What are personal data?
‘Personal data’ refers to any information relating to an identifiable natural person, e.g. your personal identity number, name, postal address, e-mail address and photographs. Encrypted information of various kinds and electronic identities (e.g. IP numbers and cookies) are personal data if they can be linked to a natural person.
What is processing of personal data?
Any operation involving personal data is processing, whether it is automated or manual. Examples of processing include collecting, recording, organising, structuring, altering, storing, adapting, disseminating, transmitting, and erasing.
What personal data are collected by the Thiel Gallery?
Bookings of venues and services
In order to process bookings of venues and services, including tours and courses, we collect the following data:
Contact details (postal address, e-mail address, telephone number and organisation/personal identity number)
The processing consists of receiving, changing or cancelling bookings and other communication relating to bookings.
The legal basis is to fulfil agreements. Data collection is necessary in order to fulfil our side of the agreement. The data is stored until the service has been delivered.
The Foundation’s obligations
The following data are collected in order to fulfil our legal obligations, e.g. accounting laws:
Personal identity number (when applicable)
Contact details (e.g. e-mail address, postal address and telephone number)
The legal basis is legal obligation and depends on the applicable laws and regulations. Data are stored for the period stipulated by law.
Services and enquiries
The following data are collected in order to provide services and answer enquiries:
Name or user name
Contact details (e.g. e-mail address and telephone number)
Processing consists of communications relating to this type of matter.
The legal basis is public interest resulting from the activities of the Thiel Gallery.
The information is stored for the duration of the service or enquiry.
Information requests from the public
We collect the following data in order to answer requests from persons wishing to receive information about our activities:
E-mail address and telephone number
Processing consists of collecting personal data from individuals wishing to subscribe to our newsletters or receive other e-mail information, including newsletters, press releases and invitations to events.
The legal basis is consent. Processing is required in order to distribute information, and the data is stored until you unsubscribe.
Information to the public
We collect the following data in order to inform the public about activities at the Thiel Gallery:
Name and professional title
Audio and video recordings
The processed data include information about current lecturers, exhibiting artists, courses and conference organisers, and images and video recordings of artists, exhibition staff and, on some occasions, visitors. The information is used in the Gallery’s official communication channels, including the website, mail shots and social media.
The legal basis is to inform the general public about the Gallery’s activities, and the data are stored as long as they are relevant and needed, after which they are erased.
Access to the Thiel Gallery collections
For showing, sharing and providing access to the Gallery’s collections.
Contact details (postal address, studio information, telephone, e-mail address)
Date of birth
Place of birth and country of work
Processing includes collecting and recording data relating to acquired, donated and borrowed works and their provenance. The legal basis is public interest, and the data are stored as long as required for access to the Gallery’s collection.
Donations, lending and borrowing works of art
For managing donations, lending and borrowing of works of art.
Contact details (e-mail address, postal address, telephone number)
Processing consists of collecting data on the institutions and natural persons who borrow, lend or donate works of art. Correspondence with architects, artists, institutions, donors, sellers and lenders.
We collect personal data relating to companies that forward and handle the works. The legal basis is contracts, and data are stored for the duration and term of each respective contract.
For processing research enquiries.
Contact details (e-mail address and correspondence or telephone number and messages)
Personal identity number (for the retrieval of objects)
Organisation or equivalent
The legal basis is public interest, and data are stored until the visit is over and the object has been returned and its condition checked.
Participation in events
For performing and processing participation in events.
Collecting and recording data on persons wishing to attend an event at the Thiel Gallery. Data are stored until the event is over.
Recruitment of staff
For the purpose of recruiting staff.
Personal identity number
Contact details (postal address, e-mail address and telephone number)
Data are collected when recruiting and in communications with applicants in connection with interviews.
The legal basis is public interest and contracts. Data are stored until the recruitment is completed and for 24 months after a decision has been made.
Sponsorship and support
For managing sponsorship and support for the Gallery.
Collection of personal data for the parties involved in sponsorship agreements, partnerships or membership in a support or funding group for the Thiel Gallery.
For distributing event invitations, publications and information about special activities. Also for communications about sponsorship and membership.
The legal basis is the fulfilment of agreements; data are stored for the duration of the sponsorship or membership and for 12 months thereafter.
Who is responsible for personal data?
The Thiel Gallery, Sjötullsbacken 6-8, 115 25 Stockholm, Sweden, is responsible for ensuring compliance with the GDPR. Tel: +46 (0)8 662 5884, Reg No 802005-9245.
How do we collect personal data?
In addition to the data you supply or we collect from you, we may also collect data in connection with the documentation of our activities and events. The data collected in that context will consist of photographs, and sound and video recordings.
With whom do we share your personal data?
Personal data assistants
When necessary in order to provide our services to you, we will share your personal data with so-called personal data assistants. A personal data assistant is a company that processes data on our behalf and in accordance with our instructions. The Gallery has personal data assistants to help us with:
1. Marketing and information (services including newsletters and mail shots, media and web firms, distribution)
2. Transport (logistics and delivery companies)
3. Bookings and services (handling events, tours and courses)
4. IT services (companies that handle necessary operations, technical support and maintenance of IT solutions)
Your personal data are only shared with personal data assistants in accordance with the purposes for which the data were collected (e.g. to fulfil contracts and agreements). We have written contracts with all our personal data assistants, stipulating that they guarantee the confidentiality of any personal data they process and undertake to comply with our security requirements and restrictions and the rules of the GDPR.
Companies with independent responsibility for personal data
The Gallery also shares your personal data with certain companies that are independently responsible for your personal data. They are independent controllers, meaning that we do not control how the data provided to them is handled.
1. Government organisations (the police, tax authorities or other government agency) if we are legally bound to do so or if criminal activities are suspected.
2. Companies that provide payment services (card issuers, banks and other payment service providers).
Where do we process your personal data?
We always strive to process your personal data within the EU/EEA, and all our own IT systems and the personal data assistants we consult are within the EU/EEA. In the event that one of our service providers needs your data in connection with IT support and maintenance, we ensure that a data protection agreement is in place, so that the recipients handle your data in accordance with our instructions.
In cases where your data will be used outside the EU, e.g. by one of our service providers, we always ensure that protection measures such as data transfer agreements are in place to regulate that the recipients comply with our regulations for processing your data.
What are your rights?
Right of access
You have the right, at any time, to access your personal data from the Gallery in the form of a printed record.
Right to rectification
You can request that your personal data be corrected if the information is incorrect. You are also entitled to have any incomplete personal data completed.
Right to erasure
You can request that your personal data in our records be erased if:
The data are no longer necessary for the purposes for which they were originally collected or processed.
Personal data have been processed unlawfully.
Personal data need to be erased to comply with a legal obligation involving the Gallery.
The Gallery may be entitled to refuse your request if there are legal obligations preventing the immediate erasing of certain personal data. This includes obligations in accordance with accounting and tax laws, banking and money-laundering laws, and consumer protection laws.
Processing of your personal data may also be required in order to establish, assert or defend our legal claims. If we are prevented from granting your request for erasure, we will instead block your data so that they cannot be used for any purpose other than the purpose preventing them from being erased.
Right to restrict processing
You can request restricted processing of your personal data. If you claim that the personal data in our processing are incorrect, you may request restricted processing for the time it takes for us to check your personal data.
Right to data portability
If our right to process your personal data is based either on consent or fulfilment of an agreement, you are entitled to request that the data pertaining to you that you have submitted to us be transferred to another controller (data portability). One condition for data portability is that the transfer is technically possible and can be automated.
Right to object
You are entitled to object to our processing of your personal data. The objection should be made to the Swedish Data Protection Authority, the supervisory body in Sweden.
How do we process personal identity numbers?
We only record personal identity numbers when strictly necessary for our purposes, to verify the identity of natural persons, or for other important purposes. Normally, we only record the year, month and date of birth and leave out the last four digits.
How do we protect your personal data?
We use IT systems to protect the confidentiality and privacy of, and access to, any personal data. We have taken special precautions to protect your personal data against unlawful or unauthorised processing (e.g. unlawful access, loss, destruction or damage). Your personal data can only be accessed by those persons who actually need to process them for us to fulfil our specified purposes.
How can you contact us about data protection?
Please contact us if you have any queries about how we use your personal data or require other information on data protection. Our Data Protection Officer is Andreas Bertman, firstname.lastname@example.org, or by post, Sjötullsbacken 6-8, 115 25 Stockholm, Sweden.