Privacy Policy

This Privacy Policy applies to Design Dundee Limited (‘we’ or ‘us’ below), a company registered in Scotland (Company No. SC370598), and the owner and operator of www.vam.ac.uk/dundee and www.vandadundee.org. Our office address is V&A Dundee, 1 Riverside Esplanade, Dundee, DD1 4EZ.

Design Dundee Limited shall only use your personal information in accordance with this Policy and relevant data protection laws, including the Data Protection Act 1998 and the General Data Protection Regulation that comes into force in May 2018. We are registered as a data controller with the UK Information Commissioner’s Office. Our registration number is Z2806090. A data controller is responsible for determining the purposes and means of processing personal data.

Please also be aware that the V&A South Kensington, Young V&A and V&A East are part of the V&A family and have a separate privacy policy.

We reserve the right to change this Policy from time to time. The Policy applicable to your use of our website at any given time will be the version that is currently displayed. If we change our Policy, we will notify you of this change.

It is important that the information we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us.

You may request that inaccurate or incomplete personal data related to you be corrected or deleted where the purpose of data processing has lapsed or ceased to be applicable for other reasons.

Please also get in touch if you wish to know what personal information we hold about you (“data subject access requests”). You can contact us by email, datacontroller@vandadundee.org, or write to us at the address noted above. We may require proof of your identification before disclosing the requested information. We will respond to your request within one calendar month of the receipt of this.

1. What is personal data?

Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Category of Data: means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

2. What information may we receive about you?

You can browse the V&A Dundee website without telling us who you are or revealing any personal information about yourself or your location. However, the website will collect some anonymous information about you automatically as you move through the site. This information includes traffic data, location data, web logs, and other communication data, and what resources you use on our website when you visit. We will use an analytics cookie to help collect this information. Take a look at section 4 for more details on our use of cookies.

Information is also collected about your computer which could include your IP address, browser type and operating system. This is statistical data about your browsing actions and patterns and does not identify you as an individual.

Once you submit information to us you are no longer anonymous. Any personal information that you choose to give to us will be transferred and stored securely in one of our databases until such time as it is no longer required.

This includes any information you provide when joining our e-news, including your name, email, postcode and date of birth. We may also ask you for information if you contact us. Our e-news signups are collected via Mailchimp who are annually certified to EU/US and Swiss Safe Harbor Frameworks.

Information you provide when booking tickets, by a membership or donate online. Our ticketing platform is provided and hosted by Spektrix and data saved on secure servers in Europe and is fully PCI complaint. Payments and donations via our ticketing system are processed by Opayo UK in a secure manner. If you have any questions about the information we collect about you and how it is used you can contact us at datacontroller@vandadundee.org.

3. How do we use your personal information?

We will only use your personal data when the law allows us to. Most commonly, we will use our personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you.

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

  • Where we need to comply with a legal or regulatory obligation.

The information that we do hold about you ensures our website is properly maintained and operated. We use it to:

  • Understand website usage and ensure our website content is presented to you in an effective manner.
  • Provide you with any information that you request.
  • Keep records in our CRM of; any donations made to the campaign to fund V&A Dundee: any purchases made: any correspondence we receive from you.
  • Send information for the purposes of fundraising for and marketing about V&A Dundee; Comply with our legal obligations.

We want to better understand our audiences, customers, members, donors and potential supporters by using various techniques including market research and audience profiling. When building a profile we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences and predict what products, services and information you might be most interested in.

Your information enables us to tailor our communications to you to make them more interesting and relevant.

We will keep your information only for as long as is necessary for these purposes. Once your personal information is no longer required, or on receipt of any request from you, we will delete it from our records in a secure manner.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

You will only receive marketing communications from us if you have given your explicit consent or have requested information from us or purchased goods or services from us, or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.

If you do not want to receive marketing information from us or our partner organisation, Dundee Museums Foundation, you can opt out of this either:

  • at the time of approving this Policy;
  • each time you receive marketing material from us or Dundee Museums Foundation by clicking the unsubscribe link at the bottom of the email; or
  • emailing us directly at any time at datacontroller@vandadundee.org.

See section 6 to find out more information about any partner organisations.

4. Collection of personal data for Test and Protect

For the health and safety of the customers and staff in these premises, we are recording the name and contact details of everyone who enters to support NHS Scotland’s Test and Protect. This information will be used to enable NHS Scotland to contact you should you have been in the premises around the same time as someone who has tested positive for coronavirus. Contacting people who might have been exposed to the virus is an important step in stopping the spread.

Along with the date and time of your arrival, we will collect the following personal data for you or the lead person in your group if applicable:

  • your name

  • contact telephone number, postal address or email address

In order to assist in the containment of the virus, we will only share your data when it is requested directly by NHS Scotland. This will only be in the unlikely event there is a cluster of coronavirus cases linked to the venue. Information will be transferred securely to NHS National Services Scotland who will use the data to contact trace those who were in the establishment at the same time as the positive case, and will provide guidance and support to those who may be advised to self-isolate.

Read further information on the NHS Scotland Test and Protect strategy on the NHS website.

Customer health information will not be requested or stored.

5. How do we treat young people’s information?

We offer a range of content and events aimed at families and young people but always recommend that a parent or guardian supervises the young people while they are online. We are dedicated to the protection of children’s and young people’s personal Information.

If you are under 16 years of age you should always ask your parent or guardian before:

  • Responding to anything on our website
  • Asking us to send anything to you or another young person

A parent or guardian may submit a request to datacontroller@vandadundee.org to stop any further use of a child or young person’s personal information or to request that we suppress any information as far as we are able. Before disclosing information about a child, we may request that the parent or guardian provide reasonable information for identification purposes.

6. How we use cookies

Our website uses cookies to provide you with a good user experience as you move through our website. Cookies are are text files containing small amounts of information, often including a unique identifier, which are downloaded to your computer when you visit a website - if your browser preferences allow it. Cookies are then accessed by the originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s computer.

If you wish to restrict or block the cookies which are used on our website, you can do this this through your browser settings.

7. Other websites and web applications

Our website may contain links to third party websites or applications. V&A Design Dundee is not responsible for the privacy policy of services on third party websites (for example Facebook, Twitter, YouTube, etc). These applications are owned and operated by third parties, and are governed by their own specific terms. You should refer to the appropriate privacy policies of each individual third party website for further information about them and their terms. We will not accept responsibility for third party applications or for any loss or damage arising from your use of them.

8. Disclosure of your information

Design Dundee Limited will share your personal information with:

Dundee Museums Foundation; a Scottish Charitable Incorporated Organisation, registered Scottish Charity No: SC043889, registered office address 34 Reform Street, Dundee , DD1 1RJ, strictly for the purposes of record keeping, if you have made any donations and for marketing and fundraising for V&A Dundee. Dundee Museums Foundation will not share your personal information with any third party and will remove your personal information from its records either on request by you (except in relation to donations) or once no longer required, whichever is the earlier.

Third party data processors for distributing marketing materials. Where we do this, we require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We may disclose your personal information if we are under a legal obligation to do so.

If we go through a period of transition that involves selling or buying any business or assets, we may disclose your personal information to the prospective seller or buyer. If we or all of our assets are acquired, the data we hold on our marketing database may be one of the transferred assets.

Other than as set out in this Policy, we will not otherwise disclose your personal information to third parties without asking your permission first or without a legally valid request (except when we believe in good faith that the disclosure of information is necessary).

9. Storing your information

All information you provide to us is stored on secure servers based in the UK and is not transferred outside the EEA. The transmission of information via the Internet, unfortunately, is not completely secure, and any transmission is at your own risk. Once we have received your information, we will use strict physical, electronic and managerial procedures and security features to help prevent unauthorised access, to safeguard and secure the information we collect online.

10. Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:

  • If we are relying on your consent, you can withdraw your consent at any time, at which point we shall stop processing your personal data in that way. Please note this does not affect the legality of our processing up to the date of your withdrawal of consent.
  • You can seek to restrict our processing of your personal data, ask us to rectify any personal data we hold about you or object to us processing your personal data for the purposes stated above.
  • You have the right to lodge a complaint with the Information Commissioners Office (ICO) if you think that we have infringed your rights. You can find more information about reporting a matter to the ICO at the following link: https://ico.org.uk
  • You have the right to access personal data held by us about you and to have any inaccuracies in your information corrected
  • In certain circumstances you have the right to ask us to provide you with your personal data in a structured, commonly used and machine-readable format to allow you (or us on your behalf) to transmit this information to another party. More information can be found at https://ico.org.uk
  • In certain circumstances, you have the right to ask us to erase the personal data we hold about you. Such circumstances include (a) where we no longer need your personal data for the purposes set out above; (b) if you withdraw your consent to our processing; (c) if you object to our processing based on our legitimate interest and we have no overriding legitimate grounds to continue processing your personal data; (d) if we process the data unlawfully; or (e) where the personal data has to be erased to comply with legal obligation to which we are subject. We will consider any such request in line with GDPR. Please note this is not an absolute right and there may be circumstances where we choose not to delete all of the personal data we hold about you. More information about your right of erasure can be found at https://ico.org.uk

11. Contact

If you have any questions or concerns about this privacy policy, or wish to exercise any of your rights set out above, please do not hesitate to contact us at datacontroller@vandadundee.org.

Please note we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Information Commissioner’s Office

If you are unhappy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO),the UK supervisory authority for data protection issues:

Website www.ico.org.uk

Post Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF

Call 0303 123 1113

Email casework@ico.org.uk

We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.