For the purpose of the EU General Data Protection Regulation (“GDPR”) and complementary UK legislation, we are the data controller for any personal information gathered by this website or by other sources. Our registered address is 27 St. James’s Place, London, SW1A 1NR.
We do update this Policy from time to time so please do review this Policy regularly.
How we collect and use information
We may collect and process data about you for the following reasons:
Visitors to the website – if you visit the Spencer House website we, the third party that runs the website on our behalf, and a third-party analytics service, may collect information relating to your visit including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access. The analytics information is only processed in a way which does not identify anyone. We do not make, and do not allow the analytics service provider to make, any attempt to find out the identities of those visiting our website. Please also see our Terms and Conditions and our Cookies Disclaimer for further information about the use of the website.
Persons booking events at Spencer House – if you book an event at Spencer House then we will hold any personal data that is collected as part of the booking process, such as name, email address, telephone address and other contact details. We will process personal financial data if you make payments from a personal account (rather than a business account). If payment is taken using a personal credit or debit card, then Lloyds Bank, the provider of the card payment device, will also process your data. We may also receive personal data about you or your guests if you provide any in the context of the event. Should you provide us with personal data on individuals other than yourself, you confirm that you have their consent to do so. Correspondence and booking information in respect of your event will be retained for up to two years after your event for accounting purposes and to address any queries that arise following your event. After this time your personal data will be deleted, unless (i) it is required for a legal reason, or (ii) you have requested to receive information about future Spencer House events, in which case we will retain your contact information, which will be used only for this purpose.
Persons booking tours at Spencer House – if you book a tour at Spencer House then we will hold any personal data that is collected as part of the booking process, typically your name, but also including any other information that you provide such as email address, telephone number or other contact details. We will process personal financial data if you make payments using a personal debit or credit card (rather than a business card); if payment is made through the website, collection of this payment is taken via PayPal, who will also process your personal data; if payment is taken over the phone then Lloyds Bank, the provider of the card payment device, will also process your data. Debit and credit card details will be kept for 3 months after your tour for accounting purposes and to address any queries that may arise. Name and any other personal data is deleted shortly after your tour unless you have requested to receive future information about Spencer House, in which case we will retain your contact information, which will be used only for this purpose.
Persons making enquiries about Spencer House – if you contact us with an enquiry by filling in forms on our website or by emailing us, we will keep a record of that correspondence and the personal contact details that you provide with your query, for two years. If you contact us through completing a form on our website, you will be asked whether you would like to opt-in to our mailing list for information about future events. If you do not opt-in, we will only use your data in order to respond to your query. If you do opt-in, or if you ask in email correspondence to be added to our mailing list, from time-to-time we may also use your contact information to send you information about future events at Spencer House.
If your enquiry relates to the collections at Spencer House, your correspondence will be directed to and answered by our curator, The Rothschild Foundation, rather than by Spencer House Limited. The Rothschild Foundation will keep a record of that correspondence and the personal contact details that you provide with your query.
Visitors to our buildings – in order to protect the security of our buildings, staff, tenants and visitors, it is in our legitimate interest to record security footage within our buildings and in the direct surroundings of our buildings. CCTV security footage is deleted after 30 days and is only shared with third parties if a lawful request is made by a legitimate body, for example by the Metropolitan Police, Counter Terrorism Unit or London Fire Brigade.
People we do business with – we hold personal data in respect of persons with whom we have business relationships, or potential business relationships. This data is typically limited to basic personal information such as name, email address, telephone number, as well as details related to the nature of the business relationship. Information is processed in accordance with any contractual agreement in place or in the legitimate interests of our business activities.
Lawful basis for processing
Under the GDPR there must be a lawful basis for processing your personal data. As outlined above, we will only do so for the purpose of running our business, to provide information to you that you request from us relating to our products or services, to fulfil contractual obligations, or to provide information to interested parties making reasonable enquiries. In terms of the GDPR, we will be processing either on the lawful basis of fulfilling a contractual obligation, or the lawful basis of being in the legitimate interests of our business or customers. Finally, we may process on the lawful basis of fulfilling a legal obligation if this is applicable.
We also process your personal data on the lawful basis of consent where you have opted to receive information about future events at Spencer House. You may withdraw this consent at any time by unsubscribing from our mailing list as described above. We do not ever sell or pass personal data to third parties for marketing purposes.
Finally, we also rely on the lawful basis of consent if you apply for a job at Spencer House and agree for us to retain your details for potential future positions.
We never give your details to third parties to use your data to enable them to provide you with information regarding unrelated goods or services.
Who we do share information with
We will only share your personal data with other third parties where it is necessary for the purposes outlined above and in accordance with the relevant lawful basis for processing. Examples of the third parties that may process personal data on our behalf are: suppliers that you agree will be part of your event at Spencer House, our professional advisers, our auditors, the companies that help us administer this website and any payment taken on it, organisations that provide other services that are required in the provision of our services to you. Third parties that process data on our behalf are also subject to all of the requirements of the GDPR and owe us a contractual obligation to only use your personal data for the applicable purpose and to keep your data secure.
We may also disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
Finally, in the event that we sell or buy any business or assets, we may disclose personal data to the prospective seller or buyer of such business or assets. If we are acquired by a third party, personal data will be one of the transferred assets.
How information is kept secure
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect personal data in our possession, we cannot guarantee the security of data when being transmitted; any transmission of your personal data to us at our site or via email or other transmission method is at your own risk.
Transfers of data outside of the EEA
Personal data that we collect from you will only be transferred to or stored at a destination outside the European Economic Area (“EEA”) or processed by staff operating outside the EEA who work for us or for one of our suppliers if the organisation or country has data protection measures that have been deemed equivalent to those in the EEA or if we have put adequate safeguards in place to ensure equivalent treatment of your personal data. By submitting your personal data, you agree to this transfer, storing or processing for the purpose indicated, provided one of the conditions above is met.
Your individual rights
The GDPR gives you rights in respect of your personal data. For more information about your rights please see.
We would draw your attention to the following procedures that we have in place in respect of your rights:
Right to access – you may request that we provide you with confirmation on whether we are processing your data and, if applicable, a copy of your personal data (not personal data in respect of any other individual) and other relevant processing information such as that provided in this privacy notice. To make a request, please email the contact address provided below. There will be no charge for requests that are reasonably made. We will aim to respond to you in writing within one month.
Right to rectification – if personal data that we hold on you is incorrect, please email the contact address below, and we will update our records (or let you know if we believe our records are accurate, if appropriate).
Right to erasure – you may request that personal data that we hold on you be deleted, however, we are only obliged to erase your data if we no longer have a lawful basis for processing it. Please email the contact address below providing the reason for your request and sufficient detail to accurately identify your records, and we will write to you to let you know the action we have taken.
Right to object – you may object to the processing of your personal data. You must give specific reasons for your objection and we are not obliged to comply with your request if we have a compelling reason to continue processing your personal data in accordance with a lawful basis. Please email the contact address below and we will write to you to let you know the action we have taken. If we do not agree with your objection we will explain why and, if you wish, how you may raise a complaint with the Information Commissioner’s Office.