Privacy Policy

PRIVACY POLICY

This Policy is established by ARTEUM SERVICES, based at 16 rue Gaillon - 75002 Paris, with company number: RCS 808 799 704 Paris (hereinafter the 'data controller').

The aim of this Policy is to inform visitors to the website hosted at : https://boutique.museedesconfluences.fr/en/ (hereinafter the 'website') of the way in which their data will be collected and processed by the data controller.

This Policy has been established to reflect the data controller's commitment to acting transparently and in compliance with national regulations and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter the 'General Data Protection Regulation').

The data controller is particularly concerned by its users' privacy and is committed to taking the reasonable required precautions to protect collected personal data against loss, theft, disclosure or unauthorised use.

'Personal data' is defined as all personal data that concerns the user, i.e. all information that may identify them directly or indirectly as a natural person.

If the user wishes to react to one of the practices described below, they may contact the data controller at the postal address or email address provided in the 'contact details' section of this Policy. 

WHAT KIND OF DATA DO WE COLLECT? 

What kind of data do we collect?

The data controller collects and processes the following personal data in accordance with terms and principles described below:

- domain (automatically detected by the data controller's server), including dynamic IP address;
- email address, if revealed by the user, perhaps by sending messages or queries on the website, communicating with the data controller via email, taking part in discussion forums, accessing the restricted part of the website by logging in, etc.;
- all information regarding the pages the user has visited on the website;
- any information the user has provided voluntarily, e.g. via surveys and/or registration on the website, or by accessing the restricted part of the website by logging in.

The data controller may also need to collect non-personal data. This data is deemed non-personal data as it cannot identify an individual directly or indirectly. This data may be used for any purpose, e.g. to improve the website, the products or the services offered or for advertising purposes by the data controller.

Should non-personal data be combined with personal data so that the concerned individuals may be identified, this data will be processed as personal data, until it can no longer be used to identify individuals.

COLLECTION METHODS 

The data controller collects personal data through the following means:

- Web form (registration, contact, etc.)
- Contact through email
- Newsletter

PURPOSES OF PROCESSING 

Personal data is only collected and processed for the purposes mentioned below:

- to manage and monitor the execution of the services offered;
- to send and track orders and invoices;
- to send promotional information on the data controller's products and services;
- to send promotional materials;
- to respond to the user's queries;
- to gather statistics;
- to improve the quality of the website and/or the services offered by the data controller;
- to send information on the data controller's new products and/or services;
- to carry out direct marketing activities;
- to get a better understanding of the user's interests.

The data controller may need to carry out processing activities that have not yet been provided for in this Policy. In this case, they will contact the user before reusing their personal data to inform them of the changes and to offer them the opportunity, if applicable, to oppose this reuse.

LEGITIMATE INTEREST 

Some of the processing carried out by the data processor is founded on the legal basis of the data controller's legitimate interest. This legitimate interest is proportionate to the respect of the user's rights and freedoms. If the user would like to be informed of the details of the purposes founded on the legal basis of legitimate interest, they should contact the data controller (see 'contact details' section).

RETENTION PERIOD 

Generally, the data controller only keeps personal data for the period deemed reasonably necessary for the purposes established and in accordance with legal and regulatory requirements.

The customer's personal data will be retained for a maximum of 10 years after the end of the contractual relationship between the customer and the data controller.

After this retention period, the data controller must ensure that the personal data has been made unavailable and inaccessible.

APPLICATION OF RIGHTS

The data controller reserves the right to verify the user's identity in order to apply the rights detailed below.

This request for extra information will be made within a month of the user's request.

ACCESS TO DATA AND COPIES

The user may obtain a written communication or copy of the personal data collected that concerns them free of charge.

The data controller may request payment of the reasonable fees based on administrative costs for any extra copy requested by the user.
When the user makes this request electronically, the information will be provided in a commonly used electronic format, unless the user requests otherwise.

Unless an exception is provided for by the General Data Protection Regulation, the copy of the data will be sent to the user within a month of the request being received.

RIGHT TO RECTIFICATION

The user may request the rectification of their personal data if it is inaccurate, incomplete or irrelevant, or completion of their personal data if it is incomplete. This will be carried out as soon as possible and within a month at the latest.

Unless an exception is provided for by the General Data Protection Regulation, any request to apply the right to rectification will be processed within a month of when it is submitted.

RIGHT TO OBJECT TO DATA PROCESSING

At any time and for reasons relating to their particular situation, the user may freely object to the processing of their personal data, when:

the processing is required for the execution of a public interest activity or to exercise the public authority vested in the data controller;
the processing is required due to the legitimate interest pursued by the data controller or a third party, unless the interests, freedoms and fundamental rights of the concerned party prevail and require the personal data to be protected (especially when the concerned party is a child).

The data controller may refuse to apply the user's right to object if they can prove the existence of a pressing, legitimate reason that justifies the processing and prevails over the user's interests, rights and freedoms, or if they need to record, exercise or defend a legal claim. In the case of a dispute, the user may make an appeal in accordance with the 'Claims and complaints' section of this Policy.

The user may also object to the processing of their personal data, at any time, without justification and free of charge, when this data is collected for direct marketing purposes (including profiling).

When personal data is processed for scientific or historical research purposes or for statistical purposes in accordance with the General Data Protection Regulation, the user may object to the processing of personal data concerning them for reasons relating to their particular situation, unless the processing is required for the execution of a public interest activity.

Unless an exception is provided for by the General Data Protection Regulation, the data controller is required to respond to the user's request as soon as possible and within a month of the request and to provide reasons if they do not plan to follow up on the request.

RIGHT TO RESTRICT PROCESSING

The user may restrict the processing of their personal data in the following cases:

- when the user contests the accuracy of some data, only for the period in which the data controller is in control of the data;
- when the processing is illegal and the user would prefer to restrict the processing than to have their data erased;
- when, although the data is no longer needed for the processing purposes, the user needs it to record, exercise or defend a legal claim;
- for the time necessary for the legitimacy of an objection request from the user to be examined. In other words: the time the data controller requires to weigh up their own legitimate interests against those of the user.

The data controller will inform the user when the processing restriction has been lifted.

RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN)

The user may have their personal data erased for any of the following reasons:
- the data is no longer necessary for the processing purposes;
- the user has revoked their consent to their data being processed and there is no other legal basis to the processing;
- the user objects to the processing and there is no pressing reason for the processing and/or the user exercises their specific right to object to direct marketing (including profiling);
- the personal data has been processed illegally;
- the personal data must be erased to comply with a legal obligation (according to European Union law or the member state's law to which the data controller is subject);
- the personal data was collected within the framework of providing information society services aimed at children.

However, data shall not be erased in the following cases:

- when the processing is necessary for exercising the right to freedom of expression or freedom of information;
- when the processing is necessary to comply with a legal obligation that necessitates processing provided for by European Union law or the member state's law to which the data controller is subject, or for the execution of a public interest activity or to exercise the public authority vested in the data controller;
- when the processing is necessary for public interest reasons relating to public health;
- when the processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, provided always that the right to erasure may seriously compromise the achievement of the processing aims in question or render it entirely impossible;
- when the processing is needed to record, exercise or defend a legal claim.

Unless an exception is provided for by the General Data Protection Regulation, the data controller is required to respond to the user's request as soon as possible and within a month of the request and to provide reasons if they do not plan to follow up on the request.

RIGHT TO DATA PORTABILITY

At any time and free of charge, the user may request to receive their personal data in a structured, widely used and machine-readable format, especially with a view to passing it on to another data controller, when:

- the data processing is carried out through automated procedures; and when
- the processing is based on the user's consent or on a contract entered into by the user and the data controller.

In the same conditions and under the same terms, the user has the right to have the data controller pass on their personal data directly to another data controller, as far as this is technically possible.

The right to data portability does not apply to processing required for the execution of a public interest activity or to exercise the public authority vested in the data controller.

RECIPIENTS OF DATA AND TRANSFER TO THIRD PARTIES

The recipients of the collected and processed data are - other than the data controller, the data controller's employees and other subcontractors - the data controller's carefully selected commercial partners, based in Belgium or elsewhere in the European Union, who collaborate with the data controller within the framework of selling products or providing services.

Should the data be passed on to third parties for direct marketing or market research purposes, the user will be informed of this beforehand, so that they can choose whether or not to accept the transfer of their data to third parties.

When this transfer is based on user consent, the user may revoke their consent to this specific purpose at any time.

The data controller will respect the legal and regulatory provisions in force and will always ensure that their partners, employees, subcontractors and other third parties with access to this personal data respect this Policy.

The data controller will disclose the user's personal data if a law, a legal procedure or an order from a public authority makes this disclosure necessary.

The data controller will not transfer personal data outside of the European Union.

SECURITY

The data controller has implemented the appropriate technical and organisational measures to guarantee the security of the processing of the collected data in terms of the risks presented by the processing and the nature of the data to be protected, at a level that is adapted to the risk itself. The data controller will analyse the state of knowledge, the implementation costs and the nature, reach, context and purposes of the processing, as well as the risks posed to users' rights and liberties.

The data controller will always use the encryption technologies recognised as the industrial standard within the IT sector when they receive or transfer data on their website.

The data controller has implemented the appropriate security measures to protect the data and prevent the loss, misuse or alteration of information received on the website.

Should the personal data controlled by the data controller be compromised, the data controller will act swiftly to identify the cause of the breach and implement the appropriate solutions.

The data controller will inform the user of this incident, if the law so requires.

CLAIMS AND COMPLAINTS

If the user wishes to react to one of the practices described in this Policy, they may contact the data controller directly.

The user may also lodge a complaint with their national data protection authority, the details of which are provided on the official European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

The user may also file a complaint with the national competent court.

Data protection officer

The manager of the Musée des Confluences online store as defined by the GDPR and other national data protection laws of the member states as well as other data protection provisions is:

ARTEUM SERVICES - 16 rue Gaillon - 75002 PARIS

Contact details

For any questions or claims regarding this Policy, the user may contact the data controller:

Via email: contact@arteum.com
By post: ARTEUM SERVICES - 16 rue Gaillon - 75002 PARIS. 

MODIFICATION

The data controller reserves the right to modify the provisions of this Policy at any time. The modifications will be published directly on the data controller's website.

APPLICABLE LAW AND COMPETENT COURT

This Policy is governed by the national law of the data controller's main headquarters.

Any dispute arising from the interpretation or execution of this Policy will be submitted to the jurisdiction of this national law.

Manage Cookies

Last updated on June 21, 2022