Cookie & Privacy Policy

Privacy Policy

Lismore Castle Arts is committed to protecting your privacy and maintaining the security of any personal information received from you.

The Devonshire Group Privacy Policy

Contents of privacy policy

1. Introduction
2. About the Devonshire Group
3. Contact us
4. Explaining the lawful bases we rely on
5. When do we collect your personal data?
6. What sort of personal data do we collect?
7. How and why do we use your personal data?
8. Combining your data for personalised direct marketing
9. How can you stop the use of your personal data for direct marketing?
10. How we protect your personal data
11. Who do we share your personal data with?
12. Where your personal data may be processed
13. What are your rights over your personal data?
14. How long will we retain your data?
15. How to make a complaint
16. If you live outside the UK
17. Any questions?

1. Introduction

Here at The Devonshire Group, we take your privacy seriously. We promise to respect any personal data you share with us, and to keep it safe.

This privacy policy explains in detail who we are and the types of personal data we may collect about you when you interact with us. It also explains how we will use, store, and handle that data, and keep it safe.

We promise to use the information we collect about you in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). We aim to be clear that when we handle your data, we will not do anything you would not reasonably expect.

By visiting this website, you are accepting and consenting to the practices described in this policy.

This privacy policy applies to our website visitors, customers, participants, supporters, visitors, job/volunteer applicants, suppliers, and industry contacts.

Please read this information carefully, as by providing your data to us you acknowledge you have read this policy and understand we will process your data in accordance with its terms.

We know that there is a lot of information here, but we want you to be fully informed about your rights, and how the Devonshire Group uses your data.

We hope the following sections will answer any questions you have but if not, please do get in touch with us by emailing dataprotection@devonshiregroup.co.uk

It is likely that we will need to update this privacy policy from time to time. We will notify you of any significant changes, but you are welcome to come back and check it whenever you wish.

2. About the Devonshire Group

The Devonshire Group can be considered to comprise charities and businesses throughout the UK and Ireland, including Chatsworth, which sits within the Derbyshire Estate, the Bolton Abbey Estate in North Yorkshire, the Lismore Estate in County Waterford, and the Compton Estate in Sussex.

The Devonshire Group is the business name adopted by The Trustees of the Chatsworth Settlement whose place of business is: The Estate Office, Chatsworth, Edensor, Derbyshire DE45 1PJ.

The Devonshire Group can also be considered to be made up of a number of other related businesses and entities:

• Bolton Abbey Estates Company Limited
• The Chatsworth Settlement – the entity that owns and runs our estates in Derbyshire, Yorkshire and Eastbourne
• Chatsworth House Trust – the charity responsible for the house, garden, park, farmyard and playground
• Chatsworth House Enterprises Ltd – the organisation that runs events including the horse trials and country fair
• Chatsworth Estate Trading Ltd – the organisation that manages the shops and restaurants on the Chatsworth Estate
• Devonshire Hotels and Restaurants Group Limited and the Peacock Hotel (Baslow) Limited – the organisations that run our hotels and holiday cottages
• Devonshire Property Retail Ltd
• The Duke of Devonshire’s Charitable Trust
• The Devonshire Maintenance Fund
• Elm Tree Farm Limited
• The Lismore Estate and Lismore Castle & Gardens – our estate and hospitality business in Ireland including its associated companies Lismore Estates (Jersey) Limited, Lismore Estates (No 1) Limited and Lismore Estates (No 2) Limited

For the purpose of the UK GDPR, the data controller may be any of the entities listed above depending on which of these determines the purposes for which and the means by which the relevant personal data is processed. It will therefore depend on the nature of your interactions with the Devonshire Group. Please do contact us if you would like further guidance on the data controller in any specific circumstances.

For simplicity throughout this policy, ‘Devonshire Group’, ‘we’, ‘our’ and ‘us’ refers to the organisations listed above.

3. Contact us

Questions, comments and requests regarding this privacy policy are welcome.

Email us at: dataprotection@devonshiregroup.co.uk

Write to us at: Data Protection, The Information Technology Department, The Devonshire Group, The Estate Office, Bakewell, Derbyshire, DE45 1PJ

4. Explaining the lawful bases we rely on

When collecting your personal data, we will always make clear to you which data is necessary in connection with a particular service.

The law on data protection set out a number of different reasons (lawful bases) for which a company may collect and process your personal data, including:

Consent

In specific situations, we can collect and process your data with your consent. E.g., When you subscribe to receive e-newsletters or information about charitable fundraising activities from us.

Contract

In certain circumstances, we need your personal data to comply with our contractual obligations. E.g., If you order an item from us for home delivery, we will collect your address details to deliver your purchase, and we may pass them to our courier.

Legal obligation

If the law requires us to, we may need to collect and process your data. E.g., We can pass on details of people involved in fraud or other criminal activity affecting the Devonshire Group to law enforcement.

Legitimate interests

In specific situations, we use your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business, and which does not materially impact your rights, freedom or interests. E.g., We may use your purchase history or specified interests to send you or make available personalised offers, or may also use your email address to send you direct marketing information, telling you about products and services that we think might interest you. We will always include the option to unsubscribe from the specific business in marketing emails.

5. When do we collect your personal data?

We use the above lawful bases when collecting your data: consent (such as when you subscribe to one of our newsletters), contract (when you transact or enter into a contract with us), legal obligation (when data use is required by law) and legitimate interests (such as when we make personalised offers available to you).

• When you create or update an account with us
• When you visit our websites
• When you make any purchase, redeem vouchers, or book rooms, cottages, or tables in our restaurants
• When you book a conference or event e.g., a wedding
• When you use locations within the Devonshire Group for commercial filming purposes
• When you purchase a product or service, in person or by phone, but do not have (or do not use) an account
• When you make a donation
• When you supply us with a product or service
• When you purchase membership from us - including, but not limited to, Bolton Abbey Season Tickets, Bolton Abbey Season Rods, Friends of Chatsworth membership, Chatsworth Health & Fitness Club membership, and Chatsworth Fishery membership
• When you enter into a tenancy on one of our estates
• When you buy livestock from, or sell livestock to, one of our farms
• When you engage with us on social media
• When you communicate with us by post, email, telephone, social media, via our website, or in person
• When you enter prize draws or competitions
• When you enter a promotion
• When you choose to complete any surveys we send you
• When you comment on or review us publicly
• When you have given a third-party permission to share with us the information they hold about you
• We may collect data from publicly available sources (such as Land Registry) when you have given your consent to share information or where the information is made public as a matter of law
• When you visit our establishments or use our car parks, CCTV systems are usually operated for the security of both visitors and employees - these systems may record your image during your visit
• When you sign up to use our public Wi-Fi
• When you ask us to send you marketing communications
• When you apply for a job with the Devonshire Group

6. What sort of personal data do we collect?

• Title, first name and last name
• Your signature
• Contact details including organisation/company name and job title (if appropriate), postal address (billing/delivery), email address and contact telephone number(s)
• If you have a web account with us, we will keep your order details – for your security, we may also keep an encrypted record of your login password
• Your communication preferences
• If you are a young person (under 18) we may collect the contact details (including name, address, email and contact telephone number) of your parent/guardian
• If you are a teacher with whom we have professional relationship, your professional email, the name, address and telephone number of school/college
• If you are a job applicant, we may ask for details about your experience and qualifications
• If you are a job applicant, we may ask you for details about your experience and qualifications
• If you enter into a tenancy on one of our estates, we keep details about your rent and tenancy agreement
• If you complete one of our health questionnaires, undergo one of our health screenings, or sign up to swimming lessons, we may ask you for your doctor’s name and address as well as for details of any existing health and medical conditions
• Health, dietary or allergy information (for you or your party) related to your booking
• Date of birth and age
• Vehicle registration number
• Details of your interactions with us online, on the phone, or on the estate. E.g., We may collect notes from our conversations with you, details of any complaints or comments you make, details of purchases you made, items, web pages you visit and how and when you contact us
• Details of your interests and visiting habits. E.g., Which tickets you purchase, and when you visit us and/or details of your activities when you stay with us
• Details of your visits to our website and which site you came from to ours
• Information gathered by the use of cookies in your web browser.
• Transaction history, including billing and payment card information (last 4 digits)
• Donation history
• Bank details (e.g., for invoicing purposes if you are a supplier, or if you set up a direct debit with us).
• Your comments and product reviews
• Your image and likeness as captured on our CCTV cameras when you visit our establishments or use our car parks, and in photographs or video that we may use for promotional purposes
• To deliver the best possible web experience, we collect technical information about your internet connection and browser as well as the country and telephone code where your computer is located, the web pages viewed during your visit, the advertisements you clicked on, and any search terms you entered. This includes your IP address if you visited our websites from a link in one of our marketing communications.
• Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback
• We use a third-party provider to send our e-newsletters. We collect statistics, including email opens and clicks, using industry standard technologies, such as clear gifs, to help us improve our e-newsletter content making it more interesting and relevant.

7. How and why do we use your personal data?

We want to give you the best possible customer experience. One way to achieve that is to build the richest picture we can of who you are by combining the data we have about you.

We may then use this information to offer you promotions, products, and services that are most likely to interest you.

The data protection law allows this as part of our legitimate interest in understanding our customers and providing the highest levels of service.

Of course, if you wish to change how we use your data, you will find details in section ‘What are your rights over your personal data?’ (Section 13).

Here is how we may use your personal data and why:

• To process any orders that you make by using our website, on the phone or on site. If we do not collect your personal data during checkout, we will not be able to process your order and comply with our legal obligations. E.g., Your details may need to be passed to a third party to supply or deliver the product that you ordered, and we may keep your details for a reasonable period afterwards in order to fulfil any contractual obligations such as refunds, guarantees and so on.
• To respond to your queries, refund requests and complaints. Handling the information you sent enables us to respond. We may also keep a record of these to inform any future communication with us and to demonstrate how we communicated with you throughout. We do this on the basis of our contractual obligations to you, our legal obligations, and our legitimate interests in providing you with the best service and understanding how we can improve our service based on your experience.
• To protect our business and your account from fraud and other illegal activities. This may include using your personal data to maintain, update and safeguard your account. We may also monitor your browsing activity with us to quickly identify and resolve any problems and protect the integrity of our websites. We will do all of this as part of our legitimate interests.
• To protect our visitors, premises, assets and employees from crime, we operate CCTV systems across the Devonshire Group, which record images for security. We do this because of our legitimate business interests.
• To process payments and to prevent fraudulent transactions. We do this because of our legitimate business interests. This also helps to protect our customers from fraud.
• If we discover any criminal activity or alleged criminal activity through our use of CCTV, fraud monitoring, or suspicious transaction monitoring, we will process this data for the purposes of preventing or detecting unlawful acts. We aim to protect the individuals we interact with from criminal activities.
• On the basis of legitimate interest, we may use your personal data, preferences and details of your transactions to keep you informed by email, web, text message, and telephone about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on. Of course, you are free to opt out of hearing from us by any of these channels at any time by using the unsubscribe link provided in email or by contacting us.
• To send you relevant, personalised communications by post in relation to updates, offers, services and products. We will do this on the basis of our legitimate business interests. You are free to opt out of hearing from us by post at any time by contacting us.
• To send you communications required by law, or which are necessary to inform you about our changes to the services we provide you. For example, updates to this privacy policy, and legally required information relating to your orders. These service messages will not include any promotional content and do not require prior consent when sent by email, text message, or telephone. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.
• To display the most relevant content to you on our websites, we may use data we hold about where you live, your interests and so on. We do so on the basis of your consent for our website to place cookies or similar technology on your device. E.g., We might show you an advert for an event or ticket you have previously shown an interest in.
• To administer any of our prize draws or competitions that you enter, based on your consent given at the time of entering.
• To develop, test and improve the systems, services and products we provide to you. We will do this on the basis of our legitimate business interests. E.g., We may record your browser’s Session ID to help us understand more when you leave us online feedback about any problems you are having.
• To comply with our contractual or legal obligations to share data with law enforcement Government health departments.
• To send you survey and feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent. We have a legitimate interest to do so as this helps make our products or services more relevant to you. Of course, you are free to opt out of receiving these requests from us at any time by contacting us.
• To build a rich picture of who you are and what you like, and to inform our business decisions, we may combine data captured from across the Devonshire Group, third parties and data from publicly available sources as we have described in section 6 'What sort of personal data do we collect?' We will do this on the basis of our legitimate business interest. E.g., by combining this data, this will help us personalise your experience and decide which content to share with you. We also use anonymised data from customer purchase histories to identify trends in different areas of the country. This may then guide our advertising plans.
• To process your order (for example if you order a hamper for home delivery). Sometimes, we may need to share your details with a third party who is providing a service (such as delivery couriers). Without sharing your personal data, we would not be unable to fulfil your request.

8. Combining your data for personalised direct marketing

We want to bring you information, offers, promotions, products and services that are most relevant to your interests at particular times. To help us form a better, overall understanding of you as a customer, we may combine your personal data gathered across the Devonshire Group as described above. For this purpose, we may also combine the data that we collect directly from you with data that we obtain from third parties to whom you have given your consent to pass that data onto us – such as the Land Registry mentioned above. You can withdraw your consent for direct marketing at any time – for more details see section 9 ‘How can you stop the use of your personal data for marketing?’

9. How can you stop the use of your personal data for direct marketing?

There are several ways you can stop direct marketing communications from us:

• Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular organisation. Please note that if you are subscribed to communications from more than one of the organisations listed in section 2 ‘About the Devonshire Group’, we will only stop communications from the specific organisation that you unsubscribe from.
• Email dataprotection@devonshiregroup.co.uk
• Write to Data Protection, The Information Technology Department, The Devonshire Group, The Estate Office, Bakewell, Derbyshire, DE45 1PJ

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.

10. How we protect your personal data

We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.

We are located in the UK. Your data is held in the UK, when possible, and processed on secure systems owned or licensed by the Devonshire Group and details are only accessed by authorised and trained staff. Only employees, contractors and developers are granted access to personally identifiable information. This will be from time to time, and only when they need to perform a specific job or task. You can learn more about where your data will be processed in section 12.

We secure access to all areas of our website using ‘https’ technology.

We regularly monitor our system for possible vulnerabilities and attacks.

11. Who do we share your personal data with?

We sometimes share your personal data with trusted third parties. E.g., Delivery couriers, the organisations set out in section 2 ‘About the Devonshire Group’.

Here is the policy we apply to those organisations to keep your data safe and protect your privacy:

• We provide only the information they need to perform their specific services.
• They may only use your data for the exact purposes we specify in our contract with them.
• We work closely with them to ensure that your privacy is respected and protected at all times.
• If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

Examples of the kind of third parties we work with are:

• Ticket fulfilment/processing companies
• IT companies who support our website and other business systems
• Operational companies such as delivery couriers
• Google/Meta to show you products that might interest you while you are browsing the internet. This is based on either your marketing consent or your acceptance of cookies on our websites.

Sharing your data with third parties for their own purposes:

We will only do this in very specific circumstances, for example:

• For jewellery orders created on our online shop, shop.chatsworth.org, we share your order details with the jewellery manufacturer, C W Sellors, in order to fulfil your order. Billing information is never shared.
• For fraud management, we may share information about fraudulent or potentially fraudulent activity on our premises or systems. This may include sharing data about individuals with law enforcement bodies.
• For health emergencies we may provide details to Government health departments, both nationally and locally.
• We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government bodies, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.

12. Where your personal data may be processed

Your data may be shared with our estate and hospitality business in Ireland, The Lismore Estate and Lismore Castle & Gardens if you visit the Lismore Estate or show an interest in Lismore. All transfers of your data to Ireland (part of the EEA) will have appropriate safeguards under the UK GDPR.

Sometimes we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA), such as the USA.

Protecting your data outside the EEA:

The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway. We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA. E.g., Some third parties we use to store your data, such as those we use to send e-newsletters, may be based outside the EEA.

If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, we only work with organisations who have robust and trusted data protection policies, that meet the standards required within the EEA. If you wish for more information about these companies, please contact us.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this privacy policy.

13. What are your rights over your personal data?

Under data protection law, you have the following rights:

• Your right of access: you have the right to ask us for copies of your personal information.
• Your right of rectification: you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure: you have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing: you have the right to ask us to restrict the processing of your personal information in certain circumstances.
• Your right to data portability: you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
• Your right related to automated decision-making including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Whenever we choose not to action a request, we will explain to you the reason for our refusal.

Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us as set out at the beginning of this privacy policy. Once we have received notification that you have withdrawn your consent, we will update your preferences and will no longer process your information for the purpose or purposes you originally agreed to.

Where we rely on our legitimate interests

In cases where we are processing your personal data because of our legitimate interests, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data, such as a contractual or legal obligation.

Checking your identity

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this privacy policy. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act on their behalf.

14. How long will we retain your data?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint, if we reasonably believe there is a prospect of a dispute in respect to our relationship with you or for our legitimate interests such as fraud prevention and enhancing users’ safety and security.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we have to keep basic information about our customers for six years after they cease being customers for tax purposes. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

15. How to make a complaint

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by calling 0303 123 1113.

Or go online to www.ico.org.uk/make-a-complaint (opens in a new window; please note we cannot be responsible for the content of external websites)

If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.

16. If you live outside the UK

For all non-UK customers

By using our services or providing your personal data to us, you expressly consent to the processing of your personal data by us or on our behalf. Of course, you still have the right to ask us not to process your data in certain ways, and if you do so, we will respect your wishes, unless we are processing your data to fulfil a contract and/or legal obligation.

Sometimes we will need to transfer your personal data between countries to enable us to supply the services you have requested. In the ordinary course of business, we may transfer your personal data from your country of residence to ourselves and to third parties located in the UK, or elsewhere.

By dealing with us, you are giving your consent to this overseas use, transfer, and disclosure of your personal data outside your country of residence for our ordinary business purposes.

This may occur because our information technology storage facilities and servers are located outside your country of residence and could include storage of your personal data on servers in the UK, or elsewhere.

We will ensure that reasonable steps are taken to prevent third parties outside your country of residence using your personal data in any way this is not set out in this privacy policy. We will also make sure we adequately protect the confidentiality and privacy of your personal data.

16. Any questions

We hope this Privacy Policy has been helpful in setting out the way we handle your personal data and your rights to control it.

If you have any questions that have not been covered, please contact us:

Email us at: dataprotection@devonshiregroup.co.uk

Write to us at: Data Protection, The Information Technology Department, The Devonshire Group, The Estate Office, Bakewell, Derbyshire, DE45 1PJ

This policy was last updated on 27 November 2024.