Privacy Notice

How we use your information

This privacy notice tells you who we are and what to expect when the National Gallery of Ireland (the Gallery) collects your personal information. When you use our services, you trust us with your information and we want to assure you that we take your rights seriously.

This notice applies to information we collect about:

  • Visitors to our digital channels
  • Devices detected by our free Wi-Fi service
  • Visitors to the Gallery and anyone else who uses and supports our services
  • Job and volunteering applicants

It also provides information on:

  • How we  use your personal information
  • Your rights to access and correct the information we hold about you
  • How to contact us for queries or complaints about our use of your personal information, and to unsubscribe from marketing communications.

Who we are

The Gallery’s mission is to care for, interpret, develop and showcase art in a way that makes us an exciting place to visit.  We aim to provide an outstanding experience that inspires an interest in and an appreciation of art for all and are dedicated to bringing people and their art together.  The Gallery’s parent department is the Department of Culture, Heritage and the Gaeltacht. The Gallery is also a registered charity (CHY No. 2345).

Friends of the National Gallery of Ireland (Friends) is a self-funding cultural organisation with charitable status (Registered Charity Number: 20158958) committed to promoting the Gallery and its collection. Its purpose is to support the work of the Gallery and expand awareness and appreciation of the visual arts. Through a range of educational events, the Friends encourage interest in the Gallery, art and architecture, both in Ireland and abroad.  Friends is also subject to the Gallery’s policies and procedures, including this notice.

The Gallery and/or Friends are the data controller(s) of your personal information.

Throughout this notice:

“the Gallery” and “we” refer to the Gallery and Friends; and

“Website” refers to the following websites operated by the Gallery:

    • The Gallery’s main website (www.nationalgallery.ie) (hosted externally)
    • Our Images website (www.nationalgalleryimages.ie) (hosted externally)
    • Our Shop website (hosted externally)
    • Our Library and Archives websites (hosted internally)
    • Our Online Collection website (hosted internally)

Legal bases and reasons for processing personal data 

The main purposes for which we collect and process personal data are:

  • to provide the service, goods or information requested
  • for administration purposes e.g. ticketing, donations or fulfilling orders from our Shop and Images websites
  • to comply with law, including health & safety
  • to gather feedback
  • for contact tracing.
  • to fulfil our tasks, in the public interest, of:  
    • loaning, exhibiting, securing and protecting the National Collection
    • acquiring works of art
    • receiving donations and subscriptions and undertaking fundraising (to further our charitable aims)
    • increasing and diffusing knowledge of the visual arts, including via our education programmes and our Library & Archives
    • securing the proper care and preservation of works of art

The table below gives more information of the personal data we process, whether we share it with anyone else, for how long we retain it and what the legal basis is for processing such data.

Category of data and identity of 3rd part processor (if applicable)

Purpose of Processing

Retention period Legal basis

Optional cookies - website visitors

Shared with social media and analytics partners, as set out in Cookies Notice in more detail.

To enhance user experience, to provide social media features and to analyse website traffic. We also share information about your use of our site with our social media and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

Outlined in Cookies Notice Consent, gathered in accordance with ePrivacy Regulations.

Users of free WIFI service

Email address, plus anonymous data (MAC address, wireless access point location, time and date)

To allow use of free WIFI service. 24 hours. Consent/contract (WIFI Terms and Conditions of Use)

Job applications and expressions of interest.

Shared with Candidate Manager, an external recruitment portal

We process the personal data of applicants for employment for the purposes of enabling fair and lawful recruitment 1 year post competition The Employment Equality Acts 1998-2008
Interview materials

We process the personal data of applicants for employment for the purposes of enabling fair and lawful recruitment

 

1 year post competition The Employment Equality Acts 1998-2008
Volunteer/Intern Records

Shared with Better Impact (located in Canada, which has been deemed to have an adequate Data Protection regime by EU Commission)
Record of volunteers/interns engaged by Gallery 1 year after end of contract. Transferred to personnel file if individual becomes a permanent staff member Civil Miscellaneous Provisions Law Act, 2011

Statute of Limitations Act, 1957
CCTV footage of onsite visitors, customers, service users, event attendees, enquirers, contractors

Shared with Noonan Security Services Limited (live footage only)
Public interest task/legislative obligation: To ensure appropriate control over Gallery premises  (Section VIII of the National Gallery of Ireland Act 1854) and security of National Collection 28 days, except where the image identifies an issue and is retained specifically in the context of an investigation of that issue.

Guidance on CCTV issued by the Office of the Data Protection Commissioner

Safety, Health and Welfare at Work Act 2005

Statute of Limitations Act, 1957

Section VIII of the National Gallery of Ireland Act 1854

Contract (Noonan Security Services)

 

Onsite visitors

MAC address of visitor’s electronic device (irreversibly anonymised) shared with ShopperTrak (based in United States)

 To monitor footfall and dwell time For duration of agreement with Shoppertrak

Opt out available (see below)

Loan contracts for works of art

Safety and Health at Work Act 2005

Public interest task: securing the proper care and preservation of works of art

Johnson Controls (Shoppertrak) has adopted Binding Corporate Rules (BCRs) that have been vetted by EU data protection authorities

 

Photo and/or contact information of contractors and back of house visitors

Shared with SINEPro (based in Sydney, Australia)
Application to facilitate badging of contractors/back of house visitors  entering Gallery premises (information stored on an individual’s personal mobile devices and shared with designated Gallery personnel)

Contract tracing
In accordance with SINEPro’s privacy policy

Data used for contact tracing will be retained for 28 days for duration of COVID19 pandemic

Model clauses and Sine’s Terms & Conditions (https://www.sine.co/privacy/). By agreeing to use the service, you consent to transfer of your personal data outside of the EEA

Safety Health and Work Act 2005

Work Safely Protocol – COVID19 Specific National Protocol for Employers and Workers (Department of Business, Enterprise and Innovation and Department of Health)

 

Café customers Contact tracing Data used for contact tracing will be retained for 28 days  for duration of COVID19 pandemic Data Protection Commission Guidance on Processing Customer Data for COVID-19

Contact Tracing
Guest lists for events controlling access/capacity for health & safety/security reasons

Contact tracing
28 days following the event

Safety Health and Work Act 2005

Work Safely Protocol – COVID19 Specific National Protocol for Employers and Workers (Department of Business, Enterprise and Innovation and Department of Health)

Facilities hire agreement

 

Lenders, Donors and Potential Donors

Shared with eTapestry, a cloud-based fundraising client relationship management system for charities (based in United States)

Postal addresses of donors, potential donors shared with mailing houses for certain Gallery publications, e.g. Gallery magazine: Inkspot Limited and Impress Printing Works Ltd
Receiving donations and subscriptions

Fundraising, to further our charitable aims

Art loans

Acquisitions of Works of Art
Data regularly reviewed to ensure it remains accurate and up to date. where there is a contractual arrangement in place, end of contract +6 years

Standard Contractual Clauses (“SCCs”) or Model Clauses which provide appropriate safeguards for the protection of personal data


Public interest task: fundraising; loaning, exhibiting, securing and protecting the National Collection; acquiring works of art; securing the proper care and preservation of works of art


Legislative Basis: National Gallery of Ireland Acts 1854-1963; National Cultural Institutions Act 1997; Statute of Limitations Act, 1957


Contractual, for corporate sponsors and lenders


Data processing agreements (Inkspot and Impress)

 

Contact details for subscribers to our newsletters, mailing of other Gallery publications/marketing materials

Group mailings sent by email are shared with MailChimp, e.g. What’s On, newsletter.

Postal addresses of subscribers shared with mailing houses for certain Gallery publications, e.g. Gallery magazine: Inkspot Limited and Impress Printing Works Ltd

Increasing and diffusing knowledge of the visual arts, including via our education programmes and our Library & Archives

To communicate the information requested
Until consent is revoked

Consent


Public interest task:

increasing and diffusing knowledge of the visual arts and fundraising


Legislative Basis: National Gallery of Ireland Acts 1854-1963; National Cultural Institutions Act 1997


Standard Contractual Clauses (MailChimp). MailChimp is based in the United States and has issued assurances that data transfers from the EU to the US are protected by Standard Contractual Clauses, and that they continue to honour obligations to protect EU, UK, and Swiss data in compliance with the Privacy Shield Principles. Please see MailChimp's Privacy Policy


Data processing agreements (Inkspot and Impress)

 

Friends members/Patrons: contact details, financial information


Shared with:


Ticketsolve: Ticketing, donations and online registration for Friends membership


Mailing houses for certain Gallery publications, e.g. Gallery magazine: Inkspot Limited and Impress Printing Works Ltd (postal addresses only)


Safe (financial information)


Mailchimp (email addresses only) (newsletters)


eTapestry: contact details and renewal information

 

Processing Friends/Patrons membership sales, administering benefits of membership Financial details: 6 years

Contact details: for duration of membership + 1 year
Taxes Consolidation Act 1997

Legitimate interest: increasing Friends membership to in turn support the Gallery’s mission and programming

Data processing agreements

Customers: contact details, financial information

Shared with:

Ticketsolve: Ticketing, donations

WorldPay Secure online payments for Shop and Images websites

Shopify: payment and billing information

 

processing orders, ticket sales and payments on Shop and Images websites Financial info: 6 years

Contact info: 4 weeks from posting of item(s)
Taxes Consolidation Act 1997

Visitor/Friends Surveys

Culture Counts Visitor Surveys (based in Singapore, Australia, the United Kingdom and the United States)

Survey Monkey Survey Monkey has issued assurances that they meet GDPR standards, although they also host all their data in the United States. Please see Survey Monkey’s Privacy Policy.

 

Occasional voluntary surveys to gather feedback and improve services for the benefit of the public IP addresses are anonymised before results are compiled and analysed, so no personal data is retained by the Gallery Legitimate interest: continual improvement of services and programming for the benefit of the public 

Tour booking information

Shared with BookingLive (based in the UK)

To administer tours 12 months

Legitimate interest: ancillary support of public interest task of diffusing knowledge of art.

Data processed in accordance with Standard Contractual Clauses.

More information about how we process your personal data is set out below.

Visitors to our digital channels and how we use cookies

When you visit the Website, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the Website, to compile statistical reports on website activity and to personalise and improve our visitors’ experiences of using the site. We use Google Analytics to help us analyse such data but do not share any personally identifiable information with it.

The Website uses cookies, so a cookie may be placed in your computer browser. Cookies are small text files which provide us with information about how often someone visits the Website and what they do during those visits. Cookies do not themselves contain any personally identifying information, but if you provide information to us, it may be linked to the data stored in the cookie. You can set your browser not to accept cookies and remove cookies from your browser. However, in some cases, some of our website features may not function as a result. Optional cookies will be enabled only when you have opted in to their use.

If we do want to collect personally identifiable information via the Website or other digital channels, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

We reserve the right to disclose personal information provided by you to us where required or otherwise permitted by law, to operate our systems properly and to protect us and/or other users of the Website.

This notice does not cover links to external websites on the Website or use of our social media channels. We encourage you to read the privacy notices of those websites and social media providers. We are not responsible for the content or privacy practices of other websites or platforms.

Devices detected by our free Wi-Fi service

Free Wi-Fi access is available throughout the Gallery via our free Wi-Fi network. If you access this network, you will be asked to provide your email address and agree to terms and conditions of use of the Wi-Fi.

Your data is processed as follows:

Anonymous data detailing the individual wireless devices carried within the Gallery are detected and retained for 24 hours. The details stored are MAC address, wireless access point location, time and date.  This anonymous data alone cannot be used to identify you.

This anonymous data is used to generate a daily internal report monitoring general visitor flows throughout the Gallery, informing us about visitor interaction with the physical environment.

If you successfully connect to and use the public Wi-Fi Internet service, you will be required to give your email address and accept the Wi-Fi terms and conditions of use. We are obliged to retain your email address and individual wireless device details for compliance reasons and our practice is to retain and securely store these for 24 hours before deleting them.

If you do not use the free Wi-Fi network, but you have Wi-Fi enabled on your smartphone, tablet or another internet-enabled device, your device can still be detected by the network. We record data about the location and type of devices in the Gallery that have Wi-Fi enabled so that we can monitor the flow of visitors around the Gallery and to improve our services.

We will not link the anonymous device data with any other personal data that identifies you individually without your express permission. If in future we want to process your data in this way to offer you additional services, before doing so we will always ask you if you agree to take part.

Social Media

Occasionally your information will be used to improve ads targeting on Facebook, Instagram and Twitter, in accordance with the privacy policies of those platforms, to help ensure that we are reaching those mostly likely to be interested in the Gallery, saving valuable advertising budget. Apart from this activity, which is carried out in accordance with the preferences you set with those platforms, personally identifiable data held by us will not be used by us for automated decision-making or profiling.

Visitors to our premises and others who use and support our services

ShopperTrak


We use ShopperTrak to monitor footfall at the two Gallery entrances; in the Print Gallery; Rooms 6 – 10; in the Café, and in the Gallery Shop. Visitors’ movements are tracked by counters which “tag” their electronic devices in order to find out the average dwell time spent in temporary exhibitions. ShopperTrak uses the MAC address of the electronic device, and each MAC is irreversibly anonymised.

Identifying dwell time assists us in informing us how entry times for ticketed events are spaced and helps us to ensure room capacity restrictions, as set out in loan contracts for works of art and as required in order to meet our health & safety legislative obligations and our duty to protect works of art with appropriate environmental controls, are met. We are also required to regularly report on visitor numbers and footfall monitoring assists with this. Anyone wishing to opt out from ShopperTrak should follow these steps:

  • Email the request to [email protected]
  • Ensure the subject line only comprises the 17 characters that make up the MAC address of the device to be opted out (e.g 00:1a:2b:3c:12:34)
  • Do not include any other information about themselves in the subject or main body of the email  
  • An automated reply will acknowledge receipt
  • Within 24 hours of receipt that device will then be excluded from any ShopperTrak installation globally and no data will be stored from then on


CCTV

The Gallery uses a Closed Circuit Television (CCTV) system to provide a safe and secure environment for staff and visitors and to protect the National Collection and other Gallery property from loss or damage. CCTV images are retained for 28 days and then destroyed, save for where an incident has been recorded and there is an ongoing investigation of claim arising from it, in line with the Gallery’s CCTV policy.

Personal Data Processed in Connection with COVID-19

The Gallery is aware of the gravity of the public health issues that arise due to the current COVID-19 pandemic, its obligations under the Safety Health and Work Act 2005 to provide a safe place of work for employees and the guidance set out in the Return to Work Safely Protocol – COVID19 Specific National Protocol for Employers and Workers (Department of Business, Enterprise and Innovation and Department of Health). In particular, the Protocol recommends that a contact log is maintained to facilitate contact tracing in the event of a positive case of COVID-19 in the workplace. In line with this advice, the Gallery may use the personal contact information provided to it by certain third parties visiting the Gallery’s premises for the further use of contact tracing, where a positive case of COVID-19 has been identified in the workplace and there is a possibility that:

  • the relevant third party may have come in contact with that person for more than 15 minutes face to face; and
  • a social distance of 2 metres has not been maintained at all times when on site.
  • This information is stored securely and gathered:
    • Via the SINEPro app on third parties’ personal mobile devices and the Gallery’s Badge Room (via password-controlled iPad), accessible by SINEPro and Security Supervisors only;
    • In connection with facilities hire agreements for events, accessible by designated Security and Events staff only;
    • Via contact with the Gallery’s Exhibitions & Collections team, accessible by that team only;
    • For café customers, accessible by designated staff only.


Marketing

We may contact you from time to time by post, email, phone and/or SMS with news and information about the Gallery that we feel may be of interest to you, such as Gallery publications, research, education and fundraising, and about our other events, activities, products and services, where you have consented to such use. We will not use your personal information for such marketing purposes if you have indicated that you do not wish to be so contacted and we will only contact you in accordance with the preferences that you have indicated to us.

When you subscribe to our services or give consent to receiving news and information from us, you can cancel your subscription, withdraw your consent to being contacted, change your preferences or change your preferred method of contact at any time by clicking here. Subscribing for email newsletters and other marketing communications is optional. You do not need to subscribe to marketing from us when you buy products, book tickets, donate or use any of our other services. We will not share your personal data with anyone else for marketing purposes.

Friends

The table above sets out the personal data we hold about you if you are a Friend. If you are gifted a Friends membership, the person giving you that gift has provided your contact details to us for the purpose of setting up and servicing your membership.

General Enquiries

If you choose to send us personal details, for example by post or email, we process this data in the course of assessing, managing or responding to your communication. Processing your data is necessary to perform a task carried out in the public interest or for our official functions.

Data Processors

We occasionally outsource functions when we do not have the in-house capacity or expertise required, such as the use of a mailing house for mailings (including invitations to exhibition openings and Gallery publications), CCTV monitoring services and analytical services that enable us to target our communications with customers and supporters more effectively. In such cases, we will only use reputable firms and have contracts and processes in place that ensure the safe and confidential processing of personal data at all times. We will always ensure an adequate level of protection is provided for personal information transferred outside the European Economic Area. The main organisations that we currently share your data with are outlined in the table above.

Children and Vulnerable Persons

Education is one of our core activities. As part of our Education Programme, we provide services and activities aimed at children and vulnerable people, such as workshops, outreach programmes, work placements and art competitions.

  • Personal contact details of children may be processed by us in order to administer these activities as follows:
  • For children aged 17 years or under, we will always obtain the express consent of their parent or legal guardian before doing so
  • When providing services to a child online (including ticketing for workshops aimed at young people), we will seek proof that the data subject is aged 16 years or over and obtain their explicit consent in easy to understand language. We will not provide online services to those aged under 15 or under.
  • Personal contact details of vulnerable persons may be processed by us in order to administer these activities as follows:
  • For vulnerable persons who can provide consent on their own behalf, we will always obtain their express consent before doing so
  • For vulnerable persons who do not have the capacity to provide consent on their own behalf, we will always obtain the express consent of their guardian or nominated representative before doing so.


Job and volunteering applicants

If you apply to work or volunteer at the Gallery, we will use the information you supply to us to process your application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example, where we want to take up a reference, we will not do so without informing you beforehand. Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, after which it will automatically be destroyed, unless you have asked us to destroy it earlier or allowed us to retain it for longer by written request.  We currently use Candidate Manager to help manage and administer the recruitment process and share your data with them for this purpose.


You can register your interest for job opportunities at the Gallery here.

Data Subject Rights

You have the right to request a copy of information that we hold about you by making a Subject Access Request.  On request, we will also correct your data according to your preference should errors be identified and/or delete all of your personal data, unless we have to keep it to comply with statutory retention requirements or, in the case of some technical logs, cannot modify or delete it. In any such case, we will restrict your data for further processing so that it can no longer be used. You also have a right to object to the further processing of your data and the right to receive your data in electronic form. Where you have consented to us processing your data, you have the right to revoke that consent at any time.

If you wish to exercise any of these rights, please contact our Data Protection Officer by clicking here or using the contact details given below.


If you believe that your data is not being processed by us in accordance with applicable data protection laws, you have the right of appeal to the Data Protection Commissioner.

Keeping your data

In general, we do not keep your data for any longer than is necessary for the purpose for which it was obtained from you. In limited circumstances, Certain of our IT systems log information that cannot be modified and, in limited circumstances, cannot be deleted. Access to these systems is tightly controlled and the data captured therein is put beyond use.

We are currently reviewing and updating our records management policy and retention schedules. As a result, as we move towards compliance, personal data may in certain circumstances be held longer than the minimum period required. We hope to publish further details of retention periods soon and ask you to bear with us during this time.

We will take care to ensure that your information is accurate, kept up to date and stored securely and will do our best to carry out our services using the minimum amount of personal data possible.

We adopt Transport Layer Security measures to protect information sent to and from the Website from interception and hacking. However, there are risks involved with the transfer of information across the internet and the users of the Website should be aware of such risks.

Complaints, enquiries and feedback

The Gallery tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of their information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. Please contact our Data Protection Officer here or using the contact details provided below.

How to contact us

For general enquiries, please email us at [email protected].

To opt out from receiving marketing communications from us, update your contact details or change your contact preferences at any time, you can write to us at: Visitor Experience, The National Gallery of Ireland, Merrion Square West, Dublin 2, D02 K303. You can also click the “unsubscribe” link at the bottom of our emails. Please ensure that you state your full name and address to help us locate your records. If your personal details change, please help us to keep your information up to date by notifying us.

As outlined above, you are entitled to view, amend or delete the personal data that we hold about you. If you wish to exercise any of these rights, please contact our Data Protection Officer here or in writing to: The Data Protection Officer, The National Gallery of Ireland, 89 Merrion Square West, Dublin 2, D02 K303.


Use of our services and changes to this notice

By using our services, you confirm that you have read, understood and agreed to this notice. We keep this notice under regular review. You are advised to visit this page periodically in order to keep up to date with any changes to it. By continuing to use our services after any such changes, you shall be deemed to have accepted any such revised notice.


This privacy notice was last updated on 8 December 2020