Personal Data Policy
Voir la suite
CHARLESIII-VISITEUR-MUSEEGREVIN-cSYLVAINCAMBON

INFORMATION REGARDING PERSONAL DATA PROTECTION

Last update: [25/06/2024]

The protection of our customers' personal data is of paramount importance to us.

This document applies to the data we collect online, on our websites and mobile applications, but also to the data we collect offline in our theme parks, shops and hotels or during events. 

We would like to provide you with all the information you need to understand how your data is used:

(1) Who is responsible for the use of your data?

(2) With whom is your data shared?

(3) When is your personal data collected?

(4) What data do we collect?

(5) How do we use your data and how long do we keep it?

(6) Are there specific measures for children?

(7) Where is your personal data stored?

(8) How is your data secured?

(9) What are your rights regarding your data?

(10) Business partners

(11) Please contact us if you have any questions.

 

  1. Who is responsible for using your data?

 

When you book and/or access our services, your personal data is processed by:

  • La Compagnie des Alpes, parent company of the Compagnie des Alpes Group, with share capital of €25,266,567.50, registered with the Paris Trade and Companies Register under number 349 577 908, whose headquarters are located at 50-51 Boulevard Haussmann, 75009 Paris, France, 

And,

  • Musée Grévin, a subsidiary of the Compagnie des Alpes Group, with share capital of €4,603,326.10, registered with the Paris Trade and Companies Register under number 552 067 811, whose headquarters are located at 10 boulevard Montmartre, 75009 Paris, France.

 

In this policy, ‘we’ refers to these two companies, which may act as joint controllers for the processing operations referred to below. 

While La Compagnie des Alpes is responsible for managing and supervising the IT system used to collect and process your data, it is solely the responsibility of Musée Grévin, as an independent data controller, to manage the contractual relationship with you, provide you with the services you have ordered, and carry out marketing and advertising operations for its services and brands.

2. With whom is your data shared?

 

Recipients within the Compagnie des Alpes Group:

Your data is processed jointly by Musée Grévin and La Compagnie des Alpes, parent company of the Compagnie des Alpes Group.

Access to your data is limited number of people within these two companies, in specific departments (customer services, sales, IT, etc.), and only where such access is necessary for the performance of their duties.

However, your data is not shared with other companies belonging to the Compagnie des Alpes Group, unless you have expressly authorised this or you are a professional customer (e.g. tour operator, distributor, works council, etc.).

For our professional customers, your data may be shared with other companies in the Compagnie des Alpes Group that operate theme parks, so that you can receive our offers about all products that may be of interest to you, unless you object to this processing. The list of companies concerned is as follows:

  • Chaplin’s World - By Grévin (Registered in Geneva under number CH-660-0618000-4)
  • Family Park - M. Müller Gesellschaft m.b.H. (registered under number FN 126549 b)
  • France Miniature (registered with the Versailles Trade and Companies Register under number 348 677 196)
  • Futuroscope (registered with the Poitiers Trade and Companies Register under number 444 030 902)
  • Grévin et Compagnie – Parc Astérix (registered with the Compiègne Trade and Companies Register under number 334 240 033)
  • Walibi Belgium and Bellewaerde - Belpark (registered in Ypres under number 0439 050 308)
  • Walibi Holland - Harderwijk Hellendoorn Holding (registered under number KvK 34161632)
  • Walibi Rhône-Alpes - Avenir Land (registered with the Trade and Companies Register in Vienne under number 311 285 068)

Recipients outside the Compagnie des Alpes Group:

Your data may also be shared with recipients outside the Compagnie des Alpes Group:

  • All our technical service providers whose involvement is necessary for the processing operations mentioned below (IT service providers, payment service providers, printers, etc.), to process your order and improve our services, and exclusively within the limits of our instructions;

 

  • Social networks, only if you choose to create your customer account via the quick ‘Social Login’ procedure. If you choose this option, you can use your Facebook, Apple or Google account to register on our site without having to re-enter your personal information. By using this feature, you consent to sharing certain information with us about yourself from your social network. 

The data passed on to us by the social network is your last name, first name and email address. This data is necessary to create your customer account. We do not share information with social networks about your activities and orders on this site, however, these networks will have information about your account connections. Before using the ‘Social Login’ feature, we invite you to read the privacy policies of social networks to learn about how they use your data.

 

  • Where applicable, with national or local authorities, if required by law or as part of an investigation and in accordance with regulations.

 

3. When is your personal data collected?

 

We may collect your personal data on various occasions:

Online:

On our website, to receive our newsletters, or to log in to your account, place orders or use our digital services. 

At Musée Grévin:

When you use our facilities, alone or with your family and friends: taking photographs, accessibility for people with disabilities, access to reduced rates, public Wi-Fi, equipment rental and video surveillance. 

During our interactions with you:

When you open or reply to a newsletter, participate in a satisfaction survey or a competition. When you contact our customer service department to file a complaint.

 

Via our Partners:

 

When you access our services through an intermediary (e.g. travel agencies, partner distributors).

 

4. What data do we collect?

 

Data collected is limited to what is strictly necessary in relation to the purposes for which it is processed,

Depending on your experience at Musée Grévin or on our websites, we may collect the following information:

  • Information necessary to create your customer account (title, last name, first name, email address)
  • Payment information
  • Postal address
  • Telephone number
  • Date of birth
  • Video surveillance
  • Photographs
  • Browsing data (on this subject, see our information about cookies!)
  • If necessary and depending on the product purchased, the names and email addresses of your relatives for groups and families
  • Supporting documents for access to reduced rates or priority access, the conditions of which are detailed on our website. You will be asked to present the original supporting documents at our ticket offices in our resorts. A copy of this supporting document may be made, solely for the purposes of combating fraud.

 

5. How do we use your data and how long do we keep it?

 

At the end of the retention periods defined below, we delete it from our systems or anonymize it, so that it can no longer be used to identify you. 

PROCESSING

LEGAL GROUNDS

DATA RETENTION PERIODS

Customer account

Fulfilment of the contract

 For as long as your customer account is active, 

and up to 2 years after you last logged in to your account.

Processing of orders and bookings

Fulfilment of the contract

For online purchases : for five years from the date of purchase
if the amount of the order is under 120€, for ten years  
if the amount of the order is equal to or greater than 120€
(and for five years for transactions at the ticket office).

Your credit card details are kept for 13 months by
our payment service providers debit date
to serve as evidence in the event of a dispute about 
the transaction (15 months for deferred debit cards).

The cryptogram is not kept after the transaction.

Satisfaction surveys

Legitimate interest

5 years, renewable for 5 years
with the customer's consent. 

Competitions 

Completion of the competition

6 months from the end of the competition.

Sending newsletters/ marketing campaigns 
by email or text message

If you have also accepted cookies,
you may also receive shopping cart
reminders by email if you have not 
completed an ongoing purchase.

Consent or legitimate
interest if you are a 
business customer or if 
you have purchased a product
on our website

3 years for prospects and 5 years for customers,
from your last contact with us (e.g. a request
for sales documentation, a click on a hyperlink
featured in our newsletter).

Complaints handling procedure
and after-sales service

Fulfilment of the contract

5 years after the complaint has been handled.

Compilation of statistics

Legitimate interest

Time required to achive the desired statistical objective 
then the data will be anonymized.

Copies of supporting documents
for reduced and special rates.

Legitimate interest (fraud
prevention)

24 hours after collection.

Personalisation of 
browsing/profiling

Consent

12 months.

Photographs taken during
the tour of the museum

Fulfilment of the contract

On the day of the visit only, and if the photograph
is purchased : 3 months from the date of purchase.

Management of lost and found items

Fulfilment of the contract

Items containing personal data
(identity documents, telephones etc.) are
kept for two months and the handed over 
to the relevant authorities. Lost and returned items 
are kept for 1 year.

Video surveillance

Legitimate interest

30 days following the recording of the images.

Transfer of image rights

Fulfilment of the contract

5 years after the end og the transfer period.

Assistance provided to visitors

Safeguarding the vital 
interests of individuals

Bodily injury : up to the end of a 10 year period
from the date of the injury .

In the event of damage to property : for 5 years.

Exercising your GDPR rights

Legal obligations

10 years after the request has been closed.
when it has been necessary to collect proof of identity,
this is deleted as soon as the verification has been carried out.

Handling disputes

Legitimate interest

Until all avenues of appeal have been exhausted.

Job applications

Legitimate interest

2 years after data collection for 
unsuccessful applications.

Cybersecurity– Vulnerability assesment

Legitimate interest

6 years from receiving
the vulnerability assesment.

 

Focus on profiling to personalise our content:

We are able to personalise the display of content on our website and send you newsletters that are tailored to your needs. 

We only implement this personalisation on the basis of the information we have collected directly from you during your purchases (and this information alone), and your browsing data on our website once you have accepted cookies.

This information also allows us to better target our advertising campaigns on third-party sites (e.g. social networks) so that they are more relevant to your interests.

The data used to create this profile is based on:

  • A maximum of 5 years' history of your customer account data;
  • A maximum of 12 months' history of your browsing data on our website.

 

6. Are there any specific measures for children?

 

While the family aspect of our activities is central to our concerns, we do not specifically target children in our data processing.

If our services are used by persons under the age of 15, we recommend that they be accompanied by an adult. The consent of parents or legal guardians may be obtained at the time of data collection, if necessary.

 

7. Where is your data stored?

 

All your personal data is stored exclusively on servers located within the European Union or in countries offering a level of protection deemed ‘adequate’ (e.g. the United Kingdom, Switzerland).

Although hosted within the European Union, this data may be accessible from third countries when we use technical service providers (e.g. AWS, Adobe, Microsoft, Google) that are based abroad (namely: the United Kingdom, the United States, Israel). Access from these countries is considered a data transfer, but is necessary for the proper functioning and maintenance of the IT tools they offer. These service providers have real expertise that justifies their use.

We make every effort with these service providers to ensure that your data is protected in accordance with European regulations. These service providers act only in accordance with our instructions. A contract is systematically finalised with them and transfers of personal data are governed by the signing of reinforced contractual clauses specifically provided for this purpose (standard contractual clauses - SCC - published by the European Commission) when the laws of the country concerned do not offer protection equivalent to the GDPR (so-called ‘adequate’ countries). Where necessary, additional technical or legal measures are put in place.

 

8. How is your data secured?

 

The security of your personal data is a key concern for the companies in the Compagnie des Alpes Group, which pool their resources to ensure an appropriate level of security that is up to date with the latest technology.

To preserve the confidentiality and security of your personal data and, in particular, to protect it against unlawful or accidental destruction, accidental loss or alteration, or unauthorised disclosure or access, the Compagnie des Alpes Group takes appropriate technical and organisational measures and imposes the same requirements on its subcontractors. These measures are adapted according to the level of sensitivity of the data processed and the level of risk.

The Compagnie des Alpes Group has put in place procedures to detect, analyse and monitor security incidents and any suspected breaches of your personal data, and to be able to block access to the data at any time.  Procedures for managing personal authorisations have also been put in place to ensure that access to data is as restricted as possible.

Despite our efforts, vulnerabilities may still exist in our systems. If you believe you have detected a vulnerability, please contact us via this form (vulnerability disclosure page), in accordance with the principles described therein.

 

9. What are your rights regarding your data?

 

You have several rights regarding your personal data in our possession:

  • The right to object: You no longer wish to receive our marketing communications, object to a decision related to your profiling, or withdraw your consent.
  • The right to rectify your data: have you moved house? Changed your email address?
  • Let us know so we can keep your data up to date! The right to access your data: you can request a copy of all the personal data we hold about you in an understandable format.
  • The right to erase your data: You wish to delete your entire customer account and erase all your personal data in our possession. We will comply with your request, with the exception of accounting and tax records relating to your transactions and those necessary to create our evidence (in the event of a possible legal dispute), which must be retained.
  • The right to restrict the processing of your data: you are facing a legal dispute and wish to prevent your data from being deleted; your data will therefore be stored without being used.
  • The right to data portability: you wish to recover some of your data. You are then free to store it elsewhere or easily transfer it from one system to another for it to be reused for other purposes.

 

You will find all our contact details below to exercise these rights.

 

10. Business partners

In certain communications, we may offer you the opportunity to receive offers or news relating to our partners, without your personal data being shared with them.

 

Where you provide your explicit consent (opt-in), this authorizes us solely to send you communications about these partners on our behalf. 

The list of partners concerned can be viewed below. It includes entities belonging to the Compagnie des Alpes Group, to which our establishment is affiliated.

This list is subject to change. You may withdraw your consent at any time, in accordance with the terms and conditions set out in this policy.
 

  • Futuroscope (Société du Parc du Futuroscope)
  • Parc Astérix (Grévin et Compagnie)
  • Walibi Rhône-Alpes (Avenir Land)
  • Walibi Holland
  • Walibi Belgium & Aqualibi Belgium (Belpark)
  • Bellewaerde Park and Bellewaerde Aquapark (Belpark)
  • France Miniature
  • FamilyPark
  • Chaplin's World (By Grevin)
  • Belantis (Event Park)
  • Urban Soccer
  • Urban Padel
  • MMV
  • Travelski (Travel Factory)
  • Yoonly (Djay)
  • Mountain Collection (Mountain Collection Immobilier)
  • Evolution 2 (CDA Evolution 2)
  • ADS Domaine de Montagne Les Arcs / Peisey-Vallandry (ADS)
  • La Plagne Resort (Société d'Aménagement de la Plagne)
  • Tignes Ski Area (Société des Téléphériques de la Grande Motte)
  • Val d'Isère Cable Car (Société des Téléphériques de Val d'Isère)
  • Les Menuires - Saint Martin Ski Area (Société des Téléphériques de la Vallée des Belleville)
  • Méribel Alpina
  • Serre Chevalier Vallées (SCV Ski Area)
  • Domaine Grand Massif (GMDS) - Flaine, Morillon, Samoëns, Sixt-Fer-à Cheval
  • Pralognan Mountain Resort

 

11. Please contact us if you have any questions.

 

Do you have any questions? Would you like to unsubscribe from our newsletters? Delete your account?

We have appointed a data protection officer who is responsible for answering all your questions and ensuring the protection of your personal data.

To contact them, click here!

Please fill in the form provided for this purpose and your request will be processed within a maximum of one month. 

You can also contact them:

  • By writing to the following address: Musée Grévin - Personal Data Protection Department – 10, boulevard Montmartre 75009 Paris, France.

Or

 

If there is serious doubt about your identity and no alternative verification is possible, we may ask you to provide proof of identity in order to process your request, solely to ensure that we are dealing with the correct person.

If, despite our efforts, you consider our response to be incomplete, you may contact the CNIL https://www.cnil.fr/fr for further assistance.