Policy last updated on 24th April 2020
On 28 April 2020, the regulations surrounding how companies and organisations can hold your personal data change. This policy tells you how we handle your personal data and the rights you have when we hold it. This policy is intended to comply with the provisions of the General Data Protection Regulation EU 2016/679 (GDPR) which governs how personal data is processed within the European Economic Area (EEA).
We are always happy to explain anything which this document does not make clear to you. You will find our contact details at the end of this document.
Who we are
Rabley Gallery and Drawing Centre is a contemporary gallery and art school. We represent and sell the work of contemporary artists via our gallery and exhibitions, at art fairs and online. We also run art courses and events.
Our registered business address is: Rabley Drawing Centre, Rabley Barn, Mildenhall, Marlborough, Wiltshire SN8 2LW. Rabley Drawing Centre CIC is a Community Interest Company and our company number is 7140842.
We are the “data controller” for the purposes of GDPR. This means that we decide how your Personal Data is processed and for what purposes.
Your Personal Data – what is it?
‘Personal Data’ is data that relates to a living individual who can be identified from that data. We might be able to identify you from the data itself or by linking that data to other information we have access to. GDPR tells us how we must process your Personal Data.
How do we collect Personal Data from you?
We receive information about you from you:
- when you purchase an artwork, course or other service from us in person, online or over the phone;
- when we purchase an artwork, product or service from you;
- when you subscribe to our newsletter online or by adding your name and email to a list;
- when you complete forms on/from our website or as a direct form link in an email from
- when you contact us to make an enquiry about any of our artworks, courses or services in person, by phone, email, direct mail, or,
- when you click a link in an email from us
If you give us somebody else’s Personal Data:
If you provide us with personal data about a third party (for example when registering another person onto a course), you warrant that you have obtained the express consent from the third party for the disclosure and use of their personal data.
What type of data do we collect?
The type of data that we collect will vary according to the nature of our contact with you and the information you provide. Here is a list of the types of data that we collect:
- your name and contact information such as your address, email address and telephone number;
- We may collect your financial details such as your bank name, account number and sort code if we need to make a payment to you;
- when you sign up to our newsletter we collect your name, email address, IP address, time of consent and any marketing preferences that you select;
- when you interact with marketing emails, your personal data may be automatically collected by our email platform Mailchimp. This information includes but is not limited to: the device you have used; the location of the device; the mode of access – such as the type of software or operating system used. It does not include your name, address, phone, email, payment information or any other such sensitive personal data.
- In the event you contact us in person, by phone, email or post, we retain a record of your query along with any personal information that you provide.
Why do we hold your personal data?
Data protection laws state that we are only able to process personal data if we have valid reasons to do so. We collect and use personal data for the following purposes:
- To fulfil a contract of service. A contract of service is entered into when you purchase one or more of our products or services.
- For customer service purposes such as to provide information about a product or service that you have requested or purchased or to share your contact details with officials and other authorised people and companies for the purpose of delivering the service we provide.
- To manage and process payments for the organisation we run.
- For any legal statutory or accounting purposes.
- For marketing purposes, to inform you of news, events, activities or services that you have expressed an interest in.
How do we process your Personal Data?
We comply with our obligations under GDPR in the following ways:
- by keeping Personal Data up to date;
- by storing and destroying it securely;
- by not collecting or retaining unnecessary or excessive amounts of data;
- by protecting Personal Data from loss, misuse, unauthorised access and disclosure; and
- by ensuring that appropriate technical measures are in place to protect Personal Data.
What is the legal basis for processing your personal data?
- You have entered into a contract with us for the provision of goods or services and have agreed to our terms and conditions of service. We need to keep certain information to adequately manage your purchase or booking.
- When you have provided goods or services to us we must hold your information to adequately process our transaction and for legal and accounting purposes.
- We have legal requirements to hold customer information for accounting purposes.
- You have given us explicit consent to hold and use your personal data.
Data Retention – How long do we keep your Personal Data?
Customer Service & Legal Obligations
If you purchased an artwork, course or any other product or service from us: We will keep your Personal Data for as long as you are a customer of our organisation. After you leave, we will keep your information for no longer than we reasonably need, in accordance with applicable laws. Any Personal Data that we hold following the end of our contractual obligation to provide goods or services to you, will be for legal, accountancy or insurance purposes and not for any marketing purposes.
If you have subscribed to our newsletter or requested in writing to be on our mailing list, we will keep your personal data indefinitely or until you unsubscribe from our mailing list or request removal of your information from our marketing list.
Data that is automatically collected when you interact with our emails may be kept indefinitely. If you unsubscribe from our mailing list, any analytical data will become anonymous.
Access and Sharing
Your Personal Data will be treated as strictly confidential and will be shared only with organisations whose services are required in order to provide the services we offer such as courier services. We also use companies such as Google, MailChimp and PayPal to help us process your Personal Data.
Third parties that we use may operate outside the EEA. In these cases, we will make sure that robust security measures exist to protect your Personal Data.
When you give your consent to our holding of your Personal Data you agree to us sharing your Personal Data (including special categories of Personal Data – where we have your explicit consent) with third party processors and sub-processors located both inside and outside the EEA.
All personal data we collect from you is stored in secured locations. Where your data is stored on company devices, these devices are password secured and running the latest security software that is regularly updated. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We store data on the Google cloud platform that is certified to ISO and SOC standards. Google’s security has independent verification and regularly undergoes audits of security, privacy, and compliance controls. Information is stored on secure servers in the EEA but may be transferred to and stored in a country outside the EEA in relation to provision of services to you. However, we will ensure that reasonable steps are taken to protect your data in accordance with data protection laws.
Any sensitive data (payment details for example) are encrypted and protected. We do not have access to your card details when you pay online. These are encrypted and processed by our third-party processor PayPal. PayPal is fully GDPR and PCI compliant. Use of our payment terminal is fully secure and PCI certified.
Where we have given you (or where you have chosen) a password which enables you to access parts of our website or mailing list, you are responsible for keeping the password confidential. We ask you not to share a password with anyone.
We agree to take reasonable measures to protect your data in accordance with applicable laws and in accordance with our General Terms and Conditions.
In the event of a data breach, we shall ensure that our obligations under applicable data protection laws are complied with where necessary.
Your rights and your Personal Data.
Unless we have an exemption under GDPR, you have the following rights with respect to your Personal Data:
- The right to request a copy of the Personal Data which we hold about you, without any charge.
- The right to request that we correct any Personal Data found to be inaccurate or out of date.
- The right to request that your Personal Data is erased where it is no longer necessary for us to keep it.
- The right to withdraw your consent to the processing we carry out at any time.
- The right to request that we provide you with your Personal Data and, where possible, to send that data directly to another data controller.
- The right, where there is a dispute in relation to the accuracy or processing of your Personal Data, to ask us to restrict further processing.
- The right to object to the processing of Personal Data.
- The right to lodge a complaint with the Information Commissioners Office and to seek legal
If we wish to use your Personal Data for a new purpose, not covered by this Notice, then we will provide you with a new notice explaining this new use. We will do this before we start processing for the new use. We will set out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Contact Details & Complaints
If you have a problem or complaint, or if there is something you don’t understand, please contact us first using the following details:
Email: [email protected]
Tel: +44 (0)1672 511999
Address: Rabley Drawing Centre, Rabley Barn, Mildenhall, Marlborough, Wiltshire SN8 2LW.
You can also contact the Information Commissioner’s Office Tel: 0303 123 1113 Email: https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Changes to this policy
Any changes we make to our policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our policy. This Policy Document was updated on Tue 28 April 2020 by Rabley Gallery and Rabley Drawing Centre CIC.
We collect information about you during the checkout process on our store.
What we collect and store
While you visit our site, we’ll track:
- Products you’ve viewed: we’ll use this to, for example, show you products you’ve recently viewed
- Location, IP address and browser type: we’ll use this for purposes like estimating taxes and shipping
- Shipping address: we’ll ask you to enter this so we can, for instance, estimate shipping before you place an order, and send you the order!
When you purchase from us, we’ll ask you to provide information including your name, billing address, shipping address, email address, phone number, credit card/payment details and optional account information like username and password. We’ll use this information for purposes, such as, to:
- Send you information about your account and order
- Respond to your requests, including refunds and complaints
- Process payments and prevent fraud
- Set up your account for our store
- Comply with any legal obligations we have, such as calculating taxes
- Improve our store offerings
- Send you marketing messages, if you choose to receive them
If you create an account, we will store your name, address, email and phone number, which will be used to populate the checkout for future orders.
We generally store information about you for as long as we need the information for the purposes for which we collect and use it, and we are not legally required to continue to keep it. For example, we will store order information for XXX years for tax and accounting purposes. This includes your name, email address and billing and shipping addresses.
We will also store comments or reviews, if you choose to leave them.
Who on our team has access
Members of our team have access to the information you provide us. For example, both Administrators and Shop Managers can access:
- Order information like what was purchased, when it was purchased and where it should be sent, and
- Customer information like your name, email address, and billing and shipping information.
Our team members have access to this information to help fulfill orders, process refunds and support you.
What we share with others
We share information with third parties who help us provide our orders and store services to you;
We accept payments through Stripe. When processing payments, some of your data will be passed to Stripe, including information required to process or support the payment, such as the purchase total and billing information.
What data is collected
Information shared with a payment provider to process payments includes:
- Unique payment identifier
- Payment provider identifier