We are National Gallery Global Limited, the commercial arm of the National Gallery. Our purpose is to generate valuable income for the National Gallery. Our Information Protection Registration Number is Z8038395.

We are a company registered in England and Wales under number 2280277 and our registered office is at Trafalgar Square, London WC2N 5DN. https://shop.nationalgallery.org.uk/

The National Gallery is an exempt charity which houses the national collection of paintings in the Western European tradition from the 13th to the early 20th centuries. Its Information Protection Registration Number is Z5597415. The National Gallery is found at Trafalgar Square, London, WC2N 5DN.https://www.nationalgallery.org.uk/.

You can view the National Gallery’s privacy policy here.

Our use of your personal information will be fair, honest, sensitive, responsible, and respectful of your privacy and in line with the legal basis we have for processing it.

We will use your information to process and deliver products and services you buy from us and provide a more tailored service where applicable. In addition, we may use your information for general administration purposes and statistical analysis to help improve our products and services.

However it is collected, we use your personal information to:

• sell you products and services or provide you with the services, products or information you’ve asked for
• allow you to purchase goods
• administer payments such as purchases from our shop
• send you newsletters, updates and information, if you’ve given us permission (see "Communicating with you" below)
• personalise our communications (including newsletters) to you and send you communications (including newsletters) you’re interested in
• learn more about you to make what we do better for you
• organise and run events
• run competitions
• manage our website and for improvements, including troubleshooting, data analysis, testing, statistical and survey purposes
• improve your interactions with this website, for example by ensuring that content is presented in the most relevant and effective manner for you and for your device
• as part of our efforts to keep this website and its functionality safe and secure
• measure or understand the effectiveness of advertising and to deliver relevant advertising to you
• deal with enquiries and/or complaints
• carry out our legal obligations, for example arising from contracts entered into between you and us or in relation to regulatory, government and/or law enforcement bodies with whom we may work
• prevent fraud, misuse of services or money laundering
• enforce legal claims

We may analyse your personal information to ensure communications (including invitations to events) are relevant, timely, and not excessive, and provide you with an improved experience. More detail on this is provided below. Where appropriate we may share this information with the National Gallery.

We will always tell you why we need your personal details, including the explanations in this policy. We won’t ever ask you for personal details if we don’t need them. And we won’t ask for anything extra: we’ll only ask for what we really need to know to send you the products, services and information you want.

Information you give us directly
We collect personal information that you may provide through, for example:

• registering an online account
• buying products through our website(s) or in the Gallery
• signing up to our email newsletters and/or following the National Gallery / National Gallery Shop social media channels
• taking part in surveys or competitions
• communicating with us by phone, email or letter

Information you give us indirectly via your use of our website(s) and services
We collect information about the services you use and how you use them, such as:

• when you visit and shop our website
• when you view and interact with our emails, advertisements, and content

Information from third parties
We may also receive and gather information about you from third parties such as our business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers and search information providers.

We may also receive information about you from the National Gallery.

To the extent we have not done so already, we will notify you when we receive information about you from third parties and tell you how and why we intend to use that information.

Via our website
When you visit our website or connect to the Gallery’s Wi-Fi, we collect technical information including the internet protocol (IP) address used to connect your computer or device to the internet, as well as information about your visit to the website.

When you visit our website, cookies, small files stored on your computer help us to know who you are, remember what you’ve looked at and liked, and make using our websites better and easier. You can see more about our Cookies policy here.

From public sources
Depending on your privacy settings for social media platforms, we may access information from those accounts or services.

Filming and photography at events
We (or our service providers) or third party event hosts may film or photograph those attending or taking part in events. We may use the footage or photographs for publicity and marketing purposes. For example, in National Gallery or National Gallery Company print and/or digital material (including social media) or via external advertising and press outlets, all of which may be made available to the public. No personal details (e.g. names) of children under 16 will be used in such materials without consent from their parent or legal guardian, but we may use images where children are incidentally pictured (for example, as part of a crowd).

In general, we may combine your personal information from these different sources for the purposes set out in this Policy.

We are required to comply with data protection legislation, including the General Data Protection Regulation (GDPR).

The GDPR requires us to have one or more lawful grounds to process your personal information. We consider the following to be relevant to our use of personal information as set out in this policy:

• Where there is a legitimate reason in us doing so and the use is reasonably necessary to pursue that reason. Our legitimate reasons are set out above under ”Who we are” – namely, to manage the Company as a commercial entity, generating funds for the National Gallery by for example running the shops and cafés in the Gallery
• Some processing may be necessary so that we can fulfil a contractual relationship we have with you (for example if you purchase something from our online shop)
• Because we are required by law or other statutory requirement to process information (for example to share it with our regulators)
• In other instances, we will rely on your consent to process your personal information, for example to send you certain marketing communications via email. Details on how to manage your preferences in relation to marketing communications are described in the section "Communicating with you" below

We will only share your personal information with our employees and service providers where it is necessary in order to fulfil a valid, stated purpose, or contract or to carry work out on our behalf and improve your experience. Examples of such service providers/information processors include our:

• email service providers and online applications
• partners and suppliers to fulfil your purchase order, where necessary
• partners and suppliers to fulfil the services you have requested, where necessary
• payments, finance, governance, legal auditing requirements or any others who undertake work on our behalf

These service providers are acting as approved information processors on our behalf and the contracts we enter into with all of our information processors require them to comply with UK information protection laws, act only under our instruction, and ensure they have the appropriate controls in place to protect the security of your information.

We may disclose your information to different areas of National Gallery Company and to the National Gallery, for internal purposes and so they can contact you where this is appropriate and legitimate, or where you have given your consent to hear from them. We may also use and disclose information in aggregate (so that no individuals are identified) internally for marketing and strategic development purposes – such as anonymised information about visitor trends.

We may use information which we hold about you to show you relevant advertising on third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter). You have the right to opt out of your personal information being used for advertising purposes - if you don’t want to be shown targeted advertising messages from the National Gallery Company or National Gallery, some third party sites allow you to request not to see messages from specific advertisers on that site in future, or by changing your browser settings.

Anonymised customer and visitor statistics are published in our Annual Report and Accounts and Annual Review, and we may work additionally with third parties to conduct this type of research. We also use anonymous information about visitors to our website, the National Gallery Wi-Fi service, or in-gallery technology such as audio guides.

We will not sell your personal information to any third parties or external organisations.

In the event we transfer or receive any business or assets (such as a reorganisation) we may disclose your personal information to the other parties involved in the transfer.

We might need to share your personal information more widely if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions(https://shop.nationalgallery.org.uk/terms) of supply and other agreements, or to protect the rights, property, or safety of the National Gallery Global, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Essential shop communications

As a shopper/customer there are some essential service communications that are necessary to fulfil our contract with you, and therefore separate from your marketing communication contact preferences. These include for example order acknowledgements.

Email marketing
When you access our website, at the bottom of every one of our website pages you are able to consent to receive marketing information from us by email, including about products, promotions, events or special offers which we feel may be of interest to you.

If you have given us a contact email address and your consent to do so (e.g. via our website, National Gallery Wi-Fi, data kiosks or through our Venue Hire team), we will contact you for marketing purposes via email. These marketing communications include, for example, our new product ranges and special offers from our shops, cafés and restaurant, events, surveys, competitions, National Gallery exhibitions and information about changes in our services, we think you'll find of interest based on your relationship with us.

We may ask for your consent to receive such communications from us.

Please see the “changing your email marketing preferences” below to manage the communications you receive.

Changing your email marketing preferences

It is always your choice as to whether you want to receive email marketing updates from us the National Gallery Company about the shops and venue hire or from the National Gallery about exhibitions, events and news that support and conserve the collection.

You can change your communication marketing preferences at any time (including telling us that you don’t want us to contact you for marketing purposes) by:

• Log into our email communication preference center here using the email address you used to receive our emails - please note that you will be asked to create a password. This will enable you to decide which type of email marketing communications you want to receive from us.;
• indicating that you do not wish to receive our marketing emails by clicking the ‘unsubscribe’ link at the end of our marketing emails;
• contacting us at dataprotection@nationalgallery.org.uk

If you have indicated that you do not wish to be contacted for email marketing communication purposes, we will maintain your details on a suppression list to help us ensure that we do not continue to contact you for marketing purposes.

Our email marketing communications makes use of a "Clear Image" (gif) to track the results of the email campaign. If you wish to turn off this tracking, you can by turning off the images in the email. Tools may also be used to monitor the effectiveness of our communications with you, including email tracking, which records when an e-newsletter from us is opened and/or how many links are clicked within the message. The information from this tracking is generally used in an aggregated and anonymised form. Please see our Cookies policy to learn more

As explained above, we will continue to send you essential shop communications that we are required to send for administrative and contract purposes.

Postal communications
If you have provided us with your postal address we may send you direct mail about our work unless you have told us that you don’t want to receive such information via this channel. You can change your direct mail marketing preferences by contacting us at: dataprotection@nationalgallery.org.uk

Tailoring our communications
We are committed to communicating with you using an approach that is right for you. This means we carefully manage the communications we send you to ensure that we are contacting you in the most relevant way.

In order to do this, we may combine the information we collect about you (including via your interactions with our website and our use of cookies) and analyse what we know about your interests, preferences and interactions with our website(s) and marketing emails to create a profile so we can contact you in the most appropriate way and with the most relevant information. Example communications that use profiling in this manner include our email updates, newsletters, exhibition pre and post visits emails, abandon browse and abandon basket reminders, recommendations, favourites and associated updates.

If you do not want your information to be combined and analysed in this way, or receive personalised marketing communications from us, you can visit our email preference center here to change your preferences or to unsubscribe. Or you can unsubscribe by clicking the ‘unsubscribe’ link at the end of our marketing emails; or you can contact us, as described in the Contact us section.

We follow strict security procedures in the storage and disclosure of information which you have given us to try and prevent its loss, destruction, misuse, alteration, unauthorised disclosure of or access to it.

We are required to ensure any transfers of information will be done securely, in accordance with best practice, and in compliance with data protection laws.

All our employees and information processors, who have access to, and are associated with the processing of personal information, are legally obliged to respect the confidentiality of your personal information. Our security procedures mean that we may occasionally request proof of identity before we are able to disclose sensitive information to you.

Please note that despite our endeavours we cannot guarantee the security of personal information transmitted via the internet.

Transfers of data outside the EEA
In some cases, some of the services we provide or some of the processes we use may involve personal information being transferred outside the European Economic Area, for example where any data processor’s servers are located outside the EEA.

If you access our website or use any of the services we provide while you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.

If we do transfer personal data outside the EEA, it will only be done on one of the lawful bases including:

• the transfer is to a recipient that has entered into European Commission standard contractual clauses with us;
• the transfer is to a recipient in the United States of America who has registered under the EU/US Privacy Shield; or
• you have explicitly consented to the transfer.

If you would like to find out more about the transfer by us of your data outside the EEA, you can contact us, as described in the How to contact us section.

Links to other websites
This privacy notice does not cover the links within our sites linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

In general, unless still required in connection with the purpose(s) for which it was collected and/or is processed, we remove your personal information from our records seven years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.

If you ask not to receive any further contact from us, we will keep some basic information about you in order to avoid sending you unwanted materials in the future.

You have certain rights under data protection laws in relation to your personal information. These include the right:

• To access your information (please see below for the process)
• To erasure – of your personal information from our records (or to anonymise it)
• To rectification – to ask us to update our records if they are inaccurate
• To restrict processing – if there is any disagreement about its accuracy or legitimate usage
• To object – to our processing of your personal information in certain circumstances, including when using your personal information for direct marketing
• To withdraw consent at any time, where we are relying on that consent to use your personal information
• To find out more information from or to make a complaint to the Information Commissioner’s Office (ICO) about the way we have used your personal information.

Please note that you may only use/benefit from some of these rights in limited circumstances. For more information, we suggest that you consult guidance from the ICO – www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

The ICO is the regulatory for data privacy in the UK. Its contact details can be found at www.ico.org.uk/global/contact-us/.

Subject Access Requests

You can ask us if we are keeping any personal information about you and you can also request to receive a copy of that personal information – this is called a Subject Access Request.

To make a Subject Access Request you will need to provide adequate proof of identity such as a copy of your passport, birth certificate or driving license before your request can be processed. Please try to be as clear as possible about the information you are seeking, as this will help us respond to your request more efficiently. Once we have received your Subject Access Request and proof of identity, you will receive a response from us within a month and you will be able to get copies of any information we hold on you.

Please send Subject Access Requests and/or requests for us to update or correct your personal information to:
- email: dataprotection@nationalgallery.co.uk
- phone: +44 (0)20 7747 5102
- or write to us at National Gallery Company Ltd, Trafalgar Square, London WC2N 5DN

If you have any queries or concerns about our privacy policy or the way in which we use your personal information, or if you want to update any of the information we hold about you, please contact us:

• email: dataprotection@nationalgallery.org.uk
• phone: 020 7747 5102
• post: National Gallery Global Limited, Trafalgar Square, London WC2N 5DN

We may be required to update the terms of this notice from time to time. We will notify you about any significant changes in the way we treat personal information usually by sending a notice to the primary email address you have provided or by placing a prominent notice on our website(s). It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

This privacy notice was last updated on 22nd July 2022.

The ‘National Gallery’ is the trading name of the Board of Trustees of the National Gallery. This privacy notice covers the use of personal information by both the Board of Trustees of the National Gallery and our wholly owned trading company, National Gallery Global Limited. We refer to ourselves throughout this notice as the ‘Gallery’, ‘we’ or ‘us’.  We share personal data responsibly between our two legal entities where necessary for the purposes set out in this privacy notice.

We are committed to protecting the privacy and security of your personal information and will only use this legally and responsibly.

This privacy notice describes how we collect and use your personal information; what we do with it; and with whom it might be shared, in accordance with the UK General Data Protection Regulation (‘UK GDPR’) and other applicable information laws.

This privacy notice contains links to other internet pages which contain details about specific activities we undertake. These pages are deemed to form part of this notice:

• What this means for our email and postal subscribers
• What this means for our members
• What this means for our donors, patrons, and potential supporters
• What this means for your visit

We only collect personal information that is necessary to run the Gallery, fulfill our obligations to you, and keep you informed about our activities.

Personal information means any information about an individual from which that person can be identified. This does not include anonymised information.

We may collect, store, and use the following personal information about you:

• personal details (name, title, gender, and date of birth);
• contact details (email address, phone number, and postal address), and contact preferences;
• (in the case of Members) any named Joint Member;
• (in the case of patrons and other supporters) family and spouse/partner details, relationships to other Gallery supporters, and/or Members and named Joint Members;
• current interests, preferences and previous activities with the Gallery, such as ticket purchase, event registration/attendance, product selections, and purchase of goods or services;
• feedback submitted related to Gallery services and products and responses to our visitor surveys;
• participation in a competition operated by us or one of our partners;
• donations made to the Gallery;
• financial information: credit card or other payment information (we only store this for as long as we need to process payment), bank details for setting up a regular direct debit, billing and delivery address;
• details of Gift Aid declaration (if applicable to any donation made);
• details provided in correspondence sent or received;
• a password for your online account (although we will not be able to see this)
• any other information provided by you to the Gallery;
• images recorded on our CCTV cameras;
• images captured on film or photography taken in the Gallery and at Gallery external events; and
• MAC (Media Access Control) addresses of any device(s) you bring with you to the Gallery, whether or not you have connected to our free public Wi-Fi service. MAC addresses are identifiers which any Wi-Fi enabled device transmits when searching for a Wi-Fi connection.

If you are a Member, a patron, or donor, please visit our ‘Further reading’ section for more details about the personal data we collect for our Members and other supporters.

In addition to the above, when you visit our website, we use cookies to improve your experience and personalise the service you receive. See our Cookies Policy for more information.

Special categories of personal data
Under data protection law, certain categories of personal information are recognised as sensitive, including information regarding health, race, religious beliefs, and political opinions (‘special category data’). We only collect such information in limited cases, and where there is a clear reason for doing so, such as in relation to accessibility, recording accidents, or dietary requirements for events.

Direct information
We collect personal information that is provided to us directly by you, for example when you:

• purchase tickets/products through the website or in person;
• sign up as a Member and/or patron;
• sign up to our email updates;
• register an online account;
• make a donation;
• complete a visitor or shop survey or enter a competition; or
• communicate with us by phone, email, or letter.

Indirect information
We collect information about the services you use and how you use them, for example:

• when you visit our website, see our Cookies Policy  for more information;
• when you view and interact with our emails, advertisements, and content;
• information about contact you have with us;
• through the use of CCTV in and around our premises for monitoring and security purposes; and
• information collected via your MAC address when you visit the Gallery, for the purpose of maintaining our free public Wi-Fi service, and monitoring and analysing this usage (in an aggregated and anonymous format) to improve our visitor experience.

Information from third parties
We may also receive information about you from third parties, for example when you:

• enter a competition run on a partner website (and agree to the sharing of your information with us); or
• follow our social media channels (subject to your privacy settings on those channels).

Information from publicly available sources
In relation to some patrons, other donors, and potential supporters, we may collect publicly available information about you to assist us with our activities. See also What this means for our donors, patrons, and potential supporters.

We will only process your information if we have a legal basis for doing so under current UK data protection law, including:

 - Processing your information because it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract, for example to:

• process payment(s);
• fulfil orders for exhibition tickets or other events, goods or services; or
• provide Membership or patrons' benefits and communications, which you are contractually entitled to receive.

 - Where we are required by law to process your information, for example to:

• make a Gift Aid claim.

 - Where we have your consent to process your information, for example when:

• you have agreed to receive email updates (including offers, newsletters or fundraising appeals in accordance with your preferences);
• you have asked to receive information about our education events for teachers, our research events, or our national programme events; or
• you have agreed to participate in a Gallery-based research project to improve the information we provide on our paintings.

Where you have given consent to the processing of your data you may withdraw it at any time. See below ‘What rights do you have in relation to your personal information?’.

 - Where processing your information is necessary for our legitimate interests, for example:

• for certain types of marketing, such as postal marketing (see What this means for our email and postal subscribers);
• to process donations;
• where we combine information we hold about you to better understand your interests and preferences so that we can target communications we send to you in line with this privacy notice;
• where we conduct analysis and research in relation to our visitors and supporters;
• where we collect MAC addresses;
• where we collect and view images recorded on our CCTV cameras; or
• where we (or a third party) carry out any filming, including interviews, or filming/photography of talks, or events in the Gallery. Where our areas are going to be used for filming or photography, we will flag this in advance with clear signage or otherwise make you aware so that you can avoid being filmed or photographed. We take great care to protect the rights of children and do not use the personal information of anyone under 13 years old in such materials without the explicit consent of their parent or legal guardian. We may, however, use images where children are incidentally pictured (for example, as part of a crowd).

Where we are relying on this basis of processing you have the right to object to this. See below ‘What rights do you have in relation to your personal information?'

• As a public authority we may also process your personal data where it is necessary for performing our Public Task.
• We may process special category data (for example, health data) on the basis of additional grounds, including where it is necessary to protect an individual's vital interests (for example where you have a life-threatening accident or illness while visiting us and we have to process your personal data in order to make sure you receive appropriate medical attention).

Our basis for processing your data in relation to your visit is set out in the What this means for our visitors section of this notice.

We will not sell your personal information to any third parties or external organisations.

Sharing your information with our service providers/external data processors

As well as sharing within the Gallery companies (i.e., Board of Trustees of the National Gallery and National Gallery Global Limited), we may share some of your personal information with our service providers/external data processors, to carry work out on our behalf. Examples of such service providers/data processors include:

• Securitas, which provides security and visitor services within the Gallery. We share CCTV footage and other information about security incidents in the Gallery with Securitas; they process information enquiries (including requests to use our disabled parking space) on our behalf; provide trained first-aiders in the Gallery, who record details of any accidents if they are called to assist; sell Memberships and exhibition tickets on desks in the Gallery, record, on our behalf, personal data of those making these purchases; and process comments and complaints submitted to the Gallery, and respond to these on our behalf and in liaison with us;
• our email distribution service provider, who sends out our marketing and service communications;
• our mailing house, who sends out our Membership welcome and renewal packs, and postal marketing communications;
• our ticketing service provider;
• our service provider, who enables us to evaluate our education programmes;
• our warehouse, who sends online shop orders;
• our third party suppliers, who send online shop orders directly to customers;
• our analytics partner, who collates our statistical data and performs analysis of this data on our behalf;
• our third-party Wi-Fi infrastructure provider, who collects and processes MAC addresses and information regarding usage of our Wi-Fi service on our behalf; and
• our third-party advertisers such as Facebook who help us target our advertising communications. For example, if we are running a social media advertising campaign, we may provide some pseudonymised data to the third-party site which leverages information such as demographics, interests, and behaviours for matching purposes. This enables us to profile and identify new users likely to be interested in our content.

Any such companies are acting as our data processors under UK GDPR, and the contracts we enter into with them require them to comply with UK data protection laws. This means they can only process your personal information for the purposes we specify, and we ensure they have the appropriate controls in place to protect the security of your information.

Sharing information of patrons and donors
If you are a patron or donor, we may share information with the National Gallery Trust or the American Friends of the National Gallery, London Inc. if you make your donations through one or other of those supporting charities. See What this means for our donors, patrons, and potential supporters for more information.

Sharing CCTV footage and Wi-Fi usage data
CCTV footage and Wi-Fi usage data (including MAC addresses) may, in the event of a security incident, be shared with the police and/or local authorities where it is lawful and appropriate to do so, in accordance with our legitimate interests outlined above.

Sharing with YouTube
Although we do not share your personal data with Google or YouTube, we are contractually obliged to include information about how we use YouTube API.

The Gallery website uses YouTube API services to show YouTube videos and playlist information in its pages. We do not access, collect, store or otherwise use any user personal information from YouTube. We also do not share any website user personal information with YouTube.

By accessing the YouTube videos through the YouTube API on our website, your personal information may be collected by YouTube. For further information on how Google and YouTube handle your personal information, please refer to the Google Privacy Policy.

Our Cookies Policy explains what cookies or other similar technology may be placed on a user’s device when accessing video content through the YouTube Player.

We will only retain your personal information for as long as necessary to fulfil our contractual obligations to you, comply with legal requirements, tax, and accounting rules, or for other reasonable legal purposes set out in this notice.

The retention period will vary according to the nature of the purpose under which the information is held. For example:

• we retain Gift Aid declarations in accordance with HMRC guidance, which in the case of a one-off donation is generally ten years from the end of the accounting period in which the donation is received; the period is longer in the case of a declaration which applies to a series of donations or if an HMRC query is received during the normal retention period;
• we retain active Member account information subject to requests for erasure and/or transfers of Membership (for example to next of kin); and
• we retain CCTV footage for 31 days, although in the event of an accident or incident, which may give rise to an insurance claim, footage may be retained longer.

We follow strict security procedures in the storage and disclosure of personal information to prevent:

• unauthorised access;
• improper use or disclosure;
• unauthorised modification; and
• accidental loss, damage, and destruction.

We are required to make sure any transfers of information will be done securely, in accordance with best practice, and in compliance with applicable laws and regulations.

All our staff and data processors who have access to, and are associated with the processing of personal information, are legally obliged to respect the confidentiality of your personal information.

Transfers of data outside the United Kingdom (‘UK’)
In some cases, some of the services we provide or some of the processes we use may involve personal information being transferred outside the UK, for example where any data processors' servers are located outside the UK.

If you access our website or use any of the services we provide while you are outside the UK, your information may be transferred outside the UK in order to provide you with those services.

If we do transfer personal data outside the UK, it will only be done so on a permitted basis under UK law, including:

• the transfer is to a recipient in a country or territory approved by the European Commission as providing an adequate level of protection for personal data;
• (for transfer arrangements concluded before 21 September 2022) the transfer is to a recipient that has entered into European Commission (‘EU’) standard contractual clauses with us. This will continue to be valid until 21 March 2024;
• (for transfer arrangements after 21 September 2022) the transfer is to a recipient that has entered into either the UK’s new International Data Transfer Agreement or the UK’s new International Data Transfer Addendum to the EU’s new standard contractual clauses; or
• you have explicitly consented to the transfer.

If you wish to find out more about the transfer by us of your data outside the UK, then please contact the Data Protection Officer. See below ‘How to contact us’.

Links to other websites
This notice does not apply to third-party websites you are directed to from our website. When you leave our website, we encourage you to read the privacy statements on the other websites.

You have certain rights in relation to your personal information. You have the right to:

1. obtain confirmation that we are processing your personal information;
2. access your information (see below our Subject Access Request process);
3. rectification of your personal information if incomplete or inaccurate;
4. erasure in certain circumstances, for example when you have withdrawn consent to it being processed and we have no other basis for processing it;
5. restrict the processing of your personal information in certain circumstances;
6. object to certain processing including the right to not be subject to automated decision-making and the right to object where we are processing your information on the basis of our legitimate interest; and
7. withdraw consent to the processing of your data (without affecting the lawfulness of processing based on consent before its withdrawal).; and
8. opt out of marketing communications.

Please note that the above rights may not apply in all circumstances, and requests may be refused where legal exceptions apply.

For a more detailed explanation of these rights, please see the Information Commissioner’s guidance.

Subject Access Request
You can request to receive a copy of personal information we hold about you, this is called a Subject Access Request (‘SAR’).

You will need to provide adequate proof of identity, such as a copy of your passport, birth certificate, or driving license, before your request can be processed. We will respond within one month of receipt of your request; please try to be as clear as possible about the information you are seeking, as this will help us respond to your request more efficiently.

If you would like to submit a SAR or exercise any of the other rights referred to above, please print out and complete a Subject Access Request Form . Alternatively, you can email or write to the Data Protection Officer, The National Gallery, Trafalgar Square, London, WC2N 5DN.

If you have any queries about our privacy notice, or want to raise a concern about how we process the information we hold about you, please email dataprotection@nationalgallery.org.uk or write to the Data Protection Officer at The National Gallery, Trafalgar Square, London, WC2N 5DN.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), which oversees the protection of personal information in the UK (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

We only collect information that is necessary to keep you informed about the Gallery and its activities. Please see our General Privacy Notice for details of the personal information we may collect from you as an email subscriber.

In addition to the personal information listed in our General Privacy Notice , we will only process the following additional personal information if we have a legal basis for doing so under current UK data protection law:

Where we have your consent to process your information
We will communicate with you by email in accordance with your preferences. Email updates may include:

• information about our collection, merchandise, events, courses, talks, Membership, changes to our services, offers and products available in our shops, café and restaurant, and ways to support the Gallery. We may occasionally include selected information about events at other organisations. We will endeavour to ensure that these products are of interest to you and within your reasonable expectations to receive as part of a Gallery mailing communication;
• email reminders – for example, if you started to book a ticket for an exhibition but did not complete the purchase;
• events and news for people working in UK museums and galleries (if you’re part of our Subject Specialist Network);
• events and news about our research activities, including research seminars and conferences (if you have signed up to our Research updates); or
• if you’re interested in our British Sign Language talks, and Family events, or hiring the Gallery as a venue, you can also let us know via our email preference centre and we’ll send you emails about these topics too.

Where processing your information is necessary for our legitimate interests, for example to:

• invite you to take part in surveys, to improve the Gallery’s experience and product offering; or
• send marketing materials to you by post (subject to any objection from you to marketing by post and the Mail Preference Service (‘MPS’).

Our communications with you as an email subscriber

We are committed to communicating with you using an approach that is right for you. This means we carefully manage the communications we send you to make sure that we are contacting you in the most relevant way.

We analyse what we know about your previous orders, interests, preferences, and interactions with our website(s) and marketing emails, so we can target communications we send and contact you in the most appropriate way, and with the most relevant information.

Examples of communications that use profiling in this manner include some email updates, pre- and post-visit emails, abandon browse, abandon basket, and postal communications.

You do have the right to object to us combining and analysing information in this way. If you do not want to receive personalised communications, please contact dataprotection@nationalgallery.org.uk and we will stop dealing with your data in this way and sending you personalised communications.

Changing your email preferences

You can change your email preferences or unsubscribe at any time by:

·       logging into our email preference centre and indicating which type of emails you want to receive from us (e.g., if you wish to opt out of fundraising appeals);

·       indicating that you do not wish to receive our emails by clicking the ‘unsubscribe’ link at the end of our emails and/or via our email preference centre; or

·       contacting us at dataprotection@nationalgallery.org.uk.

If you are a Member or have an account with the Gallery you will continue to receive service communications that you cannot opt out of.

How long do we keep your information?

Where you ask us to stop contacting you for marketing purposes, we are required to keep a minimal amount of your personal information (your name and email address) to help us make sure that we do not continue to contact you. These details are kept securely.

What this means for our Members

This section contains additional information specific to our Members and must be read in conjunction with our General Privacy Notice.

When you purchase a Membership in your own name, or for yourself and a Joint named Member, we will process your personal information (including your name and address) to fulfil our Membership services to you while you remain a Member of the Gallery, and for our own market research and analysis, in accordance with this notice.

We only collect information that is necessary to run our Membership programme, fulfil our obligations to you, and keep you informed about the Gallery and its activities. You will find information about the personal information we may collect about you in our General Privacy Notice.

Special categories of personal data
We only collect special categories of personal information in limited cases and where there is a clear reason for doing so, such as in relation to accessibility to Members' events, recording accidents, or dietary requirements for events.

In addition to the personal information listed in our General Privacy Notice, we will only process the following additional personal information about our Members if we have a legal basis for doing so under current UK data protection law:

 - Where we need to process your information to perform our Membership contract with you or in order to take steps at your request prior to the entering into of the contract, for example:

• to process payments;
• to fulfil orders for exhibition tickets or other events or services;
• to provide you with Membership benefits, which you are contractually entitled to receive;
• to send you your Membership card and pack;
• to use your email address to enable you to book exhibition tickets and tickets for Members' events online;
• to send you service communications by email; and
• to send you limited information by post, including your Membership card and pack, and renewal reminders.
   

 - Where we have your consent to process your information, for example:

• where you have agreed to receive Members' email updates in relation to the Gallery

Where you have given consent to the processing of your data you may withdraw it at any time. See General Privacy Notice for further details.

 - Where processing your information is necessary for our legitimate interests, for example:

• to process donations;
• where we combine information we hold about you to better understand your interests and preferences so that we can target communications we send to you (see below 'Membership communications');
• where we conduct general quantitative research on Gallery Membership;
• to invite you to take part in surveys, to improve the Gallery’s experience and product offering; and
• to send marketing materials to you by post (subject to any objection from you to marketing by post and the Mail Preference Service (‘MPS’).

Where we are relying on this basis of processing you have the right to object to this. See our General Privacy Notice for further details.

Communicating with Members

Members will be among the first to hear about Members' events, offers, news, and ways to support the Gallery.

Gallery Membership is administered almost exclusively through online channels. When you join as a Member, you will be asked for your email address, which may be used to send you confirmation of payment, a welcome email, and direct debit notifications. You can also opt in to receive email updates, which may include information about our collection, merchandise, Members’ events exhibitions, news, appeals, and offers and products available in our shops and restaurants.

You can unsubscribe from marketing or fundraising emails or change your email preferences at any time. Please see below ‘changing your email preferences’.

If you chose not to provide an email address, the only communications you will receive from us will be those very limited communications which we send by post, including the Membership card and pack (which form part of your Membership benefits) and a postal reminder about renewal.

We will only telephone you directly at the contact number you’ve provided when it is deemed the most appropriate channel to effectively resolve any issues or queries you may have with your Membership, or a Gift Membership you may have purchased.

Tailoring our emails and services
We are committed to communicating with you using an approach that is right for you. This means we carefully manage the communications we send you to make sure we are contacting you in the most relevant way.

In order to do this, we may combine the information we collect about you from different sources (including via the Board of Trustees of the National Gallery or National Gallery Global Limited) and analyse what we know about your interests, preferences, and interactions with our website(s) and marketing emails to target communications we send to you so that we can contact you in the most appropriate way, and with the most relevant information. Example communications that use profiling in this manner include our Members' email updates, some newsletters, exhibition pre- and post-visit emails, abandon browse, abandon basket, recommendations, favourites, associated updates, and email reminders about renewing your Membership.

You do have the right to object to us combining and analysing information in this way. If you do not want to receive personalised communications, please contact dataprotection@nationalgallery.org.uk,  and we will stop dealing with your data in this way and sending you personalised communications.

Changing your email preferences
You can change your email preferences at any time by:

• logging into our email preference centre using the email address to which our emails are sent, and indicating which type of emails you want to receive from us;
• indicating that you do not wish to receive any email updates by clicking the ‘unsubscribe’ link at the end of our emails or via the email preference centre; or
• contacting us at Membership@nationalgallery.org.uk.

If you have indicated that you do not wish to be contacted by email, we will maintain a minimal amount of your personal information (for example, your name, email address, or postal address) to make sure that we do not send unwanted correspondence to that email address in the future.

You will continue to receive service communications that you cannot opt out of.

When your Membership ends

When your Membership ends, you will be automatically opted out of Membership emails, including Members’ newsletters and updates about Member events.

However, you will continue to receive general Gallery email updates and postal communications if you are an email subscriber (see What this means for our email and postal subscribers) to let you know what is happening at the Gallery, and give you an opportunity to renew your Membership. If you do not wish to hear from us after your Membership expires, you can unsubscribe using the 'unsubscribe' link at the end of our emails, or via the email preference centre.

What this means for our donors, patrons, and potential supporters

This section contains information which is specific to our donors, patrons, and potential supporters, and must be read in conjunction with our General Privacy Notice.

The Gallery raises crucial income from its fundraising activities from patrons (who may join the George Beaumont Group or George Beaumont Circle) and other donors.

What personal information do we collect about our donors, patrons and potential supporters?

We collect personal information that is necessary to carry out our fundraising activities, process donations, and keep you informed about the Gallery and its projects. You will find information about the personal information we may collect about you in our General Privacy Notice.

We also, on occasion, collect additional information from public sources. (See below ‘Analysis and research of our supporters and potential supporters’.)

Special categories of personal data
We only collect special categories of information about patrons, donors, and potential supporters in limited cases and where there is a clear reason for doing so, such as accessibility or dietary requirements for events, or due diligence in respect of major donations.
 

We may also collect information that is manifestly made public by you (for example, where you have published your political opinions/affiliations).

Direct Information

We collect personal information that you may provide to us; the National Gallery Trust (NGT), a registered UK charity which exists to support the National Gallery; or the American Friends of the National Gallery, London Inc. (AFNGL), a US not-for-profit organisation which exists to support and assist the National Gallery, including when you:

• make a donation to any of us or complete a Gift Aid declaration; complete a patron joining or renewal form;
• respond to an invitation or attend an event at the Gallery; or
• are in correspondence or verbal conversation about a donation or Gallery-related project with a member of the Development department.

In relation to some patrons, other donors, and potential supporters we may collect publicly available information about you to assist us with our activities (See below ‘Analysis and research of our supporters and potential supporters’).

In addition to the personal information listed in our General Privacy Notice, we will only process the following additional personal information about our donors, patrons or potential supporters if we have a legal basis for doing so under current UK data protection law:

 - Processing your information because it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract, for example:

• to process payments;
• to provide you with patrons' benefits, which patrons are contractually entitled to receive; or
• in relation to donations, to credit you in whatever way we have agreed to do. 

 - Where processing your information is necessary for our legitimate interests, for example:

• to process donations;
• when we carry out analysis and research of patrons, donors, or potential supporters to gain a better understanding of our existing and potential supporters. This enables us to raise funds for our charitable purposes more effectively and efficiently, and allows us to approach supporters in a targeted and informed way about projects or activities they may be interested in supporting. See below ‘Analysis and research of our supporters and potential supporters’; and
• when we carry out due diligence in advance of soliciting or accepting major donations in order to make sure we do not accept gifts from sources which could harm the reputation of the Gallery, see our Ethical Sponsorship and Donations Acceptance Policy;

Where we are relying on this basis of processing you have the right to object to this. See our General Privacy Notice for further details.

Analysis and research of our supporters and potential supporters

We use tools, including information segmentation and profiling, to help us build a picture of our supporters and potential supporters to target our resources more effectively, as well as to improve the level of service we provide (for example, by briefing staff about guests in advance of meetings, dinners, and other events at which supporters and potential supporters may be present).

When building a profile we may use gift history, geographic, demographic, and other information you have provided, in order to better understand your interests and preferences.

On occasion, we may collect publicly available information to create a profile of your interests, preferences, and level of potential donations, so we can contact you in the most appropriate way and with the most relevant information.

Sources of publicly available information include Companies House, The Charity Commission, 192.com (UK Electoral Roll and Directory Enquiries), and information that has been published in articles/newspapers (we use Factiva, a Global news database).

We also carry out due diligence in respect of major donations. See our Ethical Sponsorship and Donations Acceptance Policy.

Our communications with you as a donor, patron or potential supporter

We are committed to communicating with donors, patrons, and potential supporters using an approach that is right for you. This means we carefully manage the communications we send you to ensure that we are contacting you in the most relevant way.

If you are an email subscriber see What this means for our email and postal subscribers.

If you have agreed to receive email invitations to events from the Development team, you can change your email preferences at any time by:

• logging into our email preference centre using the email address to which our emails are sent and indicating which type of emails you want to receive from us;
• indicating that you do not wish to receive our emails by clicking the ‘unsubscribe’ link at the end of our marketing emails or via the email preference centre; or
• contacting us at dataprotection@nationalgallery.org.uk.

If you have provided us with your postal address, we may send you direct mail about our work or invitations to our events, unless you have told us that you do not want to receive such information via this channel. You may change your direct mail preferences by contacting us at dataprotection@nationalgallery.org.uk

We will not sell your personal information to any third parties or external organisations.

Sharing your information with our supporting charities
Donations from our patrons are paid, at the option of the donor, to either the NGT or AFNGL. Other donations for the support of the Gallery may also be paid, if the donor wishes, to either the NGT or AFNGL. Where necessary, we may share data of patrons (and other donors) with the NGT or AFNGL, to enable those organisations to collect and process donations and deal with any associated tax issues in relation to those donations.

Sharing information with our travel agency
If you book onto a patrons' trip we may share information, which you provide to us (to enable us to facilitate the booking) with Heritage Travel or another agency, through whom your booking will be made.

What this means for your visit

This section contains information which relates specifically to your visit to the National Gallery (whether collected via the Board of Trustees of the National Gallery or National Gallery Global Limited) and should be read in conjunction with our General Privacy Notice.

When you book a ticket to visit the Gallery (subject to our Ticketing Terms), you will set up an account with us in order to facilitate your booking. We may also collect information in relation to your visit when you make a purchase on site, use the Wi-Fi facilities or as part of our CCTV surveillance. Please see our General Privacy Notice for details of the personal information we may collect from you as a visitor.

In addition to the personal information listed in our General Privacy Notice , we will only process the following additional information about our visitors if we have a legal basis for doing so under current UK data protection law:

 - Where processing your information is necessary for our legitimate interests, for example:

• to conduct analysis and research in relation to our visitors, classify our visitors and audience into groups or segments by attitudes and behaviours, using the information you provide us with (through your interactions with us). These segments help us to understand our audience better, ensure we are sending relevant information to each group, and enable us to tailor and target our programme and services to help us manage and improve them;
• to send marketing materials to you by post (subject to any objection from you to marketing by post and the Mail Preference Service (‘MPS’);
• to invite visitors to take part in surveys, to improve the Gallery’s visitor experience and product offering; and
• to retain your personal information on our secure customer relationship management system for the above purposes.

Where we are relying on the legitimate interest basis for processing data, you have the right to object to this. See our General Privacy Notice for further details.

 - Processing your information because it is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract, including:

• to process your booking, including any payment, of tickets;
• to confirm the completion of ticket bookings and to provide you with your ticket;
• to process your payment for the purchase of goods;
• to confirm your identity for entry to the Gallery (and/or any Exhibition or Event) at the time allotted by your ticket;
• to arrange collection of pre-ordered merchandise when you visit, if you purchased any when booking your ticket;
• to provide you with information which is relevant to your visit and your ticket, including information about the Gallery and our collection applicable to your visit, which services will be available on the day of your visit, what health and safety restrictions may be in place in relation to your visit, expectations in relation to your conduct during your visit (in particular in relation to the Coronavirus Pandemic), and to bring your attention to any cancellation or closure of all or part of the Gallery whether planned or in an emergency; and
• retain your personal information on our secure customer relationship management system for the above purposes.

 - Where we have your consent to process your information, for example:

• if you choose to leave a comment or query on one of our feedback forms, you may include your contact details if you wish to receive a reply from the Gallery (we aim to respond within 10 working days, after which we will delete your personal data);
• following our courses and events we ask for feedback in order to assess and improve our services; and
• from time to time we may undertake surveys of our visitors or invite visitors to participate in research projects in order to improve our services.

Where you have given consent to the processing of your data you may withdraw it at any time. See our General Privacy Notice for further details.

 - When we have a legal obligation to do so. In appropriate circumstances we shall use your information to fulfil our legal obligations which may include:

• complying with Health and Safety legislation in relation to the Coronavirus Pandemic (COVID-19), as required to from time to time (and we will keep this under regular review). This shall include managing capacity of the Gallery and to analyse attendance and no-show rates and to inform capacity management;
• complying with the Health and Safety implications if appropriate, for example reporting first aid incidents;
• the use of CCTV recording equipment on our premises for monitoring and security purposes;
• detecting and reducing the risk of fraudulent transactions in person or online, including the use of robots or bots in contravention of our Ticketing Terms
• undertaking due diligence to detect fraud, money laundering and credit risk and protecting the reputation of the Gallery;
• to keep our databases up to date;
• for our financial records, including for Gift Aid purposes;
• such other obligations as are imposed on us from time to time;
• deleting or updating the information we hold about you if we learn such information is inaccurate; and
• complying with your data rights (as further described in our General Privacy Notice)