This Privacy Policy applies to any personal data processed by Kulterra Association For The Promotion of Arts, headquartered in Bucharest, District 1, 104 – 106 Stirbei Voda Street, Tax ID 45041485 (Kulterra, or us), the data controller (as defined under Article 4(7) GDPR) of all processing activities in connection with this website.
Questions, comments and requests regarding this Privacy Policy are welcome and should be addressed here:
office@kulterra.art.
What data to we process, why and for how long.
Depending on the reason for your relationship with us, we may process the following types of data:
- Technical data:
When you use our website, we collect the IP address of your terminal device and other technical data in order to ensure the functionality and security of our website. This data includes logs with records of the use of our systems. Technical data includes the IP address and information about the operating system of your terminal device, the date, region and time of use and the type of browser that you use to access our offerings. This may help us to provide an appropriate layout of the website or, for example, to display a sub-page for your region. We know through which provider you access our offerings (and therefore also the region) because of the IP address, but usually this does not tell us who you are. We generally keep technical data for 5 years.
- Communication data:
When you are in contact with us via the contact form, by e-mail or elephone we collect the data exchanged between you and us, including your contact details and the metadata of the communication. If we have to determine your identity, for example in relation with a request for information, a request for press access, etc., we may collect data to identify you (for example a copy of an ID document). We process such data for relationship management and, with your consent, for marketing purposes, such as sending you updates regarding future events. We generally keep this data for 5 years from the last exchange between us. This period may be longer where required for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. E-mails in personal mailboxes and written correspondence are generally kept for at least 10 years.
- Contract data:
This means data that is collected in relation with the conclusion or performance of a contract, for example information necessary when you purchase online tickets on our website (eg. name, bank account, email address) or when you rent a MoBU booth (eg. name, bank account, title, power of attorney etc.), information required or used for performing a contract, and information about feedback (for example complaints, feedback about satisfaction, etc.). If we enter contracts with you, we process contract data to provide you services and to comply with applicable laws and regulations. We generally keep this data for 10 years from the last contract activity but at least from the end of the contract. This period may be longer where necessary for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons.
- Other data:
we may process your technical, communication, contractual data, or obtained from photos, videos and audio recordings for marketing purposes - with your consent, for security purposes, and for the fulfillment of administrative or judicial procedures. The retention period of these data depends on the purpose of processing, and varies between a few days, for data obtained through security cameras, up to 5 years, for data required in administrative or judicial procedures.
Who do we share your data with and where do we store it.
We may share your data with our sevice providers eg.: agents and consultants (eg. accountants), IT providers, payment service providers and advertising service providers. Whenever we share your data with third parties we enter into contracts with these providers that include provisions to protect your data.
Data storage: The personal data we collect from you is stored
in the European Union on Cloud Servers of Amazon Web Services EMEA S.A.R.L. (“AWS”) with a business seat in Luxembourg[TC1] . This data may, however, be processed by sub-processors operating outside of the European Economic Area (“EEA”) based on a data processing agreement, as long as the additional requirements of Article 44 et seq. GDPR for the processing of personal data in third countries are met (e.g. if the sub-processor can provide appropriate safeguards under Article 46 GDPR, such as but not limited to standard data protection clauses, binding corporate rules, approved code of conduct or exceptional circumstances under Article 49 GDPR) and any necessary additional measures based on case-by-case assessments.
Your data subject’s rights.
Under GDPR you have various rights in relation to your personal data. You can contact us at
office@kulterra.art for any questions regarding your data. To verify your request, we will take reasonable steps such as asking you to send us a confirmation from the email address associated with your account, so that we can verify that you are the owner of this email account.
- Right to withdraw consent:
Where the processing of your data relies on your prior consent, you have the right to withdraw such a consent at any time by notifying us here. By withdrawing your consent, the lawfulness of the processing based on consent up until the point of withdrawal will not be affected.
- Right to object:
you have a right to object where the processing is based on legitimate interests, on grounds relating to your particular situation, at any time, to the processing of your personal data, including profiling based on those provisions. In the event of an objection relating to your particular situation, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. If we process your personal data for statistical purposes, you have the right to object to such processing for reasons arising from your particular situation. In the event of such an objection, we will no longer process the personal data concerned for this purpose.
- Right to be informed:
you have a right to obtain confirmation from us as to whether we are processing your personal data or not. If so, you also have the right to obtain access to your personal data held by us. This includes information regarding the purposes of the processing, the categories of personal data that are being processed, and the recipients or categories of recipients to whom the personal data have been or will be disclosed.
- Right to be forgotten:
you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Article 17(1) GDPR applies. You can do this by deleting your account, in the App, at any time. If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data
- Right to restriction of processing:
you have a right to restriction of processing under the conditions provided in Article 18 GDPR. This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Article 18(1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data.
- Right to data portability:
you have a right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from us where the processing is based on consent or on a contract. In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller where technically feasible.
- Right to rectification:
have the right to receive from us, without undue delay, the rectification of inaccuracies in your personal data and completion of incomplete personal data.
- Right to complain:
As a data subject, you have a right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is the Romanian Data Protection Authority, Address: 28-30 G-ral Gheorghe Magheru Bld.; Telephone: +40.318.059.21; E-Mail: anspdcp[at]dataprotection.ro.
Changes to this policy
Any changes we make to our Privacy Policy in the future will be posted on this page, and where appropriate, notified to you by email. We therefore encourage you to review it from time to time to stay informed about the way we are processing your data.
Last Update: December 7th, 2023.