Gallery Accessibility & Privacy Policy

Sanderson Gallery Limited - Privacy Statement

 

This version was updated on 2nd December 2024.

 

INTRODUCTION

We respect your privacy and are committed to protecting your personal information. Sanderson Gallery Limited complies with the New Zealand Privacy Act 2020. 

This privacy notice applies to all Sanderson Gallery Limited operations. It explains the type of information that we collect and hold about you and our reasons for doing so, as well as your privacy rights and how the law protects you.

Please use the Glossary to help you understand the meaning of some of the terms used in this privacy notice, such as “data” and “processing”.

We may update this privacy notice from time to time and will post any revised notice on this web page. Where appropriate we may notify you by email or by a notice on our website if there are material changes to our privacy notice.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

This privacy notice is presented under the following headings:

 

  1. WHO WE ARE
  2. HOW WE COLLECT YOUR INFORMATION
  3. WHAT PERSONAL INFORMATION DO WE PROCESS AND WHY?
  4. WHO SEES YOUR PERSONAL INFORMATION?
  5. IS YOUR PERSONAL INFORMATION TRANSFERRED OUT OF AOTEAROA NEW ZEALAND?
  6. HOW LONG WILL WE KEEP YOUR PERSONAL DATA?
  7. WHAT STEPS DO WE TAKE TO KEEP YOUR PERSONAL DATA SECURE?
  8. YOUR RIGHTS
  9. CONTACT INFORMATION AND COMPLAINTS
  10. GLOSSARY

 

 

  1. WHO WE ARE

 

“Sanderson”, “Sanderson Contemporary” and “Sanderson Gallery” consists of Sanderson Gallery Limited operating in Aotearoa New Zealand.

 

The company’s registered address is: Osborne Lane, 2 Kent Street, Newmarket, 4 Kent Street, Newmarket, Tāmaki Makaurau Auckland 1023.

This privacy notice is issued on behalf of Sanderson Gallery Limited so that when we mention “Sanderson”, “we” or “us” in this privacy notice, we are referring to the relevant company Sanderson Gallery Limited that is responsible for processing your data.

 

2. HOW WE COLLECT YOUR INFORMATION

 

Direct Interactions

 

Most of the personal data we process about you comes directly from you (whether face to face, over the telephone, on a paper form, by email or online).

For example, we collect data from you directly:

  • when you express an interest in buying or selling an artwork to one of our staff or representatives;
  • when you attend a Sanderson event;
  • when you visit us at an art fair;
  • when you purchase an artwork;
  • when you purchase goods from our shop;
  • when you visit our online viewing rooms and provide your contact details;
  • when you subscribe to receive news about upcoming shows and events;
  • when you ask us to send you information, including about artists and their works; and
  • when you visit the Website

 

Your image may be collected by Sanderson if you attend our premises; in particular, CCTV operates on our premises and in our district in Tāmaki Makaurau Auckland, for the security of our staff, our visitors and the artworks that we exhibit and sell. We may also have staff photographers documenting events.

Collection from other sources:

 

We may also obtain information about you and/or the artworks that you own or wish to buy or sell or collect from other third party sources; for example:

 

  • Identity and contact data, when someone introduces you to us (e.g. because they believe an artist or work may interest you);

 

  • Identity and contact data, when we research artworks and we find information about you in sources such as newspaper articles, exhibition catalogues, public auction results, or one of our contacts gives us feedback in relation to artworks or persons they have been told about

 

We may receive or obtain:

  • Contact, transaction and financial data from providers of technical, payment and delivery services;
  • Identity and contact data from publicly availably sources, such as Companies House and the Electoral Register;
  • Identity and contact data from art platforms such as Artsy or Ocula;
  • Usage data (being information about how you use our website and/or about recipients of our mailshots) from third parties, such as Google Analytics.

 

We also collect, use and share aggregated data, such as statistical or demographic data, for any purpose (Aggregated Data). Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.

 

Personal data collected through the Website


Among the types of personal data that the Website collects, by itself or through third parties are: trackers; usage data; first name; email address.

You may freely provide your personal data. Usage data is collected automatically when using the Website.

Unless specified otherwise, all data requested by the Website is mandatory and failure to provide this data may make it impossible for the Website to provide its services. In cases where the Website specifically states that some personal data is not mandatory, you are free not to communicate this personal data without consequences to the availability or the functioning of the Website.

You are responsible for any third-party personal data you publish or share through the Website and confirm that you have the third party's consent to provide their personal data to Sanderson.

The data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Sanderson, in some cases, the personal data may be accessible to certain types of persons involved with the operation of the Website (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as data processors by Sanderson. The updated list of these parties may be requested from the Sanderson at any time.

 

Detailed information on the processing of Personal Data

 

Personal Data is collected for the following purposes and using the following services:

 

Advertising

 

This type of service allows User Data to be utilized for advertising communication purposes. These communications are displayed in the form of banners and other advertisements on this Website, possibly based on User interests.


This does not mean that all Personal Data are used for this purpose. Information and conditions of use are shown below.


Some of the services listed below may use Trackers to identify Users or they may use the behavioral retargeting technique, i.e. displaying ads tailored to the User’s interests and behavior, including those detected outside this Website. For more information, please check the privacy policies of the relevant services.


Services of this kind usually offer the possibility to opt out of such tracking. In addition to any opt-out feature offered by any of the services below, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section "How to opt-out of interest-based advertising" in this document.

 

Salesforce (Salesforce.com, Inc.)

 

Salesforce is an advertising service provided by Salesforce.com, Inc.

 

Personal Data processed: Trackers; Usage Data.

 

Privacy Policy – Opt Out.

 

Category of Personal Information collected - internet or other electronic network activity information.

 

Meta ads conversion tracking (Meta pixel) (Meta Platforms)

Meta ads conversion tracking (Meta pixel) is an analytics service provided by Meta Platforms that connects data from the Meta Audience Network with actions performed on this Website. The Meta pixel tracks conversions that can be attributed to ads on Facebook, Instagram and Meta Audience Network.

 

Personal Data processed: Trackers; Usage Data.

 

Meta Privacy Policy – Opt out.

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020 and the New Zealand Privacy Act 2020 internet or other electronic network activity information.

 

Analytics

 

The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.

Google Analytics (Universal Analytics) (Google LLC)

 

Google Analytics (Universal Analytics) is a web analysis service provided by Google LLC (“Google”). Google utilizes the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network.

 

In order to understand Google's use of Data, consult Google's partner policy.

Personal Data processed: Trackers; Usage Data.

 

Google Privacy Policy – Opt Out.

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020 and the New Zealand Privacy Act 2020 internet or other electronic network activity information.

 

Google Analytics 4 (Google Australia Pty. Ltd and Google New Zealand)

 

Google Analytics 4 is a web analysis service provided by Google Australia Pty. Ltd and Google New Zealand (“Google”). Google utilizes the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network. In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google’s official documentation.

 

In order to understand Google's use of Data, consult Google's partner policy.

Personal Data processed: number of Users; session statistics; Trackers; Usage Data.

 

Google Privacy Policy – Opt Out.

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020 and the New Zealand Privacy Act 2020 internet or other electronic network activity information.

 

Meta Events Manager (Meta Platforms)

 

Meta Events Manager is an analytics service provided by Meta Platforms. By integrating the Meta pixel, Meta Events Manager can give the Owner insights into the traffic and interactions on this Website.

Personal Data processed: Trackers; Usage Data.

 

Privacy Policy – Opt out.

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020 and the New Zealand Privacy Act 2020 internet or other electronic network activity information.

 

Contacting the User

 

Contact form (this Website)

 

By filling in the contact form with their Data, the User authorizes this Website to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header.

 

Personal Data processed: email address; first name.

 

Category of Personal Information collected according the New Zealand Privacy Act 2020.

 

This processing constitutes:

 

Mailing list or Newsletter (this Website)

 

By registering on the mailing list or for the newsletter, the User’s email address will be added to the contact list of those who may receive email messages containing information of commercial or promotional nature concerning this Website. Your email address might also be added to this list as a result of signing up to this Website or after making a purchase.

 

Personal Data processed: county; email address; first name; last name.

Category of Personal Information collected according to the New Zealand Privacy Act 2020.

 

Interaction with live chat platforms

 

This type of service allows Users to interact with third-party live chat platforms directly from the pages of this Website, in order to contact and be contacted by this Website‘s support service.


If one of these services is installed, it may collect browsing and Usage Data in the pages where it is installed, even if the Users do not actively use the service. Moreover, live chat conversations may be logged.

 

WhatsApp Business Chat widget (Meta Platforms)

 

WhatsApp Business Chat widget is a service for interacting with the WhatsApp instant messaging app and platform provided by Meta Platforms.

 

Personal Data processed: answers to questions; contents of the email or message; Data communicated while using the service; date of the message; first name; last name; phone number; profile picture; sender of the message; time the message was sent; user content.

 

Whatsapp Privacy Policy

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020: identifiers; internet or other electronic network activity information; audio, electronic, visual, thermal, olfactory, or similar information; inferences drawn from other personal information.

 

WeChat Business Chat widget

 

WeChat Business Chat widget is a service for interacting with the WeChat instant messaging app and platform provided WeChat.

 

Personal Data processed: answers to questions; contents of the email or message; Data communicated while using the service; date of the message;

 

first name; last name; phone number; profile picture; sender of the message; time the message was sent; user content.

 

WeChat Privacy Policy

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020: identifiers; internet or other electronic network activity information; audio, electronic, visual, thermal, olfactory, or similar information; inferences drawn from other personal information.

 

Platform Services and Hosting

 

These services have the purpose of hosting and running key components of this Website, therefore allowing the provision of this Website from within a unified platform. Such platforms provide a wide range of tools to the Owner – e.g. analytics, user registration, commenting, database management, e-commerce, payment processing – that imply the collection and handling of Personal Data.


Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

 

Shopify (Shopify International Limited)

 

Shopify is a platform provided by Shopify International Limited that allows the Owner to build, run and host an e-commerce website.

Personal Data processed: billing address; email address; first name; last name; payment info; phone number; shipping address.

 

Shopify Privacy Policy

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020; commercial information.

 

Registration and authentication provided directly by this Website

By registering or authenticating, Users allow this Website to identify them and give them access to dedicated services. The Personal Data is collected and stored for registration or identification purposes only. The Data collected are only those necessary for the provision of the service requested by the Users.

 

Direct registration (this Website)

 

The User registers by filling out the registration form and providing the Personal Data directly to this Website.

Personal Data processed: email address; first name; last name.

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020.

 

Tag Management

 

This type of service helps the Owner to manage the tags or scripts needed on this Website in a centralized fashion.


This results in the Users' Data flowing through these services, potentially resulting in the retention of this Data.

 

Google Tag Manager (Google LLC)

 

Google Tag Manager is a tag management service provided by Google LLC.

In order to understand Google's use of Data, consult Google's partner policy.

Personal Data processed: Trackers; Usage Data.

Place of processing: United States – Privacy Policy.

 

Category of Personal Information collected according to the New Zealand Privacy Act 2020: internet or other electronic network activity information.

3. WHAT PERSONAL INFORMATION DO WE PROCESS AND WHY?

 

We will only use your personal data when the law allows us to do so.

Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you;
  • Where it is necessary for our Legitimate Interests, or those of a third party, and your interests and fundamental rights do not override those interests;
  • Where we need to comply with a legal or regulatory obligation;
  • With your consent.

 

4. WHO SEES YOUR PERSONAL INFORMATION?

Your personal data will be processed by the company within Sanderson Gallery Limited who initially receives it, and may also be transferred to and processed by other entities within Sanderson Gallery Limited.

 

Sanderson uses the Ne approved standard contractual clauses to regulate the transfer and processing of data between group companies.

 

Outside Sanderson Gallery Limited

 

We do not transfer your personal data to organisations who wish to use it for their own marketing promotions or other purposes.

We will transfer your personal data to other organisations where it is necessary to enable us to provide you with the services you have requested. For example, we may transfer your data to our bank, payment card acquirers, shippers, warehouses, insurers, experts who help us with artworks (such as conservators), photographers, IT consultants and IT systems and cloud storage providers, online viewing platform and virtual exhibition providers, our email marketing providers Artlogic, Mailchimp, our online e-commerce platform Shopify, professional advisers, regulatory bodies, event venues, including art fairs (where you wish to have a pass), and caterers and direct marketing fulfilment and distribution.

 

Where we do so it will be on the basis that these organisations are required to keep the information confidential and secure, and they will only use the information to carry out the instructed services. Some of these organisations may be located outside Aotearoa New Zealand and you should refer to the section “Is your personal information transferred out of Aotearoa New Zealand?” for more information.

We may also need to keep and disclose certain information about you to appropriate agencies to conduct anti-money laundering and trade sanction checks and to assist with fraud and crime prevention and detection.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third parties to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

In the case of clients, we may share a copy of your invoice for a particular artwork with the artist who made it for their provenance records or a shipping agent for import / export duties.

5. IS YOUR PERSONAL INFORMATION TRANSFERRED OUT OF AOTEAROA NEW ZEALAND?

 

In the course of our normal business, Sanderson may transfer your personal data outside of the original country to Sanderson representatives and to other organisations who need to process your data in connection with the services that Sanderson provides to you (see the section “Who sees your personal information?”).


Different countries, particularly countries other than Aotearoa New Zealand and the Republic of Korea, offer varying standards for the protection of  personal data and your privacy rights and in some cases these standards are lower than equivalent Aoteaora New Zealand or Korean standards. When we send your personal data outside Aotearoa New Zealand, we seek to put in place the Aotearoa New Zealand standard contractual clauses in the form of an appropriate data transfer agreement.

If you have any questions or would like further information about how we make personal data available to Aotearoa New Zealand, please contact us. If you are based in Korea and would like further information about how we make personal data available outside of Korea, please contact us.

 

6. HOW LONG WILL WE KEEP YOUR PERSONAL DATA?


We will retain your personal data for as long as we consider necessary to provide the relevant services and to maintain business records for tax, legal and regulatory reasons.


In the context of our research and records relating to sales and ownership of artworks to assist with checks on authenticity, provenance and title, we will keep this data for as long as the record is relevant to our legitimate business interest and the public interest.

We keep an archive, which documents artists, their practices, exhibitions and events over a number of years. All information stored in the archive is kept securely. Information in the archive is held by Sanderson indefinitely, consistent with our legitimate interest in documenting the careers of the artists represented by or exhibited by Sanderson.

 

7. WHAT STEPS DO WE TAKE TO KEEP YOUR PERSONAL DATA SECURE?


We use appropriate technical and organisational measures to protect the security and integrity of your personal information.

Although we have in place modern security systems and procedures, we cannot guarantee the complete security of personal data held in our systems, nor that that information you supply through the internet or any computer network is entirely safe from unauthorised intrusion, access or manipulation during transmission. Any transmission is at your own risk and we will not be liable for any resulting misuse of your personal data.

Sanderson’s emails and website may contain links to third party websites not operated by us. Those third party websites may collect and share personal information about you in accordance with their own privacy practices. Sanderson cannot accept any responsibility for the privacy practices or content of those websites. We encourage you to read the privacy notice of every website you visit.

 

8. YOUR LEGAL RIGHTS

 

We aim to be as transparent as we can be about the data that we process and encourage you to ask us if you have questions about the data we hold on you.

Your rights


If you are a resident of Aoteaora New Zealand, you have the legal right to request access to your data (commonly known as a “subject access request”). If you exercise this right and we process personal data about you, we are required to provide you with a description and copy of that personal data, and to tell you why we are processing it.

 

As well as your subject access right, you may have the right to have your personal data rectified or deleted, to object to its processing or have its processing restricted. You may also request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a commonly used, machine-readable format.

You may withdraw consent at any time where we are relying on consent to process your personal data.

Where personal data is processed for a public interest, in the exercise of an official authority vested in Sanderson or for the purposes of the legitimate interests pursued by Sanderson, you may object to such processing by providing a ground related to your particular situation to justify the objection.

You should know that, however, should your personal data be processed for direct marketing purposes, you can object to that processing at any time, free of charge and without providing any justification. Where you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

Please contact us at info@sanderson.co.nz if you would like to exercise any of the rights set out above in relation to your personal data.

 

No fee usually required

 

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

 

What we may need from you

 

Should you want to exercise your right to access your personal data (or to exercise any of your other rights) we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond


We try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 

9. CONTACT INFORMATION AND COMPLAINTS


If you have a query or complaint in relation to Sanderson’s processing of your personal data, please contact at info@sanderson.co.nz


10. GLOSSARY

 

Compliance with a legal obligation - processing is necessary to ensure we comply with our legal and regulatory obligations.

 

Consent – you have given specific consent to the processing of your personal data.

 

Data Controller – the person who determines the purposes and means of processing personal data.


Performance of a contract – processing is necessary to carry out our contractual duties, exercise our contractual rights or otherwise perform our contract with you, or to take steps at your request to enter a contract.


Personal Data - any data relating to an identified or identifiable natural person.

 

Processing - any operation performed on personal data, such as collection, recording, storage, retrieval, use, combining it with other data, transmission, disclosure or deletion.


Public Interest – processing is necessary for the performance of a task carried out in the public interest.


Website – Sanderson’s website at sanderson.co.nz

Your privacy rights under the New Zealand Privacy Act 2020 and how to exercise them

 

The right to access personal information: the right to know and to portability

You have the right to request that we disclose to you:

  • the categories of personal information that we collect about you;
  • the sources from which the personal information is collected;
  • the purposes for which we use your information;
  • to whom we disclose such information;
  • the specific pieces of personal information we have collected about you.

 

You also have the right to know what personal information is sold or shared and to whom. In particular, you have the right to request two separate lists from us where we disclose:

  • the categories of personal information that we sold or shared about you and the categories of third parties to whom the personal information was sold or shared;
  • the categories of personal information that we disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

 

The disclosure described above will be limited to the personal information collected or used over the past 12 months.

If we deliver our response electronically, the information enclosed will be "portable", i.e. delivered in an easily usable format to enable you to transmit the information to another entity without hindrance — provided that this is technically feasible.

The right to request the deletion of your personal information

You have the right to request that we delete any of your personal information, subject to exceptions set forth by the law (such as, including but not limited to, where the information is used to identify and repair errors on this Website, to detect security incidents and protect against fraudulent or illegal activities, to exercise certain rights etc.).

If no legal exception applies, as a result of exercising your right, we will delete your personal information and notify any of our service providers and all third parties to whom we have sold or shared the personal information to do so — provided that this is technically feasible and doesn’t involve disproportionate effort.

The right to correct inaccurate personal information


You have the right to request that we correct any inaccurate personal information we maintain about you, taking into account the nature of the personal information and the purposes of the processing of the personal information.

The right to opt out of sale or sharing of personal information and to limit the use of your sensitive personal information

You have the right to opt out of the sale or sharing of your personal information. You also have the right to request that we limit our use or disclosure of your sensitive personal information.

The right of no retaliation following opt-out or exercise of other rights (the right to non-discrimination)


We will not discriminate against you for exercising your rights under the New Zealand Privacy Act 2020. This means that we will not discriminate against you, including, but not limited to, by denying goods or services, charging you a different price, or providing a different level or quality of goods or services just because you exercised your consumer privacy rights.

However, if you refuse to provide your personal information to us or ask us to delete or stop selling your personal information, and that personal information or sale is necessary for us to provide you with goods or services, we may not be able to complete that transaction.

To the extent permitted by the law, we may offer you promotions, discounts, and other deals in exchange for collecting, keeping, or selling your personal information, provided that the financial incentive offered is reasonably related to the value of your personal information.

How to exercise your rights


To exercise the rights described above, you need to submit your verifiable request to us by contacting us via the details provided in this document.

For us to respond to your request, it’s necessary that we know who you are. Therefore, you can only exercise the above rights by making a verifiable request which must:

 

  • provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative;
  • describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We will not respond to any request if we are unable to verify your identity and therefore confirm the personal information in our possession actually relates to you

Making a verifiable consumer request does not require you to create an account with us. We will use any personal information collected from you in connection with the verification of your request solely for the purposes of verification and shall not further disclose the personal information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.

If you cannot personally submit a verifiable request, you can authorize a person registered within Aotearoa New Zealand to act on your behalf.

If you are an adult, you can make a verifiable request on behalf of a minor under your parental authority.

You can submit a maximum number of 2 requests over a 12 month period.

 

How and when we are expected to handle your request

We will confirm receipt of your verifiable request within 10 days and provide information about how we will process your request.

We will respond to your request within 30 days of its receipt. Should we need more time, we will explain to you the reasons why, and how much more time we need. Please note that we may take up to 90 days to fulfill your request.

Should we deny your request, we will explain you the reasons behind our denial.

 

We do not charge a fee to process or respond to your verifiable request unless such request is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee, or refuse to act on the request. In either case, we will communicate our choices and explain the reasons behind it.