Privacy policy
The Fundación Colección Thyssen-Bornemisza, F.S.P., with Tax Identification Number, G-79015251, is a cultural non-profit entity, owner of the Museo Nacional Thyssen-Bornemisza in Madrid (“Museum”), located in Paseo del Prado no. 8, with the purpose of, among others, managing the Museum and the conservation and dissemination of the works of art housed in its Museum. The Foundation has placed special emphasis on disseminating its collections, with programs aimed at engaging audiences of all kinds in its cultural project.
This objective continues in force as well as the goal of satisfying visitors’ demand and achieving a streamlined administration, striving to maximize revenue generation and control the expenditure necessary for implementing an intensive cultural programme and guaranteeing the upkeep of the rooms, the maintenance of the facilities and the level of services.
We are committed to remaining a benchmark in the Spanish cultural world through transparent and efficient management. In turn, another of our main commitments concerns the protection of the information we manage, and in particular the personal data we handle, both the data provided by our visitors and by the Museum’s collaborators.
This management extends to compliance with current legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/CE (the “GDPR”), and thus, through this data protection policy we inform you about the way we collect and process the data.
This Privacy Policy establishes the bases on which the Fundación Colección Thyssen-Bornemisza, F.S.P. processes the personal data you provide, either through the Foundation's websites (www.museothyssen.org , www.educathyssen.org, entradas.museothyssen.org and tienda.museothyssen.org - the "Websites") or by any other means, either digital or analogue.
We remind you that whenever you use the Websites and submit any type of information, such as your name, email, billing or shipping address, telephone number, type of device or debit or credit card number, etc. (the "Personal Data") either to browse the Websites, to purchase our products or make use of the services or features accessed through the Websites, this Privacy Policy applies, along with The Terms of Use of each Website, which we invite you to read to verify that you agree to them.
The terms of use of the Websites can be found at the following addresses:
- www.museothyssen.org: Legal Terms
- www.educathyssen.org: Legal Terms
- Tienda.museothyssen.org: https://tienda.museothyssen.org/en/legal
- Entradas.museothyssen.org:General Terms and Conditions of use PDF
1. Our privacy commitment
- We respect our users’ privacy and their choices.
- We ensure that privacy and security are an integral part of all the activities carried out by the Museum.
- We do not send commercial or marketing communications unless you authorise us to do so. In this case, and if you want us to stop sending you these communications, you can object at any time to the processing of your personal data for that purpose.
- We do not assign your data to third parties.
- We agree to keep your data safe and secure, which means that we only collaborate with suppliers who comply with the data protection legislation in force.
- On our website www.museothyssen.org you can find our transparency portal for further queries you may have.
- We do not use your data for purposes other than those we have informed you about.
- We respect your rights and always try to accommodate your requests in accordance with our own legal duties.
For more information about our privacy practices, below we establish what types of personal information we can collect, how we use it, with whom we can share it, how we protect it, and how you can exercise your rights with respect to that data.
We suggest that you please read this information carefully. If you have any questions or concerns about your personal information, contact us at @email.
2. Data controller
The data controller defined in the Foundation’s Processing Activities Record is Fundación Colección Thyssen-Bornemisza, F.S.P. domiciled at Paseo del Prado 8, 28014 Madrid.
The Foundation is not obliged to appoint a Data Protection Officer.
3. Collection of personal data and purposes of processing
We remind you that before using any of the services offered by the Foundation, you must read this Policy carefully.
Failure to provide certain information when it is marked as required, may imply that we cannot process your user registration or impede the use of certain features or services available through the Websites.
You guarantee that the Personal Data you provide to the Foundation is true and accurate and agree to notify any change or modification of that data. You will be solely liable for any loss or damage caused to the Websites, to the Data Controller or to any third party through the communication of erroneous, inaccurate or incomplete information in the registration forms.
3.1 What data are collected?
One of the Foundation's main objectives is to ensure visitor satisfaction, keep the relationship with its collaborators and make sure they feel protected when they provide their data to operate with the Foundation. To this end, there are several ways to share your personal data with the Foundation.
The tables shown at the end of this section contain a summary of the following aspects related to the different personal data processing tasks that the Foundation carries out depending on the purpose for which you have provided the data:
- Processing activity and the purpose for which the data have been collected.
- Who are the data subjects of the collected data.
- Categories of data collected, including identifying data, professional contact data, academic data and financial data, among others.
- Lawfulness of processing. I.e., the legal grounds for collecting the data, such as contractual performance, consent of the data subject or a legal obligation.
- The recipients, i.e., people or entities to which the Foundation will communicate the personal data.
- Whether international transfers of data to other countries are contemplated.
- The period during which the data will be processed and after which the Foundation will proceed to its erasure. Storage periods are established based on the varying legal obligations imposed by legislation depending on the purpose of the processing.
3.2 Additional information for users on the different data processing tasks carried out by the Foundation
Additional information on the different data processing tasks carried out by the Foundation is shown below.
3.2.1 Friends of the Museum
| Activity: | Friends of the Museum |
|---|---|
| Purpose: | Managing the Friends of the Museum program, making requests for donations and sponsorship for the FOUNDATION’s purposes and informing about the Museum’s activities. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects directly or through their authorised representative, through the Friends of the Museum program Registration Form. |
| Categories of data: | Name and surnames, Phone, Address, Tax Identification Number, Email, date of birth and account number. |
| Legal grounds: | The legal basis for processing the data from contracts signed by the FOUNDATION and the data subject is found in section 6.1.b) of the GDPR, i.e., the performance of a contract. You must provide your personal information to the FOUNDATION for the correct performance of the contract. Otherwise, you cannot join the Friends of the Museum program. |
| Recipients of shared or transferred data: | The data will be communicated to Google LLC, domiciled in the USA, in its capacity as Data Processor, providing information society services to the FOUNDATION (in particular, the GSuite - Google Cloud service). That entity adheres to the "Privacy Shield" agreement between the US and the European Union. You can find more information by clicking on the name of this organization. The data will be communicated to Ipdea Land, S.L. in its capacity as Data Processor, which provides the "Teenvio" service to the FOUNDATION for sending emails to third parties. The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The data will be kept as long as it is necessary for the provision of the services requested and during the legally required term to determine potential liabilities derived from the service provided. |
3.2.2 Online ticket sales
| Activity: | Online ticket sales |
|---|---|
| Purpose: | Managing the online purchase of tickets on the website entradas.museothyssen.org. We inform you that your data will be used by the FOUNDATION to create profiles for purely statistical purposes on the public visiting the Museum and its shop. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects, directly or through their authorised representative, through the customer registration form and/or purchase confirmation form. |
| Categories of data: | Name and surnames, Phone, Address, Tax Identification Number and Email. |
| Legal grounds: | The legal basis for processing the data from contracts signed by the FOUNDATION and the data subject is found in section 6.1.b) of the GDPR, i.e., the performance of a contract. You must provide your personal data to the FOUNDATION for the correct performance of the ticket sales contract. Otherwise, the FOUNDATION will not be able to provide the online ticket sales service to you. |
| Recipients of shared or transferred data: | The data will be communicated to the Data Processor companies, currently TIQUETEO SPAIN, S.L., which provides ticketing services to the FOUNDATION. The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The data will be kept as long as it is necessary for the provision of the services requested and during the legally required term to determine potential liabilities derived from the service provided. |
3.2.3 Online sale of products
| Activity: | Online sale of products |
|---|---|
| Purpose: | Managing the online purchase of products and print on demand on the website tienda.museothyssen.org and customer service arising from such transaction. The FOUNDATION will use your data to develop profiles of data subjects in order to inform them about offers, discounts, activities or products of the FOUNDATION similar to those in which the data subject has previously shown interest. The data subject has the right to object this processing at any time, by sending an email to rgpd@museothyssen.org as detailed in the "Rights" section. In addition, the FOUNDATION will use your data for statistical purposes regarding the public that visits the Museum shop. |
| Source of data: | The FOUNDATION obtains the personal data of the data subject, through themselves or their authorized representative, by means of the Form of sale of products online. |
| Categories of data: | Name, surname, telephone, address, ID card or tax identification number, email. |
| Legal grounds: | The legal basis for processing the data from contracts signed by the FOUNDATION and the data subject is found in section 6.1.b) of the GDPR, i.e., the performance of a contract. You must provide your personal data to the FOUNDATION for the correct performance of the online product sales contract. Otherwise, the FOUNDATION will not be able to provide the online product sales service to you. |
| Recipients of shared or transferred data: | The data will be communicated to the Data Processor companies, currently La Museoteca, S.L., which provides custom printing services to the FOUNDATION, and companies that provide transport and logistics services, in general, FEDEX SPAIN, S.L. and G.M.S., S.L. The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The data will be kept as long as it is necessary for the provision of the services requested and during the legally required term to determine potential liabilities derived from the service provided. |
3.2.4 Register as a user in the online shop.
| Activity: | Register as a user in the online shop. |
|---|---|
| Purpose: | Managing the user's access to the website of the FOUNDATION's online shop. The FOUNDATION will use the data to create profiles of data subjects in order to inform them about FOUNDATION offers, discounts, activities and products similar to those in which they have previously shown an interest. The data subject has the right to object at any time to this processing, by sending an email to rgpd@museothyssen.org as detailed in the section "Rights". |
| Source of data: | The FOUNDATION obtains the personal data of the data subjects through their registration in the different forms available on the Website of the FOUNDATION Shop. |
| Categories of data: | Name, surname, email, address, telephone. |
| Legal grounds: | The legal basis for the processing of personal data is based on the consent of the data subject, according to article 6.1.a) of the RGPD. |
| Recipients of shared or transferred data: | The FOUNDATION will not transfer your data to any third party, except under legal obligation. |
| Storage period: | The processing of data will continue until the user requests the deletion of the account. |
3.2.5 Contact form and cancellation of orders from the online shop for products and publications.
| Activity: | Contact with the Museum’s store and technical support. |
|---|---|
| Purpose: | Managing any incident, request for information, cancellation of an order or any need for contact that has the data subject relating to the operation of the Museum’s online shop. No profiles of the data subject will be elaborated and no automated decisions will be taken based on this profile. |
| Source of data: | The FOUNDATION obtains the personal data of the data subject, through themselves or their authorized representative, by means of the Online Store Contact Form and/or the Help and Support form. |
| Categories of data: | Name, telephone and email. |
| Legal grounds: | The legal basis for the processing of personal data of the data subject by the FOUNDATION is found in article 6.1.a) of the RGPD, that is, the consent of the data subject. |
| Recipients of shared and transferred data: | The data will be communicated to the company in charge of the online customer and user service management platform, currently Freshworks Inc., which provides the FOUNDATION with the "Freshdesk" service for managing incidents, requests and other communications with users and customers of the Museum's online shop. The FOUNDATION will not transfer the data to any third party, except under legal obligation. |
| Storage period: | The FOUNDATION will store the data for one year from the time of the consultation, to be able to follow-up the request. |
3.2.6 Subscription to e-mails from the online shop for products and publications.
| Activity: | Information and promotion of the activities of the Museum shop. |
|---|---|
| Purpose: | To inform about the Museum's shop, its activities, products, offers, promotional and marketing activities. The FOUNDATION will use the data to create profiles of data subject in order to inform them about offers, discounts, activities or products of the FOUNDATION similar to those in which they have previously shown interest. The data subject has the right to object this processing at any time, by sending an email to rgpd@museothyssen.org as detailed in the "Rights" section. |
| Source of data: | The FOUNDATION obtains the personal data of the data subject by registering on the different forms available on the FOUNDATION's Websites or at the Museum's customer service points. |
| Categories of data: | Name, surname, email. |
| Legal grounds: | The legal basis for the processing of personal data of the data subject by the FOUNDATION is found in article 6.1.a) of the RGPD, that is, the consent of the data subject. |
| Recipients of shared and transferred data: | The data will be communicated to the Data Processors companies, currently Ipdea Land, S.L. which provides the FOUNDATION with the "Teenvío" service for sending e-mails to third parties. The FOUNDATION will not transfer its data to any other third party, except under a legal obligation. |
| Storage period: | The processing of data will continue until the request for removal by the data subject. |
3.2.7 Management of users of the website Museothyssen.org
| Activity: | Management of users of the website Museothyssen.org |
|---|---|
| Purpose: | Offering access to non-public content channels: press channel, tourism professionals channel and the Friends of the Museum channel called "Friends Area". No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects, directly or through their authorised representative, through the online user registration form of the website museothyssen.org |
| Categories of data: | Name and surnames, Phone, Address, Tax Identification Number and Email. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is found in section 6.1.a) of the GDPR, i.e., the consent of the data subject. |
| Recipients of shared or transferred data: | The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The processing of data will continue until the user requests the deletion of the account. |
3.2.8 Management of users of Educathyssen.org
| Activity: | Management of users of Educathyssen.org |
|---|---|
| Purpose: | Offering access to non-public content channels where users can participate in online projects and upload content and comments. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects, directly or through their authorised representative, through the online user registration form of the website educathyssen.org. |
| Categories of data: | Name and surnames, Phone, Address, Tax Identification Number and Email. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is found in section 6.1.b) of the GDPR, i.e., the performance of a contract. |
| Recipients of shared or transferred data: | The FOUNDATION will not transfer your data to any other third party unless legally required. For those actions carried out through Thinkific.com, international transfers of data will be made to Canada, the location of infraestructure supporting the platform. This transfer has been declared to have an adequate level of protection by the European Commission Decision 2002/2/EC of 20 December 2001. |
| Storage period: | The processing of data will continue until the user requests the deletion of the account. |
3.2.9 Online information request
| Activity: | Online information request |
|---|---|
| Purpose: | Processing requests for information about exhibitions, activities, corporate events, collaboration and sponsorship options, purchases of tickets and products. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects, directly or through their authorised representative, through the Information Request Forms and Help Forms of the FOUNDATION’s Websites. |
| Categories of data: | Name and surnames, email address, phone and, if applicable, name of the company the user belongs to. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is the FOUNDATION’s legitimate interest, provided for in section 6.1.f) of the GDPR. |
| Recipients of shared or transferred data: | The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The FOUNDATION will store the data for one year from the time of the consultation, to be able to follow-up the request. The processing of data will continue until the request for removal. |
3.2.10 Wi-Fi service
| Activity: | Wi-Fi service |
|---|---|
| Purpose: | Offering free Wi-Fi in the Museum’s rooms and other spaces. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data directly from the data subject via an internet login form when a user accesses internet through the free Wi-Fi of the FOUNDATION in the Museum. |
| Categories of data: | Email Address. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is the FOUNDATION’s legitimate interest, provided for in section 6.1.f) of the GDPR. |
| Recipients of shared or transferred data: | The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | 1 year |
3.2.11 Sending digital postcards
| Activity: | Sending digital postcards |
|---|---|
| Purpose: | Sending of digital postcards by visitors or users of the website to third parties. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data of the postcard's sender by means of the form provided to send digital postcards. The FOUNDATION does not incorporate the personal data of postcard senders in its databases. |
| Categories of data: | Name and surnames and email. |
| Legal grounds: | The legal basis for processing the data from contracts signed by the FOUNDATION and the data subject is found in section 6.1.b) of the GDPR, i.e., the performance of a contract. The sender of a digital postcard must provide their personal data to the FOUNDATION to allow the FOUNDATION to provide the service of sending digital postcards to a third party on their behalf, through the Websites of the FOUNDATION. |
| Recipients of shared or transferred data: | The FOUNDATION will not transfer your data to any third party unless legally required. |
| Storage period: | The data will be kept as long as it is necessary for the provision of the requested services. |
3.2.12 Crowdfunding
| Activity: | Crowdfunding |
|---|---|
| Purpose: | Participating in Crowdfunding campaigns promoted by the FOUNDATION to finance its own projects. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data directly from the data subject by means of a form provided to make the donations. |
| Categories of data: | Name and surnames, email, Tax Identification Number, or alternative identification document and address. |
| Legal grounds: | The legal basis for processing the data from contracts signed by the FOUNDATION and the data subject is found in section 6.1.b) of the GDPR, i.e., the performance of a contract. |
| Recipients of shared or transferred data: | The data will be communicated to the Data Processor company, currently Stockcrowd S.L., which provides services to the FOUNDATION to carry out crowdfunding campaigns. The FOUNDATION will not transfer your data to any third party unless legally required. |
| Storage period: | The data will be kept as long as it is necessary for the provision of the requested services. |
3.2.13 Recruitment processes
| Activity: | Recruitment processes |
|---|---|
| Purpose: | Managing candidates in public recruitment processes. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data directly from the data subjects through the channels provided to send CVs, or through their authorised legal representatives. |
| Categories of data: | Name and surnames, Phone, Address, Tax Identification Number, Photograph, Academic data, Professional data and other data included on the CV. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is the FOUNDATION’s legitimate interest, provided for in section 6.1.f) of the GDPR. |
| Recipients of shared or transferred data: | The FOUNDATION will not transfer your data to any third party unless legally required. |
| Storage period: | 1 year from receipt or until the selection process is completed, whichever is later. |
3.2.14 Media communications
| Activity: | Media communications |
|---|---|
| Purpose: | Informing interested media about the cultural activities organised by the FOUNDATION as well as sending invitations to exhibitions and events. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects themselves. |
| Categories of data: | Name and surnames, Telephone, Address, Email. Name of the media organisation to which the data subject belongs. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is the FOUNDATION’s legitimate interest, provided for in section 6.1.f) of the GDPR. |
| Recipients of shared or transferred data: | The data will be communicated to Ipdea Land, S.L. in its capacity as Data Processor, which provides the "Teenvio" service to the FOUNDATION for sending emails to third parties. The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The processing of data will continue until the request for removal by the data subject. |
3.2.15 Institutional communications
| Activity: | Institutional communication |
|---|---|
| Purpose: | Informing interested parties about the cultural activities organised by the FOUNDATION as well as sending invitations to exhibitions and events. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects themselves. |
| Categories of data: | Name and surnames, Telephone, Address, Tax Identification Number, Email and Occupation Position. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is the FOUNDATION’s legitimate interest, provided for in section 6.1.f) of the GDPR. |
| Recipients of shared or transferred data: | The data will be communicated to Ipdea Land, S.L. in its capacity as Data Processor, which provides the "Teenvio" service to the FOUNDATION for sending emails to third parties. The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The processing of data will continue until the request for removal by the data subject. |
3.2.16 Communication with professionals
| Activity: | Communication with professionals |
|---|---|
| Purpose: | Informing about the Museum’s activities, products and exhibitions for professionals, in the context of the contractual and pre-contractual relationships established with each professional. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects themselves. |
| Categories of data: | Name and surnames, Telephone, Address, Tax Identification Number, Email and Occupation Position. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is the FOUNDATION’s legitimate interest, provided for in section 6.1.f) of the GDPR. |
| Recipients of shared or transferred data: | The data will be communicated to Google LLC, domiciled in the USA, in its capacity as Data Processor, providing information society services to the FOUNDATION (in particular, the GSuite - Google Cloud service). That entity adheres to the "Privacy Shield" agreement between the US and the European Union. You can find more information by clicking on the name of this organization. The data will be communicated to Ipdea Land, S.L. in its capacity as Data Processor, which provides the "Teenvio" service to the FOUNDATION for sending emails to third parties. The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The processing of data will continue until the request for removal by the data subject. |
3.2.17 Sending commercial and promotional communications
| Activity: | Sending commercial and promotional communications |
|---|---|
| Purpose: | Informing about the Museum, its activities, products, exhibitions, promotional and marketing actions. The FOUNDATION will use the data to prepare profiles of the data subjects for the purpose of informing them about the FOUNDATION's activities and products similar to those they have previously expressed an interest in. |
| Source of data: | The FOUNDATION obtains the personal data from the data subjects through their registration in the different forms available on the FOUNDATION’S Websites or the Museum's customer service points. |
| Categories of data: | Name and surnames and Email. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is found in section 6.1.a) of the GDPR, i.e., the consent of the data subject. |
| Recipients of shared or transferred data: | The data will be communicated to Ipdea Land, S.L. in its capacity as Data Processor, which provides the "Teenvio" service to the FOUNDATION for sending emails to third parties. The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The processing of data will continue until the request for removal by the data subject. |
3.2.18 "Perspectivas" Newsletter
| Activity: | |
|---|---|
| Purpose: | Periodically informing about the Museum’s news, programme and promotional actions. No profiles will be prepared of the data subjects nor will automated decisions be taken based on such profiles. |
| Source of data: | The FOUNDATION obtains the personal data from the data subject through the “Perspectivas” subscription form. |
| Categories of data: | Name and surnames, Telephone, Address, Tax Identification Number and Email. |
| Legal grounds: | The legal basis for processing the data subject’s data by the FOUNDATION is found in section 6.1.a) of the GDPR, i.e., the consent of the data subject. |
| Recipients of shared or transferred data: | The data will be communicated to Ipdea Land, S.L. in its capacity as Data Processor, which provides the "Teenvio" service to the FOUNDATION for sending emails to third parties. The FOUNDATION will not transfer your data to any other third party unless legally required. |
| Storage period: | The processing of data will continue until the request for removal by the data subject. |
4. Your rights and options
The Foundation, in compliance with the GDPR and the Spanish Data Protection Act, makes it easy for its users to exercise the rights set forth in those regulations.
These rights are as follows:
- Right to information: Right to obtain clear, transparent and easy to understand information about how we use your personal data and about your rights.
- Right to access: Right to access the personal data we have about the Foundation’s users.
- Right to rectification: Right to have your personal data rectified when they are inaccurate or have ceased to be valid or to update any data that is incomplete.
- Right to erasure / right to be forgotten: Right to have your personal data erased or removed.
- Right to object: Right to object to the processing of the data or request the processing to cease when consent is not required for processing, on reasonable and justified grounds.
- Right to data portability: Right to transmit, copy or transfer data from our database to a different one. This right may only be exercised with respect to data that you have provided, when the processing is based on the performance of a contract or on your consent and the processing is carried out by automated means.
- Right to restriction of processing: Right to request the restriction of processing of your data.
Anyone has the right to obtain confirmation on whether, at the Foundation, we are processing personal data that concerns them, or not.
Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its erasure when, among other reasons, the data are no longer necessary for the purposes for which it was collected and in compliance with prevailing legislation.
In certain circumstances, data subjects may request the limitation of the processing of their data, in which case we will only keep the data for the exercise or defence of claims.
In certain circumstances, and for reasons related to their individual circumstances, data subjects may object to the processing of their data. The Foundation will stop processing the data, except where legitimate purposes prevail, or to exercise or defend against possible claims.
Likewise, the data subject has the right to receive the personal data submitted to the Foundation in a structured, commonly used and machine-readable format. This last right will be limited by the following exceptions: that the data covered by this right was provided by the data subject; that the Foundation processes the data by automated means (computerised processing).
5. Who can access the personal data?
Your personal data can be processed on our behalf by our trusted third-party providers (Data Processors). We sign contracts with them to carry out a variety of commercial operations on our behalf.
They are only furnished with the information they need to perform the service.
We always employ our best efforts to ensure that all third parties with whom we work maintain your personal data secure.
6. How long do we store personal data?
Only we store the Personal Data submitted for the periods established by legislation in order to meet users’ needs or to comply with legal obligations. In any case, the Foundation periodically reviews the data it handles in order to erase data that are no longer necessary for the purpose for which they was collected.
7. Security of personal data
The Foundation agrees to store your personal data in a secure manner, taking into account all the precautions established by the GDPR and the Law.
Contracts entered into with third party data processors include confidentiality clauses with regards to processing personal data.
In order to guarantee the security of the personal data, the Foundation follows the principles established by the National Security Plan (ENS- Esquema Nacional de Seguridad) regulated by Spanish Royal Decree 3/2010, of 8 January, establishing the security policy to be applied in the use of electronic media.
8. Links to third-party websites
The Foundation’s Websites and digital applications may contain links to and from the websites of our associated networks and sponsors. If you follow a link to any of these web pages, bear in mind that they have their own privacy policies and that the Foundation is not responsible for them or for any issues that may arise as a result of the use of third-party websites. Consult the privacy policies of each website before sending or publishing personal data.
9. Cookies
The Websites (www.museothyssen.org, www.educathyssen.org, tienda.museothyssen.org and entradas.museothyssen.org) collect information through the use of proprietary and third-party cookies and similar technologies (invisible pixels). Cookies are small text files that are automatically saved on your computer or mobile device when you visit a website. Cookies and invisible pixels are stored by your internet browser. They contain basic information about your internet usage. Your browser forwards these cookies to the Websites each time you visit them so that your computer or mobile device is recognised and to customise and improve your browsing experience.
You can consult the cookies policy of each Website at the following addresses:
- www.museothyssen.org and tienda.museothyssen.org: Cookies
- www.educathyssen.org: Cookies
- Entradas.museothyssen.org: Política de cookies en PDF
10. Social networks and user-generated content
Some of the Foundation's Websites and digital applications allow users to upload their own content. Remember that any content sent to one of our platforms could be visible publicly, and therefore, you must take precautions when providing certain personal information (for example, photographs, financial information or your address details). The Foundation will not be held liable for any publication that contains personal data and uploaded to our Websites or third-party social networks, using the “share” or “comment” features of those sites.
11. Contact
For any questions or queries about the processing and use of your data or the exercise of your lawful rights, please contact rgpd@museothyssen.org.