In accordance with the General Data Protection Regulation (GDPR), we have implemented this privacy policy to inform you of the types of data we process about you. We also include within this policy the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.

A) DATA PROTECTION PRINCIPLES

Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

a) processing is fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes
c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
g) we comply with the relevant GDPR procedures for international transfers of personal data

B) YOUR PERSONAL DATA

We collect ‘personal data’, which is information that identifies a living person, or which can be identified as relating to a living person.
When we talk about ‘you’ or ‘your’ in this policy, we mean any living person whose personal data we collect.

C) TYPES OF DATA HELD

Personal data you provide

We collect data you provide to us. This includes information you give when you communicate with us, purchase tickets and/or products, sign up to receive communications from us, apply for employment, volunteer or enter into a contract with us. For example, we may hold:

a) personal details (name, gender, date of birth, email, address, telephone etc.)
b) family and spouse/partner or next of kin details
c) financial information (such as credit/debit card details)
d) your response to a special Twist Museum event or your intention to meet a Member of our staff
e) details of the ways in which you wish to be contacted by us

Personal data generated by your involvement with the Museum

Your activities and involvement with the Museum will result in personal data being generated. This could include:
a) details of your interaction with exhibits in the Museum’s collection
b) your attendance at special events
c) where you have asked us for information or written to us
d) your visits to our websites
e) images of you captured by our CCTV systems
f) your use of our public wifi
g) your purchasing history
h) where you have applied for a job with us.

Personal data from third parties

We sometimes receive personal data about you from third parties, for example, if we’re partnering with another organisation or where we may use third parties to help us conduct research and analysis about you to determine the success of our public offer and to help us provide you with a better experience (and this can result in new personal data being created).
We may collect information from social media about you, or if you post on any of our social media pages.

Occasionally, we may collect personal data about you (for example if you’re particularly well known or influential) from the media and other publicly available sources. This may come from public databases (such as Companies House), news or other media. The sort of information we obtain from these sources might include details of other charities you may support and indicators of your leisure interests and financial status such as house value or post code.

Special category (‘sensitive’) personal data

We don’t normally collect or store special categories of personal data. However, there are some situations where we may need to do so. These may include, for example, if you work or volunteer with us or apply to do so, or if we need to know about any access, medical or dietary requirements you, or someone in your care, may have.

D) HOW WE USE YOUR DATA

Marketing

We use your personal data to communicate with you in order to promote our activities and events. This includes keeping you up to date with our exhibitions, events and products in our shop.

Administration

We use your personal data for administrative purposes including:

a) maintaining databases of our visitors
b) managing custody of our collection including our intellectual property rights
c) carrying out due diligence to meet our compliance duties (for example, before making any acquisition into our collections, accepting financial support or making agreements for the supply of goods and services)
d) processing enquiries and requests for information, and managing feedback, comments and complaints we receive
e) fulfilling orders for tickets, goods or services (whether placed online, over the phone or in person)
f) helping us respect your choices and preferences
g) recruitment and staff management including pay, tax and pensions administration
h) management of suppliers of goods and services
i) managing your visit to Twist Museum (for example, health and safety, security, lost property, cloakroom and incident management)

Internal research and profiling

We carry out research and analysis on our visitors and other supporters to determine the success of our public offer, programmes and other activities in the public interest, and to help us provide you with a better experience (for example, so that you only receive communications about areas of our activities or research you’re most likely to be interested in).

We may evaluate, categorise and profile your personal data in order to tailor materials, services and communications (including targeted advertising) to your needs and your preferences and to help us to understand our audiences. This information helps us to ensure communications are relevant, timely and in the best interest of our visitors’ experience.

E) LAWFUL BASIS FOR PROCESSING

The law on data protection allows us to process your data for certain reasons only. We only ever use your personal data with your consent, or where necessary in order to:

a) enter into, or perform, a contract with you
b) comply with a legal duty
c) protect your vital interests
d) carry out a task in the public interest
e) pursue our own (or a third party’s) legitimate interests, provided your rights don’t override these interests

In any event, we’ll only use your personal data for the purpose or purposes for which it was obtained.

The information below categorises the types of data processing, appropriate to your status, we undertake and the lawful basis we rely on.

Activity requiring your data | Lawful basis
Marketing | Our legitimate interests
Administration | Performance of the contract
Internal research and profiling | Our legitimate interests

F) MARKETING COMMUNICATIONS

We must ask you to ‘opt-in’ to receive marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages.

When you receive a communication from us, we may collect information about your response and this may affect how we communicate with you in future.

G) WHO WE SHARE YOUR DATA WITH

We will never sell your personal data.
If you’ve opted-in to marketing, we may contact you with information about our selected partners. These communications will always come from us and will usually be incorporated into our own marketing.

We may share your personal data with contractors or suppliers who provide us with services. Information is transferred to data processors securely, and we retain full responsibility for your personal data as the data controller. These activities are carried out under a contract which imposes strict requirements on our suppliers to keep your personal data confidential and secure.

Occasionally, we arrange events with other organisations. We may share your personal data with such organisations, for example where you register to attend events. We will only share information when necessary.

We may share your personal data where required to do so for prevention of crime or for taxation purposes (for example, with the police, HMRC) or where otherwise required to do so by other regulators or by law (e.g. Companies House).

H) CHILDREN AND YOUNG PEOPLE

We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of those aged 13 or younger.

We won’t use the personal data of children or young people for marketing purposes and we won’t profile it.
Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis.

I) PROTECTING YOUR DATA

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Staff receive data protection training and we maintain a set of data protection procedures which our staff are required to follow when handling personal data.

J) RETENTION PERIODS

We only keep your data for as long as it is required for the purposes for which we collected it (for example, we have a genuine and legitimate reason and we’re not harming any of your rights and interests). This will depend on our legal obligations and the nature and type of information and the reason for which we collected it. For example, should you ask us not to send you marketing emails, we’ll stop storing your email address for marketing purposes. However, we will need to keep a record of your preference.

We continually review what information we hold and will delete personal data which is no longer required.

K) AUTOMATED DECISION MAKING

Automated decision making means making decisions about you with no human involvement, e.g. using computerised filtering equipment. No decision which has a significant impact on you will be made solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement).

L) YOUR RIGHTS

You have the following rights in relation to the personal data we hold on you:

a) the right to know whether we hold your personal data and, if we do so, to be sent a copy of the personal data that we hold about you (a ‘subject access request’) within one month
b) the right to have your personal data erased (though this will not apply where it’s necessary for us to continue to use the data for a lawful reason)
c) the right to have inaccurate personal data rectified
d) the right to object to your personal data being used for marketing or profiling
e) (where technically feasible) the right to be given a copy of personal data that you have provided to us (and which we process automatically on the basis of your consent or the performance of a contract) in a common electronic format for your re-use
f) there are some exceptions to the rights above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.
g) if you’d like further information on your rights or wish to exercise them, please contact our Data Protection Officer at the address below
h) should you wish to make a subject access request, we can provide you with a template form which includes guidance on how to do this. Please contact us for a copy of the template for a subject access request.

M) CONSENT

Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.

N) COOKIES

Our websites use local storage (such as cookies) in order to provide you with the best possible experience and to allow you to make use of certain functionality (such as being able to purchase tickets online).

O) LINKS TO OTHER WEBSITES

This Website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.

P) MAKING A COMPLAINT

If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.

Q) DATA PROTECTION COMPLIANCE

Any questions about this Privacy Policy should be sent to our Data Protection Officer at Twist Museum, 242-248 Oxford Street, London W1C 1DH or email [email protected]

This policy was approved by Twist Museum in August 2023. It will be reviewed no later than 2025.