Privacy & data protection
The information below is a general description of how the Royal Pavilion & Museums Trust (RPMT) processes personal data in pursuit of its charitable objects. More detailed information on the processing of personal data for particular purposes is described where possible in separate privacy notices issued to the affected data subjects.
Personal data is processed in accordance with the Data Protection Act 2018 and the General Directive on Data Protection Regulation (GDPR). RPMT is registered as a data controller with the Information Commissioner’s Office.
Data subject rights
Data subjects have several rights in relation to the processing of their personal data. This includes the right to object to processing.
If you wish to object to RPMT’s use of your personal information or wish to exert your other rights as a data subject, please use the enquiry form below.
You also have a right to lodge a complaint with a supervisory body. In the UK this is the Information Commissioner’s Office (ICO).
Most of the personal data collected and processed by RPMT is stored for limited time periods. The length of the period is determined by the lawful basis for processing, legal obligations, and recognised good practice in the museum sector.
Where possible, we will advise you of the retention period for your data at the point of collection.
If you would like more information on how long we hold personal data, please use the enquiry form below stating the type of personal information you are interested in.
Please also note that as a museum that is committed to the long-term preservation of its collections and their accompanying information, personal data may form part of our historic archives for research purposes. Information directly related to objects in our collections is usually held permanently.
RPMT Enterprises Ltd
Retail and other commercial activities such as venue hire and location filming are managed by RPMT Enterprises Ltd, a trading subsidiary of the Royal Pavilion & Museums Trust. Where personal data is processed for the purpose of fulfilling these contractual arrangements, it is managed by RPMT Enterprises Ltd under a dual controller relationship with RPMT. The Trust takes primary responsibility for responding to enquiries and managing data subjects’ rights.
RPMT Enterprises shares a registered business address and Data Protection Officer with the Royal Pavilion & Museums Trust.
Where possible, privacy notices are issued at the point that data is collected for processing. The information below provides an overview of how we manage specific business activities.
When you book tickets with us or make a purchase on our online shop, we will ask you for information specific to that order, including your billing address, shipping address, credit card information and email address. The information that you provide is used to process your orders and send tickets. We will also use this information to contact you if there is a problem with your order, such as a cancelled event. We may also send a single follow up information asking for feedback about your visit.
Unless you opt in to our mailing list at the time of your booking, we will not use your personal data for any other purpose.
Booking information is processed by TOR systems acting as a data processor on behalf of RPMT. Access to this information is limited to trained and authorised staff. Third parties may have occasional access to the data for the sole purpose of upgrading and maintaining our systems, but such work will be governed by a data processing agreement.
Payment transaction information is encrypted before it is transmitted across the internet.
When you purchase an item from our online shop, we will ask you for your name and address in order to despatch the order. We will also ask for either an email address or telephone number in case there are any issues with your order. You may also provide us with additional information when you make your order, such as if it is to be sent to a third party. You may also opt-in to our mailing list during the checkout process.
We use Shopify as our online retail platform. All payment transactions are securely carried out by Shopify and encrypted during transfer. You can read more about how Shopify handles personal data, including the web cookies it requires, on the privacy notice that accompanies our online shop.
Many Members pay for their membership through a regular direct debit. These transactions are handled by The Access Group acting as a data processor on behalf of the Royal Pavilion & Museums Trust.
We operate several mailing lists for marketing purposes. If you make a booking by telephone or online, you may be invited to opt in to this. You can unsubscribe from the list at any time, either using the links in the newsletter or by completing the contact form below.
Members and patrons will also receive regular newsletters as part of their membership.
We use Mailchimp for collecting data and sending the newsletter. Mailchimp uses secure servers in the United States, but these are certified compliant with the EU-US Privacy Shield.
We also operate smaller mailing lists for users with specialist interests, such as school teachers, youth workers and those working in the travel trade. In these cases, the contact list is maintained by the member of staff who works in this area. Subscribers to these lists can opt out at any time by contacting the member of staff who manages the list or by using the form below.
We regularly ask our visitors for information in the form of surveys, both in our museums, online and at other sites. This is so that we can measure whether we are reaching a diverse audience and evaluate the success of our work.
These surveys may contain information relating to gender, ethnicity and other demographic details which are considered Special Category Data. This information is collected solely for statistical and reporting purposes using forms which are designed to ensure the anonymity of those who complete them.
Survey data is often shared with funders, researchers and other stakeholders, but only in an anonymised or pseudonymised form.
In some cases we may conduct detailed research which requires us to process Special Category Data in a manner which cannot be anonymised. In these cases we will always obtain explicit consent from the data subjects before proceeding. Where such research takes place in collaboration with a university or other academic partner, we will always follow that organisation’s ethical research policy.
CCTV & BWV
The sites we operate are all protected by Closed Circuit Television (CCTV). Some security staff and contractors may also use Body Worn Video (BWV). This is to prevent crime and ensure the safety of our visitors.
The images captured by these devices will be kept for no longer than 30 days unless they are required as evidence of criminal activity. The Royal Pavilion & Museums Trust is the data controller for all such images. Where contracted security staff use BWV, this is managed under a data processing agreement on behalf of RPMT.
Images may also be shared with members of the Brighton & Hove Business Crime Reduction Partnership under the terms of RPMT’s data sharing agreement as a member.
Web cookies & tracking code
Our websites use small pieces of code which collect some personal data through your web browser. These are used to provide key functionality, understand how people are using our online services, and some limited marketing applications. See our cookie notice for more information on these.
One Minute app
One Minute is a native app for Android and iOS devices that visitors to Brighton Museum can use to learn more about the exhibits. In line with the requirements of Google Play and the App Store, a separate privacy notice is available for this app.
Royal Pavilion & Museums Trust
Royal Pavilion Gardens
Registered charity: 1186986
Company registration: 11774969
Data protection registration: ZA791555