2.03. What regulations apply to data?

This section covers the regulatory framework that applies to the personal data of the public, and also to the data of your own teams. Note, however, that this area of regulation is evolving quickly, and the rules described here may change.

The processing of personal data in Europe is governed by the General Data Protection Regulation (GDPR¹). The GDPR applies to any private or public organisation that collects and/or processes data, regardless of its sector or size. It applies to all organisations established within the European Union, as well as to any organisation based outside the EU whose activities directly target EU residents.
Cultural venues are therefore fully subject to this regulation.

What is personal data?
According to the CNIL (France's data protection authority), personal data is defined as "any information relating to an identified or identifiable natural person."

There are two types of identification:

  • Direct identification (name, surname, etc.)
  • Indirect identification (ID number, code, etc.)

What is personal data processing?
Any operation or set of operations performed on personal data is considered personal data processing. The CNIL gives the following examples of data processing activities:

  • Maintaining a customer database
  • Collecting contact details from prospects via a questionnaire
  • Updating a supplier file

¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

GDPR: What does it cover according to the CNIL?

As a regulatory framework for businesses and organisations, the GDPR requires economic actors to explicitly obtain individuals' consent before using their data. In doing so, it has given citizens greater power and control over their personal data.

All personal data stored and processed by a cultural venue is therefore subject to the GDPR. This includes, of course, data related to audiences, but also data concerning your staff and professional contacts.
Your human resources, production, or supplier relationship management tools must be treated with the same care and oversight as your ticketing software or customer relationship management (CRM) system.

What are the key principles of the GDPR?

  • Any collection of data must have a clear, specific, and lawful purpose. It is not permitted to collect personal information "just in case" it might be useful one day.
  • As a processor or controller of personal data, you must guarantee that individuals have full control over their data. This requires, on the one hand, full transparency about how their data will be used, and on the other, that individuals have the ability to correct or delete their data. It is your responsibility to define the procedures through which they can exercise these rights.
  • Personal data cannot be stored indefinitely. You must establish reasonable retention periods that are consistent with the purpose for which the data was collected. Once this period has passed, the data must be deleted or anonymised.
  • Any personal data you hold must be kept secure, and you are required to take all necessary measures to prevent data theft.
  • Personal data must be accurate and, where necessary, kept up to date.
  • Good data management is a process of continuous improvement. It depends on the diligence of teams responsible for processing data, the regular updating of data management procedures, and the effective monitoring of compliance, especially regarding requests for data deletion or anonymisation.

Example of a personal data protection policy

How can you ensure compliance?

Create a data processing register

This involves identifying all the data and processing activities you already carry out. This register must include data and processing related not only to your audiences, but also to your teams (employees, volunteers, seconded staff, etc.).

For each activity (e.g. payroll processing or ticket sales statistics), the register should specify:

  • The purpose of the processing
  • The categories of data used
  • The people and organisations with access to this data as part of the process (including suppliers and hosting providers)
  • The retention period for the data

The CNIL (France's data protection authority) provides a register template on its website.

Sort through the data you have just identified

You can now review each entry in your register and determine:

  • Whether the data you collect is appropriate, necessary, and consistent with your activity. For example, you may be asking customers to provide their full postal address when purchasing tickets or subscriptions, but do you actually need it? If you don't systematically send printed brochures by post, this request could be reconsidered.
  • Whether access to the data is appropriately limited to those who truly need it (e.g. ensuring not all staff have access to customers' personal data).
  • Whether your data retention periods are appropriate and justified.

Ensure your data collection tools clearly inform users about collection and usage

Each data collection medium must indicate the purpose of the collection, the legal basis for the processing, who has access to the data (persons or organisations), how long it will be stored, and how the individuals concerned can exercise their rights to access, correct, or delete their data.

Again, the CNIL provides sample wording for these notices on its website.

The GDPR allows the processing of personal data when it is based on one of the following six legal grounds:

1. The data subject's explicit consent: the individual has given their clear and explicit consent for their data to be processed.
   This legal basis applies, for example, when you send promotional campaigns to someone who has explicitly opted in, for instance by ticking a box during the ticket booking process.

2. The performance of a contract: processing is necessary for the execution of a contract to which the individual is a party.
   This applies when you retain audience members' personal data for several months during a performance season. These data are subject to implied consent (no opt-in is required) as long as communications are transactional and directly related to the ticket purchase.

3. Legitimate interest: processing is necessary for the legitimate interests of the organisation or a third party, provided this does not override the fundamental rights and interests of the data subject.
   This is the legal basis you use when conducting digital marketing campaigns aimed at contacts in your CRM who have previously booked performances.

4. Legal obligation: processing or storing the data is required by law (e.g. the French Commercial Code in the case of ticket sales, or the prohibition on deleting account data while an outstanding balance has not been reconciled).

These first four legal bases are the most relevant to the performing arts sector. The remaining two apply more broadly:

5. The performance of a task carried out in the public interest: processing is necessary for the execution of a public service mission.

6. The protection of vital interests: processing is necessary to protect the vital interests of the data subject or of another person.

Appointing a Data Protection Officer (DPO): the cornerstone of effective data management

To oversee and ensure compliance with all of these processes, the GDPR has introduced a new role within (or outside) organisations: the Data Protection Officer (DPO). This person, or an external entity such as a specialised firm or the organisation's legal counsel, is responsible for implementing the necessary measures to ensure compliance with the GDPR.

To fulfil this role effectively, the DPO must have the required level of expertise to ensure proper compliance. This includes a solid understanding of the regulation itself, the ability to document existing procedures, comprehend data processing operations, and communicate with relevant stakeholders.

For cultural organisations that do not have in-house legal expertise, it is often advisable to appoint an external DPO, supported by designated internal contacts.

If this setup is not feasible, the DPO role may be assigned to an internal staff member. To avoid conflicts of interest, this person should not be directly involved in processing personal data as part of their primary duties. In this internal configuration, it is essential to provide the DPO with the tools they need to carry out their responsibilities effectively. This includes appropriate training before they take up the role, as well as ensuring their authority and independence are clearly established and respected.

In conclusion, the Data Protection Officer should be considered the conductor of a broader, cross-functional system, based on a process of continuous improvement and ongoing data stewardship.
To help foster this dynamic among all teams working with or around data, the process should be approached as a change management initiative, applying the same steps and methodologies.

The CNIL provides a comprehensive guide for DPOs, available in both French and English.

In each EU Member State, a national authority is responsible for ensuring GDPR compliance.

Authority responsible for GDPR compliance in each EU Member State

Country         | Data protection authority
Germany         | BfDI - Federal Commissioner for Data Protection and Freedom of Information
Austria         | DSB - Data Protection Authority
Belgium         | APD - Data Protection Authority
Bulgaria        | CPDP - Commission for Personal Data Protection
Cyprus          | ODPC - Office of the Commissioner for Personal Data Protection
Croatia         | AZOP - Croatian Personal Data Protection Agency
Denmark         | DPA - Danish Data Protection Agency
Spain           | AEPD - Spanish Data Protection Agency
Estonia         | AKI - Data Protection Inspectorate
Finland         | DPA - Office of the Data Protection Ombudsman
France          | CNIL - Commission Nationale de l'Informatique et des Libertés
Greece          | HDPA - Hellenic Data Protection Authority
Hungary         | NAIH - National Authority for Data Protection and Freedom of Information
Ireland         | DPC - Data Protection Commission
Italy           | Garante - Italian Data Protection Authority
Latvia          | DVI - Data State Inspectorate
Lithuania       | VDAI - State Data Protection Inspectorate
Luxembourg      | CNPD - National Commission for Data Protection
Malta           | IDPC - Information and Data Protection Commissioner
Netherlands     | AP - Dutch Data Protection Authority
Poland          | UODO - Personal Data Protection Office
Portugal        | CNPD - National Data Protection Commission
Czech Republic  | ÚOOÚ - Office for Personal Data Protection
Romania         | ANSPDCP - National Supervisory Authority for Personal Data Processing
Slovakia        | ÚOOÚ SR - Office for Personal Data Protection of the Slovak Republic
Slovenia        | IP - Information Commissioner
Sweden          | IMY - Swedish Authority for Privacy Protection

To go further

Want to contribute?

For more than 10 years, TMNlab has run a French-speaking learning community of performing arts professionals to produce and share a responsible digital culture. Want to know more or to contribute to this platform? Contact us.