
• (for transfer arrangements concluded before 21 September 2022) the transfer is to a recipient that has entered into European Commission (‘EU’) standard contractual clauses with us. This will continue to be valid until 21 March 2024;
• (for transfer arrangements after 21 September 2022) the transfer is to a recipient that has entered into either the UK’s new International Data Transfer Agreement or the UK’s new International Data Transfer Addendum to the EU’s new standard contractual clauses; or
• you have explicitly consented to the transfer.

If you wish to find out more about the transfer by us of your data outside the UK, then please contact the Data Protection Officer. See below ‘How to contact us’.

Links to other websites

This notice does not apply to third-party websites you are directed to from our website. When you leave our website, we encourage you to read the privacy statements on the other websites.

You have certain rights in relation to your personal information. You have the right to:

1. obtain confirmation that we are processing your personal information;
2. access your information (see below our Subject Access Request process);
3. rectification of your personal information if incomplete or inaccurate;
4. erasure in certain circumstances, for example when you have withdrawn consent to it being processed and we have no other basis for processing it;
5. restrict the processing of your personal information in certain circumstances;
6. object to certain processing including the right to not be subject to automated decision-making and the right to object where we are processing your information on the basis of our legitimate interest; and
7. withdraw consent to the processing of your data (without affecting the lawfulness of processing based on consent before its withdrawal).; and
8. opt out of marketing communications.

Please note that the above rights may not apply in all circumstances, and requests may be refused where legal exceptions apply.

For a more detailed explanation of these rights, please see the Information Commissioner’s guidance.

Subject Access Request

You can request to receive a copy of personal information we hold about you, this is called a Subject Access Request (‘SAR’).

You will need to provide adequate proof of identity, such as a copy of your passport, birth certificate, or driving license, before your request can be processed. We will respond within one month of receipt of your request; please try to be as clear as possible about the information you are seeking, as this will help us respond to your request more efficiently.

If you would like to submit a SAR or exercise any of the other rights referred to above, please print out and complete a Subject Access Request Form. Alternatively, you can email dataprotection@nationalgallery.org.uk or write to the Data Protection Officer, The National Gallery, Trafalgar Square, London, WC2N 5DN.

If you have any queries about our privacy notice, or want to raise a concern about how we process the information we hold about you, please email dataprotection@nationalgallery.org.uk or write to the Data Protection Officer at The National Gallery, Trafalgar Square, London, WC2N 5DN.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), which oversees the protection of personal information in the UK (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.