Privacy Policy
Personal Data Protection Charter
This Personal Data Protection Charter describes the commitments made by LUMA/Arles, as the data controller, to ensure the protection of your personal data. Through this Policy, LUMA Arles aims to inform you clearly about how your personal data is collected and used when you use our website www.luma.org (the “Site”) and/or our mobile application LUMA (the “Application”), as well as in the context of your relationships of any nature with LUMA Arles.
Accordingly, LUMA Arles is committed to complying with the European General Data Protection Regulation (GDPR) (No. 2016/679) as well as French Law No. 78-17 on Information Technology, Data Files, and Civil Liberties.
This Charter may be updated. In such cases, we will indicate the date of the latest update at the bottom of this Charter. Your consent will always be required if the update to this privacy statement impacts the way your personal information is used compared to the provisions outlined in this Charter at the time your information was collected.
Contents
1. Scope
2. Principles Applied to Protect Your Data
3. What Data Is Processed and How Do We Collect It?
4. What Are the Legal Bases for Collecting Your Data?
5. When Is Your Personal Data Collected?
6. How Long Is Your Data Retained?
7. Who Is Responsible for Data Collection and Processing?
8. Who Are the Recipients of the Data?
9. How Is the Data Secured?
10. Use of Cookies
11. Data Transfers Outside the European Union
12. What Are Your Rights, and How Can You Exercise Them?
1. SCOPE
The following entities are covered under this Charter:
• LUMA Arles Endowment Fund, 35 Avenue Victor Hugo, 13200 Arles
• SAS LUMA Arles, 35 Avenue Victor Hugo, 13200 Arles
• SCI Ateliers d’Arles Immobilier, 35 Avenue Victor Hugo, 13200 Arles
• SCI des Ateliers, 35 Avenue Victor Hugo, 13200 Arles
2. PRINCIPLES APPLIED TO PROTECT YOUR DATA
In compliance with applicable regulations, LUMA Arles abides by the following principles:
• Lawfulness: We only use personal data if:
• We have obtained the person’s consent, OR
• It is necessary for the performance of a contract to which the person is a party, OR
• It is necessary to comply with a legal obligation, OR
• It is necessary to protect the vital interests of the person, OR
• It is based on our legitimate interest, provided that this use does not infringe on the freedoms and rights of the person.
• Fairness: We explain why personal data is collected and how it will be used.
• Purpose Limitation and Data Minimization: We only collect personal data that is strictly necessary for a specific purpose. If we can achieve the same result using less personal data, we ensure that only the minimum required data is used.
• Transparency: We inform individuals of how we use their data.
• Rights Facilitation: We make it easy for individuals to exercise their rights, including accessing, rectifying, erasing, or objecting to the processing of their data.
• Retention Periods: Personal data is only kept for limited periods.
• Data Security: We ensure the integrity and confidentiality of personal data.
• Third-Party Use: If third parties need to use personal data, we ensure they are capable of protecting it.
• Data Transfers Outside the EU: If personal data is transferred outside the European Union, we ensure the transfer is governed by appropriate legal mechanisms.
• Data Breaches: In the event of a data breach, we notify the relevant data protection authorities and the individuals concerned if the breach is likely to pose a high risk to their rights and freedoms.
3. WHAT DATA IS PROCESSED AND HOW DO WE COLLECT IT?
3.1. Your Data
LUMA Arles strives to collect only the data strictly necessary for the purpose for which it is processed
The term “data” refers to any personal information that can identify you as an individual, which you provide as part of your interactions with us.
When collecting your data through a digital form, required information is indicated by an asterisk or any equivalent indicator.
Optional data (not marked with an asterisk or equivalent indicator) allows us to better understand your needs and improve our communications and services. However, you are not obligated to provide it.
For individuals under 18 years old, data collection is limited to specific circumstances and is restricted to name, nationality, and date of birth. These details can only be provided by an adult. Please ensure your children do not provide us with personal data without your consent (especially via the Internet). If such data has been shared, you may contact the Data Protection Officer (see section 12) to request its deletion.
3.2. Methods of Collection
• Data You Provide to Us:
We collect socio-professional data such as your name, email address, home and professional addresses, phone number, nationality, and date of birth, provided when you purchase or use one of our products or services, during visits, while connecting to our Wi-Fi, or through other interactions (e.g., signing up for newsletters, surveys, promotions, or contacting customer support).
For reservations, we (or our financial service providers) collect payment-related personal data necessary to process your request, including credit or debit card details.
• Data We Collect Automatically:
When you browse our Site, we collect data about your commercial interactions with us (e.g., purchases, visits, correspondence, or phone exchanges). We also collect data about the device you use to browse the Site, such as your device’s unique identifier, IP address, operating system, browser, usage, diagnostic data, and geolocation.
• Data from Our Partners:
We may collect information from our trusted partners, provided they confirm they have legitimate reasons to share this data with us.
4. WHAT ARE THE LEGAL BASES FOR COLLECTING YOUR DATA?
The processing of your personal data by LUMA Arles is based on one or more of the following legal grounds:
• Your consent: When you have explicitly consented to the processing of your personal data for specific purposes (e.g., subscribing to newsletters, accepting cookies).
• Contractual necessity: When the processing is required for the performance of a contract to which you are a party, such as the purchase of tickets or other services.
• Legal obligation: When the processing is required to comply with legal or regulatory obligations.
• Protection of vital interests: In cases where the processing is necessary to protect your vital interests or those of another individual.
• Legitimate interest: When the processing is necessary for the legitimate interests pursued by LUMA Arles, provided this does not infringe on your rights and freedoms.
5. WHEN IS YOUR PERSONAL DATA COLLECTED?
Your personal data may be collected in the following contexts:
• Activities related to visits:
• Ticket sales
• Group visits
• Guided tours
• Sale of products or services:
• Private events
• Online store
• Educational activities
• Parking services:
• On-site parking
• Online parking reservations
• Marketing programs or activities:
• Participation in satisfaction surveys
• Subscriptions to newsletters
• Participation in promotional events
• Job applications
• Video surveillance
6. HOW LONG IS YOUR DATA RETAINED?
We only retain your personal data for as long as necessary to achieve the purposes outlined in this Privacy Policy or as required by applicable law. In general, the retention period for your personal data depends on the type of data and the purpose for which it is collected. Retention periods are determined by:
• Specific legal or regulatory provisions, including:
• Commercial Code
• Civil Code
• Labor Code
• Social Security Code
• Consumer Code
• Postal and Electronic Communications Code
• Guidelines issued by the French Data Protection Authority (CNIL)
• Operational needs: Retention periods are proportional to the purpose of the data processing and comply with the rights and freedoms of individuals.
Once these periods expire, your data will either be deleted or anonymized.
You have the right to request the deletion of your personal data at any time, subject to legal obligations requiring us to retain certain information.
However, even after you request the deletion of your data or after the retention periods have expired, your personal data may be archived temporarily to comply with legal, accounting, or tax obligations, or to account for any applicable statutes of limitation.
7. WHO IS RESPONSIBLE FOR DATA COLLECTION AND PROCESSING?
The subscription, access, and/or use of certain services involve the processing of personal data.
The entities listed in Article 1 of this Charter are jointly responsible for processing users’ personal data.
SAS LUMA Arles, located at 35 Avenue Victor Hugo, 13200 Arles, and registered in the Trade and Companies Register of Tarascon under number 812 901 700, has been designated to handle requests from individuals regarding their data. SAS LUMA Arles is therefore responsible for implementing and maintaining systems for managing such requests.
LUMA Arles recognizes the trust you place in us when providing your personal information for the use of our services.
As such, LUMA Arles is committed to complying with this Charter, which you accept when subscribing to our products or using our services.
LUMA Arles has appointed a Data Protection Officer (DPO) tasked with ensuring the protection of personal data. You can contact the DPO at dpo@luma-arles.org.
LUMA Arles cannot be held responsible for the content, security levels, or privacy practices of websites to which links on its platforms may refer.
8. WHO ARE THE RECIPIENTS OF THE DATA?
With Service Providers, Subcontractors, and Partners
In the course of providing its services, LUMA Arles may share or grant access to your data to its internal services and the following subcontractors:
• The subcontractor responsible for managing the Site and analyzing site traffic.
• The subcontractor responsible for hosting the Site.
• Providers of statistical analysis tools and remarketing solutions.
Regarding banking data:
Transactions related to payments for purchases and fees via our platform are managed by an external payment service provider. This provider ensures the proper processing and security of transactions. The provider collects and stores your personal data, including credit/debit card details, on behalf of and as instructed by us. However, LUMA Arles does not have access to this data.
Your card’s CVV2 security code is not stored.
Upon request, we can disclose the identity of our subcontractors who may have access to your personal data.
Internal Recipients at LUMA Arles
Your data may be shared internally with a limited number of authorized departments to enhance your experience. These include:
• Communication Department
• IT Department
• Legal Department
• Accounting Department
• Human Resources Department
• Development Department
• Public Services Department
• Partnerships and Sponsorships Department
• Security Team
9. HOW IS THE DATA SECURED?
LUMA Arles ensures the security of your data by implementing robust technical and physical security measures to maintain the integrity and confidentiality of your data. Specifically:
• Encryption: Personal data is systematically encrypted during transmission to ensure confidentiality and prevent unauthorized third-party access.
• Restricted Access: LUMA Arles’ servers are located in secured areas with access restricted to necessary personnel. Logical access to personal data is strictly limited to automated processes and staff requiring access for operational purposes.
10. USE OF COOKIES
We use various cookies on the Site and/or the Application to enhance the interactivity of the platform and our services.
What is a “cookie”?
A cookie is a small text file placed on your device (computer, mobile, or tablet) when visiting a website or viewing an advertisement. Cookies collect information about your browsing activity and deliver personalized services, such as remembering your preferences or enabling targeted advertising.
Cookies may be managed directly through your browser settings.
Types of Cookies Used
• Strictly Necessary Cookies: Essential for the proper functioning of the Site and cannot be disabled.
• Analytics Cookies: Provide insights into how the Site or Application is used.
• Third-Party Cookies: Set by third parties (e.g., advertising agencies or partners) for audience measurement and targeted advertising.
Managing Cookies
You can modify your cookie preferences at any time via the “Cookie Management” page available on every page of the Site/Application.
11. DATA TRANSFERS OUTSIDE THE EUROPEAN UNION
As a general rule, LUMA Arles stores personal data within the European Union (EU).
However, in some cases—such as when certain service providers are located in countries outside the EU (“Third Countries”)—LUMA Arles may transfer some of your personal data to those Third Countries. This may include countries that do not benefit from a “adequacy decision” issued by the European Commission.
In such cases, LUMA Arles ensures that these transfers are conducted in compliance with applicable regulations and guarantee an adequate level of protection for the privacy and fundamental rights of the individuals concerned. These guarantees may include, for example, the use of standard contractual clauses approved by the European Commission.
When transferring data to countries with lower data protection standards than those required in the EU, LUMA Arles implements contractual, technical, and organizational safeguards to ensure that your data is protected.
12. WHAT ARE YOUR RIGHTS, AND HOW CAN YOU EXERCISE THEM?
Under European Regulation 2016/679 (GDPR) of April 27, 2016, French Law No. 2018-493 of June 20, 2018, and French Law No. 78-17 of January 6, 1978 (known as the “Information Technology and Civil Liberties Act”), you have the following rights:
12.1. Your Rights
1. Right of Access:
• You have the right to obtain confirmation from LUMA Arles as to whether or not your personal data is being processed and to receive a copy of your data held by us.
2. Right to Rectification:
• You have the right to request the correction of inaccurate or outdated personal data.
3. Right to Erasure (“Right to Be Forgotten”):
• You can request the deletion of your personal data, except when we are legally required to retain it or when we have a legitimate reason to do so.
4. Right to Object:
• You may object to the processing of your personal data at any time for reasons related to your particular situation, especially in cases of data processing for marketing purposes.
• You can also object to processing based on LUMA Arles’ legitimate interests unless there are compelling and legitimate reasons for the processing that override your rights and freedoms or for the establishment, exercise, or defense of legal claims.
5. Right to Restriction of Processing:
• You can request a restriction of processing in the following cases:
• While the accuracy of your personal data is being verified after you have requested its correction.
• When you have objected to processing based on legitimate interests, pending verification of whether LUMA Arles’ legitimate interests outweigh yours.
• When processing is unlawful, and you prefer to restrict the use of your data rather than have it erased.
• When you need the data for the establishment, exercise, or defense of legal claims, even though we no longer need the data for processing.
6. Right to Data Portability:
• You can request to receive the personal data you provided to LUMA Arles in a structured, commonly used, and machine-readable format. This applies to data processed based on your consent or a contract and when processing is carried out by automated means.
• You also have the right to request the transfer of this data to another data controller.
7. Right to Define Instructions for Post-Mortem Data:
• You can specify how your personal data should be managed after your death.
12.2. How to Exercise Your Rights
These rights can be exercised under the conditions and limits set out in applicable regulations. To confirm your identity, LUMA Arles may request supporting documentation. Incomplete requests cannot be processed.
To exercise your rights:
• Contact our Data Protection Officer (DPO) by filling out the following form: Form.
• You may also email the DPO at dpo@luma-arles.org.
If a justification of identity is required and not provided, we will not be able to process your request. In such cases, the response time will be suspended until the requested additional documents are provided.
If no satisfactory solution is found or if a dispute persists, you have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL) or the data protection authority of the EU Member State where you habitually reside.
Date of last update: September 2024