Wiseman Fine Art Ltd Privacy Policy

Introduction

Wiseman Fine Art Ltd (Trading as Sarah Wiseman Gallery, website name www.wisegal.com) are committed to protecting and respecting your privacy and personal data. We ask your consent to store it (you can withdraw this consent at any time). We store it securely. We process it fairly and lawfully. We never share it with anyone. We will delete it if you ask us to. We won't contact you if you ask us not to.

This Privacy Policy sets out how Wiseman Fine Art Ltd collect, use and process your personal data both when you use this website and elsewhere. This policy is compliant with the General Data Protection Regulation (GDPR)

Our Date Promise: Last updated 22/10/21

Wiseman Fine Art Ltd may update this Privacy Policy from time to time by amending this web page. Please check this page regularly for changes to this Privacy Policy. If we make any material changes to this Privacy Policy we will notify you before they take effect. Any such material changes will only apply to personal data collected after the revised Privacy Policy took effect.

If you have any queries regarding this policy and / or your data privacy, please contact us using any of the following:

Email: info@wisegal.com
Phone: 01865 515123

Address: Wiseman Fine Art Ltd, T/A Sarah Wiseman Gallery (website www.wisegal.com), 40/41 South Parade, Summertown, Oxford, OX2 7JL

Contents

  •  Who we are?

  •  What is 'personal data'?

  •  How do we collect personal data?

  •  What type of personal data is collected and processed?

  •  What are our lawful bases for processing personal data?

  •  How do we use personal data?

  •  How long do we keep personal data?

  •  What will we not do with personal data

  •  How secure is personal data that we process?

  •  What are your rights in relation to your personal data?

  •  How we use cookies

  •  Links to other websites

Who are we?

Data Controller: Wiseman Fine Art Ltd, trading as Sarah Wiseman Gallery (website name www.wisegal.com). Registered Limited Company in England and Wales registration no. 3511154,VATno. 68580310, the registered address is: 40/41 South Parade, Summertown, Oxford, OX2 7JL

What is 'personal data?

The GDPR applies to 'personal data', meaning any information relating to an identifiable person who can be directly or indirectly identified from that information.

How do we collect personal data?

We collect personal data about you if you use our website, if you contact us about products and services, via the website or in person at the gallery or at events, if you're a customer or supplier, or if you register to receive our newsletter.

What type of personal data is collected and processed?

We collect and process the following personal data:

Name

Contact information including email address

Information you give us. You may provide us with personal information about you by

completing the request forms on our website or by corresponding with us by phone,

e-mail or otherwise.

You may also provide us with information when you search for a particular service,

order a service or product on our website, contact us via the website or report a

problem with our website

What are our lawful bases for processing personal data?

The GDPR demands that we have a valid lawful basis to process personal data. There are six available legal bases for processing. We rely on at least one of the following legal bases when we collect personal data in the ways described above:

  •  Your consent, which is explicitly given and can be easily withdrawn

  •  A legitimate interest, ours and / or yours. If you ask us for information, it is in your

    legitimate interest that we process your personal data. If we have a contractual relationship with you, it is in both our legitimate interests that we process your personal data to fulfil our contractual obligations.

    How do we use personal data?

    Wiseman Fine Art Ltd use personal data for the following reasons:

  •  To respond to explicit requests about our products and services

  •  To improve our products and services

  •  To manage our employees, suppliers, clients, contractors, prospects and contacts

  •  To maintain our own accounts and records

  •  To inform you of Sarah Wiseman Gallery news, events, activities and services.

How long do we keep personal data?

We keep personal data so long as we have consent to keep it or a legitimate interest in keeping it.

What will we not do with personal data?

 We will not sell, share, distribute or lease your personal data with third parties unless we have your permission or we are required by law to share it.

How secure is the personal data we process?

Wiseman Fine Art Ltd is committed to ensuring that personal data is secure. Personal data is treated as strictly confidential.

To prevent unauthorised access or disclosure, we have put in place suitable physical, technical and managerial procedures to safeguard and secure personal data.

Any information you give us relating to debit/credit card details is handled by a PCI DSS compliant third party and encrypted using secure server technology. We do not hold any debit/credit card information on a server.

 

The gallery uses www.constantcontact.com to manage our email newsletter, by subscribing to our newsletter you are permitting us to transfer your details to Constant Contact. You can read their privacy statement here: https://www.constantcontact.com/uk/legal/privacy-statement

You can unsubscribe at any time by clicking the link in the newsletter.

 

At Wiseman Fine Art Ltd we have been assured by all our suppliers that they are compliant with the new GDPR law. We have to take their statements on trust that they have taken the necessary precautions to be compliant with the law within their own business. We will review all of these policies and statements on a regular basis

 

If you place an order with us your information may be processed by our staff or by the staff of our suppliers to the extent necessary to fulfil your order. By submitting your personal information to us, you agree to the transfer of your personal information, its storage and processing.

 

The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us via the website or email; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

 

CCTV - in the gallery we use a closed CCTV system for security, this system cannot be accessed via the internet. The system is vital for the security of art works and staff. The images on the system are stored for three weeks. The system is regularly maintained by a security company. Only the gallery director, members of the police or insurance company officials have access to this information. The information is only accessed if there has been an incident in the gallery. Access to the information is occasionally applied for by the Police if an incident occurs and the footage is thought to be relevant or in the public interest.

 

What are your rights in relation to your personal data?

The GDPR gives individuals the following rights in relation to their personal data:

The right to be informed about the collector, collection, and processing of your personal data (which is what we are doing in this Privacy Policy)

  •  The right to access their personal data, i.e. you can ask us for a copy of your personal data. We must respond to such requests within one month

  •  The right to rectification, i.e. you can ask us to amend your personal data if it is inaccurate or out of date. We must respond to such requests within one month

  •  The right to request that your personal data is erased where there is no compelling reason for its continued processing

  •  The right to request that we restrict processing of your personal data if you contest its accuracy or the legitimacy of its processing

  •  The right to data portability, i.e. the right to request that we provide you with your personal data in a structured, commonly used and machine-readable format

  •  The right to object to the processing of personal data for legitimate interests, the performance of a task in the public interest / exercise of official authority, direct marketing, and / or scientific or historical research and statistics

  •  The right to escalate any data privacy complaints to the Information Commissioners' Office.

Data Protection Complaints Policy

1.            Purpose

This policy explains how Wiseman Fine Art Ltd Trading as Sarah Wiseman Gallery handles data protection complaints fairly, promptly, and in line with UK data protection law, including the internal complaints process requirements introduced by the Data (Use and Access) Act 2025 and set out in DPA 2018, s.164A.

2.            Scope

This policy applies where an individual complains that we have infringed data protection law in connection with their personal data (or personal data of someone they are authorised to act for).

It covers complaints received from customers, staff, suppliers, website users, and any other individuals whose personal data we process. The duty to operate a complaints process applies broadly and the Information Commissioner’s Office (ICO) states there are no exemptions.

Personal data (or personal information) means information that identifies or relates to an individual.

The ICO is the UK’s independent regulator for data protection and privacy. It provides guidance to organisations, investigates complaints, and has legal powers to take enforcement action where organisations do not comply with data protection law.

3.            What is a “data protection complaint”?

A data protection complaint is any expression of dissatisfaction where the person considers we have breached data protection legislation in how we handled their personal information, and they do not need to use legal terms or cite legislation.

Examples include complaints about:

             how we responded to a subject access request (SAR) (a request for a copy of personal information we hold about the individual) or other rights request;

             security measures used to protect personal data (including concerns following a breach, whether or not reportable to the ICO);

             how we collected, used, stored, retained, or kept personal data accurate.

4.            What is not a data protection complaint?

Sometimes people complain about service or other issues while also exercising data protection rights; the ICO explains that this doesn’t count as a data protection complaint (for example, an employee grievance combined with a request for copies of personal data, or a customer service complaint combined with a deletion request).

Where a complaint raises both data protection issues and other concerns (such as service or employment matters), we will treat it as a “mixed complaint”. We will handle the data protection aspects under this policy and ensure they are identified, recorded, and responded to separately and alongside any non-data protection issues.

If it is unclear whether the person intends to raise a data protection complaint, we will ask them to clarify.

5.            How people can complain to us

We provide clear routes for individuals to complain directly to us, and we will accept complaints however they are received.

Preferred contact details: Sarah Wiseman

Email:  sarahjane@wisegal.com

Post:  40-41 South Parade Oxford OX2 7JL

Telephone:  01865 515123

We may invite use of the preferred routes above, but people can complain via any channel (including to any staff member, or via social media if we have an online presence), and we must accept the complaint regardless.

Where a complaint comes in via social media, we will request an alternative contact method because social media is generally not a secure way to exchange personal information.

6.            Our legal duties

We will facilitate the making of complaints, by providing a complaint form, that can be requested

from sarahjane@wisegal.com

When we receive a data protection complaint, we will:

6.1.        Acknowledge receipt within 30 days (the 30 days run from when the complaint is received).

6.2.        Without undue delay - take appropriate steps to respond (including making appropriate enquiries and keeping the complainant informed of progress).

6.3.        Without undue delay - inform the complainant of the outcome.

7.            Making people aware of their right to complain

We will tell people that they can complain to us (and that they can also complain to the ICO) at the point we collect their personal information, for example in our privacy notice, using clear and plain language.

We will also include information about this right when we respond to a subject access request.

8.            Identity and authority checks

We will verify identity where necessary. If we have doubts about the complainant’s identity, we may ask for proof of ID and we will do this as early as possible; if we already have enough information to confirm identity, we will not request more.

If someone complains on behalf of another person, we must check they are authorised to act for that person (for example, by a signed letter of authority or appropriate power of attorney). If we do not have evidence of authority, we will not investigate until we receive it.

9.            Our process (step-by-step)

9.1.        Logging and triage (Day 0 onward)

We will log the complaint on receipt, record the channel it came through, and route it promptly to Sarah Wiseman. The duty to investigate begins when the complaint is received, not after the acknowledgement is sent.

We will check whether it is a data protection complaint (see section 3) and, if unclear, we will ask the individual to clarify their intent.

9.2.        Acknowledgement (within 30 days)

We will acknowledge the complaint within 30 days. The acknowledgement will confirm receipt, that we will look into it, and the next steps. The 30 days start the day after receipt, including weekends/bank holidays, and if the last day falls on a weekend or public holiday the deadline moves to the next working day.

We will make operational arrangements to ensure acknowledgements are sent even during staff absence.

9.3.        Investigation (without undue delay)

We will investigate without undue delay (meaning as soon as reasonably possible, and without unnecessary delay). What is “undue” depends on the circumstances, and factors such as complexity, scale, and any harm caused by any delay.

In most cases, we aim to provide a substantive response within one month, although complex complaints may take longer.

Our investigation will be proportionate and may include reviewing relevant records, speaking to staff, comparing the complaint with the data we hold, and checking compliance with our own policies and standards.

If we need more information to understand the complaint, we will ask as soon as possible. We may also ask what outcome the individual is seeking to help resolve matters efficiently.

9.4.        Keeping the complainant informed (without undue delay)

We will keep the complainant updated about progress without undue delay, including timeframes, and where there are delays, the reason for these will be explained.

9.5.        Outcome (without undue delay)

Once we have finished our investigation, we will inform the complainant of the outcome without an unjustifiable or excessive delay.

Our response will clearly explain what we did, what we found, and (where appropriate) what we changed or corrected. If we consider we complied with data protection law, we will explain why and provide enough detail to help the complainant understand how we reached that view; the ICO suggests itemising complaint points and responding to each.

If the complaint is upheld, we may (as appropriate) correct data, amend processes, provide training, or take other remedial steps.

10.          Review/escalation within the organisation

If the complainant remains unhappy, we may offer a review by a different decision-maker or a senior member of staff, where practical. The ICO indicates organisations could consider having a review process, but people can complain to the ICO at any point and do not have to wait for an internal review.

11.          How to complain to the ICO

Individuals can complain to the ICO at any time. The ICO will, in most cases, ask individuals to raise their complaint with the organisation first, but the ICO remains available to handle eligible data protection complaints.

ICO complaint information: https://ico.org.uk/make-a-complaint/data-protection-complaints/

12.          Record keeping and retention

We will keep records to demonstrate compliance, including:

date received;

acknowledgement;

key communications and documents;

outcome; and

actions taken.

We will not retain personal information for longer than necessary.

We may also monitor themes and trends to identify recurring issues and improve compliance.

13.          Children and vulnerable individuals

Children have the same rights as adults, but merit specific protection; if we receive a complaint from a child, we will use clear, plain language and assess competence to exercise rights.

If we are within scope of the Age Appropriate Design Code (ICO rules for protecting children’s personal data online), we will also follow the ICO’s expectations for complaint mechanisms and escalation routes for urgent and/or safeguarding issues.

 

14.          Joint controllers and processors

If we act as a joint controller (meaning we decide together with another organisation how and why personal data is used), we will maintain a transparent arrangement that covers complaint handling and coordination, noting that the timeframe starts when any joint controller receives the complaint.

Where we use data processors (organisations that process personal data on our behalf), we will ensure contracts/support arrangements enable us to meet our complaint-handling obligations; processors may assist administratively but the duty remains with us as controller.

15.          Staff training and internal awareness

We will train staff to recognise data protection complaints and route them appropriately, because complaints can be received through any part of the organisation.

16.          Policy ownership and review

Policy owner:
Wiseman Fine Art Ltd trading as Sarah Wiseman Gallery
Approved by:
Sarah Wiseman
Effective date:
19/06/2026
Next review date: 15/06/2027

This policy will be reviewed at least annually and after any significant complaint trend or regulatory/guidance change.

 

How we use cookies

A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. A cookie cannot read data from your hard disk or read cookie files created by other sites.

The gallery website www.wisegal.com uses Google Analytics Tracking, visitor software that uses cookies to track information about how visitors come to the website, which pages they visit, and other actions that visitors make whilst on the site. This data is then used in order to improve the user experience of the web site. All user data collected in this manner is anonymous.

Should you wish to do so, you can refuse cookies by disabling them in your web browser's settings, and you do not need to have cookies turned on to successfully use our website. Most browsers are defaulted to accept and maintain cookies, you can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it or not. Please consult the support documentation for your web browser, which can be found online, for more information.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement