Your personal data
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession.
The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
Who we are
Historic Royal Palaces, including our subsidiary Historic Royal Palaces Enterprises Limited, (also referred to as "we", “us” or “our”) is fully committed to both protecting and respecting your privacy. We are registered with the Information Commissioners Office and our registration number is Z7917960.
Historic Royal Palaces (Reg. Charity number 1068852) is a charitable organisation with the aim to manage, conserve, renovate and repair the Palaces in our care to a high standard consistent with their status; to help everyone to learn about the Palaces, the skills required for their conservation and the wider story of how monarchs and people together have shaped society, by such means as are appropriate.
Historic Royal Palaces Enterprises Limited (Reg. Co. number 03418583) carries on a range of commercial trading activities to generate income for Historic Royal Palaces including sale of gifts and souvenirs at shops and online, income from commercial partnerships including sponsorship, affinity marketing and product licensing and commercial activities that are deemed outside the charitable purposes of Historic Royal Palaces. These activities include events, intellectual property rights, and access to properties for filming rights and advertising revenues.
By visiting this or any of our websites (also referred to as “sites”) you are accepting and consenting to the practices described in this policy.
The data controller is Historic Royal Palaces of Hampton Court Palace, Surrey, KT8 9AU. This means it decides how your personal data is processed and for what purposes.
How do we process your personal data?
We comply with our obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes:
- To enable us to provide a service for the benefit of the public as specified in our constitution;
- To administer membership records;
- To fundraise and promote the interests of the charity;
- To manage our employees and volunteers;
- To maintain our own accounts and records (including the processing of gift aid applications);
- To inform you of news, events, activities and services running at Historic Royal Palaces.
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of your personal data are available in our retention policy and schedule that you can request a copy of by contacting us at [email protected].
Information we may collect from you
We may collect and process the following data about you:
Information you give us
- You may give us information about you by filling in forms on our website or at any of our sites, purchasing tickets, membership or other products / services or by corresponding with us by telephone, email or otherwise.
- This includes information you provide when you subscribe to our newsletter, or place an order on one of our sites; when you report a problem with our site; or if you join one of our special public engagement programmes.
- The information you may give us may include your name, email address, postal address and telephone number and financial and credit card information.
- You may also provide us with the above information, as well as certain information about your employment, if you participate in one of our schools initiatives such as the HRP Teacher Network or Access Fund.
Information we collect about you on the Historic Royal Palaces website
With regard to each of your visits to our site we may automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
Information we receive from other sources
- We may receive information about you if you use any of the other websites we operate or the other services we provide. There are certain third parties with whom we have to work closely (including, for example, business partners, professional advisers, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and we may receive information about you from them;
- If we are doing business with you or accepting a donation, we may have to conduct due diligence on you, for example where we are under a legal or regulatory requirement;
- We may combine information we receive from other sources with information you give to us and information we collect about you;
- We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
Uses made of the information
We use information held about you in the following ways:
Information you give to us:
- When using an online form:
- We ask for your details so we can respond in an appropriate way, for example when enquiring about a venue for hire or requesting materials.
- In accordance with your preferences, you may be contacted with relevant promotions, offers or information that you have expressed an interest in or that might be of interest to you. If you wish us to stop contacting you please email [email protected].
- When signing up for e-mail updates:
- We ask for your details so we can add you to our email database and send you updates you’ve requested.
- This information will not be given to any third party, except to the extent and for the purpose we may be required to do so by any law, or where you have consented to it. If you wish us to stop contacting you please email [email protected].
- When purchasing a ticket or other product online:
- We collect various personal details about you when you purchase tickets or other products and services (e.g. memberships, retail goods and image library content) online, including name, home address, billing address, telephone number, email etc.
- We use the information to process orders and to provide a more personalised service.
- Collecting these details allows our system to create a customer account for you in order that we can sell you such products and services.
- Having a record of your personal details also allows us to identify you if we need to contact you regarding your booking or other order, if you need to contact us to change your booking or order, or to help identify you if collecting tickets at one of our palaces.
- We are also able to help if tickets or orders are lost by checking your personal details on the database.
- Additionally, our bank recommends that we take the billing address of people purchasing tickets in advance as this can help to prevent fraudulent use of credit cards.
- The information we collect in this way will not be given to any third party, except to the extent and for the purpose we may be required to do so by any law.
- When filling in a form during a visit or applying for one of our programmes or events:
- We ask for your details so we can fulfil your specific request in accordance with your preferences. This will be explained to you at the time and on the relevant form.
- When joining the HRP Teacher Network:
- We ask for your details so we can provide you with the benefits of membership, which will include keeping you and your school up to date with what is happening.
- In accordance with your preferences, we may offer products and services that will be of interest and relevance to you or your school.
Information we collect about you:
We will use this information:
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our website to ensure that content is presented in the most effective manner for you and for your computer, or other device being used to access our site;
- to allow you to participate in interactive features of our service, when you choose to do so; as part of our efforts to keep our site safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
- to build profiles of lookalike customers for advertising and marketing purposes on social media using website visitor data and online booking data.
Disclosure of your information
We may share personal information held about you in the following ways:
Within HRP, for legitimate purposes only.
We may share your information with selected third parties including:
- Suppliers, sub-contractors and business partners for the performance of any contract we enter into with you or them.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site
- We may disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If HRP or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
Where we store your personal data
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers.
All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which we hold about you;
- The right to request that we correct any personal data if it is found to be inaccurate or out of date;
- The right to request your personal data is erased where it is no longer necessary for us to retain such data;
- The right to withdraw your consent to the processing at any time;
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller (known as the right to data portability);
- The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
- The right to object to the processing of personal data;
- The right to lodge a complaint with the Information Commissioner’s Office.
No fee is usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Sensitive personal data
The Act defines ‘sensitive personal data’ as information about racial or ethnic origin, political opinions, religious beliefs or other similar beliefs, trade union membership, physical or mental health, sexual life, and criminal allegations, proceedings or convictions. In certain limited circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee:
- We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consent.
- We will process data about, but not limited to, an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding our equal opportunities policies and related provisions.
- Data about an employee’s criminal convictions will be held as necessary.
- Data about an employee’s religious affiliations where they are employed at Hillsborough Palace are collated as required by NI Equal Opportunities Legislation
What are cookies and why do we use them?
Cookies are tiny text files that are stored on your browser if you agree. Most cookies contain a unique identifier called a cookie ID: a string of characters that websites and servers associate with the browser on which the cookie is stored. This allows us to distinguish your browser from other browsers, to recognise your browser by its unique cookie ID and to store information about your preferences on a particular website. This information may remain on your computer or other internet enabled device after your internet session finishes and you leave the website, but you can delete them using some browsers, manually or using system utilities. Most internet browsers are pre-set to accept cookies.Cookies cannot be used by themselves to identify you. We may share statistical information regarding cookies with third parties.
The cookies we use on our website last for different time periods depending on the use:
- Session cookies are temporary cookies, which remain in the cookie file of your browser until you leave the site; and
- Persistent cookies remain in the cookie file of your browser for much longer (though how long will depend on the lifetime of the specific cookie).
What cookies do we use?
The cookies we use fall into the following categories.
1. Strictly necessary cookies
These cookies help us to run the website efficiently and allow access to features on the website.
2. Functional cookies
Functional cookies allow us to remember preferences and settings to improve a website visit.
3.Performance and analytical cookies :
4.Targeted/ advertising cookies:
During your visits to this website you may be delivered cookies by third-party websites. When you visit a page with content embedded from, for example, Facebook, Twitter, YouTube or Flickr, you may be presented with cookies from these websites. You should check the privacy policies of these third-party websites for more information about these.
How to manage cookies
You have the ability to accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our site if cookies are disabled. You may wish to visit www.aboutcookies.org which contains comprehensive information on how to modify the cookie settings on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile phone or tablet you will need to refer to your device manual. If you'd like to opt out of advertising cookies, please go to the Network Advertising Initiative website http://www.networkadvertising.org/ (please note that we are not responsible for the content of external websites).