Privacy policy

The Fundación Colección Thyssen-Bornemisza, F.S.P., with Tax Identification Number, G-79015251, is a cultural non-profit entity, owner of the Museo Nacional Thyssen-Bornemisza in Madrid (“Museum”), located in Paseo del Prado no. 8, with the purpose of, among others, managing the Museum and the conservation and dissemination of the works of art housed in its Museum. The Foundation has placed special emphasis on disseminating its collections, with programs aimed at engaging audiences of all kinds in its cultural project.

This objective continues in force as well as the goal of satisfying visitors’ demand and achieving a streamlined administration, striving to maximize revenue generation and control the expenditure necessary for implementing an intensive cultural programme and guaranteeing the upkeep of the rooms, the maintenance of the facilities and the level of services.

We are committed to remaining a benchmark in the Spanish cultural world through transparent and efficient management. In turn, another of our main commitments concerns the protection of the information we manage, and in particular the personal data we handle, both the data provided by our visitors and by the Museum’s collaborators.

This management extends to compliance with current legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/CE (the “GDPR”), and thus, through this data protection policy we inform you about the way we collect and process the data.

This Privacy Policy establishes the bases on which the Fundación Colección Thyssen-Bornemisza, F.S.P. processes the personal data you provide, either through the Foundation's websites (www.museothyssen.org , www.educathyssen.org, entradas.museothyssen.org and tienda.museothyssen.org - the "Websites") or by any other means, either digital or analogue.

We remind you that whenever you use the Websites and submit any type of information, such as your name, email, billing or shipping address, telephone number, type of device or debit or credit card number, etc. (the "Personal Data") either to browse the Websites, to purchase our products or make use of the services or features accessed through the Websites, this Privacy Policy applies, along with The Terms of Use of each Website, which we invite you to read to verify that you agree to them.

The terms of use of the Websites can be found at the following addresses:

• www.museothyssen.org: Legal Terms
• www.educathyssen.org: Legal Terms
• Tienda.museothyssen.org: https://tienda.museothyssen.org/en/legal
• Entradas.museothyssen.org:General Terms and Conditions of use PDF

1. Our privacy commitment

• We respect our users’ privacy and their choices.
• We ensure that privacy and security are an integral part of all the activities carried out by the Museum.
• We do not send commercial or marketing communications unless you authorise us to do so. In this case, and if you want us to stop sending you these communications, you can object at any time to the processing of your personal data for that purpose.
• We do not assign your data to third parties.
• We agree to keep your data safe and secure, which means that we only collaborate with suppliers who comply with the data protection legislation in force.
• On our website www.museothyssen.org you can find our transparency portal for further queries you may have.
• We do not use your data for purposes other than those we have informed you about.
• We respect your rights and always try to accommodate your requests in accordance with our own legal duties.

For more information about our privacy practices, below we establish what types of personal information we can collect, how we use it, with whom we can share it, how we protect it, and how you can exercise your rights with respect to that data.

We suggest that you please read this information carefully. If you have any questions or concerns about your personal information, contact us at @email.

2. Data controller

The data controller defined in the Foundation’s Processing Activities Record is Fundación Colección Thyssen-Bornemisza, F.S.P. domiciled at Paseo del Prado 8, 28014 Madrid.

The Foundation is not obliged to appoint a Data Protection Officer.

3. Your rights and options 

The Foundation, in compliance with the RGPD and the Law on the Protection of Personal Data, makes it easier for users to exercise the rights set out in the respective regulations mentioned. These rights are as follows: 

• Right to information: Right to obtain clear, transparent and easy to understand information about how we use their personal data and about their rights. 
• Right of access: the right to access the personal data we hold about users of the Foundation. 
• Right of rectification: The right to have your personal data rectified where it is inaccurate or no longer valid or to have it completed where it is incomplete. 
• Right to erasure / right to be forgotten: the right to have your personal data erased or deleted. 
• Right to object: the right not to have the processing carried out or to have the processing cease when your consent to the processing is not necessary for a legitimate and well-founded reason. 
• Right to portability: the right to move, copy or transfer data from our database to another database. It is only possible to exercise this right with respect to data you have provided, where the processing is based on the performance of a contract or on your consent and the processing is carried out by automated means. 
• Right to restrict processing: The right to request the restriction of the processing of your data. 

Any person has the right to obtain confirmation as to whether or not the Foundation is processing personal data concerning them. 

Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the fulfilment of the purposes for which it was collected and in compliance with current legislation. 

In certain circumstances, data subjects may request the limitation of the processing of their data, in which case they will only be kept for the exercise or defence of claims. 

In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. The Foundation will cease to process the data, except for compelling legitimate reasons or for the exercise or defence of possible claims. 

The data subject also has the right to receive the personal data he or she has provided to the Foundation in a structured, commonly used and machine-readable format. This last right shall be limited by the following exceptions: the data to which this right applies must have been provided by the data subject; the data must be processed by the Foundation by automated means (computerised means). 

4. Who can access personal data? 

Your personal data may be processed on our behalf by our trusted third party suppliers. We contract with them to perform a variety of business operations on our behalf. They are only provided with the information they need to perform the service. We always do our best to ensure that all third parties we work with maintain the security of your personal data. 

5. How long do we keep Personal Data? 

We only keep the Personal Data provided for the period of time required by law in order to meet the needs of users or to comply with legal obligations. In any case, the Foundation periodically reviews the data it processes in order to delete them when they are no longer necessary for the purpose for which they were collected. 

6. Security of personal data 

The Foundation undertakes to store your personal data securely, taking into account all the precautions established by the RGPD and the Law. Contracting with third parties that handle personal data requires the signing of confidentiality clauses when processing such data. In order to guarantee the security of personal data, the Foundation follows the principles established by the National Security Scheme (ENS), regulated by Royal Decree 3/2010, of 8 January, which determines the security policy to be applied in the use of electronic media.

7. Links to third party websites 

The Foundation's Websites and digital applications may contain links to and from the websites of our partner networks and sponsors. If you follow a link to any of these websites, please note that they have their own privacy policies and that the Foundation is not responsible for these policies or any issues that may arise as a result of your use of third party websites. Please check the policies of each website before submitting or posting personal data. 

8. Cookies 

The Foundation's websites (www.museothyssen.org, www.educathyssen.org, tienda.museothyssen.org and entradas.museothyssen.org) collect information through the use of cookies and other similar technologies (invisible pixels), both its own and those of third parties. Cookies are small text files that are automatically stored on your computer or mobile device when you visit a site. Cookies and web beacons are stored in your web browser. Cookies contain basic information about your internet usage. Your browser sends these cookies back to the Websites each time you visit so that your computer or mobile device is recognised to personalise and enhance your browsing experience.You can view the Websites' cookie policy at the following addresses: 

• www.museothyssen.org y tienda.museothyssen.org: Cookies

• www.educathyssen.org: Cookies (in Spanish)

• Entradas.museothyssen.org: Política de Cookies (in Spanish)

9. Social networks and user-generated content

Some of the Foundation's Websites and digital applications allow users to upload their own content. Remember that any content sent to one of our platforms could be visible publicly, and therefore, you must take precautions when providing certain personal information (for example, photographs, financial information or your address details). The Foundation will not be held liable for any publication that contains personal data and uploaded to our Websites or third-party social networks, using the “share” or “comment” features of those sites.

10. Contact

For any questions or queries about the processing and use of your data or the exercise of your lawful rights, please contact @email.