Privacy Notice

How we use your information

This privacy notice tells you who we are and what to expect when the National Gallery of Ireland (the Gallery) collects your personal information. When you use our services, you trust us with your information and we want to assure you that we take your rights seriously.

This notice applies to information we collect about:

• Visitors to our digital channels
• Devices detected by our free Wi-Fi service
• Visitors to the Gallery and anyone else who uses and supports our services
• Job and volunteering applicants

It also provides information on:

• How we  use your personal information
• Your rights to access and correct the information we hold about you
• How to contact us for queries or complaints about our use of your personal information, and to unsubscribe from marketing communications.

Who we are

The Gallery’s mission is to care for, interpret, develop and showcase art in a way that makes us an exciting place to visit.  We aim to provide an outstanding experience that inspires an interest in and an appreciation of art for all and are dedicated to bringing people and their art together.  The Gallery’s parent department is the Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media. The Gallery is also a registered charity (CHY No. 2345).

Friends of the National Gallery of Ireland (Friends) is a self-funding cultural organisation with charitable status (Registered Charity Number: 20158958) committed to promoting the Gallery and its collection. Its purpose is to support the work of the Gallery and expand awareness and appreciation of the visual arts. Through a range of educational events, the Friends encourage interest in the Gallery, art and architecture, both in Ireland and abroad.  Friends is also subject to the Gallery’s policies and procedures, including this notice.

The Gallery and/or Friends are the data controller(s) of your personal information.

Throughout this notice:

“the Gallery” and “we” refer to the Gallery and Friends; and

“Website” refers to the following websites operated by the Gallery

• The Gallery’s main website (www.nationalgallery.ie) (hosted externally)
• Our Images website (www.nationalgalleryimages.ie) (hosted externally)
• Our Shop website (hosted externally)
• Our Library and Archives websites (hosted internally)
• Our Online Collection website (hosted internally)

Legal bases and reasons for processing personal data 

The main purposes for which we collect and process personal data are:

• to provide the service, goods or information requested
• for administration purposes e.g. ticketing, donations or fulfilling orders from our Shop and Images websites
• to comply with law, including health & safety
• to gather feedback
• to fulfil our tasks, in the public interest, of:  
  • loaning, exhibiting, securing and protecting the National Collection
  • acquiring works of art
  • receiving donations and subscriptions and undertaking fundraising (to further our charitable aims)
  • increasing and diffusing knowledge of the visual arts, including via our education programmes and our Library & Archives
  • securing the proper care and preservation of works of art

The table below gives more information of the personal data we process, whether we share it with anyone else, for how long we retain it and what the legal basis is for processing such data.

Category of data and identity of 3rd part processor (if applicable)	Purpose of Processing	Retention period	Legal basis
Optional cookies - website visitors Shared with social media and analytics partners, as set out in Cookies Notice in more detail.	To enhance user experience, to provide social media features and to analyse website traffic. We also share information about your use of our site with our social media and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.	Outlined in Cookies Notice	Consent, gathered in accordance with ePrivacy Regulations.
Users of free WIFI service Email address, plus anonymous data (MAC address, wireless access point location, time and date)	To allow use of free WIFI service.	24 hours.	Consent/contract (WIFI Terms and Conditions of Use)
Job applications and expressions of interest. Shared with Candidate Manager, an external recruitment portal	We process the personal data of applicants for employment for the purposes of enabling fair and lawful recruitment	1 year post competition	The Employment Equality Acts 1998-2008
Interview materials	We process the personal data of applicants for employment for the purposes of enabling fair and lawful recruitment	1 year post competition	The Employment Equality Acts 1998-2008
Volunteer/Intern Records Shared with Better Impact (located in Canada, which has been deemed to have an adequate Data Protection regime by EU Commission)	Record of volunteers/interns engaged by Gallery	1 year after end of contract. Transferred to personnel file if individual becomes a permanent staff member	Civil Miscellaneous Provisions Law Act, 2011 Statute of Limitations Act, 1957
CCTV footage of onsite visitors, customers, service users, event attendees, enquirers, contractors Shared with Noonan Security Services Limited (live footage only)	Public interest task/legislative obligation: To ensure appropriate control over Gallery premises  (Section VIII of the National Gallery of Ireland Act 1854) and security of National Collection	28 days, except where the image identifies an issue and is retained specifically in the context of an investigation of that issue.	National Gallery of Ireland Acts 1854-1963 and National Cultural Institutions Act 1997: responsibility for entire and exclusive possession, occupation and control of Gallery premises. The Gallery’s building and grounds are vested in the OPW, subject to the Gallery’s right to use and occupy the building. responsibility for securing the proper care and preservation of works of art  the right to make byelaws concerning the care, maintenance, management, control, preservation, protection and regulation of the use of the Gallery and the maintenance of good order therein; Safety, Health & Welfare at Work Act 2005 (s.8 in particular) The Gallery’s Byelaws Legitimate interest: investigation of allegations, complaints, accidents and incidents and verification of facts as regards same Prevention, detection and deterrence of crime
Onsite visitors MAC address of visitor’s electronic device (irreversibly anonymised) shared with ShopperTrak (based in United States)	To monitor footfall and dwell time	For duration of agreement with Shoppertrak	Opt out available (see below) Safety and Health at Work Act 2005 Public interest task: securing the proper care and preservation of works of art Johnson Controls (Shoppertrak) has adopted Binding Corporate Rules (BCRs) that have been vetted by EU data protection authorities
Photo and/or contact information of contractors and back of house visitors Shared with SINEPro (based in Sydney, Australia)	Application to facilitate badging of contractors/back of house visitors  entering Gallery premises (information stored on an individual’s personal mobile devices and shared with designated Gallery personnel)	In accordance with SINEPro’s privacy policy	Model clauses and Sine’s Terms & Conditions (https://www.sine.co/privacy/). By agreeing to use the service, you consent to transfer of your personal data outside of the EEA Safety Health and Work Act 2005
Guest lists for events	controlling access/capacity for health & safety/security reasons	30 days following the event	Safety Health and Work Act 2005 Work Safely Protocol  Facilities hire agreement
Lenders, Donors and Potential Donors Shared with eTapestry, a cloud-based fundraising client relationship management system for charities (based in United States) Postal addresses of donors, potential donors shared with mailing houses for certain Gallery publications, e.g. Gallery magazine: Inkspot Limited and Impress Printing Works Ltd	Receiving donations and subscriptions Fundraising, to further our charitable aims Art loans Acquisitions of Works of Art	Data regularly reviewed to ensure it remains accurate and up to date. where there is a contractual arrangement in place, end of contract +6 years	Standard Contractual Clauses (“SCCs”) or Model Clauses which provide appropriate safeguards for the protection of personal data Public interest task: fundraising; loaning, exhibiting, securing and protecting the National Collection; acquiring works of art; securing the proper care and preservation of works of art Legislative Basis: National Gallery of Ireland Acts 1854-1963; National Cultural Institutions Act 1997; Statute of Limitations Act, 1957 Contractual, for corporate sponsors and lenders Data processing agreements (Inkspot and Impress)
Contact details for subscribers to our newsletters, mailing of other Gallery publications/marketing materials Group mailings sent by email are shared with MailChimp, e.g. What’s On, newsletter. Postal addresses of subscribers shared with mailing houses for certain Gallery publications, e.g. Gallery magazine: Inkspot Limited and Impress Printing Works Ltd	Increasing and diffusing knowledge of the visual arts, including via our education programmes and our Library & Archives To communicate the information requested	Until consent is revoked	Consent Public interest task: increasing and diffusing knowledge of the visual arts and fundraising Legislative Basis: National Gallery of Ireland Acts 1854-1963; National Cultural Institutions Act 1997 Standard Contractual Clauses (MailChimp). MailChimp is based in the United States and has issued assurances that data transfers from the EU to the US are protected by Standard Contractual Clauses, and that they continue to honour obligations to protect EU, UK, and Swiss data in compliance with the Privacy Shield Principles. Please see MailChimp's Privacy Policy Data processing agreements (Inkspot and Impress)
Friends members/Patrons: contact details, financial information Shared with: Ticketsolve: Ticketing, donations and online registration for Friends membership Mailing houses for certain Gallery publications, e.g. Gallery magazine: Inkspot Limited and Impress Printing Works Ltd (postal addresses only) Safe (financial information) Mailchimp (email addresses only) (newsletters) eTapestry: contact details and renewal information	Processing Friends/Patrons membership sales, administering benefits of membership	Financial details: 6 years Contact details: for duration of membership + 1 year	Taxes Consolidation Act 1997 Legitimate interest: increasing Friends membership to in turn support the Gallery’s mission and programming Data processing agreements Secure Payments Authentication Directive
Customers: contact details, financial information Shared with: Ticketsolve: Ticketing, donations WorldPay Secure online payments for Shop and Images websites Shopify: payment and billing information	processing orders, ticket sales and payments on Shop and Images websites	Financial info: 6 years Contact info: 4 weeks from posting of item(s)	Taxes Consolidation Act 1997
Visitor/Friends Surveys Culture Counts Visitor Surveys (based in Singapore, Australia, the United Kingdom and the United States) Survey Monkey Survey Monkey has issued assurances that they meet GDPR standards, although they also host all their data in the United States. Please see Survey Monkey’s Privacy Policy.	Occasional voluntary surveys to gather feedback and improve services for the benefit of the public	IP addresses are anonymised before results are compiled and analysed, so no personal data is retained by the Gallery	Legitimate interest: continual improvement of services and programming for the benefit of the public
Tour booking information Shared with BookingLive (based in the UK)	To administer tours	12 months	Legitimate interest: ancillary support of public interest task of diffusing knowledge of art. Data processed in accordance with Standard Contractual Clauses.

More information about how we process your personal data is set out below.

Visitors to our digital channels and how we use cookies

When you visit the Website, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the Website, to compile statistical reports on website activity and to personalise and improve our visitors’ experiences of using the site. We use Google Analytics to help us analyse such data but do not share any personally identifiable information with it.

The Website uses cookies, so a cookie may be placed in your computer browser. Cookies are small text files which provide us with information about how often someone visits the Website and what they do during those visits. Cookies do not themselves contain any personally identifying information, but if you provide information to us, it may be linked to the data stored in the cookie. You can set your browser not to accept cookies and remove cookies from your browser. However, in some cases, some of our website features may not function as a result. Optional cookies will be enabled only when you have opted in to their use.

If we do want to collect personally identifiable information via the Website or other digital channels, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

We reserve the right to disclose personal information provided by you to us where required or otherwise permitted by law, to operate our systems properly and to protect us and/or other users of the Website.

This notice does not cover links to external websites on the Website or use of our social media channels. We encourage you to read the privacy notices of those websites and social media providers. We are not responsible for the content or privacy practices of other websites or platforms.

Devices detected by our free Wi-Fi service

Free Wi-Fi access is available throughout the Gallery via our free Wi-Fi network. If you access this network, you will be asked to provide your email address and agree to terms and conditions of use of the Wi-Fi.

Your data is processed as follows:

Anonymous data detailing the individual wireless devices carried within the Gallery are detected and retained for 24 hours. The details stored are MAC address, wireless access point location, time and date.  This anonymous data alone cannot be used to identify you.

This anonymous data is used to generate a daily internal report monitoring general visitor flows throughout the Gallery, informing us about visitor interaction with the physical environment.

If you successfully connect to and use the public Wi-Fi Internet service, you will be required to give your email address and accept the Wi-Fi terms and conditions of use. We are obliged to retain your email address and individual wireless device details for compliance reasons and our practice is to retain and securely store these for 24 hours before deleting them.

If you do not use the free Wi-Fi network, but you have Wi-Fi enabled on your smartphone, tablet or another internet-enabled device, your device can still be detected by the network. We record data about the location and type of devices in the Gallery that have Wi-Fi enabled so that we can monitor the flow of visitors around the Gallery and to improve our services.

We will not link the anonymous device data with any other personal data that identifies you individually without your express permission. If in future we want to process your data in this way to offer you additional services, before doing so we will always ask you if you agree to take part.

Social Media

Occasionally your information will be used to improve ads targeting on Facebook, Instagram and Twitter, in accordance with the privacy policies of those platforms, to help ensure that we are reaching those mostly likely to be interested in the Gallery, saving valuable advertising budget. Apart from this activity, which is carried out in accordance with the preferences you set with those platforms, personally identifiable data held by us will not be used by us for automated decision-making or profiling.

Visitors to our premises and others who use and support our services

ShopperTrak

We use ShopperTrak to monitor footfall at the two Gallery entrances; in the Print Gallery; Rooms 6 – 10; in the Café, and in the Gallery Shop. Visitors’ movements are tracked by counters which “tag” their electronic devices in order to find out the average dwell time spent in temporary exhibitions. ShopperTrak uses the MAC address of the electronic device, and each MAC is irreversibly anonymised.

Identifying dwell time assists us in informing us how entry times for ticketed events are spaced, helps to ensure room capacity restrictions are not exceeded, in line with our health and safety legislative obligations, and also helps to ensure rooms do not become overcrowded which could adversely affect our visitors’ overall experience and enjoyment of their visit. We are also required to regularly report on visitor numbers and footfall monitoring assists with this. Anyone wishing to opt out from ShopperTrak should follow these steps:

• Email the request to [email protected]
• Ensure the subject line only comprises the 17 characters that make up the MAC address of the device to be opted out (e.g 00:1a:2b:3c:12:34)
• Do not include any other information about themselves in the subject or main body of the email  
• An automated reply will acknowledge receipt
• Within 24 hours of receipt that device will then be excluded from any ShopperTrak installation globally and no data will be stored from then on

CCTV

The Gallery uses a Closed Circuit Television (CCTV) system to provide a safe and secure environment for staff and visitors and to protect the National Collection and other Gallery property from loss or damage. CCTV images are retained for 28 days and then destroyed, save for where an incident has been recorded and there is an ongoing investigation of claim arising from it, in line with the Gallery’s CCTV policy.

Marketing

We may contact you from time to time by post, email, phone and/or SMS with news and information about the Gallery that we feel may be of interest to you, such as Gallery publications, research, education and fundraising, and about our other events, activities, products and services, where you have consented to such use. We will not use your personal information for such marketing purposes if you have indicated that you do not wish to be so contacted and we will only contact you in accordance with the preferences that you have indicated to us.

When you subscribe to our services or give consent to receiving news and information from us, you can cancel your subscription, withdraw your consent to being contacted, change your preferences or change your preferred method of contact at any time by clicking here. Subscribing for email newsletters and other marketing communications is optional. You do not need to subscribe to marketing from us when you buy products, book tickets, donate or use any of our other services. We will not share your personal data with anyone else for marketing purposes.

Donor Profiling and Research

The Gallery does not carry out automatic decision-making, but on occasion, we systematically analyse our databases and the information that we hold about you, in order to improve the efficiency, cost effectiveness and relevance of our communication with you (profiling). In a very limited number of cases, our Development Department may use desk research, profiling and screening techniques to analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you, to be prepared when we meet you, or to help us find others like you who might like to show their support. 

We may sometimes use geo-demographic, measures of affluence and/or other personal information which may include identification of individuals’ capacity to give, through a process called ‘wealth screening’, using publicly available information sources. We may on occasion use third party suppliers to undertake these activities on our behalf and provide them with your information to the extent required. At present, we engage Dow Jones for this purpose, and they act as joint controller of your personal data in this regard. We may also carry out our own research into our supporters, again using publicly available information or information that you provide us with. Collating this information helps us better understand your motivations and preferences enabling us to deliver a more targeted and relevant donor experience. Additionally, it enables us to raise more funds, sooner, and more cost-effectively than we otherwise would. It also helps us understand the background of the people who do or may support us and helps us to make appropriate requests for gifts to supporters who may be able and willing to give more than they already do and/or leave us a gift in their will.

If you would prefer us not to process your personal data for the purpose of wealth screening, we will respect your wishes. If you do not wish to be subject to such profiling or wealth screening or wish to update your contact preferences, please call our Development team on +353 (0) 87 381 8970 or email [email protected] and we will happily address your request.

Friends

The table above sets out the personal data we hold about you if you are a Friend. If you are gifted a Friends membership, the person giving you that gift has provided your contact details to us for the purpose of setting up and servicing your membership.

General Enquiries

If you choose to send us personal details, for example by post or email, we process this data in the course of assessing, managing or responding to your communication. Processing your data is necessary to perform a task carried out in the public interest or for our official functions.

Data Processors

We occasionally outsource functions when we do not have the in-house capacity or expertise required, such as the use of a mailing house for mailings (including invitations to exhibition openings and Gallery publications), CCTV monitoring services and analytical services that enable us to target our communications with customers and supporters more effectively. In such cases, we will only use reputable firms and have contracts and processes in place that ensure the safe and confidential processing of personal data at all times. We will always ensure an adequate level of protection is provided for personal information transferred outside the European Economic Area. The main organisations that we currently share your data with are outlined in the table above.

Children and Vulnerable Persons

Education is one of our core activities. As part of our Education Programme, we provide services and activities aimed at children and vulnerable people, such as workshops, outreach programmes, work placements and art competitions.

• Personal contact details of children may be processed by us in order to administer these activities as follows:
• For children aged 17 years or under, we will always obtain the express consent of their parent or legal guardian before doing so
• When providing services to a child online (including ticketing for workshops aimed at young people), we will seek proof that the data subject is aged 16 years or over and obtain their explicit consent in easy to understand language. We will not provide online services to those aged under 15 or under.
• Personal contact details of vulnerable persons may be processed by us in order to administer these activities as follows:
• For vulnerable persons who can provide consent on their own behalf, we will always obtain their express consent before doing so
• For vulnerable persons who do not have the capacity to provide consent on their own behalf, we will always obtain the express consent of their guardian or nominated representative before doing so.

Job and volunteering applicants

If you apply to work or volunteer at the Gallery, we will use the information you supply to us to process your application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example, where we want to take up a reference, we will not do so without informing you beforehand. Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, after which it will automatically be destroyed, unless you have asked us to destroy it earlier or allowed us to retain it for longer by written request.  We currently use Candidate Manager to help manage and administer the recruitment process and share your data with them for this purpose.

You can register your interest for job opportunities at the Gallery.

Data Subject Rights

You have the right to request a copy of information that we hold about you by making a Subject Access Request.  On request, we will also correct your data according to your preference should errors be identified and/or delete all of your personal data, unless we have to keep it to comply with statutory retention requirements or, in the case of some technical logs, cannot modify or delete it. In any such case, we will restrict your data for further processing so that it can no longer be used. You also have a right to object to the further processing of your data and the right to receive your data in electronic form. Where you have consented to us processing your data, you have the right to revoke that consent at any time.

If you wish to exercise any of these rights, please contact our Data Protection Officer or using the contact details given below.

If you believe that your data is not being processed by us in accordance with applicable data protection laws, you have the right of appeal to the Data Protection Commissioner.

Keeping your data

In general, we do not keep your data for any longer than is necessary for the purpose for which it was obtained from you. In limited circumstances, Certain of our IT systems log information that cannot be modified and, in limited circumstances, cannot be deleted. Access to these systems is tightly controlled and the data captured therein is put beyond use.

We are currently reviewing and updating our records management policy and retention schedules. As a result, as we move towards compliance, personal data may in certain circumstances be held longer than the minimum period required. We hope to publish further details of retention periods soon and ask you to bear with us during this time.

We will take care to ensure that your information is accurate, kept up to date and stored securely and will do our best to carry out our services using the minimum amount of personal data possible.

We adopt Transport Layer Security measures to protect information sent to and from the Website from interception and hacking. However, there are risks involved with the transfer of information across the internet and the users of the Website should be aware of such risks.

Complaints, enquiries and feedback

The Gallery tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of their information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. Please contact our Data Protection Officer here or using the contact details provided below.

How to contact us

For general enquiries, please email us at [email protected].

To opt out from receiving marketing communications from us, update your contact details or change your contact preferences at any time, you can write to us at: Visitor Experience, The National Gallery of Ireland, Merrion Square West, Dublin 2, D02 K303. You can also click the “unsubscribe” link at the bottom of our emails. Please ensure that you state your full name and address to help us locate your records. If your personal details change, please help us to keep your information up to date by notifying us.

As outlined above, you are entitled to view, amend or delete the personal data that we hold about you. If you wish to exercise any of these rights, please email our Data Protection Officer or in writing to: The Data Protection Officer, The National Gallery of Ireland, 89 Merrion Square West, Dublin 2, D02 K303.

• If you have any queries in relation to National Gallery Images, please contact [email protected].
• If you have any queries in relation to the Shop, please contact [email protected].
• If you have any queries in relation to Friends, please contact [email protected].

Use of our services and changes to this notice

By using our services, you confirm that you have read, understood and agreed to this notice. We keep this notice under regular review. You are advised to visit this page periodically in order to keep up to date with any changes to it. By continuing to use our services after any such changes, you shall be deemed to have accepted any such revised notice.

This Privacy Notice was last updated on 11 March 2022.