Personal Data Protection Policy
This data protection policy duly completes the general conditions for use of the Websites.
1. Purpose
The purpose of this data protection policy is to define CITIA’s commitments as data processor or controller, in view of protecting personal data (hereinafter termed "the Data") collected and processed when using its Internet websites (hereinafter termed "the Websites") https://www.citia.org/, https://www.annecyfestival.com/, http://www.lespapeteries.com/ and the Annecy Festival App (iOS and Android version) and more generally for events (hereinafter "the Events") which CITIA organizes and services it offers (hereinafter "the Services").
2. Personal data controller
The Data is collected, processed and stored by CITIA, Image et industries créatives (Image and Creative Industries) – Établissement public de coopération culturelle (EPCC – Public Institution for Cultural Cooperation), registered at the Annecy RCS under the number 489 885 111, with its headquarters at c/o Conservatoire d'art et d'histoire, 18 avenue du Trésum, CS 50038 – Annecy – FR-74001 Annecy Cedex, represented by its chairman, Mr. Dominique PUTHOD.
3. Data collected
As data collector, CITIA may harvest several categories of Data, detailed hereinafter.
The Data results from information which you provide to CITIA by several channels, notably: browsing the Websites, enrolling or participating in Events, creating user accounts on the Websites, requesting to be contacted by CITIA, seeking information on Events and Services, and signing up for CITIA e-mailing campaigns.
In the Data collection forms, only items marked with an asterisk (*) are obligatory for processing your request. Replies provided in fields without an asterisk are optional.
3.1 Data which you may be asked to provide to CITIA
To participate in a CITIA-organized event:
- Last name/First name
- Details (e.g. Mr., Mrs.)
- E-mail address
- Postal address
- Phone number: land line and mobile
- Sector of activity
- Job title
- Copy of student card (for students)
- Copy of press card (for journalists)
To obtain a letter of invitation necessary for visa acquisition:
All of the abovementioned information, as well as:
- Name on passport
- Passport number
- Date of birth
- Place of birth
- Nationality
- Passport issue date
- Passport expiry date
- Passport issue authority
To create a user account:
- Last name/First name
- Details (e.g. Mr., Mrs.)
- E-mail address
- Country
To sign up for an e-mailing campaign:
- E-mail address
To obtain information from or be contacted by CITIA:
- Last name/First name
- Company
- E-mail address
3.2 Data provided to/by third parties or CITIA partners
Some Data may be supplied/transmitted to/by third parties or CITIA partners, in accordance with current rules and regulations (for example, after having been informed of your right to refuse, you gave your consent or expressed no objection to the transfer of your data to CITIA for marketing purposes).
3.3 Connection Data generated when browsing the Websites
When you visit our Websites CITIA also collects your IP address, log-in data and cookies (under the conditions stipulated in Article 9).
4. Purposes of the processing
When browsing the Websites, creating user accounts, filling in contact forms, enrolling in Events or signing up for e-mail campaigns, you are informed that CITIA is collecting, using and processing your data for the following purposes:
- to ensure that you are correctly enrolled and/or signed-up for an Event
- to enable you to create a user account
- to enable you to be contacted by CITIA
- to enable you to receive communications from CITIA and/or its partners
- to enable you to take advantage of all Services or benefits CITIA provides
- to establish personalized preference criteria
- to compile statistics and aggregated research reports so as to improve the algorithms, measure and comprehend how the Services are used and, beyond that, to develop new products, Services or features.
5. Recipients of the processing
The Data is solely reserved for CITIA and its specially-authorized staff members, in strict compliance with the processing purposes listed in Article 4 hereinabove.
CITIA may deem it necessary to communicate certain Data points to its sub-contractors and service-providers, in order to process your requests. The sub-contractors and service-providers are legally bound to respect the privacy and security of any Data which might be communicated to them, and are legally bound to use said Data solely to assist in their sub-contracting or service-provision.
CITIA pledges that your Data will not be disclosed to any non-authorized third parties, without your prior agreement.
If necessary, and only under very particular circumstances, CITIA may be obliged to disclose the Data if this is ordered by judicial or administrative authorities.
6. Data storage
To assess the most pertinent time period for Data storage, CITIA distinguishes between prospects who have never before had a contractual relationship with CITIA and/or partner(s), and those with whom CITIA now has an ongoing contractual relationship or already had one in the past.
The Data is stored by CITIA for a period not exceeding the strict time necessary for the collection purposes detailed above; moreover, in no case shall the Data be stored:
- beyond the contractual relationship with you
- beyond three years from the time of your last contact with CITIA.
At the end of the planned storage period, the Data may be reprocessed for statistical and research report purposes, as long as it is subject to pseudonymization.
7. Exercising rights over data
In compliance with the measures of the amended January 6, 1978 law and with the General Data Protection Regulation (or GDPR), you are entitled to the following rights:
- right to access, in other words obtaining confirmation from CITIA that your personal Data has been processed, or not. If it has, you are entitled to access said Data, as well as other information such as the processing purposes, your personal Data category, the Data recipient(s), and so forth
- right to rectify – at the earliest opportunity – any of your Data which is inexact, incomplete, expired, or ambiguous, or else any Data whose collection and processing were forbidden
- right to refuse the processing of the Data by CITIA or transfer of said Data, unless there are compelling and legitimate grounds prevailing against your interests
- right to erase your Data for the following reasons:
  - your Data is no longer necessary for the purposes for which CITIA collected or processed it
  - you have withdrawn your consent on which the processing was based, and no other legal reason for processing the Data remains
  - you object to the processing of the Data and no higher interest justifies this processing
  - your Data has been unlawfully processed
  - your Data must be erased so as to comply with a legal obligation potentially binding CITIA
  - your Data was collected when you were underage
- right to organize, during your lifetime and in advance, the conditions under which you allow Data collected and processed by CITIA to be kept and communicated after your death
- right to portability and recovery of Data so that you can receive the Data you provided to CITIA in a commonly-used machine-readable structured format, then transfer this to another data controller, without opposition by CITIA, to whom this Data was initially provided
If you wish to exercise one of the abovementioned rights, you can request this:
- by e-mail to the following address: dpo@citia.org
- by filling in the contact form available on the Website: https://www.citia.org/contacts
- by postal mail to the following address: CITIA, c/o Conservatoire d'art et d'histoire, 18 avenue du Trésum, CS 50038 – Annecy – FR-74001 Annecy Cedex.
In the event that you exercise one of these rights by electronic means, CITIA will provide said Data via electronic means when appropriate or possible, unless you have specifically requested that this be done otherwise.
Likewise, you have the right to lodge a complaint with the French Data Protection Authority (CNIL) www.cnil.fr.
8. Data security
CITIA applies sufficient, adequate and relevant measures in order to preserve Data security and, notably, to prevent the Data from being skewed or damaged and to forestall non-authorized third-party access to it.
In particular, these measures include:
- designating a Data Protection Officer (DPO)
- selecting our sub-contractors and commercial partners with regard to Data protection
- creating awareness of Data protection among our collaborators
- installing authentication measures with an identifier and password for your access to your user account
- securing access to our physical facilities
- protecting servers where the Data is stored, by means of firewalls and anti-virus/spam filters
- pseudonymizing the Data
- encrypting the Data through SSL protocol
- disclosing a security flaw, vulnerability or violation via a message sent to CITIA using its specific contact form or by e-mail, to the following address: alerte-rgpd@citia.org.
If CITIA itself discovers a security flaw, vulnerability or violation or is informed of one, it is legally bound to inform the supervisory authorities concerning:
- the nature of the security flaw, vulnerability or violation including, if possible, the categories and approximate number of individuals concerned by the flaw, vulnerability or violation, and the categories and approximate number of Data records involved
- the probable consequences of the personal Data violation
- measures taken or measures CITIA suggests taking to remedy the security flaw, vulnerability or violation including, if necessary, measures to attenuate potential negative consequences
If it is not possible to provide all the above information at a single time, it can be done in stages, within a reasonable time frame.
CITIA will not inform the supervisory authorities concerning any security flaws, vulnerabilities or violations which are unlikely to pose a risk to the rights and freedoms of individuals.
9. Cookies
Cookies are small data files which are sent to the browser and land on a computer’s hard disk, smartphone, touch tablet, etc. when you connect to the Websites.
Cookies store only an identification code and none of the rest of your personal information. Thus the cookies derived from Website use do not allow for your personal identification to be revealed, but rather provide information on how the terminal browsed the Websites (pages viewed, date and time of viewing, etc.). It is this information that CITIA can refer to when you visit the Websites at a later date.
The duration of storage for cookies is not to exceed thirteen (13) months, starting from when they first arrive in your terminal.
There are several types of cookies which can be implemented in your browser by CITIA in order to:
- collect information concerning your browsing of the Websites, notably information pertaining to pages viewed and dates and times of these Website visits
- improve browsing on the Websites so that different features can be used, especially access to your individual account
- determine statistics and the volumes of traffic and use of different elements composing the Websites, and improve the value and ergonomics of the Website viewing
- recognize a user’s browser as belonging to a previously-recorded visitor, recalling preferences which can be sent when consulting Websites
- adapt Websites’ presentations to users’ terminal display options (preferred language, display resolution, operating system, etc) during users’ visits to the Websites, depending on the terminal’s hardware and viewing/reading software.
Each browser is configured differently for managing cookies and your options. This is detailed in your browser’s ‘help’ menu, and allows you to understand how to modify your choices about cookies.
This modification, however, will result in elimination of all cookies used by your Internet browser, including those related to other websites, and thus will mean that your Internet browsing may become more complex or even impossible.
10. Commercial prospection
CITIA may need to use, collect and process your Data for commercial prospection by dispatching its own direct prospection e-mails or those of its partners.
In these cases, you will be informed in advance that commercial prospection operations are underway and you must consent to this within the Data collection framework.
It is not necessary for your prior express consent to be given if you already are a CITIA customer and if the aim of these proposals is to offer you products or Services similar to those already being provided to you by CITIA.
In any case, you may refuse these proposals at any time by clicking on the special "unsubscribe" link displayed in e-mails sent by CITIA or its partners.
11. Modification of the data policy
CITIA reserves the right to modify this data protection policy and will inform you in advance of such, by a special note to this effect posted on the Websites.