- This Privacy Notice
1.1 Historic Environment Scotland respects your privacy and is committed to protecting your personal data. This privacy notice applies to individuals who either purchase a membership from us or are gifted a membership from someone else.
1.2 This privacy notice sets out how and why Historic Environment Scotland collects and processes your personal data, which will differ depending on how you interact with us.
1.3 Please read the following privacy notice carefully to understand our practices regarding your personal data and how we will treat it. - Who we are?
2.1 We are Historic Environment Scotland, an executive non-departmental public body, incorporated and established under the Historic Environment Scotland Act 2014, being a registered charity (Scottish Charity number SC045925) and having our principal office at Longmore House, Salisbury Place, Edinburgh, EH9 1SH (referred to as “HES”, “we”, “us” or “our” in this privacy notice). We also use the trading name “Historic Scotland”.
2.2 We are registered with the Information Commissioner's Office (the "ICO"), the UK regulator for data protection issues. Our data protection registration number is ZA143443.
2.3 We are a data controller for the purposes of the Data Protection Act 2018 and related data protection legislation, including the General Data Protection Regulation (Regulation (EU) 2016/679) as it applies in the United Kingdom (“UK GDPR”) and related data protection legislation. - How can you contact us?
We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
By post:
The Data Protection Officer
Historic Environment Scotland
Room G.50
Longmore House
Salisbury Place
Edinburgh, EH9 1SH
By email: dataprotection@hes.scot
By phone: 0131 668 8600 - Changes to this privacy notice
We keep our privacy notice under regular review and will place updated versions on our website when changes are made. If any significant changes are made then we will notify you. This version was last updated on 29 January 2026. - Changes to your personal data
5.1 We need to ensure that your personal data is accurate and up to date in order that we can register and manage your membership. If you do not provide us with your personal data or do not inform us of any changes to your personal data then we may not be able to perform necessary tasks in relation to your membership and/or membership application.
5.2 Please keep us informed if your personal data changes during your relationship with us. - Website and Cookies
For details of how we may use your personal data as a visitor to our website: www.historicenvironment.scot or individuals who contact us by telephone, e-mail or other ways (including other electronic means) and for information about our use of cookies please see our main privacy notice. - What is personal data and how do we collect it?
7.1 Personal data is any information about a living individual from which that person can be identified. It does not include data where the identity of the individual has been removed ("anonymised data").
7.2 We mainly collect personal data from you through your direct interactions with us including when you:
-
complete and submit a membership application;
-
create an account on our website;
-
request marketing communications to be sent to you;
-
enter a competition, promotion or survey; or
-
give us feedback or contact us.
7.3 We may collect personal data through automated technologies or other interactions (for example, cookies) when you use our website.
7.4 We may also obtain your personal data from third parties where we are legally permitted to do so, for example, someone purchasing a membership on your behalf, from publicly available sources such as Companies House, or social media sources.
7.5 We will also collect personal data when you use your membership card.
7.6 Unless specifically stated we do not collect any "special categories of personal data" about you. Such data would include information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We also do not collect any information about criminal convictions or offences. -
- Purposes for which we will use your personal data
8.1 We have set out in each section of this privacy notice a description of the ways we may collect and use your personal data, and the legal bases we would rely on to do so. HES must have a legal basis for processing your personal data and throughout this privacy notice we have highlighted our legal basis for each purpose in bold.
8.2 Where we consider the processing is necessary for our legitimate interests we make sure we have considered and balanced any potential impact on you and your rights (both positive and negative) before we process your personal data.
8.3 We may need to process or disclose your personal data in order for us to comply with any legal obligations binding on us; to protect the rights, property, or safety of our staff, our customers, or others; and to establish, exercise or defend our legal rights.
8.4 We may process your personal data based on more than one legal basis, depending on the specific purpose or purposes for which we are using your data. Please contact us if you would like more information about the specific legal basis or bases we are relying on to process your personal data.
8.5 We may also collect, use and share anonymised aggregated data (such as statistical or demographic data). Aggregated anonymised data may not directly or indirectly reveal your identity. However, if we combine or connect anonymised aggregated data with your personal data so that it can directly or indirectly identify you, this combined data is treated as personal data and will be used in accordance with this privacy notice.
8.6 Where we generate anonymised aggregated data we do so on the basis of our legitimate interests to create statistical or demographic data relating to our services. - Purposes for which we will use your personal data
9.1 We may collect or obtain the following personal data:
-
Name, contact address and postcode, email address, billing address, telephone number to register you and your family as new members and manage our relationship with you.
-
We may need to collect your date of birth if you are applying for concession membership.
-
Your bank or card details and payment information in order that we can process your membership payments.
-
Details of Gift Aid declarations.
9.2 We need to collect this information so we can perform our contract with you and deliver membership benefits to you in terms of our membership terms and conditions. This will include confirming the purchase of membership and sending you membership pack and cards, information on how to use your membership and information on membership renewal. We also have a legitimate interest in delivering good customer service and ensuring our website is up to date and fully functional.-
We will also collect technical and usage data through our website including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data.
-
- If you have purchased or received a gift membership to Historic Environment Scotland
10.1 We may collect or obtain the following personal data:
-
Your name, contact address and postcode, email address, billing address, telephone number to register the new members and manage our relationship with you.
10.2 We need to collect this information so we can perform our contract with you and deliver membership benefits to the new members in terms of our membership terms and conditions. This will include confirming the purchase of membership, sending information about membership renewal and sending the new members their membership pack and cards and information on how to use their membership. We also have a legitimate interest in delivering good customer service and ensuring our website is up to date and fully functional.-
Name, contact address and postcode and telephone number of the new members so we can provide them with the membership.
-
We may need to collect the date of birth of a member if you are applying for concession membership.
-
Your bank or card details and payment information in order that we can process membership payments.
-
Details of Gift Aid declarations.
-
We will also collect technical and usage data through our website including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data.
10.3 If you have been registered as a member by someone else, please see the section for members above at paragraph 9. -
- Using your membership card
We use barcodes on our membership cards and in the member area of the Historic Scotland (HS) App. These barcodes hold a digital membership card relating to you. When the barcode on your membership card or HS App is scanned, we will collect information regarding your visits to our properties (for example, the date and location of your visit) and your purchases in our shops or restaurants. We use this information in anonymised, aggregated form to understand visiting trends with regard to our properties and to help tailor our communications to you to be more relevant, where you have agreed to our sending you such communications. Where we generate anonymised aggregated data we do so on the basis of our legitimate interests to create statistical or demographic data relating to our services. - Marketing and communications
12.1 If you are not a member (or have not purchased a membership) we will only use your personal data for direct marketing purposes where you have consented to be contacted for such purposes. For more information on marketing please see our main privacy notice.
12.2 Where you have purchased, or been gifted, a membership from us, we may use your postcode and email address information to do demographic profiling. We also keep a record of how memberships are used, the places that members visit the most and how members have supported us, including through purchasing other goods or services. We do this to ensure that our communications with you are relevant to you and where we think these may be of interest to you. We collect this information to better understand our members' use of their membership and to provide marketing activities and communications in line with our members' interests. When we process your personal data for the above purposes, we do so in order to exercise our legitimate interests in keeping you up to date with membership offers and activities and pursuing our business aims and objectives.
12.3 If you do not want to receive any communications or marketing material from us if you are a member (or purchased a membership) you can contact members@hes.scot.
12.4 We may send you communications relating to our fundraising activities. We will always ask for your consent before doing so by text, email or other electronic means and you may opt-out of receiving such communications at any time. We may send you information on our fundraising activities by post where we have a legitimate interest in doing this however you can ask us to stop sending these communications at any time. - Social media
13.1 If you receive marketing from us on social media platforms, you are able to withdraw your consent by adjusting your privacy settings on the social media platform itself. You may see our adverts if your settings allow for targeted advertising based on attributes of your social media profile, such as your location, age, and interests. For example, if you live near one of the historic properties we care for, you may see an advert for an event at that specific property.
13.2 You may also see our online advertising as a result of your information being automatically profiled by the social media platform and your account being selected as part of the audience for the ad. You can prevent this type of targeting by adjusting your privacy settings within each social media platform or by adjusting your cookie settings in the browser. You can also interact with the advert itself and select the options that prevent further targeted advertising using your information in this way.
13.3 We do not share your personal details with any third party for their marketing purposes. - Access to and sharing of personal data
14.1 Only HES employees, officers, volunteers and other members of staff that need to know information in order to perform the activities listed in this privacy notice will be able to access your personal data. In some circumstances we will share your personal data with organisations who we have contracted with in order to provide good or services to us (or on our behalf) for example, by having mailing houses send membership literature to you or having service providers host membership information and support our membership systems. These third-party processors only process data on our behalf for specified purposes and in accordance with our instructions and we will always have an agreement in place with them
14.2 There may be circumstances in which we need to share your personal data with certain third parties who will also be controllers of that data. This means they will determine the purpose of processing and make decisions about how your personal data is processed in accordance with UK data protection laws. If you require any further information please refer to each organisation's own privacy notice. The third parties with whom we may share your personal data include:
14.2.1 Professional advisers including lawyers, accountants and auditors to receive legal, accountancy and other professional services,
14.2.2 Insurers, to receive insurance services and to make or defend insurance claims,
14.2.3 Banks and financial advisers, to receive financial services and advice,
14.2.4 Any relevant fraud prevention or law enforcement agency (including Police Scotland) to comply with our legal obligations, including to report any heritage crime,
14.2.5 Any relevant government or regulatory authority (including the Scottish Ministers, OSCR, ICO and HM Revenue & Customs), courts and tribunals to comply with our legal obligations and to comply with any reporting obligations.
14.3 We will only share your personal data where we have a legal basis to do so. - Transfers of personal data
15.1 We seek to hold all personal data we process within the UK, however some of the organisations with whom we interact and some of our third-party service providers have headquarters or are based (or maintain data storage) outside the UK. This means that, where such parties require to process your personal data, your personal data may be transferred and processed outside the UK.
15.2 Whenever we transfer, or a third party provider transfers, your personal data outside the UK, we will ensure a similar degree of protection (as within the UK) by using appropriate safeguards, which may include the following:
15.2.1 we will only transfer your personal data to countries that have been deemed by the ICO to provide an adequate level of protection for personal data (including all EEA countries) or
15.2.2 where there is no deemed adequate protection, we may use specific contracts (or “International Data Transfer Agreements”) or standard contractual clauses approved by the ICO which give personal data the same protection as it has in the UK.
15.3 The safeguards used will depend on the circumstances of the transfer and the location of the transfer and processing. - How long do we keep personal data?
16.1 We will usually retain your personal data for up to six (6) years following expiry or termination of any contracts or arrangements between us, unless we are obliged to retain your personal data for a longer period as a result of an overriding legal obligation or in order to establish, defend or exercise legal rights.
16.2 To determine the appropriate retention period for personal data, we consider the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. - How secure is my personal data?
17.1 We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to only those employees, officers, volunteers, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality and a duty to keep your personal data secure.
17.2 We have in place procedures to deal with any actual or suspected personal data breach. We will notify you and the ICO of a breach where we are legally required to do so. - Your rights
18.7 Data portability. You have the right to request the transfer of your personal data to you or to a third party (also known as "data portability"). We will provide you, or a third party you have chosen, with your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use, or where we used the information to perform a contract with you.
Your personal data is protected by legal rights, which include your rights to:
18.1 Be informed. This privacy notice provides you with information about how we collect, store, process and share your personal data.
18.2 Access. You have the right to request access to your personal data (also known as a "data subject access request"). You can request to receive a copy of the personal data we hold about you and to check that we are lawfully processing your personal data.
18.3 Rectification. You have the right to request correction of inaccurate or incomplete personal data that we hold about you. In some cases, we may need to verify the accuracy of the new data you provide to us.
18.4 Erasure or deletion. You have the right to request erasure of your personal data (also known as the "right to be forgotten"). You can ask us to delete or remove your personal data from our systems where there is no good reason for us to continue to process it. We may not always be able to comply with your request due to specific legal reasons, however if this is the case we will notify you of these reasons at the time of your request.
18.5 Objection. You have the right to object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and you feel this processing impacts on your fundamental rights and freedoms, or where we are processing your personal data for direct marketing purposes.
18.6 Restriction. You have the right to request restriction of our processing of your personal data. You can ask us to suspend the processing of your personal data in the following scenarios:-
if you want us to establish the data's accuracy;
-
where you believe our use of the data is unlawful but you do not want us to erase it;
-
where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
-
you have objected to our processing of your data but we need to verify whether we have overriding legitimate grounds to use it.
18.8 Withdrawing consent. You have the right to withdraw your consent to our processing your personal data at any time where we are relying on this consent as our basis for this processing. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
18.9 Automated decision making and profiling. You have the right not to be subject to decisions (or be subject to profiling) based solely on automated processing if it will significantly affect you or have a serious negative impact on you. We do not currently carry out any decision making or profiling about you where none of our employees or any other individuals have been involved on the process. -
- Exercising your rights
19.1 If you want to exercise any of these rights, please contact us using the details above.
19.2 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your other rights. This is a security measure to ensure that your personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to help speed up our response.
19.3 You will not usually have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
19.4 You also have the right to complain to the Information Commissioner's Office about how we are processing your personal data. Please visit the ICO's website for more information on how to make a complaint: Make a complaint | ICO. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
