January 2024
Introduction
At Victoria Miro, we are committed to protecting your privacy and personal information. Personal information that can identify you, which we gather, or you provide, is referred to as personal data ('Personal Data').
This privacy policy outlines the Personal Data we gather, how we manage or handle it, and the parties with whom we might share it. Additionally, it details your legal rights concerning your Personal Data.
Our Legal obligations regarding your Personal Data
We collect and process your Personal Data in accordance with applicable laws that regulate data protection and privacy. This includes, without limitation, the EU General Data Protection Regulation (2016/679) ('GDPR') and the UK Data Protection Act 2018 ('DPA') together with other applicable UK and EU laws that regulate the collection, processing and privacy of your Personal Data (together, 'Data Protection Law').
What Personal Data do we collect and use?
The Personal Data about you that we collect and use includes the following:
(a) Your name;
(b) Your email address, telephone number, billing address and delivery address;
(c) Payment details, including debit and credit card information;
(d) Information from accounts you link to us (e.g. Facebook, Twitter, Instagram);
(e) Your contact history and purchase history;
(f) Information about your personal preferences and background;
(g) Information about your use of our website (see 'Cookies' below).
How do we collect your information?
Direct Interactions
Most of the personal data we process about you comes directly from you (whether face to face, over the telephone, on a paper form, by email or online).
For example, we collect data from you directly:
when you express an interest in buying or selling an artwork to one of our staff or representatives;
when you attend a Victoria Miro event;
when you visit us at an art fair;
when you purchase an artwork;
when you purchase goods from our shop;
when you subscribe to receive news about upcoming shows and events;
when you ask us to send you information, including about artists and their works; and
when you visit the Website.
Your image may be collected by Victoria Miro if you attend our premises; in particular, we use CCTV on site, including in our gallery spaces, for the security of our staff, our visitors and the artworks that we exhibit and sell. We may also have staff photographers documenting events.
Collection from other sources
We may also obtain information about you and/or the artworks that you own or wish to buy or sell or collect from other third party sources; for example:
Identity and contact data, when someone introduces you to us (e.g. because they believe an artist or work may interest you);
Identity and contact data, when we research artworks and we find information about you in sources such as newspaper articles, exhibition catalogues, public auction results, or one of our contacts gives us feedback in relation to artworks or persons they have been told about.
We may receive or obtain:
Contact, transaction and financial data from providers of technical, payment and delivery services;
Identity and contact data from art platforms such as Artsy;
Usage data (being information about how you use our website and/or about recipients of our mailshots) from third parties, such as Google Analytics.
We may also collect, use and share aggregated data, such as statistical or demographic data, for any purpose (Aggregated Data). Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.
Please note that if you do not provide Personal Data when we ask for it, it may delay or prevent us from providing products or services to you.
Information about third parties
Please ensure that any Personal Data you supply to us which relates to third party individuals is provided to us with their knowledge of our proposed use of their Personal Data.
How and why we use your Personal Data
Under Data Protection Law, we can only use your Personal Data if we have a proper reason for doing so e.g.:
(a) To comply with our legal and regulatory obligations;
(b) For the performance of a contract between us or to take steps at your request before entering into a contract;
(c) For our legitimate interests or those of a third party (where we have a business or commercial reason to use your Personal Data, so long as this is not overridden by your own rights and interests, including ensuring the successful continuation of our business operations, updating our client and contact records, improving our offerings, marketing our offerings and preventing fraud); or
(d) Where you have given consent.
If we process sensitive data as referred to above we will only do this with your explicit consent; or, to protect your vital interests (or those of someone else) in an emergency; or, where you have already published such information; or, where we need to use such sensitive data in connection with a legal claim that we have or may be subject to.
We may use your Personal Data for one or more of the following purposes:
(a) To fulfil requests, including providing products or services to you, responding to any requests you may have regarding products or services;
(b) Maintaining business operations, including updating client and visitor records, identifying areas for operational improvement, such as improving efficiency, training and quality control, getting to know you and your preferences in order to provide you with a more tailored service and marketing communications we consider may be of interest to you, operating our website and analysing its use (we may use cookies to assist with this);
(c) Marketing, including adding you to our mailing list and providing you with direct marketing communications about what we are doing as well as products, services and/or events which may be of interest to you by post or phone. If required under applicable law, where we contact you by SMS, email, fax, social media and/or any other electronic communication channels for direct marketing purposes, this will be subject to you providing your express consent. You can object or withdraw your consent to receiving direct marketing from us at any time by contacting us using the email address below;
(d) To enforce and/or defend any of our legal claims or rights; and/or
(e) For any other purpose required by applicable law, regulation, the order of any court or regulatory authority.
Disclosing your Personal Data to third parties
We will not sell or rent your Personal Data. We will only share your Personal Data as set out in this section 7, including sharing with:
(a) the offices of other companies within the Victoria Miro group;
(b) third parties we use to help deliver our products and services to you, e.g. payment service providers and delivery and shipping companies;
(c) other third parties we use to help us run our business, e.g. our client database providers; and
(d) third parties approved by you, e.g. social media accounts you choose to link your account with us to or third party payment providers.
We only allow our service providers to handle your Personal Data if we are satisfied they take appropriate measures to protect your Personal Data. We also impose contractual obligations on service providers to ensure they can only use your Personal Data to provide services to us and to you.
We may also share personal information with external auditors in relation to the audit of our accounts, and we may disclose and exchange information with law enforcement agencies and regulatory bodies without telling you to comply with our legal and regulatory obligations.
We may also need to share some Personal Data with other parties, such as potential buyers of some or all of our business or during a restructuring. Usually, information will be anonymised, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
Cookies and similar technologies
A cookie is a text file that downloads small bits of information to your device. Our website uses cookies to distinguish you from other users. This helps us provide you with a good experience when you browse and also allows us to improve our website.
Our website uses the following types of cookies:
(a) Necessary cookies: these cookies are essential for the website to function properly and cannot be disabled without severely affecting the usability of the website. The law does not require us to ask consent to use these cookies and they will always be placed when you use our website.
(b) Functional cookies: these cookies remember various choices you make on the website to improve your experience. They are also used to display recommendations for you based on your past activity on the website. Functional cookies may be required for actions such as watching a video.
Any Personal Data that these cookies collect is anonymised before being used for any other purpose, so we don’t keep records of your data or track you personally, or monitor how you browse on other websites.
We also use cookies from social media platforms like Facebook and Twitter to allow you to share information via your timeline or by liking or sharing content.
(c) Analytics cookies: these cookies gather anonymous data on how visitors use the website e.g. what pages are most visited and how long visitors stay on them as well as what device and operating system you are using. They also gather information on errors which may occur during visits which can help us fix them.
Managing cookies: most web browsers allow you to manage which cookies you accept via their settings. You can normally use the ‘Help’ functionality on your browser to find out about how it handles cookies and how you can manage your cookie preferences.
You can also view and manage the advertising cookies placed on your device by visiting Your Online Choices.
Some of our marketing emails to you may include a unique URL. If you click that URL (link), then we may measure your responsiveness to our communications on different subjects.
How long we retain your Personal Data for
Victoria Miro only retains Personal Data identifying you for as long as you have a relationship with us, as is necessary to perform our obligations to you (or to enforce or defend contract claims), or as is required by applicable law.
We have a data retention policy that sets out the different periods we retain data for in respect of relevant purposes in accordance with our duties under Data Protection Law. The criteria we use for determining these retention periods are based on various legislative requirements; the purpose for which we hold data; and guidance issued by relevant regulatory authorities including but not limited to the UK Information Commissioner's Office (ICO).
Personal Data we no longer need is securely disposed of and/or anonymised so you can no longer be identified from it.
Security that we use to protect Personal Data
We employ appropriate technical and organisational security measures to protect your Personal Data from being accessed by unauthorised persons and against unlawful processing, accidental loss, destruction and damage.
We also endeavour to take all reasonable steps to protect Personal Data from external threats such as malicious software or hacking. However, please be aware that there are always inherent risks in sending information by public networks or using public computers and we cannot 100% guarantee the security of all data sent to us (including Personal Data).
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our website, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any Personal Data which you provide whilst visiting such websites because such websites are not governed by this Privacy Policy. You should exercise caution and look at the privacy statement applicable to the website in question.
Your personal data rights
In accordance with your legal rights under applicable law, you have a 'subject access request' right under which you can request information about the Personal Data that we hold about you, what we use that Personal Data for and whom it may be disclosed to as well as certain other information. Usually, we will have a month to respond to such a subject access request. We reserve the right to verify your identity if you make such a subject access request, and we may, in case of complex requests, require a further two months to respond. We may also charge for administrative time in dealing with any manifestly unreasonable or excessive requests for access. We may also require further information to locate the specific information you seek before we can respond in full and apply certain legal exemptions when responding to your request.
Under Data Protection Law you also have the following rights, which are exercisable by making a request to us in writing:
(a) that we correct Personal Data that we hold about you which is inaccurate or incomplete;
(b) that we erase your Personal Data without undue delay if we no longer need to hold or process it;
(c) to object to any automated processing (if applicable) that we carry out in relation to your Personal Data, e.g. if we conduct any automated credit scoring;
(d) to object to our use of your Personal Data for direct marketing;
(e) to object and/or to restrict the use of your Personal Data for purposes other than those set out above unless we have a legitimate reason for continuing to use it; or
(f) that we transfer Personal Data to another party where the Personal Data has been collected with your consent or is being used to perform a contract with you and is being carried out by automated means.
All of these requests may be forwarded to a third-party provider who is involved in the processing of your Personal Data on our behalf.
If you would like to exercise any of the rights set out above, please contact us at the address below.
If you make a request and are not satisfied with our response or believe that we are illegally processing your Personal Data, you have the right to complain to the Information Commissioner's Office (ICO) – see https://ico.org.uk/.
Changes to this Privacy Policy
Our Privacy Policy may be subject to change at any time. If we are going to use your Personal Data differently from that stated at the time of collection, we will try to contact you via email. We encourage you to review this Privacy Policy regularly for any changes.
Glossary
Compliance with a legal obligation – processing is necessary to ensure we comply with our legal and regulatory obligations.
Consent – you have given specific consent to the processing of your personal data.
Data Controller – the person who determines the purposes and means of processing personal data.
EEA – the European Economic Area which comprises countries that are members of the European Union
Legitimate Interests – processing is necessary for our legitimate interests in carrying on, managing and administering our business effectively and properly and giving our clients the best service possible. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of a contract – processing is necessary to carry out our contractual duties, exercise our contractual rights or otherwise perform our contract with you or to take steps at your request to enter a contract.
Personal Data – any data relating to an identified or identifiable natural person.
Processing – any operation performed on personal data, such as collection, recording, storage, retrieval, use, combining it with other data, transmission, disclosure or deletion.
Public Interest – processing is necessary for the performance of a task carried out in the public interest.
Website – Victoria Miro’s website at victoria-miro.com
Security of your data
Your data is securely stored with a third party. This third party provider has in place the appropriate safeguards to protect your data.
Your legal rights
Victoria Miro aims to be as transparent as we can be about the data that we process and encourage you to ask us if you have questions about the data we hold on you.
Contact
If you have any queries regarding this Privacy Policy or wish to make a further request relating to how we use your Personal Data as described above, please contact:
Name: Robert Holzberger
Telephone: +44(0)2073368109
Email: dpo@victoria-miro.com