Data protection policyData protection policy

The new regulations that apply to the member countries of the European Union reinforce the rights of individuals and the responsibility of those organisations that process personal data.

The Établissement Public du Musée du Louvre ensures that the following principles are respected when collecting and processing personal data.

On 13th March 2019, the law firm Alain Bensoussan Selas was registered by the Établissement Public du Musée du Louvre as its Personal Data Protection Officer with the CNIL, the French Data Protection Authority.

The policy set out below may evolve according to changes in the applicable laws and regulations.


The principles applicable to personal data

Lawfulness and purpose limitation

1. Personal data is collected by the Musée du Louvre as part of its activities. It is only collected for specific, explicit, lawful purposes.

2. The purposes for which personal data is collected by the Musée du Louvre are as follows:

  • management of its public service missions, reception of visitors, sale of entry and event tickets;
  • management of customer loyalty and relations with sponsors;
  • management of its collections, exhibitions and scientific resources;
  • protection of its assets;
  • management of its commercial and contractual relations;
  • management of its events and communication;
  • management of its technical equipment;
  • carrying out of studies, audits and statistics.
  • management of its human resources and recruitment operations;
  • management of its financial and accounting obligations;
  • respect of any applicable legal obligations.

3. The data collected cannot be used subsequently in any way that is incompatible with the purposes set out above.

4.  In each instance, the Musée du Louvre shall only collect and process the data that is strictly necessary to achieve the objective concerned.

Fair, transparent data collection

5. To ensure fairness and transparency with regard to its visitors, website users, donors, partners, suppliers, service providers, customers and agents, the Musée du Louvre issues appropriate warnings to inform the persons concerned of how their data is to be processed.  These warnings are issued directly to the persons concerned but can also be obtained by writing to donneespersonnelles@louvre.fr.

6. The data is collected fairly; no data is collected without a person’s knowledge or without their being informed.

7. The Musée du Louvre can also be contacted at the following address for more detailed information on its personal data protection policy: donneespersonnelles@louvre.fr

Adequacy, relevance and minimisation of data collected

8. The Musée du Louvre does everything possible to minimise data by collecting data that is adequate, relevant and limited to what is necessary to the purposes for which it is processed.

9. The personal data collected is updated regularly and stored by the Musée du Louvre in its databases.

Personal data protection by design and default

10. The Musée du Louvre has adopted internal policies and processes and does everything possible to implement measures that respect the principles of personal data protection by design and default.

11. The right to the protection of data is thus taken into account from the design stage right through the lifecycle of applications (development, selection, use), services and products that are based on personal data processing.

12. If third-party applications, services or products are used, the Musée du Louvre ensures that the publishers meet the legal requirements and can thus provide full protection of the data processed.


Personal data security

13. The Musée du Louvre is particularly attentive to the security of personal data.

14. It implements technical and organisational measures adapted to the sensitivity level of the personal data collected, in order to ensure the integrity and confidentiality of the data and protect it from any malicious intrusion, loss, alteration or disclosure to unauthorised third parties.

15. The Musée du Louvre regularly conducts audits in order to ensure the proper operational application of the rules relating to data security.

16. It shall thus take all physical, technical and organisational measures necessary to:

  • protect its activities;
  • ensure the security of the personal data of its members, partners, website users, suppliers and service providers;
  • prevent any unauthorised access to data and any amendment, distortion, disclosure or destruction of the personal data in its possession.

17. However, the security and confidentiality of personal data rely on the good practices of each individual and the person concerned is invited to remain vigilant with regard to issues that may involve the use of his or her personal data.

18. In accordance with its commitments, the Musée du Louvre chooses its subcontractors and service providers carefully and requires that they respect the following:

  • a level of personal data protection equivalent to its own;
  • the use of personal data or information solely to ensure the management of the services they are to provide;
  • strict compliance with the applicable legislation and regulations on confidentiality, bank secrecy and personal data;
  • the implementation of all proper measures to ensure the protection of any personal data they may be required to process;
  • the definition of the technical and organisational measures needed to ensure security.

19. The agreements signed by the Musée du Louvre with its subcontractors shall therefore comply with the obligations required by the regulations and precisely define the terms and conditions of personal data processing.


Personal data processing carried out as part of running the website

20. As data controller, the Public Establishment of the Musée du Louvre (EPML), 75058 Paris CEDEX 01, may collect, use, transfer, store and carry out other processing of your personal data in connection with the running of its website.

21. More specifically, the www.louvre.fr website encompasses an ecosystem of websites that collect your personal data in the context of:

  • Purchase of admission tickets to the Louvre Museum (www.ticketlouvre.fr);
  • Registration for the Louvre newsletter (crm.e-deal.net/gerico/louvre_profile_edit.fl);
  • Contact page (www.louvre.fr/contacts; questions about the visit, complaints, lost property);
  • Satisfaction survey (manager.e-questionnaire.com/questionnaire.asp?a=LBhJbRLDCW);
  • Financial support (donations) (donate.louvre.fr).

22. Apart from the data collected in the contexts mentioned above, the www.louvre.fr website only processes personal data for the purpose of statistical analysis via Google analytics; these data are anonymized.

Purchase of admission tickets: ticketlouvre.fr

23. Data collection is necessary to conclude the sale of admission tickets to the Louvre Museum.

24. The purpose of the processing carried out by the museum in this context is to:

  • manage orders;
  • finalize transactions;
  • inform visitors and manage their relationship with EPML;
  • send information and requests;
  • conduct studies and gather statistics.

25. The recorded data are reserved for use by the ticketing operations team in the Public Reception and Surveillance Department, by the public development and loyalty team and by the person responsible for protocol visits in the External Relations Department, by the ticketing systems and public management team in the Legal, Financial and Resources Department and by the general cash desk department in the Accounting Office. The data may also be transmitted to external service providers, for the development and maintenance of the ticketing and electronic payment system.

26. The personal data collected in this way will be retained for the following periods:

  • administrative data relating to purchases made on the website are retained for 15 months from said purchase;
  • data relating to payments made in connection with purchases made are retained for 13 months from the full payment of said purchase or 15 months in the case of deferred debit cards, in order to manage any complaints.

27. The data collected are not subject to any cross-border flows.

Sending of newsletters

28. On the context of sending newsletter, personal data are collected on the basis of your consent and are necessary for sending you newsletters.

29. The purpose of the processing carried out by the museum in this context is to:

  • send information and requests;
  • conduct studies and gather statistics.

30. The data recorded are reserved for use by the Mediation and Cultural Programming Department (DMPC) and the External Relations Department (DRE) and may be transmitted to external service providers.

31. The personal data collected in this way are retained for 3 years from the last connection.

32. The data collected are not subject to any cross-border flows.

Contacts page (www.louvre.fr/contacts)

33. These data are collected on the basis of your consent and enable the processing of your request. The purpose of the processing carried out by EPML in this context is to manage relations with Internet users and visitors to the museum (answers to questions and management of complaints).

34. The data recorded are reserved for use by the Public Reception and Surveillance Department and the Legal, Financial and Resources Department of EPML.

35. The personal data collected in this way are retained for 3 years from the last exchange.

Satisfaction surveys

36. Personal data are processed by EPML in accordance with its legitimate interest to improve its activities and satisfy its audiences. The purpose of the processing carried out by EPML is to carry out an online satisfaction survey.

37. The recorded data are reserved for use by EPML and are not transmitted to external service providers.

38. The personal data collected in this way are retained for 3 years from completion of the survey.

39. The data collected are not subject to any cross-border flows.

Financial support

40. Personal data are processed by EPML in accordance with its legitimate interest to encourage donations, through patronage operations, from both individuals and companies, for the following purposes in particular:

  • managing and monitoring donations;
  • preparing and sending tax receipts;
  • granting consideration and thanks to donors;
  • sending information and requests;
  • conducting studies and gathering statistics.

41. The data recorded are reserved for use by the External Relations Department and the accounting agency of EPML and may be transmitted to the following external service providers: Iraiser, the service provider in charge of the donation platform; B&C; and Edeal for relations with sponsors.

42. The personal data collected in this way are retained for 3 years from the last contact with the donor.

43. The data collected are not subject to any cross-border flows.


Your rights in relation to your personal data

44. In accordance with the French Data Protection Act of 6 January 1978, as amended (Loi du 6 janvier 1978 modifiée known as Loi 'Informatique et Libertés'), and European Regulation 2016/679 of 27 April 2016 known as the ‘General Data Protection Regulation’, you have the right to access, query, correct, modify and delete your collected personal data. You may therefore require that any information about you that is inaccurate, incomplete, ambiguous or out of date be corrected, supplemented, clarified, updated or deleted. You may also exercise your rights to object to and restrict the processing of your data, as well as your right to data portability.

45. You may exercise such rights with regard to the following data:

  • only your personal data, excluding anonymized personal data or data that do not concern you;
  • declarative personal data as well as operational personal data;
  • personal data that do not infringe the rights and freedoms of third parties such as those protected by business secrecy.

46. This right is limited to processing based on consent or a contract, as well as to personal data that you have personally generated. This right does not include derived or inferred data, which constitute personal data created by the Data Controller.

47. Furthermore, you also have the right to establish instructions for the retention, erasure and transmission of your personal data after your death.

48. You may give specific post-mortem instructions and exercise your rights by post to the following address: Musée du Louvre, 75058 Paris CEDEX 01, or by email to the following address: donneespersonnelles@louvre.fr. To exercise your rights, please send a request to the following email address: donneespersonnelles@louvre.fr.

49. When exercising your rights, you must prove your identity by any means. If in doubt about your identity, EPML may request any additional information that may be necessary, including a photocopy of an identity document bearing your signature.

50. You may submit a complaint to the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), at the following address: 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, FRANCE.