Privacy policy

Trou de banche

Privacy policy

1. Who is responsible for data processing?

Your personal data is processed by Pinault Collection, 12, rue François 1er, Paris 8e, S.A.S. with a capital of 130.020.000 €, registered with the Registre du Commerce et des Sociétés de Paris under the number RCS Paris 807 902 036 (“Pinault Collection”).


2. What are the purposes and the lawful bases for processing your personal data?

Your personal data is processed for the purposes set out below, on the basis of a contract or pre-contractual steps, your consent, the Pinault Collection’s legitimate interests or on legal obligations it has to fulfil.


Ticket and membership card sales

  • Creation of an online client account
  • Management and tracking of ticket and membership card sales and orders, and guides’ accreditations
  • Bill generation, payment tracking
  • Management of guided tours and visit planning
  • Bill issuance

→ Pre-contractual steps or contractual arrangement

  • Retention of bank card number for future transactions

→ Consent

  • Communication and exchange of information further to the modification or cancellation of an event
  • Developing sales or traffic statistics
  • Satisfaction surveys
  • Site functioning and audience statistics tracking
  • User navigation tracking (cookies) 

→ Legitimate interests (Improving the offer, better customer familiarity)

Management and optimization of the website

  • Site and audience statistics tracking
  • User navigation tracking (cookies) 

→ Legitimate interests (Improving the offer, better customer familiarity) and consent

Marketing activities

  • Sending promotional, informational messages, newsletters providing the latest news about the Collection to professionals, by email or SMS

→ Legitimate interests or consent

  • Sending promotional, informational messages, newsletters providing the latest news about the Collection to (non-professional) clients by email or SMS
  • User navigation tracking (cookies)

→ Consent

  • Postal marketing
  • Technical data operations (standardization, data deduplication, corrections)
  • Selection of individuals to carry out marketing and communication activities
  • Satisfaction surveys
  • Tracking marketing dispatches
  • Cookies essential to the functioning of Internet sites
  • Unsubscription management

→ Legitimate interests (improving the offer, better customer familiarity)

  • Storing proof of consent

→ Legal requirements 

  • Sending newsletters to registered users
  • Managing subscription and unsubscription requests for the Pinault Collection newsletters

→ Consent

  • Creating newsletter statistics
  • Updating client data

→ Legitimate interests


  • Billing management

→ Legal requirements

Management of requests made through contact forms

  • Communication and exchange of information further to requests made through a contact form

→ Legitimate interests

Visitors’ and clients’ rights to exercise their rights

  • Management of potential client/client requests to exercise their data protection rights (right to access, right to refuse, right to limit…)

→ Legal requirements

Recruitment activities

  • Management of applications transmitted via the site

→ Legitimate interests

This Personal Data Policy is only applicable to data processing carried out by the Pinault Collection.

The other Internet sites associated with the Collection, specifically the bookshop website (, the Halle aux grains restaurant website ( and the Palazzo Grassi website ( are managed by other, independent data processing services, under the GDPR, that have their own policies. It is your responsibility to consult them to learn about their separate data handling policies.


3. What categories of personal data are processed?

We may collect and process the following personal data:

  • your identity data (surname, first name, email address, photo, date of birth, etc.);
  • data related to your ticket purchase history (museum and membership cards);
  • data related to your tickets;
  • professional data (eg. function, professional address, cv, Kbis, status, SIRET n°);
  • connection data (eg: IP address, connection logs);
  • data related to transaction regulations and payment;

Personal data is collected directly from you or as a result of your navigation on Internet sites.

In the event that your personal data is collected from a form, mandatory information will be indicated by an asterisk (*) or otherwise, by an indication next to the relevant fields. If you do not respond, the processing cannot be carried out and your request will not be completed successfully.

We only collect personal data strictly necessary for the purposes described below.


4. Who has access to your personal data?

Depending on the purposes and reasons for which they were collected, your personal data may be shared with the following recipients:

  • the Bourse de Commerce staff working for the marketing, administration, computer or legal services;
  • the monitoring staff (audit, compliance, Data Protection Officer) working for the Bourse de Commerce;
  • external service providers responsible for personal data processing, or in the context of advisory or assistance activities;
  • sub-contractors engaged by the Bourse de Commerce. If this were to be the case, the, Bourse de Commerce ensures that the contracts signed with the latter are carefully regulated (service provider responsible for hospitality/reception, sales and follow up of client relations, online payment service provider, guided visit service providers, ticket generation software publisher, digital marketing agency);
  • those involved in operations related to the life of the Bourse de Commerce (divesture, merger, transfer of assets …);
  • institutions, court officers and ministerial officers in the context of their duties, when required to fulfil our legal, regulatory, judicial and administrative obligations, and if we consider that it is necessary within reason to protect an individual’s safety, to handle any issues of a fraudulent, security or technical nature, or to protect the rights or property of our users. We always check the authorizations of the recipients of the data.

Your personal data is transferred to a country outside the European Union. In this case, the Bourse de Commerce ensures that the data transfer is only made to a country considered comparable, and if this is not the case, has included appropriate guarantees thanks to the signature of contractual clauses approved by the European Commission, which are available with the DPO.


5. For how long is your personal data stored?

Your personal data can only be stored for the period strictly necessary for the purpose for which it is collected and processed. For example, the main storage periods are as follows:

  • Creation of an online client account: until the client requests their erasure or for 3 years from the date of the termination of the commercial relationship (date of last connection to the account or last purchase)
  • Management and tracking of ticket sales and orders and membership cards: photographs associated with membership cards are erased 3 months after the membership card expires
  • Digital marketing activity (emails and/or SMS): 3 years after the last contact initiated by the potential client
  • Storage of bank card number: the Bourse de Commerce does not store bank card numbers. They are stored by the payment service provider for a period of 60 months, unless the consent is retracted before this date.
  • Bill management navigation monitoring and tracking: 14 months
  • Ticket related data: 5 years after provision of the service
  • Newsletter management: until reception of an unsubscribe request
  • Management of requests made via a contact form: 3 years after the request has been handled
  • Bill management: 10 years
  • Management of requests made by individuals to exercise their rights: 1 year for the right to access and rectify
  • Litigation management: legal duration of the acquisition set out in the legal directive. In the event of legal action, the data will be stored for up to 5 years after the end of the legal procedure (after the final judgement)

Your personal data may only be kept for the time strictly necessary to fulfil the purpose for which it is collected and processed.


6. How to manage cookies?

When you browse our site the following cookies may be deposited on your computer, smartphone or tablet:

  • Functional cookies: they ensure the proper functioning of the site and allow you to access its main functions.
  • Advertising and retargeting cookies: are deposited with your consent. Depending on the centres of interest identified when you browse our website, they make it possible to offer you targeted advertising when you browse (i) other sites (“App Nexus” cookie), (ii) Facebook and Instagram (“Social networks” cookies) and (iii) Google (“Google” cookies).

If you refuse these cookies, you can still browse our site. However, the advertising displayed will not take your interests into account, and we will not be able to offer you targeted advertising on other sites.


7. What are your rights over your personal data and how can you exercise them?

Your rights over your personal data are as follows:

  • right of access;
  • right to rectification;
  • right to erasure;
  • right to restrict the subjection of your personal data to a single or several processes;
  • right to modify and/or withdraw consent to the processing of your personal data based solely on your consent, at any time;
  • right to object to the processing of your personal data;
  • right to personal data portability.

Any request to exercise your rights over your personal data can be made by contacting our Data Protection Officer (DPO) by email at or by post at : Pinault – Collection – DPO -, 48 rue Montmartre, 75002 Paris.

You may be asked to provide proof of identity. The right to exercise any of these rights may be refused if your request does not satisfy the conditions set out in the regulations. If this were to be the case, you will be duly informed.

If you are not satisfied with our services you have the right to contact the Commission Nationale de l’Informatique et des Libertés (CNIL): 3 place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07.