+ Who we are
We are the National Gallery Company Ltd, the trading arm of the National Gallery. Our purpose is to generate valuable income for the National Gallery. Our Information Protection Registration Number is Z8038395.
We are a company registered in England and Wales under number 2280277 and our registered office is at St Vincent House, 30 Orange Street, London, WC2H 7HH. https://www.nationalgallery.co.uk/.
The National Gallery is an exempt charity which houses the national collection of paintings in the Western European tradition from the 13th to the early 20th centuries. Its Information Protection Registration Number is Z5597415. The National Gallery is found at Trafalgar Square, London, WC2N 5DN.https://www.nationalgallery.org.uk/.
+ What personal information we collect
The personal information we collect includes (depending on the circumstances) your:
- name, title, gender and date of birth
- email address, phone number, postal address, billing address, delivery address
- family and spouse/partner details, relationships to other National Gallery supporters and/or Members and named Joint Members
- product selections and purchases of goods or services
- credit card or other payment information
- bank details for setting up a regular direct debit
- current interests and preferences
- feedback you may have submitted related to the National Gallery Company and National Gallery products and services
- a password
- contact preferences
- details of correspondence sent to you, or received from you
- your geographic location (for mobile devices)
- where you are on the internet (e.g. the URL you came from, IP address, domain types like .co.uk and .com), your browser type, the country and telephone area code where your computer is located, the pages of our website(s) that were viewed during your visit, the advertisements you clicked on, and any search terms that you entered on our website(s). Please see our Cookies Policy to learn more
- any other information provided by yourself to us and/or the National Gallery
Sensitive personal information
Data protection law identifies certain categories of personal information as “sensitive”, including (for example) information regarding health, race, religious beliefs, and political opinions. We only collect sensitive personal information in limited cases, where we have a valid reason for doing so, and where data protection law permits it, such as accessibility or dietary requirements for events.
+ How and why we use this personal information
Our use of your personal information will be fair, honest, sensitive, responsible, and respectful of your privacy and in line with the legal basis we have for processing it.
We will use your information to process and deliver products and services you buy from us and provide a more tailored service where applicable. In addition, we may use your information for general administration purposes and statistical analysis to help improve our products and services.
However it is collected, we use your personal information to:
- sell you products and services or provide you with the services, products or information you’ve asked for
- allow you to purchase goods
- administer payments such as purchases from our shop
- send you newsletters, updates and information, if you’ve given us permission (see Communicating with you below)
- personalise our communications (including newsletters) to you and send you communications (including newsletters) you’re interested in
- learn more about you to make what we do better for you
- organise and run events
- run competitions
- manage our website and for improvements, including troubleshooting, data analysis, testing, statistical and survey purposes
- improve your interactions with this website, for example by ensuring that content is presented in the most relevant and effective manner for you and for your device
- as part of our efforts to keep this website and its functionality safe and secure
- measure or understand the effectiveness of advertising and to deliver relevant advertising to you
- deal with enquiries and/or complaints
- carry out our legal obligations, for example arising from contracts entered into between you and us or in relation to regulatory, government and/or law enforcement bodies with whom we may work
- prevent fraud, misuse of services or money laundering
- enforce legal claims
We may analyse your personal information to ensure communications (including invitations to events) are relevant, timely, and not excessive, and provide you with an improved experience. More detail on this is provided below. Where appropriate we may share this information with the National Gallery.
We will always tell you why we need your personal details, including the explanations in this policy. We won’t ever ask you for personal details if we don’t need them. And we won’t ask for anything extra: we’ll only ask for what we really need to know to send you the products, services and information you want.
+ How we collect personal information
Information you give us directly
We collect personal information that you may provide through, for example:
- registering an online account
- buying products through our website(s) or in the Gallery
- signing up to our email newsletters and/or following the National Gallery / National Gallery Shop social media channels
- taking part in surveys or competitions
- communicating with us by phone, email or letter
Information you give us indirectly via your use of our website(s) and services
We collect information about the services you use and how you use them, such as:
- when you visit and shop our website
- when you view and interact with our emails, advertisements, and content
Information from third parties
We may also receive and gather information about you from third parties such as our business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers and search information providers.
We may also receive information about you from the National Gallery.
To the extent we have not done so already, we will notify you when we receive information about you from third parties and tell you how and why we intend to use that information.
Via our website
When you visit our website or connect to the Gallery’s Wi-Fi, we collect technical information including the internet protocol (IP) address used to connect your computer or device to the internet, as well as information about your visit to the website.
When you visit our website, cookies, small files stored on your computer help us to know who you are, remember what you’ve looked at and liked, and make using our websites better and easier. You can see more about our Cookies policy here.
From public sources
Depending on your privacy settings for social media platforms, we may access information from those accounts or services.
Filming and photography at events
We (or our service providers) or third party event hosts may film or photograph those attending or taking part in events. We may use the footage or photographs for publicity and marketing purposes. For example, in National Gallery or National Gallery Company print and/or digital material (including social media) or via external advertising and press outlets, all of which may be made available to the public. No personal details (e.g. names) of children under 16 will be used in such materials without consent from their parent or legal guardian, but we may use images where children are incidentally pictured (for example, as part of a crowd).
In general, we may combine your personal information from these different sources for the purposes set out in this Policy.
+ Why are we allowed to process your personal information
We are required to comply with data protection legislation, including the General Data Protection Regulation (GDPR).
The GDPR requires us to have one or more lawful grounds to process your personal information. We consider the following to be relevant to our use of personal information as set out in this policy:
- Where there is a legitimate reason in us doing so and the use is reasonably necessary to pursue that reason. Our legitimate reasons are set out above under ”Who we are” – namely, to manage the Company as a commercial entity, generating funds for the National Gallery by for example running the shops and cafés in the Gallery
- Some processing may be necessary so that we can fulfil a contractual relationship we have with you (for example if you purchase something from our online shop)
- Because we are required by law or other statutory requirement to process information (for example to share it with our regulators)
- In other instances, we will rely on your consent to process your personal information, for example to send you certain marketing communications via email. Details on how to manage your preferences in relation to marketing communications are described in the section Communicating with you below
+ What we share with third parties
We will only share your personal information with our employees and service providers where it is necessary in order to fulfil a valid, stated purpose, or contract or to carry work out on our behalf and improve your experience. Examples of such service providers/information processors include our:
- email service providers and online applications
- partners and suppliers to fulfil your purchase order, where necessary
- partners and suppliers to fulfil the services you have requested, where necessary
- payments, finance, governance, legal auditing requirements or any others who undertake work on our behalf
These service providers are acting as approved information processors on our behalf and the contracts we enter into with all of our information processors require them to comply with UK information protection laws, act only under our instruction, and ensure they have the appropriate controls in place to protect the security of your information.
We may disclose your information to different areas of National Gallery Company and to the National Gallery, for internal purposes and so they can contact you where this is appropriate and legitimate, or where you have given your consent to hear from them. We may also use and disclose information in aggregate (so that no individuals are identified) internally for marketing and strategic development purposes – such as anonymised information about visitor trends.
We may use information which we hold about you to show you relevant advertising on third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter). You have the right to opt out of your personal information being used for advertising purposes - if you don’t want to be shown targeted advertising messages from the National Gallery Company or National Gallery, some third party sites allow you to request not to see messages from specific advertisers on that site in future, or by changing your browser settings.
Anonymised customer and visitor statistics are published in our Annual Report and Accounts and Annual Review, and we may work additionally with third parties to conduct this type of research. We also use anonymous information about visitors to our website, the National Gallery Wi-Fi service, or in-gallery technology such as audio guides.
We will not sell your personal information to any third parties or external organisations.
In the event we transfer or receive any business or assets (such as a reorganisation) we may disclose your personal information to the other parties involved in the transfer.
We might need to share your personal information more widely if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions(https://www.nationalgallery.co.uk/control/terms) of supply and other agreements, or to protect the rights, property, or safety of the National Gallery Company, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
+ Communicating with you
Essential shop communications
As a shopper/customer there are some essential service communications that are necessary to fulfil our contract with you, and therefore separate from your marketing communication contact preferences. These include for example order acknowledgements.
When you create a shopping account or when you access our website you will be given the option to consent to receive marketing information from us by email, including about products, promotions, events or special offers which we feel may be of interest to you.
If you have given us a contact email address and your consent to do so (e.g. via our website, National Gallery Wi-Fi, data kiosks or through our Venue Hire team), we will contact you for marketing purposes via email. These marketing communications include, for example, our new product ranges and special offers from our shops, cafés and restaurant, events, surveys, competitions, National Gallery exhibitions and information about changes in our services, we think you'll find of interest based on your relationship with us.
We may ask for your consent to receive such communications from us.
Please see the “changing your email marketing preferences” below to manage the communications you receive.
Changing your email marketing preferences
It is always your choice as to whether you want to receive email marketing updates from us the National Gallery Company about the shops and venue hire or from the National Gallery about exhibitions, events and news that support and conserve the collection.
You can change your communication marketing preferences at any time (including telling us that you don’t want us to contact you for marketing purposes) by:
- Log into our email communication preference center here using the email address you used to receive our emails - please note that you will be asked to create a password. This will enable you to decide which type of email marketing communications you want to receive from us.;
- indicating that you do not wish to receive our marketing emails by clicking the ‘unsubscribe’ link at the end of our marketing emails;
- contacting us at firstname.lastname@example.org
If you have indicated that you do not wish to be contacted for email marketing communication purposes, we will maintain your details on a suppression list to help us ensure that we do not continue to contact you for marketing purposes.
Our email marketing communications makes use of a "Clear Image" (gif) to track the results of the email campaign. If you wish to turn off this tracking, you can by turning off the images in the email. Tools may also be used to monitor the effectiveness of our communications with you, including email tracking, which records when an e-newsletter from us is opened and/or how many links are clicked within the message. The information from this tracking is generally used in an aggregated and anonymised form. Please see our Cookies policy to learn more
As explained above, we will continue to send you essential shop communications that we are required to send for administrative and contract purposes.
If you have provided us with your postal address we may send you direct mail about our work unless you have told us that you don’t want to receive such information via this channel. You can change your direct mail marketing preferences by contacting us at: email@example.com
Tailoring our communications
We are committed to communicating with you using an approach that is right for you. This means we carefully manage the communications we send you to ensure that we are contacting you in the most relevant way.
If you do not want your information to be combined and analysed in this way, or receive personalised marketing communications from us, you can visit our email preference center here to change your preferences or to unsubscribe. Or you can unsubscribe by clicking the ‘unsuscribe’ link at the end of our marketing emails; or you can contact us, as described in the Contact us section.
+ How we keep your personal information safe
We follow strict security procedures in the storage and disclosure of information which you have given us to try and prevent its loss, destruction, misuse, alteration, unauthorised disclosure of or access to it.
We are required to ensure any transfers of information will be done securely, in accordance with best practice, and in compliance with data protection laws.
All our employees and information processors, who have access to, and are associated with the processing of personal information, are legally obliged to respect the confidentiality of your personal information. Our security procedures mean that we may occasionally request proof of identity before we are able to disclose sensitive information to you.
Please note that despite our endeavours we cannot guarantee the security of personal information transmitted via the internet.
Transfers of data outside the EEA
In some cases, some of the services we provide or some of the processes we use may involve personal information being transferred outside the European Economic Area, for example where any data processor’s servers are located outside the EEA.
If you access our website or use any of the services we provide while you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.
If we do transfer personal data outside the EEA, it will only be done on one of the lawful bases including:
- the transfer is to a recipient that has entered into European Commission standard contractual clauses with us;
- the transfer is to a recipient in the United States of America who has registered under the EU/US Privacy Shield; or
- you have explicitly consented to the transfer.
If you would like to find out more about the transfer by us of your data outside the EEA, you can contact us, as described in the How to contact us section.
Links to other websites
This privacy notice does not cover the links within our sites linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
+ How long we keep your personal information
In general, unless still required in connection with the purpose(s) for which it was collected and/or is processed, we remove your personal information from our records seven years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.
If you ask not to receive any further contact from us, we will keep some basic information about you in order to avoid sending you unwanted materials in the future.
+ Your rights
You have certain rights under data protection laws in relation to your personal information. These include the right:
- To access your information (please see below for the process)
- To erasure – of your personal information from our records (or to anonymise it)
- To rectification – to ask us to update our records if they are inaccurate
- To restrict processing – if there is any disagreement about its accuracy or legitimate usage
- To object – to our processing of your personal information in certain circumstances, including when using your personal information for direct marketing
- To withdraw consent at any time, where we are relying on that consent to use your personal information
- To find out more information from or to make a complaint to the Information Commissioner’s Office (ICO) about the way we have used your personal information.
Please note that you may only use/benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the ICO – www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
The ICO is the regulatory for data privacy in the UK. Its contact details can be found at www.ico.org.uk/global/contact-us/.
Subject Access Requests
You can ask us if we are keeping any personal information about you and you can also request to receive a copy of that personal information – this is called a Subject Access Request.
To make a Subject Access Request you will need to provide adequate proof of identity such as a copy of your passport, birth certificate or driving license before your request can be processed. Please try to be as clear as possible about the information you are seeking, as this will help us respond to your request more efficiently. Once we have received your Subject Access Request and proof of identity, you will receive a response from us within a month and you will be able to get copies of any information we hold on you.
Please send Subject Access Requests and/or requests for us to update or correct your personal information to:
- email: firstname.lastname@example.org
- phone: +44 (0)20 7747 5102
- or write to us at National Gallery Company Ltd, St Vincent House, 30 Orange Street, London, WC2H 7HH
- our Data Protection Officer is Tara Jay
We keep this policy under review and may update it from time to time. We will notify you about any significant changes, usually by sending a notice to the primary email address you have provided or by placing a notice on our website(s). This policy was last updated on 31.07.2019.
+ Contact us
- email: email@example.com
- phone: 020 7747 5102
- post: National Gallery Company Ltd, St Vincent House, 30 Orange Street, London, WC2H 7HH