GDPR
General Data Protection Regulation
GDPR Questions and Answers - Legal Basis
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR; RGPD in French) is an EU regulation on data protection and privacy in the EU and the European Economic Area (EEA). Although it was drafted and adopted by the European Union, it imposes data protection obligations on organizations worldwide, provided they offer goods or services to people in the EU or monitor their behaviour, regardless of where the organization itself is established.
What is Personal Data?
Personal data is any information that refers to a natural person who can be directly or indirectly identified. Multiple pieces of information, collected together, can lead to the identification of a particular person and therefore constitute personal data.
Personal data that has been pseudonymized or encrypted, but can still be used to re-identify a person (for example by whoever holds the key or the mapping table), remains personal data and falls within the scope of the law. Only data that has been genuinely anonymized, so that the person can no longer be identified by any means reasonably likely to be used, falls outside the GDPR.
Here are some examples of personal data:
- a first and last name;
- an address;
- an email address;
- an ID card number;
- location data;
- an IP address;
- Cookie ID;
- the advertising identifier of the phone.
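To show why hashed identifiers are still personal data (and why a hash is not encryption), here is an added example that is not part of this page or of the BINA Endowment Fund's systems. It uses only the Python standard library; the visitor address, the network range that is scanned and the pseudonymisation scheme are all constructed for the demonstration. An unkeyed SHA-256 of an IPv4 address is recovered by enumerating the address range, so the stored value still identifies the visitor; a keyed HMAC resists that enumeration, but whoever holds the key can still re-identify the person, which is pseudonymisation under the GDPR, not anonymisation.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed sample: one visitor's IPv4 address as it might appear in a web
# server log (an address from the documentation range, not a real visitor).
VISITOR_IP = "198.51.100.23"
# The range an attacker would enumerate. A /24 keeps the demo fast; the full
# IPv4 space is only 2**32 values, which is also feasible offline.
SCAN_RANGE = "198.51.100.0/24"


def naive_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the address: what 'we hash the IP' usually means."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key stored separately from the dataset."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reidentify(digest: str, network: str,
               pseudonymize: Callable[[str], str]) -> Optional[str]:
    """Reverse a pseudonym by hashing every address in `network` and comparing.
    Returns the matching address, or None if nothing in the range matches."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(pseudonymize(str(addr)), digest):
            return str(addr)
    return None


def demo() -> tuple:
    # 1. Unkeyed hash: reversed by enumeration, so the stored value still
    #    identifies the visitor and remains personal data.
    recovered = reidentify(naive_pseudonym(VISITOR_IP), SCAN_RANGE, naive_pseudonym)

    # 2. Keyed hash: the same enumeration fails without the key ...
    key = secrets.token_bytes(32)
    digest = keyed_pseudonym(VISITOR_IP, key)
    without_key = reidentify(digest, SCAN_RANGE, naive_pseudonym)

    # 3. ... but anyone holding the key re-identifies the visitor at once, so
    #    the record is pseudonymised personal data, not anonymised data.
    with_key = reidentify(digest, SCAN_RANGE, lambda ip: keyed_pseudonym(ip, key))
    return recovered, without_key, with_key


if __name__ == "__main__":
    print(demo())  # ('198.51.100.23', None, '198.51.100.23')
```

Generalising slightly beyond the page's list: the same reasoning applies to hashed e-mail addresses, phone numbers and cookie IDs, which come from small enough spaces (or from lists the attacker already holds) to be enumerated. Hashing is a pseudonymisation measure, not encryption and not anonymisation; the data stays in scope, and the key of a keyed scheme must be protected like any other secret.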
What Does Processing Data Mean?
The definition of data processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data. If you do anything with data in the manner mentioned above, you are processing data.
What is a Data Controller or a Data Processor?
A data controller is the organization, institution, or person that determines the purposes and means of processing personal data. In practice, this means the controller decides why and how the data will be used. Most often, the data controller is the party that collects the data in the first place and then decides what it is used for.
A data processor is different. Under the GDPR, a processor is an organization, institution, or person that processes personal data on behalf of the controller and on the controller's documented instructions. A processor does not own the data it processes and has no control over it: it cannot decide what the data is used for or change its meaning, and it is bound by the controller's instructions.
A few questions help to tell the two roles apart.
The data controller decides:
- whether to collect the data in the first place, and on what legal basis;
- what the personal data is used for;
- whether the data is disclosed and, if so, to whom;
- whether the data subjects' right of access and other individual rights apply, or whether an exemption applies;
- how long the data is retained, and whether to make non-routine amendments to it.
The data processor may decide, within the controller's instructions:
- the methods used to collect and store personal data;
- how the data is secured;
- the means used to transfer personal data from one organization to another;
- how personal data is retrieved;
- how compliance with the retention schedule is ensured;
- how personal data is deleted.
What are the GDPR Conditions for Processing Personal Data?
Article 6 of the GDPR lists the various conditions (also called legal basis) under which it is lawful to process personal data:
- Consent. The data subject (the natural person concerned) has given a clear affirmative agreement to the processing of their personal data for one or more specific purposes. The notion of purpose is essential here: if the data subject consents without having been told every specific purpose in an easily understandable way, the consent is not a valid legal basis, because consent must be freely given, specific, informed, and unambiguous. Consent must also be granular and cannot be bundled: as a general rule, each distinct processing activity within a larger operation requires its own separate consent.
- The processing is necessary to execute or prepare for the conclusion of a contract to which the data subject is a party. An organization can rely on this legal basis if it needs to process an individual’s personal data to provide them with a contractual service or because they have asked the organization to do something before entering into a contract (for example, provide a quote).
- The processing is necessary to comply with a legal obligation. If the data controller is subject to a legal obligation that can only be met by processing specific personal data, the processing is authorized. This basis is not new: it already existed under the 1995 Data Protection Directive that the GDPR replaced.
- The processing is necessary to protect someone's life. This basis is also known as “vital interests”. The person protected does not have to be the data subject; it can be another natural person. It is not up to the data controller to decide what counts as a vital interest: this basis is reserved for life-threatening situations in which no other legal basis applies and failing to process the data would endanger a life, for example because the controller needs to know something about the person in danger in order to act.
- The processing is necessary for the performance of a task in the public interest or in the exercise of official authority. An organization can rely on this legal basis if it needs to process personal data “in the exercise of public authority”. These are the public functions and powers provided for by law, or the performance of a specific task in the public interest provided for by law.
- The controller (or a third party) has a legitimate interest in processing an individual's personal data. Here the processing is not justified by a legal obligation or by a contract with the individual, but by a legitimate interest that is not overridden by the interests or fundamental rights and freedoms of the data subject; the controller must carry out and document that balancing test. For example, a controller may have a legitimate interest when processing takes place in the context of a customer relationship, for direct marketing purposes, to prevent fraud, or to ensure the network and information security of its systems.
How Does Consent Work under the GDPR?
There are strict rules regarding an individual’s consent to the processing of their data:
- Consent must be “freely given, specific, informed, and unambiguous”.
- Requests for consent must be “clearly distinguished from other matters” and presented in “clear and plain language”.
- Data subjects can withdraw the consent they have previously given whenever they wish, and you must respect their decision. It is not possible to simply change the legal basis of processing to one of the other justifications.
- It is necessary to keep documentary evidence of consent.
What are the Individual Rights under the GDPR?
The GDPR provides the following rights for individuals:
- The right to “be informed” (individuals have the right to be informed about how companies collect and use their personal data, how long they plan to keep this data, and with whom they will share it);
- The right of access (individuals have the right to know exactly what information companies have collected, how they store and process this data, and what they will do with it);
- The right to rectification (individuals have the right to have incomplete data completed and inaccurate data corrected);
- The right to erasure (individuals have the right to have their personal data permanently erased in certain circumstances, for example when it is no longer needed for the purpose it was collected for or when consent is withdrawn. This right is also known as the “right to be forgotten”);
- The right to restrict processing (where erasure is not available or not wanted, individuals can require the data controller to stop using their data and only store it, for example while the accuracy of the data is being disputed);
- The right to data portability (individuals have the right to receive the personal data they provided in a structured, commonly used, machine-readable format, and to have it transmitted to another controller so they can reuse it across services);
- The right to object (individuals have the right to object to the processing of their personal data in certain circumstances, and an objection to direct marketing must always be honoured);
- Rights related to automated decision-making and profiling (individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them, and may demand human intervention, express their point of view and contest the decision).
What are the Seven Principles of GDPR?
According to the GDPR, there are seven key principles for data protection and accountability:
- Lawfulness, fairness, and transparency. Processing must be lawful, fair, and transparent for the data subject.
- Purpose limitation. Data processing must be carried out for legitimate purposes explicitly specified to the data subject at the time of collection.
- Data minimization. The collection and processing of data must be limited to what is absolutely necessary for the specified purposes.
- Accuracy. Personal data must be accurate and up-to-date.
- Storage limitation. Personal data may only be kept for the duration necessary to fulfill the specified purpose.
- Integrity and confidentiality. Processing must be carried out in a manner that ensures appropriate security, integrity, and confidentiality (for example, by using encryption).
- Accountability. The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Does GDPR Require that EU Residents’ Personal Data Remain in the EU?
The GDPR does not require that the personal data of people in the EU stay physically within the EU. Instead, EU data protection follows the principle that “the GDPR travels with the data”: the rules protecting personal data continue to apply wherever the data is located. A transfer to a country outside the EEA is therefore allowed only if that country is covered by an EU adequacy decision, or appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules are in place, or one of the narrow derogations of the regulation applies.
Processing of Personal Data by the BINA Endowment Fund
Does the BINA Endowment Fund Process Personal Data?
Yes, the BINA Endowment Fund may process personal data.
There are five main scenarios during which we may process this information:
- When requesting a listing of a Work created by the artist Ladislas KIJNO
- When requesting information about a Work by the Artist Ladislas KIJNO.
- When you visit the website https://www.kijno.fr/
- As part of the collaboration between the owner of a Work by the Artist Ladislas KIJNO and the BINA Endowment Fund for the creation of the Catalogue Raisonné
- In the context of an online purchase
What Types of Data about Me Can be Processed by the BINA Endowment Fund?
The BINA Endowment Fund may process different types of data, depending on the scenario of the interaction with you.
When Requesting to List a Work Created by the Artist Ladislas KIJNO, We Can:
- Catalog the works
- Catalog the owners of the works
When You Register on the Website https://www.kijno.fr, We may Process:
- Information about you (name, first name, email, address, phone number, and your photos).
- Information you share with us about the work you own
- Unique identifiers for our Services (such as your username and password).
If You Visit our Website, We may Process:
- Information you provide by filling out forms, which may contain your personal information and contact details.
- Cookie ID (via a GDPR-compliant tool).
- Your IP address to determine your country location.
During Collaboration between the Owner of a Work by Artist Ladislas KIJNO and the BINA Endowment Fund for the Creation of the Catalogue Raisonné, We may Process:
- Information about you (name, first name, email, address, phone number, and your photos).
- Information you share with us about the work you own
What is the Purpose and Legal Basis of the Processing?
- All data we receive through the website is processed solely to provide you with information about Ladislas KIJNO's work; consequently, we do not collect any data that is not specifically necessary to provide you with that information.
- If you decide to subscribe to our newsletter, we will send you information about us and our latest updates by email. We rely on your consent, which you give by confirming your registration on our website. We also personalize these emails based on the information we hold about you, to make them more relevant and useful to you.
- We use the information you provided during registration to operate your account and handle your requests concerning the works.
Where is the Information Stored?
All data that the BINA Endowment Fund collects from you is stored on OVH cloud infrastructure located in France (within the EEA); the exact storage location depends on the availability of OVH infrastructure.
How Long is the Information Kept?
The data is kept for the duration of your registration on the website https://www.kijno.fr.
However, certain types of data (such as name and contact details mentioned in the website registration) may be kept longer than the cooperation period to respect the traceability of Ladislas KIJNO’s work.
Data Type | Purpose of Processing | Legal Basis | Storage Period |
Information about the BINA Endowment Fund central unit (model and serial number, network information including device activity logs, history and current device configuration, location, etc.) | To ensure the proper functioning of the central unit, devices, and applications | Contract; for assistance requests, legitimate interest | For the entire duration of the relationship with the user, or until deletion is requested or performed by the user; backups are kept for up to 12 months |
Information on the use of our Services (such as use of our inventory on our servers) | To ensure the proper functioning of our database | Consent | For the duration of the relationship with the client, or until deletion is requested or performed by the user; backups are kept for up to 12 months |
Information provided by filling out forms, which may contain personal information and contact details | Consultation of information on Ladislas KIJNO's work and the Catalogue Raisonné; requests for information on Works | Consent | For the entire duration of the relationship with the user, or until deletion is requested or performed by the user; backups are kept for up to 12 months |
IP address | To ensure the proper functioning of our website | Contract or consent | For the entire duration of the relationship with the user, or until deletion is requested or performed by the user; backups are kept for up to 12 months |
Last name, first name, and contact details | To fulfil our site's role in preserving and conserving the Artist's work | Consent | For the entire duration of the relationship with the user, or until deletion is requested or performed by the user; backups are kept for up to 12 months |
Images submitted by the user with an information request or a listing request to the BINA Endowment Fund | To fulfil our Endowment Fund's role in preserving and conserving the Artist's work | Consent | Multimedia files in user accounts are kept for 2 years; photos can be deleted earlier at the user's request |
Who Has Access to the System and Information on the BINA Endowment Fund Side?
The BINA Endowment Fund applies the need-to-know and least-privilege principles to data access. Access to data is granted only to BINA Endowment Fund employees responsible for supporting the preservation and conservation of the Artist's work. When BINA Endowment Fund staff access the data, their equipment is protected by disk encryption and other controls, in line with current technical standards. All employees have signed a confidentiality agreement and undergo an annual data protection assessment. All staff actions are logged, and the logs are checked automatically in real time. If there is any doubt about excessive access, we restrict the access concerned and immediately begin an investigation. We also stress that the BINA Endowment Fund never accesses data without a valid legal basis for doing so.
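The paragraph above says that staff access is logged and the logs are checked automatically for excessive access. As an added illustration (not the Fund's actual tooling: the log format, role names, thresholds and the sample events are all constructed for this example), the following Python script applies three checks a practitioner would expect such monitoring to perform: access to a record type outside the staff member's role (least privilege), access without a recorded purpose (legal-basis traceability), and bulk reading of owner records inside a short window (enumeration).

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical role model: which record types each staff role may touch.
ROLE_SCOPE = {
    "catalogue": {"owner", "work"},  # staff building the Catalogue Raisonne
    "support": {"account"},          # staff handling website accounts
}
WINDOW_SECONDS = 600  # sliding window for the bulk-read rule
MAX_DISTINCT = 5      # more distinct owner records than this per window is "excessive"

# Constructed access-log events (one JSON object per line); not real logs.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:00:12Z","user":"alice","role":"catalogue","action":"read","record":"owner:1041","purpose":"listing:7781"}
{"ts":"2024-03-04T09:01:40Z","user":"alice","role":"catalogue","action":"read","record":"work:K-0552","purpose":"listing:7781"}
{"ts":"2024-03-04T09:02:05Z","user":"bob","role":"support","action":"read","record":"account:88","purpose":"ticket:312"}
{"ts":"2024-03-04T09:02:30Z","user":"bob","role":"support","action":"read","record":"owner:1041","purpose":"ticket:312"}
{"ts":"2024-03-04T09:10:00Z","user":"carol","role":"catalogue","action":"read","record":"owner:3001","purpose":""}
{"ts":"2024-03-04T09:10:05Z","user":"carol","role":"catalogue","action":"read","record":"owner:3002","purpose":""}
{"ts":"2024-03-04T09:10:09Z","user":"carol","role":"catalogue","action":"read","record":"owner:3003","purpose":""}
{"ts":"2024-03-04T09:10:14Z","user":"carol","role":"catalogue","action":"read","record":"owner:3004","purpose":""}
{"ts":"2024-03-04T09:10:20Z","user":"carol","role":"catalogue","action":"read","record":"owner:3005","purpose":""}
{"ts":"2024-03-04T09:10:27Z","user":"carol","role":"catalogue","action":"read","record":"owner:3006","purpose":""}
"""


def parse(line: str) -> dict:
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["rtype"] = ev["record"].split(":", 1)[0]  # "owner:1041" -> "owner"
    return ev


def detect(lines):
    """Return (rule, user, detail) alerts in log order."""
    alerts = []
    recent = defaultdict(deque)  # user -> (ts, record) pairs inside the window
    bulk_flagged = set()         # alert once per user for the bulk rule
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse(raw)
        user, role = ev["user"], ev["role"]

        # Rule 1 (least privilege): record type outside the role's scope.
        if ev["rtype"] not in ROLE_SCOPE.get(role, set()):
            alerts.append(("out_of_scope", user, ev["record"]))

        # Rule 2 (traceability): every access must cite the purpose it serves.
        if not ev.get("purpose"):
            alerts.append(("no_purpose", user, ev["record"]))

        # Rule 3 (enumeration): too many distinct owner records in the window.
        if ev["rtype"] == "owner":
            q = recent[user]
            q.append((ev["ts"], ev["record"]))
            while (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            distinct = {rec for _, rec in q}
            if len(distinct) > MAX_DISTINCT and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append(("bulk_read", user,
                               f"{len(distinct)} owner records in {WINDOW_SECONDS}s"))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:<13} {user:<6} {detail}")
```

On the sample, bob (support) is flagged for reading an owner record outside his role, and carol is flagged both for six accesses with no recorded purpose and for reading more than five distinct owner records within ten minutes; alice, whose reads are in scope and tied to a listing request, produces no alert. In production the same three rules would run as a streaming job over the real log and feed the access-restriction step described above.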
What Does the BINA Endowment Fund Do to Comply with Global Data Protection Laws? How Does the BINA Endowment Fund Demonstrate Compliance with GDPR?
To comply with international data protection laws, The BINA Endowment Fund implements a significant number of measures, mechanisms, and procedures. For example, The BINA Endowment Fund applies the principles of data processing limitation (privacy by design and by default), data minimization, access control, data processing policies (storage, processing, deletion policies, etc.). For data transfers, The BINA Endowment Fund uses various measures, including organizational and technical measures and Standard Contractual Clauses. You can find more information about this in the Data Transfer section.
How Can I Exercise My Privacy Rights?
To exercise your privacy rights (delete your personal data, object to it or be informed about it, restrict processing, etc.), you can contact us at the email address rgpd@kijno.fr
Data Transfer
With whom Can the BINA Endowment Fund Share My Data? What Types of Data Can be Shared and in What Cases?
In general, we share your personal data only when it is necessary for the preservation and conservation of the Artist's work. With your consent, this data may be disclosed to museum curators, art galleries…
We may share your contact details (such as mobile phone number, username, and email) with museum curators, art galleries or other independent or non-independent collectors if you request or consent to it. Please note that these museum curators, art galleries or collectors then become independent data controllers, responsible for their own processing of your personal data. Although we choose reputable partners, we recommend that you check their privacy policy before asking us to transfer your data to them.
For certain needs, The BINA Endowment Fund may use the services of third-party processors located outside the EEA. These needs may include data hosting, technical communication for registration, installation, and other organizational activities via email or telephone.
The BINA Endowment Fund takes the necessary steps to ensure that these transfers are carried out in compliance with all applicable data protection laws. Consequently, the BINA Endowment Fund will need to sign Data Processing Agreements (DPAs) with all processors (including Standard Contractual Clauses (SCCs) in the case of cross-border data transfers), as well as additional measures in the case of data transfers and processing. All processors of the BINA Endowment Fund have their own privacy policy and other privacy-related documents.
List of processors approved by the BINA Endowment Fund:
Service | Provider | Purpose of Use | Link to Privacy Policy and DPA |
OVH | OVH | Data hosting and backup; WordPress messaging | https://www.ovhcloud.com/fr/terms-and-conditions/privacy-policy/ |
Twilio | Twilio Group | Programmable SMS | https://www.twilio.com/legal/privacy ; https://sendgrid.com/resource/general-data-protection-regulation-2/ |
SendGrid | Twilio Group | Programmed email communication | https://www.twilio.com/legal/privacy ; https://sendgrid.com/resource/general-data-protection-regulation-2/ |
Mailgun | Sinch Email | Transactional email service | https://www.mailgun.com/legal/privacy-policy/ ; https://www.mailgun.com/legal/dpa/ |
MongoDB | MongoDB Inc. | Database service provider | |
What are Standard Contractual Clauses?
Standard Contractual Clauses (SCCs) are standardized and pre-approved data protection clause templates that allow controllers and processors to comply with their obligations under European data protection legislation. They can be incorporated by controllers and processors into their contractual agreements with other parties, such as business partners. The clauses can be used voluntarily to demonstrate compliance with data protection requirements, which requires a binding contractual commitment to adhere to them. The European Commission has the power to adopt SCCs (1) regarding the relationship between the controller and processor and (2) for the transfer of personal data to countries outside the EEA.
What are Additional Measures?
Additional (supplementary) measures are technical and organizational procedures put in place on top of the transfer mechanism (such as SCCs) so that transferred data enjoys a level of protection essentially equivalent to that guaranteed within the EEA, where the law or practice of the destination country would otherwise undermine that protection.
The BINA Endowment Fund has implemented, among others, the following organizational measures:
- Regular training and review of BINA Endowment Fund employees;
- An automated real-time monitoring system for breaches and vulnerabilities;
- Continuous logging of all processes;
- Regular and customized control and validation of the BINA Endowment Fund system to detect vulnerabilities.
The BINA Endowment Fund has implemented, among others, the following technical measures:
- Measures to prevent unauthorized persons from accessing data processing systems located on premises and facilities (including databases, application servers, and related hardware) where personal data is processed, including the creation of security zones, restriction of access routes, creation of access authorizations for employees and third parties, door locking, alarm.
- Measures to prevent the use of data processing systems by unauthorized persons, including user identification and authentication procedures, security procedures for identifiers and passwords, encryption of archived data media.
- Measures to ensure that persons authorized to use a data processing system only have access to personal data in accordance with their access rights, and that personal data cannot be read, copied, modified or deleted without authorization, including internal policies and procedures, control authorization systems, differentiated access rights (profiles, roles, transactions and objects), monitoring and logging of access, disciplinary measures against employees who access personal data without authorization.
- Measures to ensure that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on media (manual or electronic), and that it is possible to verify to which companies or other legal entities personal data are disclosed, including encryption, logging and transport security. Stored personal data is protected with SHA-256 integrity checks (SHA-256 is a hash function, not a cipher, so the confidentiality of data at rest must come from storage encryption rather than from the hash itself), and all personal data is transferred only over HTTPS using TLS 1.2.
- Measures to control whether data has been entered, modified or deleted (erased) and by whom in data processing systems, including logging and reporting systems, audit trails and documentation.
- Measures to ensure the protection of personal data against accidental destruction or loss (physical/logical), including backup procedures, uninterruptible power supply (UPS), remote storage, antivirus/firewall systems, disaster recovery plan, business continuity plan.
- Measures to ensure that personal data collected for different purposes can be processed separately, including database separation, usage limitation, separation of functions (production/test).
What is a Transfer Impact Assessment (TIA) for Personal Data?
A Transfer Impact Assessment (TIA) is an analysis conducted by a data controller or data processor before transferring personal data to a country outside the EU/EEA that is not covered by an adequacy decision. It examines whether the law and practice of the destination country (in particular government access to data) would undermine the safeguards relied on for the transfer, such as Standard Contractual Clauses, and which supplementary measures are needed to close any gap.