Privacy Policy

This Privacy Notice applies to visitors to ("our website)" or individuals who contact us by telephone, e-mail or other ways, including other electronic means.

1. Who we are

We are Historic Environment Scotland (HES), an executive non-departmental public body, incorporated and established under the Historic Environment Scotland Act 2014, being a registered charity (Scottish Charity number SC045925) and having its principal office at Longmore House, Salisbury Place, Edinburgh, EH9 1SH.

We are a data controller for the purposes of the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018).

2. How to contact us

If you have any questions about this Privacy Notice or our data protection policies generally, please contact us:

By post:
The Data Protection Officer
Historic Environment Scotland
Room G.50
Longmore House
Salisbury Place
Edinburgh, EH9 1SH                

By email:

By phone: 0131 668 8600

3. Privacy Notice

Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

4. The data we collect about you

5. How is your personal data collected?

6. How we use your personal data

7. Purposes for which we will use your personal data


Type of data

Lawful basis for processing including basis of legitimate interest

Where you fill in forms on websites requesting that we contact you

(a) Identity

(b) Contact

(a) Necessary for our legitimate interests (to respond to customer enquiries)

(b) Necessary for us to carry out a specific task in the public interest which is laid out by law

Where you sign up for a newsletter

(a) Identity

(b) Contact

(c) Marketing & Communications Data

On the basis of your consent (by signing up for a newsletter you are taking a positive action to opt-in to receiving marketing material from us)

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Asking you to leave a review or take a survey

(a) Identity

(b) Contact

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To administer and protect our business and these websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

(a) Identity

(b) Contact

(c) Technical

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

To use data analytics to improve our websites, products/services, customer relationships and experiences

(a) Technical

(b) Usage

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant and to develop our business


8. Disclosures of your personal data

9. How long do we retain your data?

10. Marketing

We will only use your personal data for direct marketing purposes where you have consented to be contacted for such purposes. We do not share your personal details with any third party for their marketing purposes. You have the right to withdraw consent to marketing at any time by contacting us using the details above or by unsubscribing where there is an option to do so. 

We use trusted third-party media agencies to help us with our advertising, but we do not share your personal details with any third party for their marketing purposes. You have the right to withdraw consent to our marketing at any time by contacting us using the details above.

If you receive marketing from us on social media platforms, you are able to withdraw your consent by adjusting your privacy settings within each social media platform itself. You may see our adverts if your settings allow for targeted advertising based on attributes of your social media profile, such as your location, age, and interests. For example, if you live near one of the historic properties we care for, you may see an advert (ad) for an event at that specific property. 

You may also see our online advertising as a result of your information being automatically profiled by the social media platform and your account being selected as part of the audience for the ad. You can prevent this type of targeting by adjusting your privacy settings within each social media platform or by adjusting your cookie settings in the browser. You can also interact with the ad itself and select the options that prevent further targeted advertising using your information in this way.

11. Cookies

You can set your browser to refuse all or some browser cookies or to alert you when a website sets or accesses cookies. You can also accept all, reject all, or select specific cookies within our websites’ cookie banner. 

If you disable cookies in a browser or refuse them within a cookie banner, please note that some parts of these websites may become inaccessible or not function properly.

For more information regarding the cookies we collect on the Rock Art website, please read our Cookie Policy.

12. Additional Information

13. Data transfers

We only transfer personal data outside of the United Kingdom (UK) and European Economic Area (EEA) when we can ensure it will be protected to a similar degree as within the UK and EEA.

For some of our services, such as ticket sales and social media management, we need to transfer data outside of the EEA. Your data may be transferred to Canada, which is deemed by the European Commission to provide an adequate level of protection for personal data. We may also transfer personal data to the United States to recipient organisations that are contractually bound to treat our data to a similar standard.

14. Data Security

15. Your rights