Privacy policy

Art UK Website

Art UK is the operating name of the Public Catalogue Foundation, a charity registered in England and Wales (charity number: 1096185) and in Scotland (charity number: SC048601) with its registered office at Salisbury House, Station Road, Cambridge, England, CB1 2LA. Art UK's main trading address is Staffordshire University Incubator Unit, 2nd Floor, Mellor Building, College Road, Stoke-on-Trent ST4 2DE.

The Art UK website at www.artuk.org (the Website) is operated by the Public Catalogue Foundation. The Public Catalogue Foundation is the data controller of personal data collected from you by this Website and related means, or otherwise provided by you to us.

The Public Catalogue Foundation (We, us, our) are committed to protecting and respecting your privacy. The Data Protection Act 1998, the General Data Protection Regulation, and other applicable national data privacy laws (together, Data Privacy Laws) place obligations on us in relation to the personal data that we collect and hold. This Privacy Policy (together with our Website Terms of Use) sets out how we comply with Data Privacy Laws, including detailing the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting www.artuk.org (the Website) or otherwise providing us with your personal data you are doing so on the basis of the general practices described in this Privacy Policy.

Where we require your consent to process your personal data in accordance with these practices, we will seek this consent at the point at which you provide us with this data. Where we wish to process your personal data for a purpose other than that for which the personal data were collected, we will notify you of that intention and obtain any further necessary consents.

1. Information we may collect from you

1.1 We may collect and process the following data about you:

(a) Information you give us. You may give us personal data about you when you use our Website, or in correspondence with us, by phone, email or otherwise. This data may include information you provide when you register to use the Website; subscribe to any of our services; place an order on the Website; post material to our Website; enter a competition, promotion or survey; report a problem with the Website; or otherwise in connection with your communications with us. The information you give us may include your name, address, email address, phone number, employer, job details, financial and credit card information, personal description and information relating to your participation in and feedback on any of our products or services.

(b) Information we collect about you. We may collect and process technical information about your computer, including (where available) your Internet Protocol address; login information; browser type and version; time zone setting; browser plug-in types and versions; operating system and platform. We may also collect and process information about your visit to our Website, including the full Uniform Resource Locators (URL) clickstream to, through and from the Website (including date and time); products you viewed or searched for; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); methods used to browse away from the page; and any phone number used to contact us. We collect this information for system administration purposes and to report aggregate information on usage.

(c) Information we receive from other sources. We may also receive information about you from third parties, where you have consented to those third parties sharing your personal data with us. Where we receive personal data in this way, we will process it in accordance with the terms of this Privacy Policy and the terms of any consent that you provided.

2. Cookies

The Website uses cookies to distinguish you from other users of the Website. This helps us to provide you with a good experience when you browse the Website and also allows us to improve the Website. For detailed information on the cookies we use and the purposes for which we use them see our Cookies Policy.

3. Uses made of the information

3.1 We use information held about you in the following ways:

(a) to carry out our obligations arising from any contracts entered into between you and us and to provide you with any information, products and services that you request from us;

(b) to contact you (including by email, post or telephone) in relation to the products and services that you have signed up for;

(c) to contact you (including by email, post or telephone), about other products and services that we offer that are similar to those that you have already purchased, signed up for or enquired about, provided that you have opted in to receive these communications;

(d) to send you newsletters and other updates on our organisation and our products and services by email, where you have opted in to receive these;

(e) to administer and facilitate our programmes and services;

(f) to notify you about changes to our organisation or services;

(g) if you provide feedback about our Website, services or projects through a contact form or email address, to develop and improve the relevant area;

(h) to monitor the way in which our sites are used, and to ensure that content from the Website is presented in the most effective manner for you and for your computer;

(i) to administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

(j) to allow you to participate in interactive features of our service, when you choose to do so;

(k) as part of our efforts to keep the Website safe and secure; and

(l) to make suggestions and recommendations to you and other users of the Website about products or services that may interest you or them. We will only contact you about these products or services where you have opted in to receive these communications.

3.2 We will process your personal data on the basis of your consent, if requested, and/or our legitimate interests (which include (i) the performance of our obligations under any contracts entered into between you and us; (ii) the administration, improvement and promotion of our projects and our Website; (iii) management of relationships with our supporters; and (iv) for compliance with applicable laws, rules and regulations). Where possible we will seek to use aggregate data in order to achieve these aims.

3.3 Where our processing is based on your consent, and not any other legal basis, you have the right to withdraw your consent at any time. This withdrawal will not affect the lawfulness of processing prior to the withdrawal. If you inform us that you no longer wish to receive email or other communications from us, we will stop sending you these communications.

4. Disclosure of your information

4.1 In order to provide our products and services, we may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

4.2 Where we have your opt-in consent to do so, we may share your information with selected third parties who we work with in order to run and promote our projects, including but not limited to, the BBC, and participating collection administrations.

4.3 We may also disclose your personal information to third parties:

(a) if the Public Catalogue Foundation or substantially all of its assets are acquired by a third party (who will be a UK charity and a not-for-profit organisation), in which case personal data will be one of the transferred assets and the new owner may use your personal data in the same way as set out in this privacy notice;

(b) if required to do so by Law or in we believe in good faith that we are required to do so by any order of the Courts or other competent body or agency;

(c) in order to enforce or apply our Website Terms of Use and other agreements; or

(d) in order to protect or defend our rights or property or to protect the personal safety of our employees or the public at large.

4.3 We may from time to time engage third parties to perform services (including the processing of personal data) on our behalf, such as hosting our data (including your personal data) and Website; sending emails and other communications relating to our products and/or services; providing analytic services, such as tracking usage of our operational sites or websites; or performing other administrative services for us. We shall only use processors that will commit to implement appropriate technical and organisational measures in order to ensure that their processing activities meet the requirements of Data Privacy Laws and ensure the protection of your data protection rights. Prior to allowing these service providers to access your personal data, we will enter into a formal agreement with them to ensure that they handle and process the information in accordance with applicable law.

4.4 We will not share your information with parties outside of the European Economic Area (the EEA) unless we are legally permitted or required to do so. You should be aware that certain non-EEA countries do not require the same standards of protection of personal data as are legally required in the EEA. If we send your data to these countries, we will ensure that there are appropriate and suitable safeguards to protect your personal data. This will involve at least one of the following:

(a) we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;

(b) where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe; and

(c) where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.

If you require further information on these mechanisms, please contact us at info@artuk.org.

5. Data security

5.1 All information you provide to us is stored within the EEA on secure servers provided by a third party vendor. Although we will do our best to protect your personal data, we cannot guarantee the security of the information transmitted to our Website and any transmission is at your own risk. Once we have received your information, we will put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we will limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to access your data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

5.2 Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

5.3 The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. It is your responsibility to check those policies before you submit any personal data to these websites.

6. Your rights

6.1 You have the right to:

(a) request access to personal data held about you by us and be provided with information in relation to that data (including the purposes for which the data are processed, the recipients to whom that personal data have been or will be disclosed, how long it will be stored for, details of any automated decision-making and your right to lodge a complaint with the Information Commissioner's Office);

(b) have inaccurate personal data amended or erased, and to have incomplete personal data completed;

(c) request the erasure of your personal data (the so-called 'right to be forgotten');

(d) object to or restrict the processing of your personal data (including where your personal data is processed for direct marketing purposes or on the basis of legitimate interests);

(e) request that your personal data be transferred to another data controller or provided in a format that will permit this transfer (the so-called 'right to portability');

(f) object to any decision that affects you being taken solely by a computer or other automated process (including profiling);

(g) withdraw any consent you have granted to us in connection with the use of your personal data at any time by updating your preferences in your online account via the Website or by emailing info@artuk.org; and

(h) lodge a complaint with the UK Information Commissioner's Office (ICO) (see https://ico.org.uk/concerns/ for further details on how to lodge a complaint). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

7. Retention of personal data

Your personal data will be destroyed or erased from our systems when it is no longer required for the relevant specified purpose that it was collected for, provided that we may retain personal data in order to comply with applicable laws, regulations and rules. As a general rule, this means we will retain your personal data for the duration of your involvement with us and for up to six years afterwards. However, retention and destruction of personal data will be considered on a case-by-case basis.

8. Changes to our privacy policy

This version was last updated on 25th May 2018 and historic versions can be obtained by contacting us at info@artuk.org.

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy.

9. Contact

If you have any questions or concerns regarding our use of your personal data or our Privacy Policy, please email us at info@artuk.org or contact Lauren Colley, who is responsible for overseeing questions in relation to this Privacy Policy, at lauren.colley@artuk.org.

Art UK Shop Privacy Policy

The Art UK Shop, www.artuk.org/shop, (Art UK Shop) is independently operated by Heritage Digital Ltd. of Cromford Mills, Mill Lane, Cromford, Derbyshire DE4 3RQ (company number 09940667).

Heritage Digital Ltd is committed to complying with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Heritage Digital Ltd. is committed to maintaining the privacy and security of your personal information. To comply with UK and European Law we are registered with the Information Commissioner's Office (ICO). Our UK registration number is ZA348989.

Looking after the personal information you share with us is very important and we want you to be confident that your personal data is kept safely and securely and to explain how we use it to offer you a better and more personalised shopping experience.

We have published this notice to help you understand:

• how and why Heritage Digital Ltd collects information from you;
• who we share your information with, why and on what basis and
• what your rights are under the new GDPR regulations

If we make changes to this notice we will notify you by updating it on our website.

Heritage Digital Ltd is the 'Data Controller' of the personal data you provide to us, and we will sometimes refer to ourselves in this notice as 'we' or 'us'.

Should you need to contact us, please write to the Data Protection Officer, Heritage Digital Ltd., Cromford Mills, Mill Lane, Cromford, Derbyshire, DE4 3RQ or via email at enquiries@heritage-digital.co.uk quoting the subject as 'Security and Privacy Enquiry'.

This privacy notice was last updated on 9th July 2018.

The information we collect when you register and why we collect it:

When you buy goods from us via our website or by telephone, or make an enquiry through one of our websites you are entering into a contract with us to supply goods or to provide information about the content of our website or the goods that we sell.

When ordering, we will always need to set up an account through our website to process your information, provide the service you require from us and create any value added tax (VAT) invoice as required for legal purposes by UK HMRC tax laws and our financial accounts. To set this up we will ask you to provide some personal information such as:

• full name
• Invoice and delivery addresses
• a username & password
• contact numbers
• email address
• credit or debit card details

We never store credit or debit card payment information within our data. Any credit and debit card information that you provide to us is passed on directly by us to secure third party systems (such as banks, PayPal etc.) where it is stored securely. To provide a personalised website experience, we will also gather information about the devices you use to access our sites (desktop and mobile), and this may include your IP address. Much of the information is gathered through the standard use of automatic analytical software such as Google Analytics. For further information on our use of cookies and tracking please see our Cookie Notice at the end of this document.

How do we use your information?

Under the General Data Protection Regulations, we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:

• Contract – your personal information is processed in order to fulfil a contractual arrangement e.g. to provide the goods you have ordered and paid for.

• Consent – where you agree to us using your information to make contact e.g. contact via email newsletters about offers and events. Where we require your consent to process your personal data, we will seek that consent at the point that we ask you for the data.

• Legitimate Business Interests – this means the interests of Heritage Digital Ltd in managing our business to provide you with the best products, service and customer service in the most secure and appropriate way.

• Legal Obligation – where there is statutory or other legal requirement to share the information e.g. when we have to share your information with government and civil departments for the purposes of law enforcement and the investigation of any fraudulent activities.

Here is a list of the ways that we may use your personal information, and which of the reasons described above we rely on to do so.

Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.

Who we share your information with and why

We work with a number of external organisations to provide you with the high quality goods and services you expect from us. Some examples of the types of third parties with whom we share your data are:

Suppliers

We work with a number of trusted suppliers who supply products and services on our behalf. All suppliers are subject to security checks, and will only hold the minimum amount of personal information needed that they need to fulfil the orders you place or to provide a service on our behalf.

Clients and licensors

Some of our websites are managed by Heritage Digital Ltd. on behalf of Clients who also help us to promote the websites under their own brand. Other websites contain content that is licensed to us from third party organisations. We may share your personal data with those clients and licensors but only if you provide us with your consent to do so.

Delivery companies

We work with a number of delivery companies including Royal Mail and courier companies. We only pass limited information to them in order to ensure delivery of your items.

IT support companies

We work with businesses who maintain aspects of our website hosting and other

business systems.

Marketing Companies

We work with compliant marketing companies who help us manage our electronic communications with you or carry out surveys and product reviews on our behalf.

Payment processors

We work with trusted third party payment processing providers such as banks and PayPal in order to securely take payments either by telephone or through the website.

Keeping in touch with you

We want to keep you up to date with information about new ranges, special offers and improvements to our website and its content. When you set your account up, we will ask you if you want to receive this type of marketing information. We will never share your information with other companies without your consent.

We will not share your information with parties outside the European Economic Area (EEA) unless we are legally permitted or required to do so. If you decide you do not want to receive this marketing information you can request that we stop by any of the following options:

• By emailing our Data Protection Officer at: enquiries@heritage-digital.co.uk;
• By calling 0115 845 0050 and asking to speak to the Data Protection Officer;
• By logging into your website account and amending your contact preferences;
• By clicking on the unsubscribe link within any marketing email you receive from us.

Your preferences are changed as quickly as possible once your request has been received – a reasonable time is 1 to 3 days. It is possible that you may continue to receive mailings for a short period while your request is dealt with.

How long we keep your information

If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our legal obligations.

We may need your personal information to establish, bring or defend legal claims. For this purpose, we will normally retain your personal information for a period of 6 years. After the date it is no longer needed by us for any of the purposes listed under the section 'How we use your information' above and we will delete it.

The only exceptions to this are where:

• the law requires us to hold your personal information for a longer period, or delete it sooner;
• you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law;
• we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible; or
• in limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period.

What are your rights?

Your personal data is protected by legal rights. You are entitled to request the following from Heritage Digital Ltd, these are called your Data Subject Rights and there is more information on these on the Information Commissioners website www.ico.org.uk

• Right of access – to request access to your personal information and information about how we process it
• Right to rectification – to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
• Right to erasure (also known as the Right to be Forgotten) – to have your personal information erased.
• Right to restriction of processing – to restrict processing of your personal information
• Right to data portability - to electronically move, copy or transfer your personal information in a standard form
• Right to object - to object to processing of your personal information
• Rights with regards to automated individual decision making, including profiling–rights relating to automated decision making, including profiling

If you have any general questions about your rights or want to exercise your rights please contact enquiries@heritage-digital.co.uk.

You have the right to lodge a complaint with a data protection regulator in Europe, in particular in a country you work or live or where your legal rights have been infringed.

The contact details for the Information Commissioner's Office (ICO), the data protection regulator in the UK, are available on the ICO website www.ico.org.uk where your personal information has or is being used in a way that you believe does not comply with data, however, we encourage you to contact us before making any complaint and we will seek to resolve any issues or concerns you may have.