Privacy Notice
The National Museum of Ireland (“NMI”) respects your right to privacy and complies with our obligations under relevant data protection legislation including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act, 2018.
The purpose of this Privacy Policy (“Policy”) is to outline how we process personal data, including special categories of data and the basis on which personal data is obtained from you or collected about you from third parties.
We take great care with any personal data we hold, so that we provide the highest standard of service to you, whilst taking steps to keep your data secure and to ensure it is only used for the specified, explicit and legitimate purposes stated within this Policy.
Unless otherwise stated, the controller (as defined in the GDPR) of your personal data for all purposes outlined in this Policy is the NMI. We can be contacted by post at National Museum of Ireland, Block 19, Collins Barracks, Benburb Street, Dublin 7, D07 XKV4 Ireland by phone +353 1 6777444 or by email at Marketing@museum.ie.
Our data protection officer (“DPO”) can provide you with additional information on this Policy and your rights. Their contact details are below:
Address: Data Protection Officer, National Museum of Ireland, Block 19, Collins Barracks, Benburb Street, Dublin 7, D07 XKV4.
Email: dataprotection@museum.ie
1.About us
‘We’, ‘our’, ‘us’, ‘NMI’ refers to the National Museum of Ireland. Our Museums include the Decorative Arts and History Museum, the Country Life Museum, the Natural History Museum and the Archaeology Museum.The National Cultural Institutions Act, 1997 established the National Museum of Ireland as a non-commercial semi-state body under an autonomous Board.
2.Your Personal Data
We collect 'personal data', which is information that identifies a living person, or which can be identified as relating to a living person.
When we talk about 'you' or 'your' in this policy we mean any living person whose personal data we collect.
We collect personal data to enable the provision of services to support the purposes of NMI. This includes when you access our Museum.ie website, when you purchase anything from our online store, when you submit information through our website (contact us forms), when you apply for a job over our website and when you visit any of our locations.
The table below outlines the categories and types of data we collect. The types of data we collect may change over time; the following table is an indicative list to help you understand the types of data we collect.
| Process | Purpose | Lawful Basis | Type of Data |
| Booking Tickets | To allow you to book a ticket to an NMI museum site through our website or booking forms. | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with the NMI. | Name, email, address, telephone number, country |
| Processing is necessary for public interest. | COVID-19 verification | ||
| CCTV | CCTV is present within the NMI and its external environs. It is used to protect the National Collection, the investigation, detection or prosecution of criminal offences, and the protection of staff and visitors. | Processing is necessary for compliance with a legal obligation to which the controller is subject. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. |
Image |
| Donations | To receive collection donations | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with the NMI. | Name, email, address, telephone number |
| To receive monetary donations from our sponsors | Name, email, address, telephone number, financial information | ||
| Collections | To register and maintain collections information. | Processing is necessary as a performance of a task. | Name, contact details, image. |
| Exhibitions | To display panels and information to visitors at our exhibitions. | Processing is necessary as a performance of a task | Name, image, possible special categories dependent on exhibition. |
| Event hire and filming | Facilitating the use of NMI sites for events and film production | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with the NMI. | Name, address, email address, phone number, bank details |
| Rights and Reproductions | Purchasing the rights to use NMI images and photographs | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with the NMI. | Name, address, email address, financial information. |
| Online Store | To facilitate the purchasing of goods through our online store. | Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with the NMI. |
Name, email, address, telephone number, financial information |
| Education | To facilitate online educational events | Performance of a task | Name, email, address, telephone number |
| Photography | Taking photographs at any of our events for marketing purposes. | Consent | Name, Image |
| Pre-Recruitment, Recruitment & Selection | To register a prospective candidate’s interest in recruitment for employment. To complete the recruitment process and assess candidate suitability. |
Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with the NMI. Processing relates to our obligations in employment and for assessing your work capacity. |
Contact details, date of birth, application form or CV, work and educational history and interview notes |
| Proof of identity, proof of qualifications, undertake Garda Vetting, reference check, fitness to work medical assessment | |||
| Garda Vetting | |||
| Making or Receiving Payments | To make or receive any payments in the discharge of normal business functions, or to carry out any other payment requirements. | Processing is necessary for compliance with various employment and revenue laws. Processing is necessary for the performance of a contract to which the data subject is party. |
Tax reference number, bank name, bank address, BIC, IBAN, invoice payments. |
| Regulatory Compliance | To comply with financial regulations and any other relevant laws and regulations. | Processing is necessary for compliance with a legal obligation to which the controller is subject. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. |
Annual Financial Statements |
| Annual Reports and Publications | |||
| Minutes of Board Meetings / Strategic Plans | |||
| Archiving or destruction of Records | |||
| FOI and Data Protection Requests | |||
| Third Party Data Sharing | To allow us to conduct and carry out functions with third party service providers that enable us to deliver our services. | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. | Dependent on third party. |
| Back-ups | To store personal data and make back-ups of that data in case of emergencies and for disaster recovery purposes. | Processing is necessary for compliance with a legal obligation to which the controller is subject. | All soft copy versions of NMI data is backed-up regularly. |
| Marketing | To send out our marketing materials such as our newsletter or any information on our exhibits and events. | Consent |
Name, Email Address |
| Utilising photographs taken at events for marketing materials | Name, image | ||
| Managing our social media accounts | Legitimate interests – to provide customer service and answer queries | Name, Email address | |
| Admin | To perform administrative tasks which are a standard operation at NMI. | Processing is necessary for the performance of a task. Processing is necessary for compliance with a legal obligation to which the controller is subject. |
Diaries (office) |
| Agendas of Meetings | |||
| Minutes of Meetings | |||
| Complaints | |||
| Communications | To enable communications between staff members internally and externally with third parties. | Legitimate interest | Emails |
| Email Archives | |||
| Sharefiles | |||
| Technical and Usage Data | Utilising cookies and AdWords to generate statistics | Consent | Technical information, including the Internet Protocol (IP) address used to connect your computer to the internet, the type of browser and operating system, the date and time of when you access our site, the pages you visit; and the website from which you accessed our site including any search terms used. Cookies and Adwords |
| Accident Reports | To compile a report should an accident or incident occur | To comply with a legal obligation | Name, imagery, medical data. |
2.1.Change of Use
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our data protection officer at the contact details listed in this Policy. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with this Policy, where this is required or permitted by law.
2.2.Consequences of not providing us with information
You can choose not to give us personal information; however, this may have an effect on you. We may need to collect personal information by law, or to enter into or fulfil a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from fulfilling our contract with you or doing what we must do by law.
3.Recipients of Data
We may share your personal data with outside organisations.While the parties we engage may change occasionally, we believe it is important you are aware of the types of parties we share data with. The categories and types of third parties outlined below is a non-exhaustive list but provides an indication of the parties we share data with.
3.1.Other Third Bodies
Third parties for the purposes of internal and external audits, carrying out research, and or third parties who may improve our processes and services (such as handling of payments or recruitment assistance)3.2.Government Departments, Bodies or Agencies
NMI is legally obligated to share personal data with state actors which is outlined in the Data Protection Act 2018. Recipients of this data include Government departments, agencies, bodies, investigatory bodies, local authorities and the Gardaí.3.3.International Transfers
On exception, where personal data is transferred outside the European Economic Area, NMI use safeguards, such as standard contractual clauses (SCCs).4.Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.Please be advised, the National Museum of Ireland is a place of deposit under the National Archives Act, 1986 and complies with the guidelines issued by the National Archives of Ireland on GDPR and the National Archives Act.
5.Subject Rights
As a data subject, you will have the following rights are outlined in this section. However, restrictions may apply in certain situations.Please send all requests to our DPO at:
Email: dataprotection@museum.ie ; or
Address: Data Protection Officer, National Museum of Ireland, Block 19, Collins Barracks, Benburb Street, Dublin 7, D07 XKV4.
A.RIGHT TO RECTIFICATION
You have the right to have NMI correct any inaccurate personal data we have collected about you. You also have the right to have incomplete personal data completed; you may provide us with supplementary information to do this.B.RIGHT TO ERASURE
In certain instances, you have the right to have NMI erase the personal data we have collected about you. Your right of erasure will apply in the following circumstances:- We no longer need the data for the purpose that it was originally collected;
- Where data is processed on the basis of consent, you withdraw your consent to the processing and no other lawful basis exists.
- You object to the processing and the organisation has no overriding legitimate interest for the processing;
- We have collected the data unlawfully; or
- The data must be erased to comply with a legal obligation;
- For exercising the right to freedom of expression and information;
- For compliance with a legal obligation, such as the National Archives Act, 1986 which requires NMI to retain data indefinitely;
- For the performance of a public interest task or exercise of official authority;
- For health purposes in the public interest;
- For archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
- For the establishment, exercise or defence of legal claims.
To determine your request for erasure, we will carry out an assessment of the justification for the retaining your personal data where a legal requirement applies and contact you if we are unable to fulfil your request.
Please be aware that in some circumstances we may need to retain some information to ensure all of your preferences are properly respected. For example, we cannot erase all information about you where you have also asked us not to send you marketing material. Otherwise, we would delete your preference not to receive marketing material.
C.RIGHT TO OBJECT
You have the right to object to the processing of your personal data. However, the processing must have been undertaken on the basis of public interest or legitimate interest by us.If you wish to object to the processing of data, please contact us with your request. We will then stop the processing of personal data unless it is required for legal proceedings.
D.RIGHT TO RESTRICTION
You have the right to restrict the extent of personal data processed by us in circumstances where:- You believe the personal data is not accurate (restriction period will exist until we update your information).
- The processing of the personal data is unlawful, but you wish to restrict the processing of data rather than erase it.
- Where the personal data is no longer required by us, but you require retention of the information for the establishment, exercise, or defence of a legal claim.
- You have a pending objection to the processing of the personal data.
We will contact you confirm where the request for restriction is fulfilled and will only lift the restriction after we have informed you that we are doing so.
E.RIGHT TO ACCESS
You have the right to know what personal data we hold on you, why we hold the data, and how we are processing your personal data.When submitting your request, please provide us with information to help verify your identity and as much detail as possible to help us understand the information you wish to access.
There is usually no charge applied to access your personal data (or to exercise any of the other rights). However, if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee. Alternatively, we may refuse to comply with your request in these circumstances.
F.RIGHT TO PORTABILITY
You have the right to receive personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You also have the right to provide this data to another controller or have NMI transmit this data to another controller on your behalf, where technically feasible. This right to portability is limited to the following situations.- Where the processing is based on the legal basis of consent
- Where the processing is based on the legal basis of a contract
- Where the processing is carried out by automated means
G.RIGHT TO WITHDRAW CONSENT
Where we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time.H.RIGHT TO COMPLAIN
If you are not satisfied with our use of your personal data or our response to any request by you to exercise any of your rights, then you have the right to complain to the Data Protection Commission (DPC). Please see below for contact details of the DPC.The Data Protection Commission,21 Fitzwilliam Square South, Dublin 2, D02 RD28
Ireland. Phone: 01 7650100 / 1800437 737 Email: info@dataprotection.ie.
6.Marketing
For marketing purposes, we may contact you in relation to events, upcoming exhibitions, competitions and to issue our newsletter, via email.
Consent will always be provided in the form of a clear opt-in. You have the right to withdraw your consent at any time using the contact details listed in this section.
If you would prefer not to receive this type of communication from us, you can do any one of the following;
- Email: marketing@museum.ie
All emails will contain a link to unsubscribe or opt-out of future marketing communications from NMI.
7.International Transfers
There may be instances where it is necessary for us to transfer your data outside of the European Economic Area (“EEA”) where privacy laws may not be as protective as those in your jurisdiction. There are special requirements set out under Chapter V of the GDPR to regulate such data transfers and ensure that adequate security measures are in place to safeguard and maintain the integrity of your personal data on transfer.
Where we transfer your personal data outside the EEA, we will make sure that it is protected to the same extent as in the EEA and we will use at least one of the following safeguards:
- Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA
- Put in place a contract with the recipient that means they must protect it to the same standards as the EEA (Standard Contractual Clauses).
- Transfer it to organisations that are compliant with the EU/US Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to those used and expected within the EEA.
8.Children’s Privacy
The National Museum of Ireland is committed to protecting the privacy needs of children and we encourage parents and guardians to take an active role in their children's online activities and interests. The National Museum of Ireland does not knowingly collect information from children under the age of 16 through its websites.
We won't use the personal data of children or young people for marketing purposes and we won't profile it.
Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis.
9.Cookies
For further details on our use of cookies, please refer to our Cookie Policy which you can view by visiting https://www.museum.ie/en-IE/Cookies.
10.Security
NMI will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Policy. We will use all reasonable efforts to put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, other recipients and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use reasonable procedures and security features to try to prevent unauthorised access. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
11.Changes to the Website Privacy Statement
Any changes to this Privacy Policy will be posted on this website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.12.Questions or Complaints
Contact us. If you have any questions or complaints relating to this Policy, please contact us at:
Address: Data Protection Officer, National Museum of Ireland, Block 19, Collins Barracks, Benburb Street, Dublin 7, D07 XKV4.
Email: dataprotection@museum.ie
Effective date of this Statement: Friday, July 30 2021