Privacy Policy

1.  Introduction

Please read this Privacy Notice and any other privacy notice or fair processing notice we may provide on specific occasions carefully, as it is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export and delete your information.

This Privacy Notice supplements the other notices and is not intended to override them.

We do not and will not sell your data to third parties.

2.  Who we are

DeMontfort Fine Art Limited, trading as DeMontfort Fine Art Ltd, Clarendon Fine Art, Whitewall Galleries and Atelier Galleries.

DeMontfort Fine Art Ltd is the data controller for all the organisations within the group that are covered by the scope of this Privacy Notice and are registered with the ICO under registration number Z6531915. This means that DeMontfort Fine Art Ltd determines what data is collected by each organisation within the group, how this data is going to be used and how this data is protected.

3.  Companies and websites within scope

The following companies and websites are within scope for this privacy notice:

Company                    Website
DeMontfort Fine Art Ltd    www.demontfortfineart.co.uk
Clarendon Fine Art         www.clarendonfineart.com
Whitewall Galleries        www.whitewallgalleries.com
Atelier Galleries          www.ateliergalleries.co.uk

It includes personal data that is collected in the gallery and through our websites, by telephone, through online chat services and through any related social media applications.

4.  How to Contact us

If you have questions about this Privacy Notice or the processing of your Personal Data, please contact us at:

Postal address, you can write to:

Privacy Department
DeMontfort Fine Art Ltd
DeMontfort House
Europa Way
Lichfield
Staffordshire
WS14 9NW

Or via email at privacy@dmfa.co.uk

5.  Personal Data we collect about you

We may collect, use, store and transfer different kinds of Personal Data about you depending on our relationship with you:

Identity data

Includes title, first name, last name, other names, date of birth, age or email address, information in support of proof of identification and proof of address. This may include the processing of official documents such as passports, driving licences, ID Cards.

Contact data

Includes your contact address, billing address, email address or telephone number(s).

Location data

We may collect your location data from your IP address or telephone area codes.

Loyalty Data

We may collect proof of purchase, invoice number, personal and Company billing addresses or trade account numbers.

Transaction data

Includes notes on your interactions and conversations with us and on any orders or agreements that you establish with us. Includes details about payments to and from you and other details of art, products, and services you have purchased from us.

Technical data

Includes IP address, your login information, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices you use to access our websites.

Profile data

Includes your email and password, information about your art interests, the services you have used on our website, your use of social media functions on our websites for authentication, feedback, survey responses and such information as you provide to us.

  • contact details that you provide to us, including name, residential address, date of birth, telephone number, email address, postal address if different to residential.
  • information about your art interests.
  • notes on your interactions and conversations with us.
  • notes on any orders or agreements that you establish with us.
  • information collected from other sources.

Usage data

Includes information about how you use our websites, the resources you access, pages you visit, the time and date of your visit or an email opened, the time spent on those pages, unique device identifiers, the URL (Uniform Resource Locator) clickstream to, through and from our websites and other diagnostic data.

Marketing and communications data

Includes your preferences in receiving marketing from us and our third parties and your communication preferences and records of our correspondence with you.

We may use various technologies to collect the above information from your interaction with emails we send you. This enables us to focus our marketing, leading to more relevant emails to our subscribers. It also helps us to identify subscribers that are not engaged with our marketing emails, enabling us to remove them from our send lists. For more information about the tracking pixels please see our Cookie Notice.

Aggregated Data

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity.

However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data, which will be used in accordance with this Privacy Notice.

Special Category Personal Data

No special category data is collected by us under this privacy notice.

6.  How we get your Personal Data

We may use different methods to collect data from and about you through our partner websites, website, website forms, by telephone, and through any related social media applications, including but not limited to LinkedIn, Facebook and Twitter.

Personal Data provided directly by you

You may give us your Personal Data by placing an order, filling in forms, surveys, questionnaires, or assessments on our websites, by corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide when you:

  • register to use our websites or purchase our art, or to receive general, marketing or commercial information
  • submit contact forms
  • start or complete a survey and/or questionnaire
  • enter a promotion or survey
  • give us feedback

Data we collect when you use our Websites

Each time you interact with our websites, we will automatically collect Personal Data, including technical data about your device, your browsing actions and patterns, content and usage data. We collect this data using Cookies, server logs and other similar technologies like pixels, tags and other identifiers in order to remember your preferences, to understand how our Websites are used, and to customise our marketing offerings and to continually improve customer journeys.

Please see our Cookies Notice for further details.

Information we receive from third parties

We may receive Personal Data about you from various third parties, such as contact, financial, technical data and device data from parties including:

  • analytics providers such as Google Analytics
  • social media advertising networks such as but not limited to WhatsApp, LinkedIn, Twitter, TikTok, Google, Facebook and Instagram.
  • providers of Fraud prevention tools
  • address lookups

Information we receive from public sources

Identity and contact data from publicly available sources such as the UK Companies House and the electoral register inside the UK. Publicly available data sources are used for postcode and address data for delivery, as well as in the prevention of fraud.

7.  How we use your Personal Data

We need your Personal Data to conduct our business and provide you with our art products and services. Most commonly we will use your Personal Data in the following circumstances:

  • Where you have consented before the processing.
  • Where we need to perform a contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation

8.  UK GDPR/EU GDPR Lawful Basis Table

The table below describes the ways we plan to use your Personal Data, and which Lawful Basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.

For more information on the Lawful Basis we use to process your data under the UK GDPR and EU GDPR, see our Lawful Basis table below or contact us.

Lawful Basis Table

LAWFUL BASIS

PURPOSE EXAMPLES

Contractual

We use your Personal Data on the basis that it is necessary for us to provide our services and products to you.

When you sell or purchase a product or service, you are entering into a contract with us.

Onboarding - when you register as a new client or supplier.

  • we may use your personal, contact, technical, profile and marketing and communication data.

Delivery - in order to be able to deliver our art products and services or receive products and services in physical or digital form.

To provide you with information, art products or services that you requested from us and to notify you about changes to our products and/or services.

The fulfilment and distribution of physical and digital art to our users.

  • we use your personal, contact, technical, profile and marketing and communication data to deliver our art and/or related services to you.

Account administration - when we administer accounts, take, or receive payment, deal with any transaction, respond to queries, refund requests and complaints.

When we collect and recover money owed to us

  • we use Identity Data, Contact Data, Loyalty Data, Payment Data, Transaction Data to administer accounts.

Relationship management - to manage our relationship with you, which may include:

  • notifying you of changes to our terms or Privacy Notice;
  • notifying you of changes to, any product or service processing, delivering your art products and/or services and incentives.
  • processing orders
  • asking you to leave a review or take a survey.

We use Identity Data, Contact Data, Location Data, Transaction Data, Profile Data, Marketing and Communications Data to manage our relationship with you.

Communication - to be able to contact you regarding updates or informative communications related to our events, artist updates and new releases that are likely to be relevant and/or of interest to you.

Handling the information you submit to us enables us to respond effectively. We may also keep a record of these queries to inform any future communications between us and to demonstrate how we communicated with you throughout our contractual relationship.

  • we use Identity Data, Contact Data, Transaction Data, Profile Data, Marketing and Communications Data to help us to communicate with you.

Legitimate interest

Our legitimate business interests do not automatically override your interests – we will not use your Personal Data for activities where our interests are overridden by the impact on you unless we have your consent or are otherwise required or permitted to by law.

Managing our business - we hold Personal Data for our own legitimate business interest. This relates to us managing our business to enable us securely to provide our service/products:

  • when we respond to your queries and complaints, where you are not a user, client or supplier, or a potential client, user or supplier.
  • when we monitor trends so we can improve our services and websites.
  • in the context of a business reorganisation or group restructuring exercise.

We may use your Identity Data, Contact Data, Transaction Data, Profile Data, Marketing and Communications Data to help us to manage our business.

It is necessary to process this personal data for our legitimate interests for running our business, provision of administration, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise.

Provide and maintain websites - It is in our legitimate interests to process personal data for our legitimate interests for running our business, provision of administration and IT services, network security and

  • to prevent fraud.
  • to provide and maintain our websites, including to monitor the usage of these, troubleshooting, data analysis and system testing necessary for our legitimate interests (for running our business, provision of administration and IT services, network security) and to limit our business, cyber and legal risk.
  • to ensure that our website content is presented in the most effective manner to clients, which is in our legitimate interest to keep users and clients engaged in our website and services to help towards the growth of our business.

The personal data we use to provide and maintain websites includes Identity Data, Contact Data, Location Data, Technical Data, Transaction Data, Profile Data, Usage Data, Loyalty Data, Marketing and communications data, and Aggregated data.

Recommendations and marketing - It is in our legitimate interests to use marketing to grow our business and ensure commercial viability by marketing to and we use personal data to:

  • to measure and analyse the effectiveness of the advertising we serve you.
  • to ensure that our marketing is tailored to your interests and to keep our records up to date and to provide you with marketing as allowed by law.
  • to make suggestions and recommendations to you about art, artists or events that may be of interest to you and necessary for our legitimate interests (to develop our art products/services and grow our business).

We use personal data from existing clients for these purposes and this data includes Identity Data, Contact Data, Location Data, Technical Data, Transaction Data, Profile Data, Usage Data, Loyalty Data, Marketing and Communications Data.

Security - it is in our legitimate interests to process personal data securely to maintain network security and:

  • to prevent fraud when users are transacting on our website,
  • to ensure our websites and systems are secure, to prevent financial and reputational loss to our business.

Reviews - when we capture client reviews, for example when you buy art from us, we may follow it up with an enquiry about your experience of the service to help us gauge customer satisfaction.

  • it is in our legitimate interests to ensure our survival in a competitive market by ensuring that our services and art are market appropriate and delivered satisfactorily to our clients and users.

Valuations – we use your transactional data in order to provide any future valuations required for insurance purposes.

We use Identity Data, Contact Data, Transaction, Marketing and Communications Data, to be able to properly communicate and respond to reviews.

Research and analysis - for statistical analysis, so that we can monitor and improve services and websites or develop new ones and we may also aggregate personal data for these purposes.

  • it is necessary to us and in our legitimate interests (to study how customers use our websites, to develop them, to grow our business and to inform our marketing strategy).

We use Identity Data, Contact Data, Location Data, Loyalty Data, Technical Data, Payment Data, Transaction Data, Profile Data, Candidate Data, Marketing and Communications Data, and Usage Data for research and statistical analysis. The type of personal data we use depends on the nature of the research and analysis.

Data analytics - we use data analytics to improve our Websites, products/services, marketing, customer relationships and experiences.

  • data Analytics are necessary to our business and in our legitimate interests to define types of customers for our art products and services, to study how customers use our Websites and services so we are able to develop our products and services and keep our website updated and relevant. We need this information to develop our business and to inform our marketing strategy to ensure the growth of our business.

We may use Location Data, Technical Data, Payment Data, Transaction Data, Profile Data, and Usage Data for data analytics.

Rights and claims - it is in our legitimate interests to use personal data, where it is necessary,

  • to enforce or apply our website terms of use, our policy terms and conditions, or other contracts.
  • to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with.

Necessary for our legitimate interests (for running our business, provision of administration services, network security, to prevent fraud).

We may use Identity Data, Contact Data, Location Data, Loyalty Data, Technical Data, Payment Data, Transaction Data, Profile Data, Marketing and Communications Data, Aggregated Data, Usage Data for these purposes.

Legal obligations

We may use your Personal Data to comply with laws (for example, if we are required to co-operate with a police investigation after a court order orders us to).

Legal requirement - the processing is necessary for compliance with our legal obligations, such as but not limited to security requirements and accounting requirements.

  • to comply with applicable law, for example in response to a request from a court or regulatory body, where such request is made in accordance with the law.

We may use Identity Data, Contact Data, Location Data, Loyalty Data, Technical Data, Payment Data, Transaction Data, Profile Data, Marketing and Communications Data, Aggregated Data, Usage Data for these purposes.

Data subject rights - verifying your identity when you exercise your data subject rights.

  • fulfilling data subject rights requests.

We may use Identity Data, Contact Data, Location Data, Loyalty Data, Technical Data, Payment Data, Transaction Data, Profile Data, Marketing and Communications Data, Aggregated Data, Usage Data for these purposes, dependent on the Data Subject request itself.

Criminal activity - to detect fraudulent or criminal activity, we may share information with forces such as the police and the national crime agency.

We may use Identity Data, Contact Data, Location Data, Loyalty Data, Technical Data, Payment Data, Transaction Data, Profile Data, Marketing and Communications Data, Usage Data for these purposes.

Consent

We may have to get your consent to use your Personal Data, such as when we collect and use Special Category Personal Data about you or when we want to email you for marketing purposes etc.

We will get your consent before sending third-party direct marketing communications to you via email or text message or before processing any Personal Data relating to your health. You have the right to withdraw consent to marketing at any time by contacting us.

Wherever consent is the only reason for using your Personal Data, you have the right to change your mind and/or withdraw your consent at any time by clicking the Unsubscribe button at the bottom of an applicable email or using our contact us form.

Marketing -

  • for marketing our art and services like email marketing newsletters generally.
  • to deliver content and advertisements to you.
  • to measure and analyse the effectiveness of the advertising we serve you.
  • to monitor trends so we can improve our websites.
  • to facilitate visitors’ use of the Websites, we may collect IP addresses and store Cookies on visitors’ devices.
  • sending third-party direct marketing communications to you via email, letters or phone calls.

We may use Identity Data, Contact Data, Location Data, Technical Data, Marketing and Communications Data for these purposes.

Location - when you use our website, you may allow us to obtain your precise location from your device. We use this information to deliver personalised content and for analytics.

We may use Location Data, Technical Data, Payment Data, and Usage Data for these purposes.

9.  Using your Personal Data for other reasons

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the Lawful Basis that allows us to do so.


10.  Sharing your Personal Data with others

We will, in some circumstances and where the law allows, share your data with third parties. We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law.

We do not allow our third-party service providers to use your Personal Data for their own purposes. We only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

We ensure that the personal data being supplied is also limited with the minimum being used for each of the services provided by the third-party service providers.

We may share your personal information with the following organisations that help us manage our business and deliver our products, applications, or services, or where we are legally obliged to share information, including with:

 
  • HMRC as our Anti Money Laundering supervisor and with law enforcement officials or other authorities as required by law.
  • third parties we use to help us run our business such as our bank, marketing agencies, website hosts, IT support system providers, contractors and our telephony system provider.
  • third-party service providers to assist us with client insight analytics and to track page views, such as Google Analytics; we may send the third party Page Information (URL, Title), Browser Information (Browser name, Viewport or Viewing pane, Screen resolution, Java enabled, Flash version), User Information (Location - IP address, Language).
  • third-party platforms to manage and deliver customer relationship management.
  • external auditors, e.g., in relation to the audit of our accounts, in which case the recipient of the information will be bound by confidentiality obligations;
  • professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
  • law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations; or
  • other parties in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised, but this may not always be possible, however, the recipient of the information will be bound by confidentiality obligations.
  • we may share your personal information with our third-party service providers who use credit reference agencies, the electoral roll and fraud prevention agencies to help prevent money laundering and financial crime, if required to by law.
  • we may share personal information with our interest-free credit providers, couriers and/or our artwork insurance providers and only then if you have opted to use these services.

11.  Marketing and advertising

We may use your information to provide you with details about artworks, new launches, events and services.

Where we are legally required to obtain your consent to provide you with certain marketing materials, we will only provide you with such marketing materials where we have obtained such consent from you.

You can opt-out of us using your personal information for marketing purposes by following the unsubscribe link included in each marketing email or by contacting us by emailing privacy@dmfa.co.uk


12.  Promotional Events – Photography and Filming

At times we may capture photographic images or record video footage at promotional events. By confirming your attendance at any events, you are consenting to your image being captured. These images and footage may be published through any of the following channels:

  • press and media (including newspapers, magazines, websites and social media).
  • on our websites.
  • on our social media feeds including Twitter, Facebook, YouTube, Instagram and LinkedIn.
  • in printed publicity literature such as leaflets, brochures, posters or other display materials.

Consent for Children under the age of 18 will require consent from an appropriate guardian.

Display signs will be present at events to inform you. If you wish for your image not to be captured, please raise this with the event organiser.

Any data captured will be stored securely and kept in line with our data retention policy.

You can opt out of us using your personal information by contacting us by emailing privacy@dmfa.co.uk.


13.  Sharing your Personal Data overseas

Please note that we may send personal information outside of the country generally for, but not limited to, reasons relating to processing and storage by our service providers.

When we do this, we will ensure it has an appropriate level of protection and the transfer is made in line with Data Protection Law. Often, this protection is set out under a contract with the organisation that receives that information. You can find more details of the protection given to your information when it is transferred overseas by emailing privacy@dmfa.co.uk


14.  Third-party websites, plugins and services links to other websites

You should be aware that information about your use of the websites (including your IP address) may be retained by your ISP (Internet Service Provider), the hosting provider and any third party that has access to your Internet traffic.

Our websites may contain links to third-party websites and plugins, for instance a social media login plugin. If you choose to use these websites, plugins, or services, you may disclose your information to those third parties. 

We are not responsible for the content or practices of those websites, plugins, or services. The collection, use and disclosure of your Personal Data will be subject to the privacy notices of these third parties and not this Privacy Notice. We urge you to read the privacy and Cookie Notices of the relevant third parties.

15.  Use by children

We do not target children, and our websites and art are not intended to attract children.

If a parent or guardian notifies us, or it is discovered by other means, that a minor under the age of 18 has provided their Personal Data to us, we will promptly delete the minor’s Personal Data that is in our possession.

16.  Cookies

We use Cookies and similar technologies like pixels, tags, and other identifiers to remember your preferences, to understand how our Websites are used, and to customise our marketing offerings.

Further details can be found in our Cookie Notice.

17.  How long we keep your personal data

We will keep your Personal Data in line with our data retention policy for no longer than is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.


18.  How we keep your Personal Data safe

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties that have a business need to know. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your Personal Data, we do not have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many Information Security Risks that exist and take appropriate steps to safeguard your own information.

If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

19.  Your rights as a data subject

As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email privacy@dmfa.co.uk or use the information supplied in the ‘Contact us’ section. To process your request, we will ask you to provide two valid forms of identification for verification purposes.

Table of your rights

YOUR RIGHT

DETAILS

Right to be informed

We have a legal obligation to provide you with concise, transparent, intelligible, and easily accessible information about your personal information and our use of it. We have written this Privacy Notice to do just that, but if you have any questions or require more specific information, you can contact us.

Right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information. When you request this data, this is known as making a data subject access request (DSAR). In most cases, this will be free of charge; however, in some limited circumstances, for example repeated requests for further copies, we may apply an administration fee.

Right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Right to erasure

You have the right to ask us to erase your personal information in certain circumstances. We have the right to refuse to comply with a request for erasure if we are processing the Personal Data for one of the following reasons:

  • to exercise the right of freedom of expression and information.
  • to comply with a legal obligation.
  • to perform a task in the public interest or exercise official authority.
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes.
  • for the exercise or defence of legal claims.
 

Right to restriction of processing

You may ask us to stop processing your Personal Data. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing:

  • the accuracy of the Personal Data is contested.
  • processing of the Personal Data is unlawful.
  • we no longer need the Personal Data for processing, but the Personal Data is required for part of a legal process.
  • the right to object has been exercised and processing is restricted pending a decision on the status of the processing.
 

Right to object to processing

You have the right to object to processing in certain circumstances. You can also object if the processing is for a task carried out in the public interest, the exercise of official authority vested in you, or your legitimate interests (or those of a third party).

Right to data portability

This right only applies if we are processing information based on your consent or for the performance of a contract and the processing is automated.

You may also find it helpful to refer to the guidance from the UK’s Information Commissioner on your rights under the UK GDPR.

20.  How to exercise your rights

If you would like to exercise any of those rights, please use the organisation's form for making a subject access request or email DeMontfort at privacy@dmfa.co.uk.

You can call or write to us — see ‘4. How to contact us’.

When contacting us please:

  • provide enough information to identify yourself (e.g., your full name, address and customer or matter reference number) and any additional identity information we may reasonably request from you, and
  • let us know which right(s) you want to exercise and the information to which your request relates.

In most circumstances, you do not need to pay any charge for exercising your rights. We have one month to respond to you. 

21.  How you can complain to or about us

We hope that we can resolve any query or concern you raise about our use of your information. Please contact us first and title your email “Complaint”. All complaints will be treated in a confidential manner, and we will try our best to deal with your concerns. We are committed to managing complaints promptly, effectively and fairly.

Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the EU. For the UK, this is the ICO (Information Commissioner’s Office), which is also our lead supervisory authority. Its contact information can be found at https://ico.org.uk/global/contact-us/.

22.  Changes to privacy policy

We may change this privacy notice from time to time. When we do, we will inform you by posting the updated versions on our websites and summarising key amendments.

We have a separate employee privacy notice which describes how we collect and use personal information about our staff in relation to their employment, which can be obtained from the human resources department.

Glossary

Aggregated Data

means data that can be compiled from numeric or non-numeric data.

The data is collected and summarised for the purpose of statistical analysis or reporting. It is limited to recognising general trends due to the non-specific nature of the information.

It could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.

Anonymisation

means a type of information sanitisation whose intent is privacy protection. It is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous.

In order to be truly anonymised under the UK GDPR and EU GDPR, the personal data must be stripped of sufficient elements that mean the individual can no longer be identified. However, if you could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but will have merely been pseudonymised and subject to data protection law.

For more information, visit the ICO website.

Consent

The UK GDPR and EU GDPR set a high standard for consent: consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

Controller

means the natural or legal person, public authority, agency or any other entity or person who alone or jointly with others determines the purposes and means of the processing of personal data.

Our entry as a Controller on the ICO’s Data protection register can be found on the ICO website https://ico.org.uk/

Cookies

means a small file of letters and numbers that is stored on a browser or the hard drive of a computer. Cookies contain information that is transferred to a computer’s hard drive.

Controllers must have users’ informed consent before storing cookies or similar technologies on a user’s device and/or tracking them.

For more information, please read our Cookie Notice.

The ICO provides information about cookies https://ico.org.uk/your-data-matters/online/cookies/

DPA 2018

UK Data Protection Act 2018

Data Protection Act 2018 (legislation.gov.uk)

Data Protection Law

means all applicable data protection and privacy legislation in force from time to time including the UK GDPR and the EU GDPR, the Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended, and any other legislation relating to personal data and all other legislation and regulatory requirements in force from time to time that apply to the use of personal data.

Encryption

is the process that scrambles readable text so it can only be read by the person who has the secret code, or decryption key. It helps provide data security for sensitive information.

EU GDPR

means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing the Directive.

ICO

means the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Information Security Risks

comprises the impacts on individuals or organisations that could occur due to the threats and vulnerabilities associated with the operation and use of information systems and the environments in which those systems operate.

Lawful Basis

under the EU GDPR and the UK GDPR, you must have a valid lawful basis to process personal data.

Lawful Basis of processing personal data

There are six lawful bases for processing personal data available:

(a) Consent: the individual has given clear consent to the processing of their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract, or because specific steps have been taken before entering into a contract.

(c) Legal obligation: the processing is necessary for compliance with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests. (This cannot apply if an organisation is a public authority processing data to perform its official tasks.)

Special category data 

Special category data is personal data that needs more protection because it is sensitive.

Personal Data

this is also referred to as “personal information” and it means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Privacy Notice

(also sometimes called a privacy policy or fair processing notice) is a public document from an organisation that explains how that organisation processes personal data and how it applies data protection principles under Articles 12, 13 and 14 of the EU GDPR and the UK GDPR.

Processor

means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.

Special Category Personal Data

some of the personal data that organisations process is more sensitive and needs higher protection. Under the GDPR, this is known as ‘special categories of personal data’, and includes information about a person’s:

  • race
  • ethnicity
  • political views
  • religion, spiritual or philosophical beliefs
  • biometric data for ID purposes
  • health data
  • sex life data
  • sexual orientation
  • genetic data

Special Category Personal Data Conditions for Processing

the conditions for processing special category data:

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

Supervisory Authorities

means the data protection authority tasked with supervising GDPR compliance in each member state of the European Union.

Tracking Pixels

a tracking pixel is an HTML code snippet which is loaded when a user visits a website or opens an email. It is useful for gathering information about visitors on a website—how they browse, what type of ads they click on, etc.

UK GDPR

means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the DPA 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and other data protection or privacy legislation in force from time to time in the United Kingdom.

Websites

means:

www.demontfortfineart.co.uk

www.clarendonfineart.com

www.whitewallgalleries.com

www.ateliergalleries.co.uk

including all subdomains thereof, present and future.