Who we are
Galway City Museum (“GCM”) operates under the auspices of Galway City Council, the democratically elected unit of local government in Galway City. Under the provisions of the Local Government Acts (as amended) and various statutory provisions, Galway City Council is responsible for providing a range of services to meet the economic, social and cultural needs of the people of the City. Under this remit, Galway City Museum serves to advance the cultural and heritage life of Galway city.
The GCM wholly respects your right to privacy and actively seeks to preserve the privacy rights of those who share information with the Museum in accordance with the General Data Protection Regulation 2018 (“GDPR”) and other applicable national and European privacy legislation and regulations (“Data Protection Law”).
This Policy applies to the domain and website owned by Galway City Museum. You will find links on this website to external websites – please note Galway City Museum is not responsible for the content or privacy policies of third-party websites.
Galway City Museum is committed to protecting your privacy when you use our services. This Policy explains how we use information about you and how we protect your privacy. The information provided below sets out how we use your data, our legal basis and how we secure it.
What information is collected?
This is data that can be used to directly identify you and may include your name, address, telephone number, email address or IP address. Such information is only collected from you where it is volunteered by you, such as by sending us an email or subscribing for news and updates from us.
This is data that relates to the operation of our website and is not associated with any specific personal identity. Like many other websites, we gather statistical and analytical information relating to our website visitors and how they use our website and social media. Examples of such non-personal data may include the pages visited on our website, web browser types or unique URLs visited within our website.
How Galway City Museum uses your data
Galway City Museum will process any personal information you share with us as follows:
(a) To provide you with the goods or services you have specifically requested;
(b) To contact you, if required, in relation to your communication or order or to respond to any other communication you may send to us.
(c) To complete files on the acquisition or borrowing of objects to the museum collections so that a register can be maintained – no donor or lender information is displayed in the public exhibition areas without your consent.
“Non-Personal Data”
We use the non-personal data gathered from our website in an aggregate form for reporting on the usability, performance and effectiveness of our website, to provide more relevant content and to gain a better understanding of where our visitors come from.
We also gather non-personal data in our visitor surveys, which we use to collect qualitative and quantitative information on the museum visitor experience. Visitors are also invited to leave a comment in our Visitors’ Book.
The table below outlines the categories and types of data we collect. The types of data we collect may change over time; the following table is an indicative list to help you understand the types of data we collect.
| Process | Purpose | Lawful Basis | Type of Data |
| --- | --- | --- | --- |
| CCTV | CCTV is present within GCM and its external environs. It is used to protect the Museum Collection, the investigation, detection or prosecution of criminal offences, and the protection of staff and visitors. | Processing is necessary for compliance with a legal obligation to which the controller is subject. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. | |
| Donations | To receive collection donations | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with GCM. | Name, email, address, telephone number |
| | To receive monetary donations from our sponsors | | Name, email, address, telephone number, financial information |
| Collections | To register and maintain collections information. | Processing is necessary as a performance of a task. | Name, contact details, image. |
| Exhibitions | To display panels and information to visitors at our exhibitions. | Processing is necessary as a performance of a task | Name, image, possible special categories dependent on exhibition. |
| Event hire and filming | Facilitating the use of GCM for events and film production | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with GCM. | Name, address, email address, phone number, bank details |
| Rights and Reproductions | Purchasing the rights to use GCM images and photographs | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with GCM. | Name, address, email address, financial information. |
| Education | To facilitate online and on-site educational events | Performance of a task | Name, email, address, telephone number |
| Photography | Taking photographs at any of our events for marketing purposes. | Consent | Name, Image |
| Regulatory Compliance | To comply with financial regulations and any other relevant laws and regulations. | Processing is necessary for compliance with a legal obligation to which the controller is subject. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. | Annual Financial Statements; Annual Reports and Publications; Minutes of Board Meetings / Strategic Plans; Archiving or destruction of Records; FOI and Data Protection Requests |
| Third Party Data Sharing | To allow us to conduct and carry out functions with third party service providers that enable us to deliver our services. | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. | Dependent on third party. |
| Back-ups | To store personal data and make back-ups of that data in case of emergencies and for disaster recovery purposes. | Processing is necessary for compliance with a legal obligation to which the controller is subject. | All soft copy versions of GCM data are backed up regularly. |
| Marketing | To send out our marketing materials such as our museum newsletter, survey forms or any information on our exhibits and events. | Consent | Name, Email Address |
| | Utilising photographs taken at events for marketing materials | | Name, image |
| | Managing our social media accounts | Legitimate interests – to provide customer service and answer queries | Name, Email address |
| Admin | To perform administrative tasks which are a standard operation at GCM. | Processing is necessary for the performance of a task. Processing is necessary for compliance with a legal obligation to which the controller is subject. | Agendas of Meetings; Minutes of Meetings |
| Communications | To enable communications between staff members internally and externally with third parties. | Legitimate interest | Emails |
| Technical and Usage Data | Utilising cookies and AdWords to generate statistics | Consent | Technical information, including the Internet Protocol (IP) address used to connect your computer to the internet, the type of browser and operating system, the date and time of when you access our site, the pages you visit; and the website from which you accessed our site including any search terms used. Cookies and Adwords |
| Accident Reports | To compile a report should an accident or incident occur | To comply with a legal obligation | Name, imagery, medical data. |
| Making or Receiving Payments | To make or receive any payments in the discharge of normal business functions, or to carry out any other payment requirements. N.B. All museum payments are processed through Galway City Council. | Processing is necessary for compliance with various employment and revenue laws. Processing is necessary for the performance of a contract to which the data subject is party. | Tax reference number, bank name, bank address, BIC, IBAN, invoice payments. |
Who Galway City Museum shares your data with
We will not disclose your personal data to third parties, outside of Galway City Museum, unless you have consented to this disclosure or unless the third party is required to fulfil your order (in such circumstances, the third party is bound by similar data protection requirements). We will disclose your personal data if we believe in good faith that we are required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order, or other statutory requirement. When making these transfers, we will take steps to ensure that your personal data is adequately protected and transferred in accordance with the requirements of the Data Protection Law. This may involve the use of data transfer agreements in the form approved by the European Commission or another mechanism recognised by data protection law as ensuring an adequate level of protection for Personal Data transferred outside the EEA (for example, standard contractual clauses).
We may provide non-personal data to third parties, where such information is combined with similar information of other users of our site. The third parties to whom we may provide this information may include, potential or actual advertisers, providers of advertising services (including website tracking services), commercial partners, sponsors, licensees, researchers and other similar parties.
Change of Use
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our data protection officer at the contact details listed in this Policy. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with this Policy, where this is required or permitted by law.
Consequences of not providing us with information
You can choose not to give us personal information; however, this may have an effect on you. We may need to collect personal information by law, or to enter into or fulfil a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from fulfilling our contract with you or doing what we must do by law.
Recipients of Data
We may share your personal data with outside organisations.
While the parties we engage may change occasionally, we believe it is important you are aware of the types of parties we share data with. The categories and types of third parties outlined below are a non-exhaustive list but provide an indication of the parties we share data with.
Other Third Bodies
Third parties for the purposes of internal and external audits, carrying out research, and/or third parties who may improve our processes and services (such as handling of payments or recruitment assistance).
Government Departments, Bodies or Agencies
GCM is legally obligated to share personal data with state actors, as outlined in the Data Protection Act 2018. Recipients of this data include Government departments, agencies, bodies, investigatory bodies, local authorities and the Gardaí.
As an exception, where personal data is transferred outside the European Economic Area, GCM uses safeguards, such as standard contractual clauses (SCCs).
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
As a data subject, you have the rights outlined in this section. However, restrictions may apply in certain situations.
Please send all requests to our DPO, whose contact details are at the end of this Policy document.
A. RIGHT TO RECTIFICATION
You have the right to have GCM correct any inaccurate personal data we have collected about you. You also have the right to have incomplete personal data completed; you may provide us with supplementary information to do this.
B. RIGHT TO ERASURE
In certain instances, you have the right to have GCM erase the personal data we have collected about you. Your right of erasure will apply in the following circumstances:
- We no longer need the data for the purpose that it was originally collected;
- Where data is processed on the basis of consent, you withdraw your consent to the processing and no other lawful basis exists;
- You object to the processing and the organisation has no overriding legitimate interest for the processing;
- We have collected the data unlawfully; or
- The data must be erased to comply with a legal obligation.
This right will not apply where we are required to process personal data in certain circumstances including the following:
- For exercising the right to freedom of expression and information;
- For compliance with a legal obligation;
- For the performance of a public interest task or exercise of official authority;
- For health purposes in the public interest;
- For archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
- For the establishment, exercise or defence of legal claims.
Please note that where the legal basis for our processing of personal data is a legal obligation or public authority, some processing in relation to your data may not be subject to the right to erasure.
To determine your request for erasure, we will carry out an assessment of the justification for retaining your personal data where a legal requirement applies and contact you if we are unable to fulfil your request.
Please be aware that in some circumstances we may need to retain some information to ensure all of your preferences are properly respected. For example, we cannot erase all information about you where you have also asked us not to send you marketing material. Otherwise, we would delete your preference not to receive marketing material.
C. RIGHT TO OBJECT
You have the right to object to the processing of your personal data. However, the processing must have been undertaken on the basis of public interest or legitimate interest by us.
If you wish to object to the processing of data, please contact us with your request. We will then stop the processing of personal data unless it is required for legal proceedings.
D. RIGHT TO RESTRICTION
You have the right to restrict the extent of personal data processed by us in circumstances where:
- You believe the personal data is not accurate (restriction period will exist until we update your information).
- The processing of the personal data is unlawful, but you wish to restrict the processing of data rather than erase it.
- Where the personal data is no longer required by us, but you require retention of the information for the establishment, exercise, or defence of a legal claim.
- You have a pending objection to the processing of the personal data.
When processing is restricted, your personal data will only be processed: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of other people; or for reasons important to public interest.
We will contact you to confirm where the request for restriction is fulfilled and will only lift the restriction after we have informed you that we are doing so.
E. RIGHT TO ACCESS
You have the right to know what personal data we hold on you, why we hold the data, and how we are processing your personal data.
When submitting your request, please provide us with information to help verify your identity and as much detail as possible to help us understand the information you wish to access.
There is usually no charge applied to access your personal data (or to exercise any of the other rights). However, if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee. Alternatively, we may refuse to comply with your request in these circumstances.
F. RIGHT TO PORTABILITY
You have the right to receive personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You also have the right to provide this data to another controller or have GCM transmit this data to another controller on your behalf, where technically feasible. This right to portability is limited to the following situations:
- Where the processing is based on the legal basis of consent
- Where the processing is based on the legal basis of a contract
- Where the processing is carried out by automated means
G. RIGHT TO WITHDRAW CONSENT
Where we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time.
H. RIGHT TO COMPLAIN
If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights, then you have the right to complain to the Data Protection Commission (DPC). Please see the end of this Policy document for contact details of the DPC.
For marketing purposes, we may contact you in relation to events, upcoming exhibitions, competitions and to issue our newsletter, via email.
Consent will always be provided in the form of a clear opt-in. You have the right to withdraw your consent at any time using the contact details listed in this section. If you would prefer not to receive this type of communication from us, you can email: firstname.lastname@example.org .
All emails will contain a link to unsubscribe or opt-out of future marketing communications from GCM.
There may be instances where it is necessary for us to transfer your data outside of the European Economic Area (“EEA”) where privacy laws may not be as protective as those in your jurisdiction. There are special requirements set out under Chapter V of the GDPR to regulate such data transfers and ensure that adequate security measures are in place to safeguard and maintain the integrity of your personal data on transfer.
Where we transfer your personal data outside the EEA, we will make sure that it is protected to the same extent as in the EEA and we will use at least one of the following safeguards:
- Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA
- Put in place a contract with the recipient that means they must protect it to the same standards as the EEA (Standard Contractual Clauses).
- Transfer it to organisations that are compliant with the EU/US Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to those used and expected within the EEA.
The Galway City Museum is committed to protecting the privacy needs of children and we encourage parents and guardians to take an active role in their children’s online activities and interests. The Galway City Museum does not knowingly collect information from children under the age of 16 through its website.
We won’t use the personal data of children or young people for marketing purposes and we won’t profile it. Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis.
GCM will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Policy. We will use all reasonable efforts to put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, other recipients and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use reasonable procedures and security features to try to prevent unauthorised access. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Cookies are small text files that are placed on your computer by websites that you visit with the aim of making the site work, improving a user’s experience and/or making their activity more efficient. Web browsers allow control of cookie usage through the browser settings.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Updating, Verifying and Deleting Personal Data
In accordance with our obligations under Data Protection Laws you have a right to be given a copy of all personal data that we hold about you. You also have the right to have your data corrected, if inaccurate, or erased, if Galway City Museum does not have a legitimate reason for retaining the data.
Where can I get advice or make a complaint
We have a Data Protection Officer who makes sure we respect your rights and comply with the law. If you have any concerns or questions about how we look after your personal information, please contact our Data Protection Officer at:
Data Protection Officer
Galway City Hall
You may lodge a complaint with the Data Protection Commissioner with respect to our processing of your personal data. Write to the Data Protection Commissioner by using the form available from the Data Protection Commission website and send to email@example.com or The Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28. Phone: 01 7650100 / 1800437 737.