We are committed to protecting your personal information and will only use it legally and responsibly
General privacy information
The National Gallery houses the national collection of paintings in the Western European tradition from the 13th to the early 20th centuries. We are the controller of your data and registered with the ICO under Data Protection Registration Number: Z5597415.
The National Gallery,
Trafalgar Square,
London, WC2N 5DN
We currently operate the following website: https://www.nationalgallery.org.uk
The National Gallery Company Ltd is a separate legal entity which runs shops in the Gallery, enters into contracts for venue hire at the Gallery and oversees the running of the restaurants and cafes. It has its own privacy policy which can be found here.
We follow strict security procedures in the storage and disclosure of information which you have given us to try to prevent:
- Unauthorised access;
- Improper use or disclosure;
- Unauthorised modification and
- Accidental loss, damage, and destruction.
We are required to ensure any transfers of information will be done securely, in accordance with best practice, and in compliance with Data Protection regulations.
All our staff and data processors, who have access to, and are associated with the processing of personal information, are legally obliged to respect the confidentiality of the personal information of our visitors, email subscribers, Members, shoppers, supporters, and all those who engage with us.
Transfers of data outside the EEA
In some cases, some of the services we provide or some of the processes we use may involve personal information being transferred outside the European Economic Area, for example where any data processor’s servers are located outside the EEA.
If you access our website or use any of the services we provide while you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.
If we do transfer personal data outside the EEA, it will only be done on one of the lawful bases including;
- The transfer is to a recipient in a country or territory approved by the European Commission as providing an adequate level of protection for personal data;
- The transfer is to a recipient that has entered into European Commission standard contractual clauses with us;
- The transfer is to a recipient in the United States of America who has registered under the EU/US Privacy Shield; or
- You have explicitly consented to the transfer.
If you wish to find out more about the transfer by us of your data outside the EEA, then please contact the Data Protection officer. See below ‘How to contact us’.
Links to other websites
This privacy notice does not apply to third-party websites you are directed to from our website. We encourage you to read the privacy statements on the other websites you visit.
You have certain rights in relation to your personal information. They are:
- The right to obtain confirmation that we are processing your personal information (see below our Subject Access Request process);
- The right to access your information (see below our Subject Access Request process);
- The right to have your personal information rectified if it is incomplete or inaccurate;
- The right to have your personal information removed or deleted in certain circumstances, for example when you have withdrawn consent to its being processed and we have no other basis for processing it;
- The right to restrict the processing of your personal information in certain circumstances;
- The right to object to certain processing including the right to not be subject to automated decision making and the right to object where we are processing your information on the basis of our legitimate interest;
- Where you have provided your consent to the processing, the right to withdraw consent to the processing of your data (without affecting the lawfulness of processing based on consent before its withdrawal); and
- The right to require us not to send you marketing communications.
Please note that the above rights are not absolute, and requests may be refused where exceptions apply.
For a more detailed explanation of these rights, please see the Information Commissioner’s guidance.
Subject Access Request
You can ask us to confirm if we are keeping any personal information about you and you can also request to receive a copy of that personal information – this is called a Subject Access Request.
To make a Subject Access Request you will need to provide adequate proof of identity such as a copy of your passport, birth certificate, or driving license before your request can be processed. Please try to be as clear as possible about the information you are seeking, as this will help us respond to your request more efficiently. Once we have received your Subject Access Request and proof of identity, you will receive a response from us within a month.
If you would like to submit a Subject Access Request or exercise any of the other rights referred to above, please print out and complete a Subject Access Request form. Or email dataprotection@ng-london.org.uk or write to The Data Protection Officer, The National Gallery, Trafalgar Square, London, WC2N 5DN.
If you are not happy with how we handle any of your requests, queries, or concerns, you can contact the Information Commissioner’s Office (www.ico.org.uk), which oversees the protection of personal information in the UK.
We may be required to update the terms of this policy from time to time. We will notify you about any significant changes in the way we treat personal information usually by sending a notice to the primary email address you have provided or by placing a prominent notice on our website(s).
This privacy policy was last updated on 16 May 2018.