1. INTRODUCTION

This Privacy Policy describes how we use data in the context of the Tutankhamun. Discovering the Forgotten Pharaoh. exhibition

The Data Controller for the use of this data is Tempora S.A. (hereinafter ‘Tempora), whose registered office is located at Rue des Anciens Etangs, 44-46 à 1190 Forest, Belgium with company registration number CBE 0465.174.782.

Tempora is mainly active in the cultural sector. In this context, Tempora designs, produces, realises and promotes cultural events for the public, both in Belgium and abroad.

To achieve its corporate purpose, Tempora is required to process information about you.

2. Definitions

Supervisory authority or Authority: A supervisory authority designated by the Member State under Article 51 of the GDPR. In Belgium this is theAutorité de protection des données/GegevensbeschermingsautoriteitIn France, this is the Commission nationale de l’informatique et des libertés..

Customer: Natural or legal person in a regular or occasional contractual relationship with the Data Controller for a good or service.

Personal data (or Data): Any information relating to an identified or identifiable natural person (hereinafter the ‘ Data Subject ’). An ‘identifiable natural person’ is deemed to be a natural person who can be identified, whether directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his/her physical, physiological, genetic, psychological, economic, cultural or social identity.

Sensitive data: Personal data relating to sensitive aspects such as racial identity or ethnic origin, political opinions, religion or any other beliefs, health or any medical condition, criminal history, trade union membership, or sexual orientation. Sensitive data may be processed with the Data Subject’s consent. If the Data Subject communicates sensitive data, he/she consents to the Processing of this data by the Data Controller.

Internaute : Natural person visiting the website domain name www.expo-toutankhamon.com.

Notification: Information provided to the Authority by the Data Controller, in accordance with Article 33 of the GDPR, in the event of a Personal Data Breach.

Data Subject: Natural person whose Data is processed by the Data Controller.

Privacy policy or Policy: This policy, which concerns the protection of Personal Data.

Prospect : Natural or legal person for whom commercial and/or communication operations are put in place so that this person becomes a Customer of the Data Controller.

Data Controller: The natural or legal person, public authority, service or any other body which determines the purposes and means of the Processing, in this instance this is Tempora.

RGPD : Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95 /46/EC (General Data Protection Regulation).

Processing: Any operation or series of operations, whether or not performed using automated processes and applied to data or sets of personal data, such as the collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, linking or interconnecting, limiting, erasing or destroying data.

Personal Data Breach or Breach: A breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data transmitted, stored or otherwise processed, or unauthorised access to such data.

3. Which Data is collected and for which purpose does the Data Controller retain this Data?

3.1. Principle

In accordance with the GDPR, Data is collected for specific purposes.

Data collection must also be based on one of the legal bases provided for in Article 6 of the GDPR.

If the Data Controller decides to use the Data for a purpose other than that set out in the Policy, it will provide prior information to the Data Subject about this other purpose.

The purpose of this Policy is to inform the Data Subject of the purposes and legal bases that apply to the use of his/her Personal Data.

3.2 Categories of collected Data

Personal Data is categorised according to the Recommendation of the Data Protection Authority (Recommendation No. 06/2017 of 14 June 2017 relating to the Register of processing activities (Article 30 of the GDPR)).

The data in each category is cited so that the Data Subject can measure the data that relates to a stated category.

Debts, expenses	total expenses
Personal identification data	name, title, (private or professional) address, (private or professional) telephone number, email address
Current job	Job title and description
Image recordings	Films, photos, video recordings, digital photos.
Financial transactions	amounts due and paid by the data subject, overview of payments

3.3. Processing that is performed on all Data Subject categories under this Policy

The following Data Processing is performed:

Backup management of the IT infrastructure of Tempora: 

• Purpose: Backup management; 
• Personal Data categories: Anything in IT resources.
• Legal basis: Legitimate interests of the Data Controller (Preservation of business continuity). 

3.4. The Data Subject is an internet user

The following Data is processed:

Contact using the Data Subject’s contact address: 

• Purpose: Management of requests; 
• Personal Data categories: Personal identification data; 
• Legal basis: Legitimate interests of the Data Controller (reply to questions when contacted). 

Subscription to a newsletter (e.g., for new exhibitions): 

• Purpose: Direct marketing; 
• Personal Data categories: Personal identification data; 
• Legal basis: Consent.  

Retention of consent for receiving the Newsletter: 

• Purpose: Consent management; 
• Personal Data categories: Personal identification data; 
• Legal basis: Legitimate interests of the Data Controller (Ensure the Data Subject’s consent). 

3.5. The Data Subject is a Prospect

The following Data is processed:

Request for a quotation (B2B): 

• Purpose: Customer management; 
• Personal Data categories: Personal identification data, Current job; 
• Legal basis: Necessary for the performance of a contract. 

3.6. The Data Subject is a Customer

The following Data is processed:

Management of bookings: 

• Purpose: Customer management; 
• Personal Data categories: Personal identification data; 
• Legal basis: Necessary for the performance of a contract. 

Purchase of a ticket to the exhibition: 

• Purpose: Customer management; 
• Personal Data categories: Personal identification data, Financial transactions; 
• Legal basis: Necessary for the performance of a contract. 

Booking of a guide: 

• Purpose: Customer management; 
• Personal Data categories: Personal identification data; 
• Legal basis: Necessary for the performance of a contract. 

Purchase of a ticket to the exhibition: 

• Purpose: Customer management; 
• Personal Data categories: Personal identification data, Financial transactions; 
• Legal basis: Necessary for the performance of a contract. 

Management of customer records (B2B): 

• Purpose: Customer management; 
• Personal Data categories: Personal identification data, Current job; 
• Legal basis: Necessary for the performance of a contract. 

Management of customer records (B2C): 

• Purpose: Customer management; 
• Personal Data categories: Personal identification data, Financial transactions; 
• Legal basis: Necessary for the performance of a contract. 

Accounting management (billing): 

• Purpose: Customer management; 
• Personal Data categories: Debts, Expenses, Personal identification data, Financial transactions; 
• Legal basis: Necessary for the performance of a contract. 

Emailings about future exhibitions: 

• Purpose: Direct marketing; 
• Personal Data categories: Personal identification data; 
• Legal basis: Legitimate interests of the Data Controller (Promotion of new exhibitions to existing customers).

Dissemination of private individuals or private property on the website/social media:

• Purpose : Direct marketing;
• Personal Data categories: Image recordings;
• Legal basis: Consent of the Data Subject.

Retention of consent for photos/videos: 

• Purpose: Consent management; 
• Personal Data categories: Personal identification data; 
• Legal basis: Legitimate interests of the Data Controller (Ensure the Data Subject’s consent). 

4. 4. How long is the Data retained?

The Data Controller retains the Data for the time necessary to achieve the purpose of the processing and to comply with its legal obligations.

The retention periods are determined based on several criteria such as the legal obligations to which the profession is subject, the type of processing, the purpose of said processing, the place where the Data is stored, the type of Person concerned or even the type of Data collected. The retention period for a particular data processing operation may be communicated to the Data Subject if he/she requests this.

In any case, the Data Controller shall retain the Data in accordance with the legal retention periods.

5. Who collects the Data?

Data may be collected by the Data Controller or through the web host or by the Data Controller's subcontractors. The Data is then passed on to the Data Controller.

The list of Subcontractors can be provided on request.

Certain intermediaries may be based in a third country outside the European Economic Area which guarantees an adequate level of protection of Personal Data, as determined by the European Commission.

When intermediaries are based in countries that do not grant an equivalent level of privacy protection, the Data Controller declares to take specific measures, in accordance with the data protection legislation in force in the EEA in order to protect this Personal Data.

6. How is the Data collected?

The Data is collected during exchanges with the Data Controller, whethere visu, in person, by telephone, post, email or fax, online or through its subcontractors (confirmation of a ticket order, for example).

Data may also be collected through cookies (for specific information on this subject, please refer to our Cookie Policy).

7. Why do we collect your Data?

We collect your Data to offer quality cultural events to the public.

Data may also be collected for the purpose of the proper performance of the contract, or may be used for the management of Suppliers, subsidies, or contracts related to services by/for the latter.

They may also be used for:

• Respond to requests for information and ensure follow-up.
• Inform Customers of any changes in the services offered and/or the applicable regulations.

The Data is also collected in order to meet legal obligations, in particular in terms of accounting, to comply with a court decision, to respond to a request from public authorities, to protect the Data Controller’s interests as well as those of its partners, protect its services, the privacy policy and any applicable text, formulate any recourse, or limit any damage that the Data Controller may suffer.

Finally, the Data may, in certain cases and for security purposes, be collected in the legitimate interest of the Data Controller or a third party.

8. With whom will this Data be shared?

Your Data may possibly be communicated to third parties in direct relation with the Data Controller, when necessary and in particular to the entities listed below:

• The service providers selected by the Controller, who are in charge of the supply of the material, the transport, and the delivery or any other similar service in order to enable them to provide said services.
• Towards a potential buyer, in the event of the (total or partial) transfer of the Data Controller's activities (merger, sale, transfer of assets, judicial reorganisation, and so on).
• In the event of a dispute, Data may be transmitted to a third party responsible for managing disputes (law firm, collection company, and so on), which will also ensure compliance with the applicable legislation with regard to this information;
• Accountant, public authority..., in order to comply with the Data Controller’s legal obligations (communication of Data to the Company’s accountant, responding to a request from public authorities, complying with a court decision, and so on).

The list of service providers can be provided on request.

9. How do we secure your Data?

Appropriate technical and organisational measures have been put in place to guarantee a level of security adapted to the risks, including among others, as required:

• Means to guarantee the constant confidentiality, integrity, availability, and resilience of processing systems and services;
• Means to restore the availability of Personal Data and access to it within an appropriate time frame in the event of a physical or technical incident;
• An internal policy concerning the processing of Personal Data;
• Limited retention periods;
• Access to the information system is limited to authorised personnel responsible for the protection of personal data;

The details of these security measures can be provided on request.

10. Which rights do you have as a Data Subject?

Depending on the type of Processing performed on Personal Data, the Data Subject may exercise several of the following rights:

10.1 Right of information

Any Data Subject for which Personal Data is processed has a right of information concerning the Data collected. The Data Controller provides this information through this Privacy Policy.

The Data Subject who wishes to obtain more information about which Personal Data is collected may be refused this information in the following cases:

1. The Data Subject already has this information;
2. If the request requires disproportionate or impossible efforts;
3. If providing this information could seriously compromise the purpose of the processing.

10.2 Right of access

All Data Subjects shall have the right of access to their Personal Data.

The Data Subject must make a request to the relevant department of the Data Controller so that the latter can provide him/her with details of the exact Data that it holds about him, subject to the rights and freedoms of others which may not be impacted.

The Data Controller must respond within one month of receipt of the Data Subject’s request. However, this period may be extended by an additional month depending on the complexity and the number of requests. In such a case, the Data Subject will be informed within one month of his/her request relating to the right to access.

The Data Controller is entitled to request payment of a ‘reasonable fee’ based on the administrative costs incurred to edit these documents in the event that the request recurs excessively, is unfounded, or manifestly intended to abuse this right of access.

10.3 Right of rectification

Data Subjects have the right to obtain from the Data Controller without undue delay the rectification of inaccurate Personal Data concerning him/her.

Data Subjects may also request to have incomplete data completed, in particular by means of providing a supplementary statement.

The Data Controller will notify the Data Subject when this process has been completed.

10.4 Right to erasure (right to be forgotten)

The Data Subject shall have the right to obtain from the Data Controller the erasure of Personal Data concerning him/her where one of the following grounds applies:

• The Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed by the Data Controller;
• The Data Subject wishes to withdraw their consent and there is no other legal ground for this processing;
• The Data Subject objects to the processing necessary for the purposes of the legitimate interests pursued by the Controller or by a third party;
• The Data Subject has a right to object which he/she exercises;
• The Data has been unlawfully processed;
• The Data must be erased for compliance with a legal obligation provided for by Union or Member State law to which the Controller is subject;

In the context of such a request, the Data Controller will take reasonable measures to erase this data, within one month of the request.

The Data Controller will notify the Data Subject when this process has been completed.

In the event that the Data Controller does not wish to grant this request, his refusal must be motivated.

The right to erasure does not apply to the extent that the processing is necessary:

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
• for the establishment, exercise or defence of legal claims;
• for archiving or statistical purposes as provided for under Article 89 of the GDPR.

A noter que si la personne concernée demande l’effacement total de ses données, et que sa demande a été accordée, la personne concernée ne pourra plus demander des duplicatas de ses certificats obtenus lors de l’accompagnement.

10.5 Right to restriction of processing

The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

• the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
• the processing is unlawful and the Data Subject opposes erasure of the Personal Data and requests the restriction of their use instead;
• the Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
• the Data Subject has objected to processing pursuant to his or her right to object, pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.

This request for limitation implies that Personal Data may, with the exception of storage, only be processed with the Data Subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of the Union or of a Member State.

The Data Controller will notify the Data Subject when this process has been completed.

10.6 Right to data portability

Where the processing of the Data Subject's Personal Data is based on the consent given by the Data Subject, or on a contract, and such processing is carried out by automated means, and provided that the data has not been anonymised, the Data Subject may request to receive such data in a structured, commonly used, machine-readable format, where technically feasible.

The Data Subject may transmit this data to another Controller, without the Controller being able to prevent this.

10.7 Right to object

The Data Subject has the right to object at any time, for reasons relating to his/her specific situation, to the processing of Personal Data concerning him/her based on the public interest or the Data Controller’s legitimate interest, including profiling based on these interests.

The Data Subject may also object to the processing of Data based on his/her consent or on a contract provided that the Data has been collected for prospecting purposes or for archiving and statistical purposes.

The Data Controller will no longer process this data, unless it can demonstrate that there are legitimate and compelling reasons for the processing which override the Data Subject’s interests and rights and freedoms, or for the recognition, exercise or defence of legal claims.

11. How to assert your rights?

A request for information may be submitted by email to: privacy@tempora.eu.

In the event that you consider that the follow-up given to your request is inadequate, you may always exercise one of the rights provided for above, or lodge a complaint with the Supervisory Authority of your country of residence.

You can contact it as follows:

In France :

Commission Nationale de l’Informatique et des Libertés (‘CNIL’):

• By phone: (+33) (0)1 53 73 22 22;
• Online contact form: https://www.cnil.fr/fr/plaintes ;
• By post: Commission nationale de l'informatique et des libertés, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France;

In Belgium: :

Autorité de protection des données/Gegevensbeschermingsauthoriteit:

• By phone: (+32) (0)2 274 48 00;
• Email: contact@apd-gba.be;
• Online contact form:
  https://www.autoriteprotectiondonnees.be/introduire-une-requete-une-plainte;
• By post: Autorité de Protection des Données/Gegevensbeschermingsautoriteit, rue de la Presse 35, 1000 Brussels, Belgium;
• Fax: (+32) (0)2 274 48 35.