Privacy policy

Purpose of this Privacy Policy

This Privacy Policy aims to give you information on how the Art UK Shop collects and processes your personal data through your use of the Art UK Shop website, including any data you may provide when you place an order, sign up to our newsletter, create an account with us or elect to donate money to us. It is important that you read this Privacy Policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements other notices and privacy policies and is not intended to override them.

Art UK

Art UK is the operating name of the Public Catalogue Foundation, a charity registered in England and Wales (charity number: 1096185) and in Scotland (charity number: SC048601) We are registered in England and Wales under company number 04573564 and have our registered office at Salisbury House, Station Road, Cambridge, England, CB1 2LA.

The Art UK Shop website at https://artuk.org/shop/ (Website) is operated by the Public Catalogue Foundation. The Public Catalogue Foundation is the data controller of personal data collected from you by this Website and related means, or otherwise provided by you to us.

The Public Catalogue Foundation is committed to complying with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO) under Data Protection Registration Number: Z1168380.

We have appointed a Data Privacy Officer who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the Data Privacy Officer using the details set out below.

The Public Catalogue Foundation (We, us, our) are committed to protecting and respecting your privacy. The UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable national data privacy laws (together, Data Privacy Laws) place obligations on us in relation to the personal data that we collect and hold. This Privacy Policy (together with our Website Terms of Use) sets out how we comply with Data Privacy Laws, including detailing the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting the Website or otherwise providing us with your personal data you are doing so on the basis of the general practices described in this Privacy Policy.

Where we require your consent to process your personal data in accordance with these practices, we will seek this consent at the point at which you provide us with this data. Where we wish to process your personal data for a purpose other than that for which the personal data were collected, we will notify you of that intention, explain the legal basis which allows us to do so and obtain any further necessary consents. Please note that we may process your personal data without your knowledge or consent, in compliance with the Data Privacy Laws, where this is required or permitted by law.

1. Information we may collect from you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may process (e.g., collect, use, store and/or transfer) the following data about you:

(a) Information you give us. You may give us your personal data when you use our Website, place an order, or in correspondence with us, by phone, email or otherwise. This data may include information you provide when you create an account on our Website; subscribe to any of our services; donate to us; enter a competition, promotion or survey; report a problem with the Website; or otherwise in connection with your communications with us. The information you give us may include your name, invoice and delivery addresses, email address, phone number, job details, financial and credit card information, personal description and information relating to your participation in and feedback on any of our products or services.

(b) Information we collect about you. We may collect and process technical information about your computer, including (where available) your Internet Protocol (IP) address; login information; browser type and version; time zone setting; browser plug-in types and versions; operating system and platform; and any other technology on the devices you use to access our Website. We may also collect and process information about your visit to our Website, including the full Uniform Resource Locators (URL) clickstream to, through and from the Website (including date and time); products viewed or purchased;artworks or artists you viewed or searched for; page response times; download errors; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); methods used to browse away from the page; and any phone number used to contact us. We collect this information for system administration purposes and to report aggregate information on usage.

We never store credit or debit card payment information within our data. Any credit and debit card information that you provide to us is passed on directly by us to secure third party systems (such as banks, PayPal etc.) where it is stored securely.

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).

2. Cookies

The Website uses cookies to distinguish you from other users of the Website. This helps us to provide you with a good experience when you browse the Website and also allows us to improve the Website. For detailed information on the cookies we use and the purposes for which we use them see our Cookies Policy.

3. How we use your personal data

Under the General Data Protection Regulations, we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:

  • Contract – your personal information is processed in order to fulfil a contractual arrangement e.g. to provide the goods you have ordered and paid for.

  • Consent – where you agree to us using your information to make contact e.g. contact via email newsletters about offers and events. Where we require your consent to process your personal data, we will seek that consent at the point that we ask you for the data.

  • Legitimate Business Interests – this means the interests of Art UK in managing our service to provide you with the best products, service and customer service in the most secure and appropriate way.

  • Legal Obligation – where there is statutory or other legal requirement to share the information e.g. when we have to share your information with government and civil departments for the purposes of law enforcement and the investigation of any fraudulent activities.

Here is a list of the ways that we may use your personal information, and which of the reasons described above we rely on to do so.

Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.

3.1 We use information held about you in the following ways:


Purpose / activity

Lawful basis for processing, including basis of legitimate interest

Users of the Website

 

(a) to carry out our obligations arising from any contracts entered into between you and us and to provide you with any information, products and services that you request from us;

Performance of a contract with you

 (b) to contact you (including by email, post or telephone) in relation to the products and services that you have signed up for;

Performance of a contract with you

 (c) to contact you (including by email, post or telephone), about other products and services that we offer that are similar to those that you have already purchased, signed up for or enquired about, provided that you have opted in to receive these communications;

Your consent

 (d) to send you newsletters and other updates on our organisation and our products and services by email, where you have opted in to receive these;

Your consent

 (e) to manage relationships with our supporters and administer our charitable program

Legitimate interests (fulfilling our charitable objections)

(f) to administer and facilitate our programmes and services;

Legitimate interests (the administration, improvement and promotion of our projects and our Website)

(g) to notify you about changes to our organisation or services;

Legitimate interests (the administration, improvement and promotion of our projects and our Website)

(h) if you provide feedback about our Website, services or projects through a contact form or email address, to develop and improve the relevant area;

Legitimate interests (the administration, improvement and promotion of our projects and our Website)

(i) to monitor the way in which our sites are used, and to ensure that content from the Website is presented in the most effective manner for you and for your computer;

Legitimate interests (the administration, improvement and promotion of our projects and our Website)

(j) to administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

Legitimate interests (the administration, improvement and promotion of our projects and our Website)

(k) to allow you to participate in interactive features of our service, when you choose to do so;

Your consent

(l) as part of our efforts to keep the Website safe and secure;

Performance of a contract with you

Legitimate interests (the administration, improvement and promotion of our projects and our Website)

(m) to make suggestions and recommendations to you and other users of the Website about products or services that may interest you or them. We will only contact you about these products or services where you have opted in to receive these communications;

Your consent

(n) if the Public Catalogue Foundation or substantially all of its assets are acquired by a third party (who will be a UK charity and a not-for-profit organisation), in which case personal data will be one of the transferred assets;

Legitimate interests (continuity of our projects and services)

(o) if we are required to process your personal data by Law or if we believe in good faith that we are required to do so by any order of the Courts or other competent body or agency;

Necessary to comply with a legal obligation

(p) to enforce or apply our Website Terms of Use and other agreements; and

Legitimate interests (pursuit and defence of our rights and property)

(q) to protect or defend our rights or property or to protect the personal safety of our employees or the public at large.

Legitimate interests (pursuit and defence of our rights and property)

 

3.2 We will process your personal data on the basis of: (i) your consent, if requested; (ii) the performance of our obligations under any contracts entered into between you and us; (iii) compliance with applicable laws, rules and regulations; and/or (iv) our legitimate interests (which include (i) the administration, improvement and promotion of our projects and our Website; (ii) fulfilling our charitable objectives; (iii) continuity of our projects and services; and (iv) pursuit and defence of our rights and property). Where possible we will seek to use aggregate data in order to achieve these aims. Please contact us if you need details about the specific legal ground(s) we are relying on to process your personal data.

3.3 Where we need to collect your personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you.

3.4 Where our processing is based on your consent, and not any other legal basis, you have the right to withdraw your consent at any time. This withdrawal will not affect the lawfulness of processing prior to the withdrawal. If you inform us that you no longer wish to receive email or other communications from us, we will stop sending you these communications.

3.5 We do not envisage that any decisions will be taken about you using automated means, however we will notify you if this position changes.

4. Disclosure of your personal data

4.1 In order to provide our products and services, we may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

4.2 To enable us to fulfil orders placed, your personal information will be shared with our trusted third party suppliers and delivery partners. Where we have your opt-in consent to do so, we may share your information with selected third parties who we work with in order to run and promote our projects, including but not limited to, the participating collection administrations.

4.3 We may also disclose your personal information to third parties (see also the table at 3.1 above for further details on the lawful bases for processing for these purposes):

(a) if the Public Catalogue Foundation or substantially all of its assets are acquired by a third party (who will be a UK charity and a not-for-profit organisation), in which case personal data will be one of the transferred assets and the new owner may use your personal data in the same way as set out in this Privacy Policy;

(b) if required to do so by Law or if we believe in good faith that we are required to do so by any order of the Courts or other competent body or agency;

(c) in order to enforce or apply our Website Terms of Use and other agreements; or

(d) in order to protect or defend our rights or property or to protect the personal safety of our employees or the public at large.

4.4 We may from time to time engage third parties to perform services (including the processing of personal data) on our behalf, such as hosting our data (including your personal data) and Website; sending emails and other communications relating to our products and/or services; providing analytic services, such as tracking usage of our operational sites or websites; or performing other administrative services for us.

4.5 We shall only use processors that will commit to implement appropriate technical and organisational measures in order to ensure that their processing activities meet the requirements of Data Privacy Laws and ensure the protection of your data protection rights. Prior to allowing these service providers to access your personal data, we will enter into a formal agreement with them to ensure that they handle and process the information for specified purposes and in accordance with our instructions and applicable law.

4.6 We will not share your information with parties outside of the UK unless we are legally permitted or required to do so. You should be aware that certain countries do not require the same standards of protection of personal data as are legally required in the UK. If we send your data to these countries, we will ensure that there are appropriate and suitable safeguards to protect your personal data in accordance with Article 46 of the GDPR. This will involve at least one of the following:

(a) we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Information Commissioner’s Office (ICO); and/or

(b) where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

If you require further information on these mechanisms, please contact us at info@artuk.org

5. Data security

5.1 All information you provide to us is stored within the UK on secure servers provided by a third party vendor. Although we will do our best to protect your personal data, we cannot guarantee the security of the information transmitted to our Website and any transmission is at your own risk. Once we have received your information, we will put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we will limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to access your data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

5.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

5.3 Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

5.4 The Website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. It is your responsibility to check those policies before you submit any personal data to these websites.

6. Your rights

6.1 Under certain circumstances, you have rights under data protection laws in relation to your personal data. The rights available to you depend on our reason for processing you information but include the right to:

(a) request access to personal data held about you by us and be provided with information in relation to that data (including the purposes for which the data are processed, the recipients to whom that personal data have been or will be disclosed, how long it will be stored for, details of any automated decision-making and your right to lodge a complaint with the Information Commissioner’s Office);

(b) request correction of your personal data (including having inaccurate personal data amended or erased, and having incomplete personal data completed);

(c) request the erasure of your personal data (the so-called ‘right to be forgotten’);

(d) object to or restrict the processing of your personal data (including where your personal data is processed for direct marketing purposes or on the basis of legitimate interests);

(e) request that your personal data be transferred to another data controller or provided in a format that will permit this transfer (the so-called ‘right to portability’);

(f) object to any decision that affects you being taken solely by a computer or other automated process (including profiling);

(g) withdraw any consent you have granted to us in connection with the use of your personal data for a specific purpose at any time by updating your preferences in your online account via the Website or by emailing info@artuk.org. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the specific purpose that you originally agreed to, unless we have another legitimate basis for doing so in law; and

(h) lodge a complaint with the ICO (see https://ico.org.uk/concerns/ for further details on how to lodge a complaint). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

6.2 If you want to review, verify, correct or request erasure of your personal information, object to the processing or your personal data, or request that we transfer a copy of your personal information to another party, please email info@artuk.org.

6.3 You will not have to pay a fee to access your personal data (or to exercise any of the other rights listed above). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

6.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

7. Retention of personal data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. As a general rule, this means we will retain your personal data for the duration of your involvement with us and for up to six years afterwards. However, retention and destruction of personal data will be considered on a case-by-case basis.

8. Changes to our Privacy Policy

We keep our Privacy Policy under regular review. This version was last updated on 11 October 2023 and historic versions can be obtained by contacting us at info@artuk.org.

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Privacy Policy.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

9. Contact

If you have any questions or concerns regarding our use of your personal data or our Privacy Policy, please email us at info@artuk.org or contact our Data Protection Officer, Aidan McNeill, who is responsible for overseeing questions in relation to this Privacy Policy, at aidan.mcneill@artuk.org

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.