This privacy policy sets out how we use and protect any personal information that you give to us. It is being issued in accordance with the GDPR, or European General Data Protection Regulation.

We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy statement.

The GDPR aims to consolidate and strengthen the protection of personal data. It introduces improved data protection rights for individuals and places enhanced compliance, governance and accountability obligations upon organisations involved in the processing of personal information of individuals.

This privacy policy is effective from 25 May 2018.

The data that we may collect

We may collect the following information:
• name and job title, place of work or study
• contact information including email address
• demographic information such as salary band, postcode, preferences and interests
• other information relevant to customer surveys and/or offers
• bank details for direct debit processing
• IP addresses
• access and dietary requirements or health information
• date of birth, gender, sexual orientation, ethnicity, disability and other information for monitoring diversity

Why we require this information

1. Members

For internal record keeping including membership processing, and in order to deliver your membership benefits including e.g. your membership card and the Museums Journal. 

For marketing, market research, and to use the information to improve our products and services. 

Legal basis for processing members’ data

We process the following data under contractual obligation as part of the information required in order for us to process your membership and deliver your benefits.
• Name.
• Contact information including email address.
• Bank details for direct debit processing.
• IP address.

We process the following types of data under our legitimate business interest, which is to keep our members informed and provide the best products and services we can.
• Name.
• Contact information including email address.
• Job title, place of work or study.
• Demographic information such as salary band, postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.

With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided and;
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail. 

2. Subscribers

For internal record keeping including processing of your subscription order; in order to ensure that the products you subscribe to are delivered to you correctly and to inform you about the MA’s activities.

For marketing, market research, and to use the information to improve our products and services.

Legal basis for processing subscribers data

We process the following data under contractual obligation as part of the information required in order for us to process your subscriptions.
• Name.
• Contact information including email address.
• Bank details for direct debit processing.
• IP address.

We process the following types of data under our legitimate business interest, which is to keep you informed and provide the best products and services we can.
• Name.
• Contact information including email address.
• Job title, place of work or study.
• Contact information including email address.
• Demographic information such as salary band, postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.

With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided and;
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail. 

3. Events attendees

For internal record keeping including processing of your order; in order to ensure that you are correctly booked on your chosen event/s and that any preferences e.g. around access and dietary requirements are correctly recorded, and to inform you about our activities.
For marketing, market research, and to use the information to improve our products and services. 

Legal basis for processing event attendees data

We process the following data under contractual obligation as part of the information required in order for us to process your events attendance.
• Name.
• Contact information including email address.
• Bank details for payment processing.
• IP address.

We process the following types of data under our legitimate business interest, which is to keep you informed and provide the best products and services we can.
• Name.
• Contact information including email address.
• Job title, place of work or study.
• Demographic information such as salary band, postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.

With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided and;
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail. 

Sensitive data with consent and under the special condition of explicit consent:
• dietary requirements, access requirements, health information where relevant. 

4. Website users

For internal record keeping in order to monitor the number of users our website receives and the demographics of users, and to inform you about the MA’s activities.
For marketing, market research, and to use the information to improve our products and services. 

Legal basis for processing website users data

We process the following data under our legitimate business interests in order for us register you as a website user, to keep you informed and provide the best products and services we can.
• Name and job title, place of work or study.
• Contact information including email address.
• Demographic information such as salary band, postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.
• IP address.

With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided and;
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail. 

Processing of sensitive personal data

Sensitive personal data includes information relating to the following matters:
• your racial or ethnic origin 
• your political opinions
• your religious or similar beliefs
• your trade union membership
• your physical or mental health or condition
• your sex life, or
• the commission or alleged commission of any offence by you.

The MA will only collect and process sensitive data primarily where it is necessary to enable the MA to meet its legal obligations, and in particular to ensure adherence to health and safety and vulnerable groups protection legislation or for equal opportunities monitoring purposes. 

Currently we may collect sensitive data for the following purposes.

Equality, Diversity and Inclusion surveys where we may collect:
• date of birth, gender, sexual orientation, ethnicity, disability with consent, and also under the special condition of explicit consent

Events attendance where we may collect:
• dietary requirements, access requirements, health information where relevant, with consent and under the special condition of explicit consent

In most cases the MA will not process sensitive personal data without your consent.

Who we share your data with

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law. 

We will share relevant data with external organisations, e.g. mailing houses, in order to process the mailing of the Museums Journal and other publications, and payment processing companies, e.g. Smart Debit to process subscription payments.

Your rights around your personal data

1. Withdrawing your consent

When you register you can set your user preferences as to how and about what we may contact you. 

We will require at least one method of contact to communicate with you in order to administer your membership or other products and services.  

If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to us at the address below, or emailing us at info@museumsassociation.org.

The Data Controller, Museums Association, C/O Stone King LLP, Boundary House, 91-93 Charterhouse Street, London, EC1M 6HR or via email at info@museumsassociation.org.

2. How you may request the information we hold about you

You may request details of personal information which we hold about you under the GDPR 2018. 

If you would like a copy of the information which we hold about you, please contact us using the details above. We will send this information to you in no more 30 days.

3. Data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

For example, this could apply if you wanted to transfer your data to another pension provider.

The right to data portability only applies:
• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• when processing is carried out by automated means.

If required we will provide the personal data in a structured, commonly used and machine-readable form, free of charge. 

You can make a request verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.

4. Disclosure of information

We will ensure that your information will not be disclosed to government institutions or authorities except if required by law or when requested to by regulatory bodies or law enforcement organisations.

5. Right to rectification and erasure

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. 

You can make a request for rectification verbally or in writing. We will respond to your request within 30 days.

The GDPR also introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. You can make a request for erasure verbally or in writing. However, there may be a legal basis for us to refuse the request, e.g. where we are required to hold the data, for example in relation to financial transactions.

You can make a request for erasure verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.

6. Right to object

The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances, for example you have an absolute right to stop your data being used for direct marketing.

You can make a request verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.

7. Complaints procedure

If you have a concern about the way we are handling your personal information – perhaps we hold information about you that is incorrect, we have held it for too long, or we are not keeping it securely, you can make a complaint verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.

You may also wish to raise your concerns with the ICO (the Information Commissioner’s Office), particularly if you do not feel that MA’s response has not been adequate.

If the ICO think the organisation has not complied with its obligations it can give the organisation advice and ask it to solve the problem. They do not award compensation. Their main aim is to improve the information rights practices of organisations. You can raise a complaint with the ICO through the following link: https://ico.org.uk/concerns/

What information security we have in place

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

All our employees and data processors that have access to and are associated with the processing of your personal information are obliged to respect the confidentiality of your information.

We regularly review policies, data management processes and procedures to ensure they are compliant with the new GDPR. All employees who process your data will be required to familiarise themselves with these policies and agree to abide by them.

Please be aware that communications over the internet, such as emails/webmails, are not secure unless they have been encrypted. Your communications may route through a number of countries before being delivered – this is the nature of the world wide web/internet. The MA cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.

What we will do in the event of a data breach

The MA ensures that sufficient policies, processes and procedures are in place to detect, report and investigate a personal data breach.

We will notify the ICO (and where required individuals or organisations) of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

How we will update our contracts or agreements with data controllers and data processors 

Data controllers and data processors are other organisations (or individuals) which control and/or process information on our behalf. 

Under the GDPR, our contracts or agreements with data controllers and data processors need to contain certain minimum provisions, such as a description of the scope, nature and purpose of processing. 

We are reviewing and updating our agreements and contracts with third parties to ensure they have appropriate policies and security measures in place to comply with the GDPR and safeguard the personal data we hold. 

When we appoint new third parties to act as data controllers and data processors on our behalf, we will ensure that there are appropriate provisions in relation to their own compliance with the GDPR and other relevant matters such as compliance, monitoring and reporting.

Links to other websites

Our website may contain links to enable you to easily visit other websites of interest to museum professionals. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. 

Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the privacy policy applicable to the website in question.

How long we will retain data

Data will only be processed in accordance with the purpose or purposes that it was originally collected for and will only be kept for as long as necessary. We will review at regular intervals the length of time we keep personal data.

We will consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it.

We will securely delete information that is no longer needed for this purpose or these purposes; and update, archive or securely delete information if it goes out of date.

Transfer of data to outside the EU

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.

There are no current circumstances where the MA will transfer your data outside the EU.

How we use cookies on our website

Cookie Policy
 What are cookies?
 How do we use cookies?  Types of cookies we use
 Manage cookie preferences
Consent Preferences

You can modify your cookie settings anytime by clicking the ‘Consent Preferences’ button above. This will allow you to revisit the cookie consent banner and update your preferences or withdraw your consent immediately.

Additionally, different browsers offer various methods to block and delete cookies used by websites. You can adjust your browser settings to block or delete cookies. Below are links to support documents on how to manage and delete cookies in major web browsers.

Chrome: https://support.google.com/accounts/answer/32050

Safari: https://support.apple.com/en-in/guide/safari/sfri11471/mac

Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?redirectslug=delete-cookies-remove-info-websites-stored&redirectlocale=en-US

Internet Explorer: https://support.microsoft.com/en-us/topic/how-to-delete-cookie-files-in-internet-explorer-bca9446f-d873-78de-77ba-d42645fa52fc

If you are using a different web browser, please refer to its official support documentation.