The Al Thani Collection
We collect, use and are responsible for that personal information. When we do so, we are subject to the UK Data Protection Act 2018 and the General Data Protection Regulation ("GDPR"), which applies across the European Union ("EU") and in the United Kingdom ("UK").
For the purposes of the UK Data Protection Act 2018 and the GDPR, the data controller is The Al Thani Collection ("we" or "us"), a company incorporated and registered in the Republic of the Seychelles with company number 089019 whose registered office is Suite 103 Premier Building, Victoria, Mahé, Republic of Seychelles. All personal information collected by us or on our behalf via the website will be processed in accordance with the GDPR and applicable data laws.
Information we may collect from you
You may give us information about you by filling in forms on our website or by corresponding with us by phone, e-mail or other methods.
This includes information you provide if you register with The Al Thani Collection, subscribe to any of our services, make a request or enquiry in respect of any artworks or galleries, participate in social media platforms/boards, enter a competition, promotion or survey, visit our website and report a problem with our website.
We do not request information in order to allow you to view the art works on our website, but you may provide or we may request during an exchange, your name, address location, e-mail address and/or phone number as well as your enquiry description so we can action the enquiry for you.
When you browse our website, like all websites, we may collect information regarding your device or browsing, including:
- technical information, including the Internet protocol ("IP") address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators ("URL") clickstream to, through and from our website (including date and time);
- products you viewed or searched for; and
- page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
Information we receive from other sources
We do not
usually obtain information about you from third party sources. In the main, we
only collect information you provide when submitting an enquiry on our website.
From time to time, we may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, advertising networks, analytics providers, search information providers) and may receive information about you or your device from them.
Purposes for collecting data
Under the GDPR, we can only use your personal information if we have a proper reason for doing so, for example:
- for the performance of our contract or to take steps at your request
- for our legitimate interests or those of a third party;
- to comply with our legal and regulatory obligations; or
- where you have given consent.
A legitimate interest includes when we have an artistic, business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We conduct a balance test of our respective rights to ensure there are no surprises or unexpected uses of personal information, including when actioning your enquiries in respect of the Al Thani Collection.
All personal information collected by us will be used for the lawful purposes of providing you with our services, including our legitimate interest in promoting The Al Thani Collection and responding to your enquiries in respect of The Al Thani Collection if any from time to time.
From time to time, we may also use your device data in relation to analytics, research, marketing and regulatory purposes and may provide your data to trusted third parties for the express purpose of carrying out these tasks, where permitted under GDPR and e-privacy laws.
Uses made of the information
We use information held about you in the following ways:
- to respond to queries you raise;
- to carry out our obligations arising from any contracts entered into between us from time to time;
- to comply with any and all legal obligations for us to provide information to relevant authorities;
- to provide you with information about other collections and art services that you have already enquired about including where you have opted-in to our newsletter mailing list (this will only relate to The Al Thani Collection and galleries in various locations, not third party collections, unless you have provided your consent);
- to notify you about changes to in respect of the website; and
- to ensure that content from our website is presented in the most effective manner for you and for your browsing device.
Note that where the law permits, all such personal information will be anonymised or pseudonymised.
Disclosure of your information
We may share your personal information with:
- any member of our group of galleries;
- hotels if we arrange any events;
- our consultants who operate our website or respond to your enquires;
- our service providers and business partners for example, those providing the IT services website or hosting services and marketing platforms or agencies;
- our advisers;
- business partners or suppliers;
- a law and regulatory enforcement agency or body, if legally required to do so under legislation or an order, or if required for safety, compliance or security purposes;
- advertising technology networks that may require devise data to select and serve relevant adverts to you;
- social media, analytics and search engine providers that assist us in the improvement and optimisation of our website;
- social networking channels and dedicated fan pages or profiles etc., regarding the collection; and
- a prospective seller or buyer including their advisers, if we sell or buy any business or assets or sell The Al Thani Collection. Personal information held by us may be one of the transferred assets.
We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services.
We may use your personal information to tell you about relevant Al Thani Collections and artwork, including via email and newsletters. Where required by data protection laws for communications regarding collections we think you may be interested in, we will seek your consent via:
- our website forms;
- in writing including via email; or
- over the phone.
We do not usually require a further consent when simply responding to your specific and solicited enquires that you may make to us.
We do not sell or rent any of your personal information to third parties or share your data with third parties for direct marketing communications without consent.
We will usually inform you (before collecting your contact details) if we intend to use your data for such purposes or, if from time to time, we intend to disclose your information to any third party for such purposes.
You can exercise the right to object to direct marketing or withdraw your consent at any time by contacting us using the details below. You can exercise your right to prevent or withdraw such contact by checking certain boxes on the forms we use to collect your data on the website, by writing to us or simply responding "unsubscribe".
We will record your preferences on our marketing suppression lists if you update them without undue delay. You may still receive important information and communications from us such as legally required communications or information regarding changes to our services – which are not marketing messages.
Your individual rights
The GDPR conveys several rights to you as a data subject regarding the control, usage and storage of your personal information. The following rights may be available depending on the circumstances:
- access: the right to be provided with a copy of your personal information that we hold or control and explain how it is processed;
- rectification: the right to request that we correct any inaccurate information held or controlled by us about you;
- portability: the right to request a copy of your personal information for the purposes of transferring it to another data controller;
- objection: the right to object to the processing of your personal information by us or a third party if we are relying on our legitimate interests as the lawful basis;
- restriction: the right to require us to restrict processing of your personal information – in certain circumstances, e.g. if you contest the accuracy of the data;
- to be forgotten: the right to require us to delete your personal information – in certain situations. This does not include data that we are legally obliged to keep a record of;
- withdraw consent: the right to withdraw your consent, for example for mailings about other art collections; and
- stopping automated decision making: the right to object to a decision made as a result of a solely automated process, such as profiling where such a decision may have a legal or other significant effect (although we do not currently undertake such activity in connection with this website).
You can make any request to exercise these rights using the contact details provided below.
Upon receiving your request, we will review our records and databases as necessary. Where any such request is made by you, we will provide you with a response as soon as is practicable without undue delay but in any event within 30 days from the data of receipt of your request.
In certain circumstances, we may require you to confirm your identity prior to responding to any request received. Where your identity cannot be verified we may not be able to respond to your request. We will also contact any data processor or third party instructed by us to make sure your request is handled in accordance with the GDPR.
If we consider we need more time to respond, we will let you know and in certain cases we can extend the timescale to respond by a further 60 days.
We are committed to safeguarding the privacy of any personal information, to ensure it is secure at all times and treated in strict confidence. All information you provide to us is stored on secure servers. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access or disclosure. We limit access to your personal information to those who have a genuine need to access it.
We put in place appropriate technical, contractual and organisational measures to prevent information being subject to a security breach incident, including a data loss, destruction or unauthorised transfers or access. The processes we implement consider various factors including the current state and cost of technology or other measures, as well as the risks to your privacy rights and other freedoms. Please note any information that is transmitted over the internet is not always 100% secure.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
The personal information we process about you will be handled in the UK and the Seychelles. We may forward your request or enquiry to a location outside the UK if the person that deals with that request or aspect of the collection, is based outside the UK.
Where it is necessary to transfer or access your personal information outside the UK, we will ensure we put in place appropriate measures to comply with the GDPR for IT services or otherwise, including if necessary, putting in place EU approved model and standard contractual clauses to ensure adequate treatment of the information outside the UK by a third party. These transfers are subject to special rules under European and UK laws because there may not be the same data protection rules in place in the country to which the personal information is transferred.
The model transfer contracts are in a format approved by competent regulatory and/or government authorities. Please contact us if you would like more information on the model clauses or a copy of them, which can also be accessed from the EU Commission's website.
Data minimisation and retention
We will not ask for more information than we need for the purposes we are collecting it in connection with your enquiries and will securely dispose of the information when it is no longer needed for the given purpose. In essence, we will only keep personal information for the minimum periods of time that are necessary. Your personal information is retained by us in accordance with applicable laws and regulations. Our data retention periods vary depending on the nature and context of the personal information that we have in our care, and are calculated taking into account the following factors:
- how long we need to keep the data to fulfil the original purpose for which it was collected;
- potential complaints, claims or litigation;
- guidance from official bodies such as relevant regulatory authorities; and
- legal obligations to which we are subject.
This means that, in general, we delete personal information when: the purpose for its processing has been fulfilled or the relationship with you has ended; all mutual queries or claims have been fulfilled; and there are no other legal obligations to retain the personal information nor legal bases for further processing.
Links to third party sites
Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and which we cannot control. Please check these policies before you submit any personal information or visit other websites.
How to complain
We hope that we can resolve any query or concern you may raise about our use of your information.
The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the EU member state where you work, normally live or where any alleged infringement of data protection laws has occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at: First Contact Team, Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, https://ico.org.uk/concerns.
Questions, comments and requests including to exercise your rights are welcomed and should be addressed to The Al Thani Collection: email@example.com