Privacy Policy

1. Introduction

This privacy policy concerns the use of data produced within the framework of the exhibition. Passion Japan.

The person responsible for the use of this data is Tempora SA (hereinafter “Tempora”), whose registered office is located at Rue des Anciens Etangs, 44-46 in 1190 Forest, Belgium with the number BCE 0465.174.782

The Tempora company is essentially active in the cultural sector. In this context, Tempora designs, produces, produces and promotes cultural events for the general public in Belgium and abroad.

To achieve its corporate purpose, Tempora is required to process information that concerns you.

2. Definitions

Supervisory Authority or Authority: A supervisory authority designated by the Member State under Article 51 of the GDPR. In Belgium, this is theData Protection Authority. In France, this is the National Commission for Informatics and Liberties.

Client: Natural or legal person who is in a contractual relationship with the Data Controller concerning a good or service, habitually or occasionally.

Personal data (or Data): Any information relating to an identified or identifiable natural person (hereinafter referred to as “ Concerned person "). An “identifiable natural person” is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific elements specific to their physical, physiological, genetic, psychological, economic, cultural or social identity.

Sensitive data : Personal data relating to sensitive aspects such as racial identity or ethnic origin, political opinions, religion or any other beliefs, health or any medical condition, criminal history, trade union membership or even sexual orientation. Sensitive data may in particular be processed with the consent of the person concerned. If the data subject communicates sensitive data, he or she consents to the Processing of this data by the Data Controller.

Internet user: Natural person visiting the domain name www.expo-toutankhamun.com.

Notice: Information to the Authority by the Data Controller, in accordance with article 33 of the GDPR, in the event of a Personal Data Violation.

Concerned person : Natural person whose Data is subject to Processing by the Data Controller.

Privacy Policy or Policy: This policy concerns the protection of Personal Data.

Prospect: Natural or legal person for whom commercial and/or communication operations are put in place so that they become Clients of the Data Controller.

Data controller: The natural or legal person, public authority, service or other body which determines the purposes and means of the Processing, in this case it is Tempora.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95 /46/CE (General Data Protection Regulation).

Treatment : Any operation or set of operations carried out or not using automated processes and applied to data or sets of personal data, such as collection, recording, organization, structuring, conservation , adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, limitation, erasure or destruction.

Personal Data Breach or Violation: A breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data.

3. What Data is collected and for what purpose does the Data Controller keep this Data?

3.1. Principle

In accordance with the GDPR, Data is collected for specific purposes.

The collection of Data must also be based on one of the legal bases provided for in Article 6 of the GDPR.

If the Data Controller decides to use the Data for a purpose other than that stated in the Policy, he will provide prior information to the Data Subject about this other purpose.

This Policy aims to present to the Data Subject the purposes and bases which apply to the use of their Personal Data.

3.2. Categories of Data collected

Personal Data is categorized according to the Recommendation of the Data Protection Authority (Recommendation No. 06/2017 of June 14, 2017 relating to the Register of processing activities (Article 30 GDPR)).

The data included in each category is cited so that the Data Subject can measure the data that relates to a stated category.

Debts, expenses	Total expenses
Personally identifiable information	Name, title, address (private and professional), telephone number (private, professional), email address
Current job	Job title and description
Image recordings	Films, photographs, video recordings, digital photos.
Financial Transactions	Amounts due and paid by the person listed, overview of payments

3.3. Processing common to the categories of Data Subject of this Policy

The processing of Data carried out is as follows:

Management of backups of Tempora's IT infrastructure: 

• Purpose: Backup management; 
• Categories of personal data: Everything found in IT resources.
• Legal basis: Legitimate interests of the Data Controller (Preservation of business continuity). 
  
  

3.4. The Data Subject is an Internet User

The Data processing carried out is as follows:

Contact by contact address: 

• Purpose: Management of requests; 
• Categories of personal data: Personal identification data; 
• Legal basis: Legitimate interests of the Data Controller (Answering questions when making contact). 

Subscription to the Newsletter or information letter (e.g. at new exhibitions): 

• Purpose: Direct marketing; 
• Categories of personal data: Personal identification data; 
• Legal basis: Consent.  

 

Conservation of consents Newsletter: 

• Purpose: Consent management; 
• Categories of personal data: Personal identification data; 
• Legal basis: Legitimate interests of the Data Controller (Ensure the consent of the Data Subject). 

3.5. The Data Subject is a Prospect

The Data processing carried out is as follows:

Request a quote (B2B): 

• Purpose: Customer management; 
• Personal Data Categories: Personally Identifiable Information, Current Employment; 
• Legal basis: Necessary for the performance of a contract. 

3.6. The Data Subject is a Customer

The Data processing carried out is as follows:

Reservation management: 

• Purpose: Customer management; 
• Categories of personal data: Personal identification data; 
• Legal basis: Necessary for the performance of a contract. 

Purchase a ticket for the exhibition: 

• Purpose: Customer management; 
• Personal Data Categories: Personally Identifiable Information, Financial Transactions; 
• Legal basis: Necessary for the performance of a contract. 

Booking a guide: 

• Purpose: Customer management; 
• Categories of personal data: Personal identification data; 
• Legal basis: Necessary for the performance of a contract. 

Purchase a ticket for the exhibition: 

• Purpose: Customer management; 
• Personal Data Categories: Personally Identifiable Information, Financial Transactions; 
• Legal basis: Necessary for the performance of a contract. 

Management of customer files (B2B): 

• Purpose: Customer management; 
• Personal Data Categories: Personally Identifiable Information, Current Employment; 
• Legal basis: Necessary for the performance of a contract. 

Management of customer files (B2C): 

• Purpose: Customer management; 
• Personal Data Categories: Personally Identifiable Information, Financial Transactions; 
• Legal basis: Necessary for the performance of a contract. 

Accounting Management (invoicing): 

• Purpose: Customer management; 
• Categories of personal data: Debts, expenses, Personal identification data, Financial transactions; 
• Legal basis: Necessary for the performance of a contract. 

Sending emails for future exhibitions: 

• Purpose: Direct marketing; 
• Categories of personal data: Personal identification data; 
• Legal basis: Legitimate interests of the Data Controller (Promotion of new exposures to existing customers).

Dissemination of photos of people or private property on the website/social networks:

• finality : Direct marketing ;
• Categories of personal data : Image recordings;
• Legal basis : Consent of the Data Subject.

Retention of consents for photos/videos: 

• Purpose: Consent management; 
• Categories of personal data: Personal identification data; 
• Legal basis: Legitimate interests of the Data Controller (Ensure the consent of the Data Subject). 

4. How long is the Data kept?

The Data Controller keeps the Data for the time necessary to achieve the purpose of the processing and comply with its legal obligations.

The retention periods are determined on the basis of several criteria such as the legal obligations to which the profession is subject, the type of processing, the purpose thereof, the place where the Data is stored, the type of Person concerned or even the type of Data collected. The retention period for a particular Data processing operation may be communicated to the Data Subject who requests it.

The Data Controller shall in any case retain the Data in accordance with the legal retention periods.

5. Who collects the Data?

The Data may be collected by the Data Controller or through the site host or by the Data Controller's subcontractors. The Data is then passed on to the Data Controller.

The list of Subcontractors can be communicated on request.

Some intermediaries may be established in a third country outside the European Economic Area which guarantees an adequate level of protection of Personal Data, as determined by the European Commission.

When intermediaries are established in countries which do not grant an equivalent level of privacy protection, the Data Controller declares to take specific measures, in accordance with the Data protection legislation in force in the EEA in order to to protect Personal Data.

6. How is the Data collected?

The Data is collected during exchanges with the Data Controller.and visibly, by telephone, postal mail, e-mail or fax, via the web or by its subcontractors (confirmation of a ticket order for example).

Data may also be collected via cookies (see specific information on this subject in the cookies policy).

7. Why do we collect your Data?

The Data is collected in order to offer quality cultural events to the public.

The Data may also be collected for the purpose of proper execution of the contract, or be used for the management of Suppliers, subsidies and contracts linked to the services of/for them.

They can also be used to:

• Respond to requests for information and ensure follow-up.
• Inform of possible changes in the services offered and/or applicable regulations.

The Data is also collected in order to meet legal obligations, in particular in matters of accounting, to comply with a court decision, to respond to a request from public authorities, to protect the interests of the Data Controller, as well as those of its partners, protect its services, the confidentiality policy and any applicable text, formulate a possible appeal or limit any damage that the Data Controller could suffer.

Finally, in certain cases relating to security, the Data may be collected in the legitimate interest of the Data Controller or a third party.

8. Who will the Data be shared with?

The Data may possibly be communicated to third parties in direct contact with the Data Controller, when necessary and in particular to the entities listed below:

• The service providers chosen by the Data Controller, who are responsible for the supply of equipment, transport and delivery or any other similar service to enable them to provide said services.
• Towards a potential buyer, in the event of transfer (total or partial) of the Data Controller's activities (merger, sale, transfer of assets, judicial reorganization, etc.)
• In the event of a dispute, the Data may be transmitted to a third party responsible for managing disputes (law firm, collection company, etc.), which will also ensure compliance with applicable legislation regarding this information;
• Accountant, public authority, etc., in order to comply with the legal obligations of the Data Controller (communication of Data to its accountant, respond to a request from public authorities, comply with a court decision, etc.).

The list of service providers can be communicated on request.

9. How do we secure them?

Appropriate technical and organizational measures have been put in place to guarantee a level of security appropriate to the risks, including, among others, as necessary:

• Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
• Means to restore the availability of Personal Data and access to them within appropriate time frames in the event of a physical or technical incident;
• An internal policy regarding the processing of personal data;
• Limited retention periods;
• Access to the information system limited to authorized personnel responsible for the protection of personal data;

Details of these security measures can be communicated on request.

10. What rights do you have?

Depending on the type of Processing carried out on Personal Data, the Data Subject may assert several of the following rights:

10.1. Right to information

Any Person concerned by this Personal Data has a right to information concerning the Data collected. It is in particular through this Privacy Policy that the Data Controller wishes to fill in this information.

The Data Subject who would like to obtain more information about the Personal Data collected may have this request refused in the following cases:

1. The Data Subject already has this information;
2. If the request requires disproportionate or impossible efforts;
3. If the provision of this information could seriously compromise the purpose of the processing.

10.2. Droit d'acces

Any Data Subject has a right of access to their Personal Data.

To do this, the Data Subject must make a request to the relevant department of the Data Controller so that the latter can detail the precise Data that it holds about them, subject to the rights and freedoms of others who cannot be achieved.

A response must be provided within one month of the request made by the Data Subject. However, this deadline may be extended by an additional month depending on the complexity and number of requests. In the latter scenario, the Person concerned will be informed within the month following their request for right of access.

The Data Controller is entitled to demand the payment of “reasonable fees” based on the administrative costs incurred to edit these documents in the event that the request is excessively recurring, unfounded or clearly intended to abuse this right of access. .

10.3. Right of rectification

Any Data Subject has the right to obtain from the Data Controller, as soon as possible, the rectification of Personal Data concerning them which is inaccurate.

The Data Subject may also request that incomplete data be completed, in particular by providing a supplementary declaration.

The Data Controller will notify the Data Subject of the completion of this process.

10.4. Right to erasure

The Data Subject may claim the right to have their Data erased as soon as one of the following reasons arises:

• The Data is no longer necessary for the purposes for which it was collected or processed by the Data Controller;
• The Data Subject wishes to withdraw consent and there is no other legal basis for this processing;
• The Data Subject objects to the processing necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party;
• The Data Subject has a right of opposition which he or she makes use of;
• The Data has been the subject of unlawful processing;
• The Data must be erased to comply with a legal obligation which is provided for by Union law or by the law of the Member State to which the Data Controller is subject;

In the context of such a request, the Data Controller will take reasonable measures to erase this data, within one month of the request.

The Data Controller will notify the Data Subject of the completion of this process.

In the event that the Data Controller does not wish to grant this request, its refusal will be justified.

The right to erasure does not apply to the extent that the processing of this data is necessary:

• To exercise the right to freedom of expression and information;
• To comply with a legal obligation which requires processing provided for by Union law or by the law of the Member State to which the Data Controller is subject, or to carry out a mission of public interest or relating to the exercise of the public authority vested in the Data Controller;
• To establish, exercise or defend legal rights;
• For archival or statistical purposes provided for in Article 89 of the GDPR.

Please note that if the person concerned requests the total erasure of their data, and their request has been granted, the person concerned will no longer be able to request duplicates of their certificates obtained during support.

10.5. Right to restriction of processing

The Data Subject has the right to obtain from the Controller restriction of processing where one of the following applies:

• The accuracy of the Personal Data is contested by the Data Subject, for a period allowing the Data Controller to verify the accuracy of the personal data;
• The processing is unlawful and the Data Subject objects to their erasure and instead demands restriction of their use;
• The Data Controller no longer needs the Personal Data for the purposes of processing, but they are still necessary for the Data Subject to establish, exercise or defend legal claims;
• The Data Subject has objected to the processing by virtue of his or her right to object, pending the verification whether the legitimate grounds pursued by the Controller override those of the Data Subject.

This limitation request implies that Personal Data can, with the exception of storage, only be processed with the consent of the Data Subject, or for the establishment, exercise or defense of legal rights, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of the Union or of a Member State.

The Data Controller will notify the Data Subject of the completion of this process.

10.6. Right to portability

When the processing of the Data Subject's Personal Data is based on the consent given by the Data Subject, or on a contract, and this processing is carried out using automated processes, and provided that the data has not been anonymized, the Data Subject may request to receive this data in a structured, commonly used and machine-readable format, where technically possible.

The Data Subject may transmit this data to another data controller, without the Data Controller being able to obstruct this.

10.7. Right to object

The Data Subject has the right to object at any time, for reasons relating to his or her particular situation, to processing of Personal Data concerning him or her based on the public interest or the legitimate interest of the Controller, including including profiling based on these interests.

The Data Subject may also object to Data processing based on their consent or on a contract provided that the data was collected for prospecting purposes or for archival and statistical purposes.

The Data Controller will no longer process these data, unless it demonstrates that there are compelling legitimate grounds for the processing which override the interests and rights and freedoms of the Data Subject, or for the establishment, exercise or the defense of rights in court.

11. How can you assert your rights?

A request for information can be submitted via the email address: privacy@tempora.eu.

In the event that the follow-up given to your request is not suitable, you can always exercise one of the rights provided above, or file a complaint with the Supervisory Authority of your country of residence.

You can contact her as follows:

In France :

National Commission for Information Technology and Liberties (“CNIL”):

• By telephone: (+33) (0)1 53 73 22 22;
• Online contact form: https://www.cnil.fr/fr/plaintes ;
• By mail: National Commission for Information Technology and Liberties, 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France;

 

In Belgium :

The Data Protection Authority:

• By telephone: (+32) (0)2 274 48 00;
• E-mail: contact@apd-gba.be;
• Online contact form:
  https://www.autoriteprotectiondonnees.be/introduire-une-requete-une-plainte;
• By mail: Data Protection Authority, Rue de la Presse 35, 1000 Brussels, Belgium;
• Fax: (+32) (0)2 274 48 35.