Data protection policy

Preamble
The Réunion des Musées Nationaux – Grand Palais builds strong, long-lasting relationships with its visitors and customers, based on mutual trust. Guaranteeing the security and confidentiality of your personal data is therefore a strong commitment.

We apply a personal data management policy that complies with the Computing and Freedoms Act of 6 January 1978, as amended, and the (EU) General Data Protection Regulation of 27 April 2016 (or GDPR). Our policy is based on the following principles:
1. you stay in control of your data
2. your data is processed in a clear, confidential and protected way
3. we commit ourselves to ensuring continuous protection of your data
4. the service providers involved in processing your data all meet our level of requirement in managing personal data

This protection policy sets out our commitments regarding your personal data collected on our art workshops website (hereafter “the Website”).
Its purpose is to inform you about:
  • the data we collect;
  • the reasons why we need it;
  • the way we process your personal data;
  • the rights you have in this regard and how to exercise them.
It may be amended at any time to take account of any regulatory, editorial or technical change. Please peruse it regularly in order to take note of the most recent version.
Who is responsible for processing your data?
The public establishment of the Réunion des musées nationaux et du Grand Palais des Champs-Élysées
Head office: 254/256 rue de Bercy – 75570 Paris cedex 12 – France
RCS Paris B 692 041 585
What personal data do we collect?
Personal data is information directly or indirectly relating to an identifiable natural person.
We collect your personal data in three ways:
You may communicate personal data to us, in particular, in the following cases:
- you contact us for a request or a complaint;
- you visit our Website;

We also collect information about you on the occasion of our relationship with you (transactions, purchase history, statistics) or automatically when you visit our Website.

Finally we may collect your data from social media:
- when you log in to one of your online accounts and/or personal space with your Facebook/Twitter/Instagram/Pinterest accounts. Please manage your privacy settings on these social media platforms before logging in to your online account/personal space.
- when you sign up to our Facebook, Twitter, Instagram and YouTube pages from some of our Websites in order to follow our news. The data that we may collect in this context is anonymous and processed for purely statistical purposes (in particular to monitor the number of subscribers that follow these pages).

We are not responsible for the processing which your personal data may undergo by social media websites that have their own data protection policy. Please peruse their policies to find out your rights with respect to each of them, and to manage your privacy settings.
In this context, we may collect the following personal data:
- your identity: last name, first name;
- your contact information: postal address, email address, phone number;
- your order and payment information;
- information about your navigation and connection to our Website that is required for its proper technical operation, to allow us to measure the audience, or to offer targeted advertising: cookies, hash tags, tags, domain name, type of Internet browser, etc. To learn more, see the cookie management section;
- any other information that you provide to us directly and voluntarily: comments and opinions, preferences, etc.
We take care to ensure that the collection of this data is relevant, appropriate, non-excessive and strictly needed for our activities.

Certain information is essential to be able to benefit from the service in question (indicated by an asterisk). If it is not communicated to us, you will be unable to benefit from this service.

And if you communicate personal data belonging to a third party to us: you must ensure that the data subject accepts his/her personal data being communicated to us.
Do we collect personal data from individuals under 18?
Our products and services are for adult individuals with the legal capacity to commit themselves.
Why we collect your personal data
The collection and processing of your personal data is only possible for a specific purpose about which you are aware when it is collected and from which you derive an identified and tangible benefit.

We are committed to ensuring that your data is collected for the following purposes:
Process your orders
(purchases, transactions and information messages relating to the order)
The legal basis in this context is performance of the contract. The collection and use of your data for this purpose does not require your consent to be obtained.


And/or
Respond to your requests and complaints
(e.g. Returning an item, product availability, etc.)
In this context, the legal basis of the processing is either the contractual performance if the request is related to a contractual relationship, or the legitimate interest of the Rmn-Grand Palais, more specifically our economic interest in communicating clearly with you and understanding your needs and your requirements. The collection and use of your data for this purpose does not require your consent to be obtained.


And/or
Improve the use of our website
In this context, the legal basis of the processing is the legitimate interest of the Rmn-Grand Palais, more specifically its economic interest in continuously improving its Website and its services and of understanding your needs to meet your requirements.


And/or
Compile statistics or carry out surveys
These are carried out using anonymised data allowing us to improve knowledge of our activities. In this context, the legal basis of the processing is the legitimate interest of the Rmn-Grand Palais, more specifically its economic interest in continuously improving knowledge of its customers and their requirements.


And/or
Meet our legal obligations and/or assert our rights
(in the event of control by the competent authorities, management of unpaid debts and/or disputes).
The legal bases in this context are, according to the case, either compliance with a legal obligation, or legitimate interest. The collection and use of your data for these purposes do not require your consent to be obtained.
Who has access to your personal data?
Your personal data is only intended to be used by the Réunion des Musées Nationaux-Grand Palais and is only accessible by our staff who are empowered to manage it, according to the collection purposes (commercial or administrative departments, departments responsible for the control, marketing departments).

As an exception, it may be communicated to:
- service providers, in particular for computer services (hosting, storage, analysis, data processing, databases management or computer maintenance services). These service providers act on instructions of the Rmn-Grand Palais and the terms of intervention and access to data are strictly regulated by a contract.
- third parties as part of compliance with a legal obligation or in order to guarantee our rights (authorities and courts, lawyers, tax inspector, etc.)
Where is your data stored? And how is it protected?
Your personal data are stored on servers located within the European Union, either internally on our secure servers, or externally by a duly chosen service provider.

As the controller, we implement the security and confidentiality procedures required to prevent any risk of fraudulent access, theft, damage or accidental loss of your data.

When a service provider is involved in processing personal data, we attach paramount importance to the technical and organisational measures that it undertakes to take to preserve the security and confidentiality of the data.

We also reserve the right to commission audits of our service providers.
For how long and how do we keep your data?
The retention periods of your data are defined by us in relation to the legal and contractual obligations. These periods are set in accordance with the purposes pursued. When these periods have elapsed, the data are either deleted or retained after having been anonymised, i.e. modified to make their link to a person permanently impossible.
Data relating to the commercial relationship
The data is stored during the commercial relationship (including exercise of the legal guarantees) and then archived with restricted access and retained for the additional time required for compliance with our legal obligations or for the purposes of defending or asserting our rights. At the end of this period, your personal data is anonymised or deleted.
Data collected via audience and advertising cookies
This data is retained for a maximum period of 13 months from when it is recorded. After this time, it is deleted.
What are your rights? How to exercise them
Right to information
You have the right to be informed about why we collect your data, how we process it, the rights that you have and how to exercise them.
Right of access
You have the right to ask us whether we have data about you and to request a copy of it in an understandable format. This right thus allows you to check the accuracy of the data and, as necessary, have it corrected or deleted.
Right to rectification
You may directly correct, update or complete your online data on your account/space. You may also ask us to update or complete the personal data that we have.
Right to withdraw consent
You also have the right to withdraw your consent for the placement of analytical and advertising cookies at any time. To do so, you simply have to configure the Internet browser on your computer, tablet or mobile. (For more information see the Cookie management section).
Right to object
When we collect your data for the purpose of performing the contract or on the basis of a legitimate interest, you have the right, for legitimate reasons, to object to your data being disseminated, transmitted or stored. The objection right allows you to object to us using your data for a specific purpose provided you put forward reasons relating to your particular situation.
Right to restriction of processing
If you dispute the accuracy of the data collected or if you object to your data being processed, you may ask us, when making your request to correct data or object to their use, to suspend use of your data pending the processing of your request.
Right to erasure (right to be forgotten)
You have the right to obtain the erasure of your personal data at any time in the following cases:
- the data is not or no longer required for the purposes for which we initially collected or processed it;
- you have withdrawn your consent to the use of your data;
- your data must be erased to comply with a legal obligation.

We may refuse to erase your data when it is required:
- to meet our legal obligations;
- for establishing, exercising or defending rights in legal proceedings;
- for scientific or historical research purposes or for their use for statistical purposes in the public interest.
Right to portability
You have the right to obtain a copy of the data that you have sent to us within the context of a contract or that we have collected with your agreement, in a structured, commonly used and legible format. This copy may be transmitted or sent to another party, at your request.
Right to communicate after-death instructions
At any time, you may give instructions regarding the retention, erasure and the communication of your personal data after your death.
How to exercise your rights
We recommend that you directly contact the department specified in the latest communication that you have received.

In order to enable us to understand your request and to respond to it quickly, please state in your request:
- the right that you wish to exercise and, where relevant, the reasons for your request (e.g. deletion of a customer account/personal space, update of your data)
- your last names, first names and email address and postal address (if you wish to receive a reply by postal mail)

The rights from which you benefit are rights of an individual nature and may therefore only be exercised by the owner of the data. To meet this obligation, when making your request, please provide proof of your identity by giving a customer number or via an authentication space whenever possible, or by sending us a copy of a valid identity document. The copy of your proof of identity will of course be deleted by our services as soon as the identity check has been completed.

We will endeavour to reply to your request within a reasonable time, and in any event, in accordance with the legal requirements.
Right to complain
If you believe that your rights are not being respected or that the protection of your personal data is not provided in accordance with the applicable regulations, you may lodge a complaint with the French National Commission of Data Processing and Freedoms (CNIL).
Cookie management
What are cookies used for?
Cookies are computer files automatically placed on the hard disk on your computer, tablet or mobile device when you browse our Site. They are managed by your browser (Internet Explorer, Firefox, Safari or Google Chrome).

We use different kinds of cookies on our Website:
- cookies needed for the operation of the Website: they allow you to use the main features of our Website. Without these cookies you will not be able to use our Website normally.

- analytical or audience-measuring cookies, which allow us to understand how our Website is used and how it performs with its audience, and to improve its operation for our visitors, e.g. by establishing traffic statistics and volumes and the use of the various components of our Websites (sections and content visited, pathways), in order to improve the interest and ease of use of our Website.

- social media (Facebook and Twitter) cookies stored by social media when you share content of our Websites with other people or give them your opinion about this content via an application button (plug-in). We have no control over the processes used by social media for collecting information on your browsing of our website and how they associate this with the personal data that they have. Please peruse their data protection policies to find out your rights with respect to each of them, and to manage your privacy settings.
How to configure cookies
You have the choice of setting your browser to accept or reject all cookies, to periodically delete cookies or to see when a cookie is placed, how long it is valid for, what it contains and to refuse it being recorded on your hard disk.

You can choose to block or disable these cookies at any time by changing the settings of your internet browser on your computer, tablet or mobile, in line with the instructions provided by your browser provider as shown by the websites mentioned below:

With Internet Explorer
Open the "Tools" menu, then choose "Internet Options"; Click on the "Privacy" tab, then the "Advanced" tab and choose the desired level or click on the link below:
http://windows.microsoft.com/fr-fr/windows-vista/block-or-allow-cookies

With Mozilla Firefox
Open the "Tools" menu, then choose "Options"; click on the "Privacy" tab, then choose the desired options or click on the link below:
http://support.mozilla.org/fr/kb/activer-desactiver-cookies

With Safari
Choose "Safari > Preferences" then click on "Security"; From the "Accept cookies" section, choose the desired options or click on the link below:
http://support.apple.com/kb/index?page=search&fac=all&q=cookies%20safari

With Google Chrome
Open the configuration menu (the one with the wrench logo), then choose "Options"; click on "Advanced options" then from the "Confidentiality" section, click on "Content settings" and choose the desired options or click on the link below:
https://support.google.com/chrome/answer/95647?hl=fr

With iOS
http://support.apple.com/kb/HT1677?viewlocale=fr_FR

You can also type "cookies" into your browser’s Help page to find setting instructions.
For more information, you can also view the following pages on the CNIL website:
https://www.cnil.fr/cnil-direct/question/198