Legal aspects

Any person using the information, documents, products, software, and services (hereafter collectively referred to as the “Services”) provided on the website https://www.mnaha.lu (the “Site”) will be deemed to be aware of, and to have accepted, all the general terms and conditions of use.

“Body” means the government authority, ministry, administration, or the public institution which is, solely or jointly, responsible for the Site.

1.1 User obligations

The Site is accessible via the Internet. Users declare that they are aware of the risks involved and that they accept those risks. Users must guard against the effects of computer hacking by adopting a suitable and secure computing environment.

The Body accepts no liability for any loss or damage that users may suffer, directly or indirectly, in connection with browsing on the Site or using the Services which it offers, or from accessing any of the other websites to which it refers.

The use of the Site is free.

1.2 Cookie management

The Site uses cookies. These are small text files transmitted from the Site to users’ browsers. They allow the analysis of the users’ navigation on the Site (frequency of visits, duration of visits, pages viewed, etc.).

Users can decide for themselves, through their browsers’ settings, whether or not they allow the Site to store cookies in their browsers. In the aforementioned settings, they can also, at any time, delete the cookies that have already been stored.

If users opt to refuse cookies from the Site, some of the Site’s features may not work as expected or may be disabled. Hence, it is recommended that users update their browser settings to accept cookies from the Site.

For more information, please see the Cookie policy on the Site.

1.3 Changes to the Site

The Body reserves the right to develop, modify or suspend the Site without prior notice, for maintenance or updating purposes or for any other reason which may be deemed necessary.

The Body can, at any time, withdraw, add to or clarify all or part of the information and Services of the Site. The Body cannot be held liable for any loss or damage, whether indirect or indirect, in connection with any such changes.

1.4 General limitations of liability

The Body will do its utmost to ensure that the Site is always available. However, it accepts no liability should the Site become temporarily or wholly unavailable.

The Body will do its utmost to ensure the security of the computer system. However, it accepts no liability should there be a cyberattack or should the Site become temporarily or wholly unavailable.

The Body will do its utmost to ensure that the information published on the Site is accurate. However, the Body accepts no liability for not updating a piece of information or a form, for errors committed while manipulating the system or its code, nor for missing, inaccurate or erroneous information.

Indeed, the aim is to disseminate accurate, up-to-date information emanating from a variety of sources, but the Body is unable to avoid all risks of hardware error. None of the information on the Site should be considered to be exhaustive or a commitment from the Body.

Translations and explanations in layman’s terms are provided solely for information purposes. Only legal texts published in the Mémorial (Official Journal of the Grand Duchy of Luxembourg) shall be deemed authoritative. The information appearing on the Site is of a general nature. The information is not tailored to individual or specific circumstances and thus cannot be regarded as personal, professional, or judicial advice to users.

1. Limitations of the Site’s liability

The Site expressly cannot accept liability for any consequences, whether direct or indirect, arising from:

• Incompatibility between the Service offered and users’ or any third party’s equipment, applications, procedures or infrastructures;
• Any security breaches caused by users or a third party, and more generally any security breaches not directly attributable to the Site;
• Any errors and/or fraudulent acts committed by users or a third party;
• Any unavailability or malfunction of electronic communication systems or networks.

1.6 Links to other websites

For users' convenience, the Site may contain links to other websites. The Body does not systematically monitor the content of those websites. Consequently, it cannot be held liable for their content.

1.7 Intellectual property

The Site, all its elements (including the layout), as well as the information and Services, are protected by the relevant intellectual property and copyright laws.

Unless otherwise specified, the Body grants no licence or authorisation with regard to the intellectual property rights which it holds for the Site, its elements or its Services. Moreover, reproduction of the information or Services, either in full or in part, and in whatever form or by whatever means, is forbidden without the prior written consent from the Body.

Unless otherwise specified, users are authorised to view, download and print the available documents and information available, on the following conditions:

• The documents may only be used for personal purposes, for information and in a strictly private context;
• The documents and information cannot be modified in any way whatsoever;
• The documents and information cannot be disseminated outside of the Site.

The rights implicitly or expressly granted to users constitute an authorisation to use the Site; under no circumstances do they constitute a transfer or assignment of property rights or other rights in relation to the Site.

1.8 Changes to the general terms and conditions of use

These general terms and conditions of use may be modified or supplemented at any time, without prior notice, to reflect changes made to the Site or changes in the law, or for any other reason which may be deemed necessary.

It is the users’ responsibility to familiarise themselves with the general terms and conditions of use of the Site, of which only the most up-to-date online version shall be considered to be in force. It is possible that, in the interval between two visits to the Site, the general terms and conditions of use may have changed, and it is thus the users’ responsibility to read through those conditions before every visit to the Site.

1.9 Applicable law and courts of competent jurisdiction

All disputes concerning the use of the Site and its Services shall be governed by Luxembourg law, and the courts of the Grand Duchy of Luxembourg shall have exclusive jurisdiction to hear and settle such disputes.

2.1 General information

The personal data communicated by the users are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The Body collects no personal data other than the IP address contained in the server logs for security reasons. User consent is not required before visiting the Site.

The controller for these processing operations is the Body.

Users can file claims relating to the protection of their data by contacting the Body’s data protection officer (DPO):

email hidden; JavaScript is required

Délégué à la protection des données (DPO)

Musée national d’archéologie, d’histoire et d’art

Marché-aux-Poissons

L-2345 Luxembourg

Furthermore, users can contact the Commission nationale pour la protection des données (National Commission for Data Protection) whose registered office is located at 15, Boulevard du Jazz L-4370 Belvaux.

2.2 The Site’s contact forms

The Body is the recipient of user data collected through the Site’s contact forms. These data need to be processed by the Body to carry out users’ request.

By filling in the form, users agree that their personal data will be processed in connection to their request. The Body will keep a user’s data for as long as necessary to finish processing that user’s request.

The Body will tell users how long their data will be kept or the criteria used to determine that length of time, on an ad hoc basis, upon users’ requests.

Under the terms of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, users have the right to access, rectify and, where applicable, request the erasure of any information relating to them. Users also have the right to withdraw their consent at any time.

Additionally, unless the processing of users’ personal data is compulsory, they can, for legitimate reasons, oppose the processing of such data.

If users wish to exercise these rights and/or obtain a record of their information, they can contact the Body according to the contact details in the form. Alternatively, users can send a complaint to the Commission nationale pour la protection des données (National Commission for Data Protection), at its head office at 15, Boulevard du Jazz, L-4370 Belvaux.

2.3 Data protection in connection with audience measurement

When users visit the Site, the Body collects certain data about the hardware and software used by users, but which cannot be used to identify users. The sole purpose of collecting such data is to gather statistics on website traffic (type of browser, resolution, approximate location, etc.) in order to provide users with the best possible user experience.

These data are retained and hosted in Europe, in a solution provided by a contractor called Adobe Systems Inc. This contractor is subject to the same legal obligations regarding the protection of personal data.

In this context, users’ IP addresses are never retained in full. In order to obtain general statistics, only part each user’s IP address is retained. This part does not reveal the user’s identity.

The data is retained for no longer than is necessary to observe how audiences evolve with regard to the hardware and software they use, or other available statistics.

The Body is the controller of these operations.

1. Introduction

This information notice aims to inform about the video surveillance processing implemented by the Musée national d'archéologie, d'histoire et d'art (MNAHA) concerning the individuals involved (staff, visitors, external service providers, suppliers, etc.) within and outside a MNAHA site.

2. Data controller

Following Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 regarding the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the "GDPR"), the data controller of the video surveillance system is the Musée national d'archéologie, d'histoire et d'art (MNAHA) under the supervision of the Ministry of Culture, which operates the video surveillance system.

The data controller can be contacted at the following address:

Musée national d'archéologie, d'histoire et d'art
Marché-aux-Poissons
L-2345 Luxembourg

3. Contact person

For any requests related to the protection of personal data, you can contact our Data Protection Officer (DPO):

• By email at email hidden; JavaScript is required
• By postal mail at the following address:

Musée national d'archéologie, d'histoire et d'art
Attn: Data Protection Officer
Marché-aux-Poissons
L-2345 Luxembourg

4. Legal basis for video surveillance processing

The processing related to video surveillance is necessary for compliance with a legal obligation to which the data controller is subject and for the purposes of the legitimate interests pursued by the data controller. The legal bases are Article 6(1)(c) and (f) of the GDPR.

The legal obligations referred to are those to which the data controller is subject under the law of 19 March 1988 concerning security in state administrations and services, public institutions, and schools.

5. Purposes of processing

The data controller processes data from video surveillance to:

• Control access to MNAHA premises and deter unauthorized entries;
• Ensure the safety and health of personnel, visitors, external service providers, suppliers, etc.;
• Protect property belonging to or made available to the data controller (buildings, technical installations, equipment, goods, cash, etc.) or belonging to individuals frequenting the building from theft and vandalism;
• Detect and identify unauthorized access or suspicious or dangerous behavior that could cause accidents or harm to the safety or health of people and property;
• Intervene in the event of unauthorized access or suspicious or dangerous behavior that could cause accidents or harm to the health or safety of people and property to assist the concerned person, stop, or amend or pursue the perceived harm to health and safety;
• Precisely identify the origin and course of an incident or harm to the health or safety of people and property and document accountability;
• Organize and supervise the rapid evacuation of people in the event of an accident;
• Clarify any doubts in the event of a fire or intrusion alarm;
• Timely alert rescue services, fire services, or law enforcement and facilitate their intervention;

Processing based on the legitimate interest in protecting property and fulfilling legal obligations regarding the safety and health of employees and users is done based on an initial suspicion and in accordance with the principle of progressively intensifying controls.

6. Surveillance

Video surveillance is implemented within the premises and outside the MNAHA sites.

Surveillance of interior premises and the building’s surroundings

Video surveillance cameras are installed:

• In the reception hall on the ground floor;
• In the exhibition rooms;
• On the building's facades.

All cameras are visibly positioned, and no camera is hidden.

7. Data minimisation

The data controller only records what is strictly necessary to achieve the pursued purposes (adequate, relevant, and limited data to what is necessary) and respects the principle of proportionality concerning processing operations related to video surveillance.

8. Categories of data processed

Recorded images that can identify filmed individuals, location, date, and time from surveillance cameras. The camera used to open the parking barrier only reads the license plate number without recording the individuals in the vehicle. This processing is the subject of a separate notice.

9. Categories of data recipients

As a public administration, the data controller is bound by an obligation of confidentiality and can only share the processed data under strict and controlled conditions.

The data controller may share the data with its subcontractors as required by law and solely for the needs of the services entrusted to them.

The data controller is also required to share the data with competent administrative, police, or judicial authorities acting within the framework of judicial or other procedures where the data controller is required to defend its interests or is subject to legal cooperation obligations.

Thus, images may be viewed, in the event of an incident or offense, by duly authorized personnel and competent administrative, police, or judicial authorities.

The data remains within the European Union and is not transferred to third countries.

Data from video surveillance is retained for a maximum period of 3 months. However, the retention period may be extended in case of an incident, offense, or ongoing judicial procedure. These data will then be erased without undue delay if they are no longer necessary to achieve the purpose for which they were collected.

10. Transparency

When the data controller conducts video surveillance, individuals are informed of this surveillance by displaying signs and pictograms in the areas under video surveillance, in addition to the information notice available on the data controller’s website.

11. Documentation

The data controller inventories and documents each video surveillance system in accordance with personal data protection requirements.

12. Data Protection

The data controller has implemented appropriate technical and organizational measures to ensure the security and confidentiality of the data being processed.

13. Your Rights

Under the conditions and within the limits provided by legislative and regulatory provisions, the data subject has a number of rights regarding the processing of their personal data. You can contact our Data Protection Officer (DPO) for any requests.

First, you have the right to information, which allows you to obtain additional information about this notice.

You also have the right to request access to personal data from the data controller, to correct or erase it, or to limit the processing related to the data subject, or to object to the processing and to data portability.

To follow up on your rights exercise, the data controller may ask you to specify, before providing any data, the data/processing operations/period and/or specific location concerned by your request.

To process the request and for identification purposes, providing a copy of the requester’s identity document is necessary.

14. Complaints

If you believe that the processing of your data does not comply with the GDPR, you can file a complaint with our Data Protection Officer. You also have the right to file a complaint regarding the processing of your personal data by the Ministry of Public Service with the National Commission for Data Protection through the website: https://cnpd.public.lu/fr/particuliers/faire-valoir/formulaire-plainte.html or by postal mail:

National Commission for Data Protection
Complaints Service
15, Boulevard du Jazz
L-4370 Belvaux

16. Updates

This information notice may evolve to better protect your personal data. The latest version in force is available on the data controller’s website.