Art UK is the operating name of the Public Catalogue Foundation, a charity registered in England and Wales (charity number: 1096185) and in Scotland (charity number: SC048601), with its registered office at The Courtyard, Shoreham Road, Upper Beeding, Steyning, West Sussex, BN44 3TN. Art UK’s main trading address is Third Floor, Peek House, 20 Eastcheap, London EC3M 1EB.
The Art UK websites at www.artuk.org and www.artuk.org/artdetective (the Websites and each a Website) are operated by the Public Catalogue Foundation. The Public Catalogue Foundation is the data controller of personal data collected from you by the Websites and related means, or otherwise provided by you to us.
Where we require your consent to process your personal data in accordance with these practices, we will seek this consent at the point at which you provide us with this data. Where we wish to process your personal data for a purpose other than that for which the personal data were collected, we will notify you of that intention and obtain any further necessary consents.
1. Information we may collect from you
1.1 We may collect and process the following data about you:
(a) Information you give us. You may give us personal data about you when you use our Website, or in correspondence with us, by phone, email or otherwise. This data may include information you provide when you register to use the Website; subscribe to any of our services; place an order on the Website; post material to our Website; enter a competition, promotion or survey; report a problem with the Website; or otherwise in connection with your communications with us. The information you give us may include your name, address, email address, phone number, employer, job details, financial and credit card information, personal description and information relating to your participation in and feedback on any of our products or services.
(b) Information we collect about you. We may collect and process technical information about your computer, including (where available) your Internet Protocol address; login information; browser type and version; time zone setting; browser plug-in types and versions; operating system and platform. We may also collect and process information about your visit to our Website, including the full Uniform Resource Locators (URL) clickstream to, through and from the Website (including date and time); products you viewed or searched for; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); methods used to browse away from the page; and any phone number used to contact us. We collect this information for system administration purposes and to report aggregate information on usage.
3. Uses made of the information
3.1 We use information held about you in the following ways:
(a) to carry out our obligations arising from any contracts entered into between you and us and to provide you with any information, products and services that you request from us;
(b) to contact you (including by email, post or telephone) in relation to the products and services that you have signed up for;
(c) to contact you (including by email, post or telephone), about other products and services that we offer that are similar to those that you have already purchased, signed up for or enquired about, provided that you have opted in to receive these communications;
(d) to send you newsletters and other updates on our organisation and our products and services by email, where you have opted in to receive these;
(e) to administer and facilitate our programmes and services;
(f) to notify you about changes to our organisation or services;
(g) if you provide feedback about our Website, services or projects through a contact form or email address, to develop and improve the relevant area;
(h) to monitor the way in which our sites are used, and to ensure that content from the Website is presented in the most effective manner for you and for your computer;
(i) to administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
(j) to allow you to participate in interactive features of our service, when you choose to do so;
(k) as part of our efforts to keep the Website safe and secure; and
(l) to make suggestions and recommendations to you and other users of the Website about products or services that may interest you or them. We will only contact you about these products or services where you have opted in to receive these communications.
3.2 We will process your personal data on the basis of your consent, if requested, and/or our legitimate interests (which include (i) the performance of our obligations under any contracts entered into between you and us; (ii) the administration, improvement and promotion of our projects and our Website; (iii) management of relationships with our supporters; and (iv) for compliance with applicable laws, rules and regulations). Where possible we will seek to use aggregate data in order to achieve these aims.
3.3 Where our processing is based on your consent, and not any other legal basis, you have the right to withdraw your consent at any time. This withdrawal will not affect the lawfulness of processing prior to the withdrawal. If you inform us that you no longer wish to receive email or other communications from us, we will stop sending you these communications.
4. Disclosure of your information
4.1 In order to provide our products and services, we may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
4.2 Where we have your opt-in consent to do so, we may share your information with selected third parties who we work with in order to run and promote our projects, including but not limited to, the BBC, and participating collection administrations.
4.3 We may also disclose your personal information to third parties:
(a) if the Public Catalogue Foundation or substantially all of its assets are acquired by a third party (who will be a UK charity and a not-for-profit organisation), in which case personal data will be one of the transferred assets and the new owner may use your personal data in the same way as set out in this privacy notice;
(b) if required to do so by Law or if we believe in good faith that we are required to do so by any order of the Courts or other competent body or agency;
(d) in order to protect or defend our rights or property or to protect the personal safety of our employees or the public at large.
4.3 We may from time to time engage third parties to perform services (including the processing of personal data) on our behalf, such as hosting our data (including your personal data) and Website; sending emails and other communications relating to our products and/or services; providing analytic services, such as tracking usage of our operational sites or websites; or performing other administrative services for us. We shall only use processors that will commit to implement appropriate technical and organisational measures in order to ensure that their processing activities meet the requirements of Data Privacy Laws and ensure the protection of your data protection rights. Prior to allowing these service providers to access your personal data, we will enter into a formal agreement with them to ensure that they handle and process the information in accordance with applicable law.
4.4 We will not share your information with parties outside of the European Economic Area (the EEA) unless we are legally permitted or required to do so. You should be aware that certain non-EEA countries do not require the same standards of protection of personal data as are legally required in the EEA. If we send your data to these countries, we will ensure that there are appropriate and suitable safeguards to protect your personal data. This will involve at least one of the following:
(a) we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
(b) where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe; and
(c) where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
If you require further information on these mechanisms, please contact us at firstname.lastname@example.org.
5. Data security
5.1 All information you provide to us is stored within the EEA on secure servers provided by a third party vendor. Although we will do our best to protect your personal data, we cannot guarantee the security of the information transmitted to our Website and any transmission is at your own risk. Once we have received your information, we will put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we will limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to access your data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
5.2 Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
5.3 The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. It is your responsibility to check those policies before you submit any personal data to these websites.
6. Your rights
6.1 You have the right to:
(a) request access to personal data held about you by us and be provided with information in relation to that data (including the purposes for which the data are processed, the recipients to whom that personal data have been or will be disclosed, how long it will be stored for, details of any automated decision-making and your right to lodge a complaint with the Information Commissioner’s Office);
(b) have inaccurate personal data amended or erased, and to have incomplete personal data completed;
(c) request the erasure of your personal data (the so-called ‘right to be forgotten’);
(d) object to or restrict the processing of your personal data (including where your personal data is processed for direct marketing purposes or on the basis of legitimate interests);
(e) request that your personal data be transferred to another data controller or provided in a format that will permit this transfer (the so-called ‘right to portability’);
(f) object to any decision that affects you being taken solely by a computer or other automated process (including profiling);
(g) withdraw any consent you have granted to us in connection with the use of your personal data at any time by updating your preferences in your online account via the Website or by emailing email@example.com; and
(h) lodge a complaint with the UK Information Commissioner’s Office (ICO) (see https://ico.org.uk/concerns/ for further details on how to lodge a complaint). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
7. Retention of personal data
Your personal data will be destroyed or erased from our systems when it is no longer required for the relevant specified purpose that it was collected for, provided that we may retain personal data in order to comply with applicable laws, regulations and rules. As a general rule, this means we will retain your personal data for the duration of your involvement with us and for up to six years afterwards. However, retention and destruction of personal data will be considered on a case-by-case basis.
This version was last updated on 18 March 2019 and historic versions can be obtained by contacting us at firstname.lastname@example.org.