GDPR Privacy Notice

THIS NOTICE DESCRIBES YOUR RIGHTS TO ACCESS AND CONTROL YOUR PERSONAL DATA AND HOW YOUR PERSONAL DATA MAY BE COLLECTED, STORED, USED, OR DISCLOSED BY THE CINCINNATI MUSEUM CENTER IN ACCORDANCE WITH GDPR.  PLEASE REVIEW THIS NOTICE CAREFULLY.

The General Data Protection Regulation (“GDPR”) is a regulation that protects the personal data of individuals located in the EU and the European Economic Area (collectively the “EU”) from possible privacy and data breaches.  The GDPR allows individuals to control of their personal data that is held or processed by data controllers, which includes the Cincinnati Museum Center and its affiliates,  subsidiaries, and aligned partners (including, but not limited to: Union Terminal Corporation, Union Terminal LLC, Mercury Museum Services; and Holocaust & Humanity Center) (collectively, “CMC”).

The GDPR defines “personal data” as:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

CMC is committed to protecting and maintaining the privacy of personal data. As a data controller, CMC is responsible for explaining to you how and why it processes personal data. CMC will collect and process your personal data lawfully, fairly, and in a transparent manner; process, use, and disclose your personal data only for valid purposes; keep the personal data it collects and maintains accurate and up to date; keep your personal data secure in accordance with applicable law and regulations; and store personal data only as long as necessary to meet CMC’s legitimate needs.

This GDPR Privacy Notice outlines CMC’s collection, use, processing, and disclosure of personal data that you provide to CMC. When you submit personal data to CMC, communicate with CMC, or you use CMC’s websites or other services, you consent to CMC’s collection, use, processing, and disclosure of your personal data as described in this GDPR Privacy Notice. In the event of a data breach that poses a high risk to your personal data, CMC will notify you of the breach without undue delay.

COLLECTION AND USE OF INFORMATION

CMC collects, receives, and records your personal data any time you contact CMC or interact with CMC, such as using CMC’s services, operations, or websites.  CMC may also combine personal data you provide to CMC with information from CMC’s affiliates or third parties from time to time.

You are not required to provide your personal data to CMC. Any personal data you provide to CMC is voluntary.

CMC also collects certain information when you use its websites, which is recordable anytime you use the internet or other means of communication.  This information, includes the Internet Protocol (IP) address used to connect your computer to the internet; your domain name, if any; and computer and connection information, such as a browser type and version.

Like other websites, CMC’s websites use “cookies” to record your activity while visiting CMC’s websites.  CMC uses this information to learn how you use CMC’s websites, to remember your preferences, and to diagnose problems. You can learn more about how CMC uses these systems and technology in CMC’s Privacy Policy which is available at: https://cincymuseum.org/privacy/

CMC collects, records, and processes your personal data as necessary to accomplish CMC’s legitimate interests, purposes, functions, and responsibilities.  For example, CMC collects and processes personal data from individuals who access benefits through CMC programs.

Information collected from such persons may be used to: register or enroll you in CMC programs or membership; conduct CMC’s operations; alert persons to CMC programs and products, and other CMC functions.

USE AND DISCLOSURE OF INFORMATION

CMC only uses or discloses your personal data if it has your consent, or it is otherwise authorized to do so by the GDPR or other applicable international, Federal, State, and local law or regulation. CMC may also use or disclose your personal data as follows:

  • Emergency Circumstances: CMC may share your personal data when necessary to protect your interests if you are physically or legally incapable of providing consent.
  • Necessity: CMC may share your personal data when necessary in accordance with applicable law, provided that your personal data is protected by appropriate safeguards to prevent further unauthorized use or disclosure.
  • Public Information: CMC may share your personal data if you have manifestly publicized your personal data.
  • Archiving: The may share your personal data for archival purposes such as public interest needs, public health, and for other historical research and statistical purposes.
  • Performance of a Contract: CMC may share your personal data if it is necessary to administer a contract you have with CMC.
  • Legal Obligation: CMC may share your personal data if disclosure is required or permitted by international, federal, and state laws and regulations.
  • Service Providers: CMC may use affiliate and third party service provides who have entered into a contract with CMC to assist CMC in performing its services, duties, functions, and operations. In these cases, CMC may share your personal data with such party provided that your personal data is protected by appropriate safeguards to prevent further unauthorized use or disclosure. Third party services providers may include: email marketing platforms, event and ticketing systems, membership and donation systems, and website systems.
  • CMC-Affiliated Programs: CMC may share your personal data with parties that are affiliated with CMC for the purpose of contacting you about products, services, or benefits that may be of interest to you.
  • De-Identified and Aggregate Information: CMC may use and disclose personal data in de-identified or aggregate form without limitation. However, this information will not include personally identifiable information, is purely statistical in nature, and cannot be tied to you.

CMC may use and disclose your personal data on its own behalf, share it with its affiliates and other third parties, or share it with other individuals or third parties to whom you have authorized CMC to disclose your personal data for the purposes of processing information; communicating with you on behalf of CMC; providing services or products that you have requested; or for other authorized activities or functions.  CMC may also use or disclose your personal data to conduct general demographic and statistical research to improve CMC programs and operations, to enforce CMC policies, and to comply with applicable laws and regulations.

Where your personal data is disclosed to CMC’s affiliates or third parties, CMC requires the recipient to agree to process and use personal data based on instructions from CMC and in compliance with CMC’s contracts with the third party, and other appropriate confidentiality and security measures.

SECURITY

CMC uses appropriate technical and organizational security measures to protect your personal data from unauthorized access and unauthorized alteration, use, disclosure or destruction.

These measures include internal reviews of CMC’s data collection, storage and processing practices and security measures, including appropriate encryption and physical security measures to guard against unauthorized access to systems where CMC stores data. You can learn more about CMC’s data security by reading CMC’s Privacy Policy.

Personal data created in the European Union will be transferred out of the European Union to CMC in compliance with appropriate safeguards and applicable law, including the GDPR and Federal, State, and Local information privacy laws.

If you feel CMC has not complied with applicable EU laws regulating such personal data, you have the right to file a complaint with the appropriate supervisory authority in the EU in accordance with your rights listed in this GDPR Privacy Notice.

RETENTION AND DESTRUCTION OF INFORMATION

Your personal data will be retained by CMC in accordance with applicable state and federal laws, and the applicable retention periods in CMC’s records management policy. Your personal data will be destroyed upon your request unless applicable law or regulation requires destruction after the expiration of an applicable retention period. The manner of destruction will be appropriate to preserve and ensure the confidentiality of your personal data given the level of sensitivity, value, and importance to you and to CMC.

YOUR RIGHTS

At any point in which CMC is in possession of or is processing your personal data, you have the following rights, subject to applicable laws and regulations:

  • Right of access – you have the right to request a copy of the information that CMC hold about you.
  • Right of rectification – you have a right to correct data that CMC hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data CMC holds about you to be erased from its records.
  • Right to restriction of processing – where certain conditions apply, you have a right to restrict CMC’s processing of your personal data.
  • Right of portability – you have the right to have the data CMC holds about you transferred to another organization.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – you have the right to not be subject to the legal effects of automated processing or profiling.
  • Right to judicial review: in the event that CMC refuses your request under any of the above rights, it will provide you with a reason as to why. You have the right to complain as outlined in this GDPR Privacy Notice.
  • Right to withdraw consent: You have the right to withdraw your consent to CMC’s collection, recording, use, processing, or disclosure of your personal data at any time.  However, your withdrawal of consent will not affect CMC’s lawful use or disclosure of your personal data while your consent was in effect.

Any exercise of the above rights can also be forwarded to any third party involved in the processing of your personal data. Your rights may differ depending upon the location within the world where your personal information was created or shared. The erasure of your information may also be subject to CMC’s records retention and management policies. Should your personal data fall within one of the areas where CMC is legally required to retain your personal data for a certain period of time, CMC will retain that personal data in accordance with its legal obligations.

Please note that your rights in this GDPR Privacy Notice are not absolute and CMC may refuse certain requests where exceptions apply. Should CMC determine that you are not entitled to exercise a certain right, CMC will provide you with the reason(s) for the denial.

REQUESTS FOR PERSONAL DATA HELD BY CMC

At any time, you may request that CMC provide you with the personal data CMC collects about you and to transmit your personal data to another data controller where possible. You may also request that CMC confirm what personal data it possesses about you and whether or not your personal data is being processed by CMC; is subject to the use of automated decision-making; and how CMC processes your personal data.

Similarly, you can request confirmation whether CMC received your personal data; if it disclosed your personal data to a third party; and how long CMC will store your personal data under its records management policy.

UPDATES TO THIS GDPR PRIVACY NOTICE

CMC may update or change this GDPR Privacy Notice at any time. Your continued use of CMC’s websites or third party applications, or continued interaction with CMC or submission of personal data to CMC, after any such change indicates your acceptance of the changes.

COMPLAINTS AND CONTACT INFORMATION

In the event that you wish to make a complaint about how your personal data is being processed by CMC or its authorized third parties, or how your complaint has been handled, you may to lodge a complaint directly with the GDPR supervisory authority and CMC.

If you wish to contact CMC or file a complaint concerning CMC’s collection, recording, use, processing, or disclosure of personal data please contact us at: Cincinnati Museum Center, 1301 Western Ave., Cincinnati, Ohio 45203 or (800) 733-2077.

 

GDPR Data Protection Policy

Last updated 2/12/19

Definitions

CMC means Cincinnati Museum Center and its affiliates,  subsidiaries, and aligned partners (including, but not limited to: Union Terminal Corporation, Union Terminal LLC, Mercury Museum Services; and Holocaust & Humanity Center)
GDPR means the General Data Protection Regulation.
Responsible Person means Chief Technology Officer at domains@cincymuseum.org.
Record of Processing Activities means a written description and analysis of  the various contexts in which Personal Data is processed by CMC.
Individual means a person located within the European Union at the time of collection of Personal Data.
Personal Data means any information that relates to an identified or identifiable Individual including, but not limited to: (a) name; (b) identification number; (c) location data; (d) an online identifier; or (e) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.

1. Data protection principles

CMC is committed to processing Personal Data in accordance with its responsibilities under the GDPR. As such, CMC shall comply with GDPR requirements for all Personal Data collected from Individuals located within the European Union at the time of collection, regardless of where the processing takes place, where the processing activities are related to the offering of goods or services to such Individuals or the monitoring of their behavior that takes place within the European Union.

If it is possible to identify an Individual directly or indirectly from the information being processed, then that information shall be considered to be Personal Data. When considering whether information ‘relates to’ an Individual, CMC takes into account a range of factors, including the content of the information, the purpose or purposes for which CMC is processing it and the likely impact or effect of that processing on the individual.

Article 5 of the GDPR requires that Personal Data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to Individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    1. further processing for (a) archiving purposes in the public interest; (b) scientific purposes; (c) historical research purposes; or (d) statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date;
    1. every reasonable step must be taken to ensure that Personal Data that is inaccurate, taking into account the purposes for which it is processed, is erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data is processed;
    1. Personal Data may be stored for longer periods if the Personal Data will be processed solely for (a) archiving purposes in the public interest, (b) scientific purposes; (c) historical research purposes; or (d) statistical purposes, subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
    1. such measures should be appropriate to the circumstances of CMC and the risk the processing imposes and may include, among other things, conducting risk analyses, implementing IT security policies and user codes of conduct, physical and technical measures such as locked storage/server rooms, the pseudonymization and encryption of Personal Data, electronic access control/password restrictions, and implementing appropriate backup and data restoration procedures.

2. General provisions

  1. This policy applies to all Personal Data processed by CMC.
  2. The Responsible Person shall take responsibility for CMC’s ongoing compliance with this policy.
  3. This policy shall be reviewed at least annually.

3. Lawful, fair and transparent processing

  1. To ensure its processing of Personal Data is lawful, fair and transparent, CMC shall maintain a Record of Processing Activities under its responsibility.
    1. The Record of Processing Activities must include:
      1. the name and contact details of CMC and the Responsible Person;
      2. the purposes of the processing;
      3. a description of the categories of data subjects and of the categories of Personal Data;
      4. the categories of recipients to whom the Personal Data have been or will be disclosed including recipients in third countries or international organizations;
      5. where applicable, transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization and, if applicable, the documentation of suitable safeguards;
      6. where possible, the envisaged time limits for erasure of the different categories of data;
      7. where possible, a general description of the technical and organizational security measures
    2. A template Record of Processing Activities is included as Exhibit A to this policy.
  2. The Record of Processing Activities shall be in writing and reviewed at least annually.
  3. Individuals have the right to access their Personal Data and any such requests made to CMC shall be dealt with as soon as reasonably possible, but, in any event, within 30-days of receiving such requests.
  4. CMC shall handle Individuals’ Personal Data only in ways they would reasonably expect and shall not use the Personal Data for any unlawful purposes.
  5. If CMC hires a processor to handle Personal Data on its behalf, it shall put in place a written contract that sets out each party’s responsibilities and liabilities and includes certain specific minimum terms, such as (a) requiring the processor to take appropriate measures to ensure the security of processing; and (b) requiring the processor to assist CMC in allowing Individuals to exercise their rights under the GDPR.

4. Lawful purposes

  1. All Personal Data processed by CMC must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
    1. Consent: the Individual has given clear consent for CMC to process their Personal Data for a specific purpose.
    2. Contract: the processing is necessary for a contract CMC has with the Individual, or because the Individual has asked CMC to take specific steps before entering into a contract with a third-party.
    3. Legal obligation: the processing is necessary for CMC to comply with the law (not including contractual obligations).
    4. Vital interests: the processing is necessary to protect the life of the Individual or of another natural person.
    5. Public task: the processing is necessary for CMC to perform a task in the public interest or in the exercise of official public authority, and the task or function has a clear basis in law.
    6. Legitimate interests: the processing is necessary for CMC’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the Individual’s Personal Data that overrides those legitimate interests. Legitimate interests must be balanced against the Individual’s. If the Individual would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override CMC’s legitimate interests.
  2. CMC shall note the appropriate lawful basis in the Register of Systems.
  3. Where consent is relied upon as a lawful basis for processing Personal Data, evidence of opt-in consent shall be kept with the Personal D
    1. Opt-in consent shall be freely given, specific, informed, and unambiguous.
    2. Consent requires positive opt-in and may not use pre-ticked boxes that may use inaction by the Individual to assume consent.
    3. Consent must be separate and may not be bundled with other terms and conditions, privacy notices, or other services.
  4. Where communications are sent to Individuals based on their consent, the option for the Individual to revoke his or her consent must be clearly available and systems must be in place to ensure such revocation is reflected accurately in CMC’s systems.

5. Data minimization

  1. CMC shall ensure that Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6. Accuracy

  1. CMC shall take reasonable steps to ensure Personal Data is accurate.
  2. Where necessary for the lawful basis on which Personal Data is processed, steps shall be put in place to ensure that Personal Data is kept up to date.

7. Archiving / removal

  1. To ensure that Personal Data is kept for no longer than necessary, CMC shall put in place an archiving policy for each area in which Personal Data is processed and review this process annually as part of its review of the Record of Processing Activities.
  2. The archiving policy shall consider what Personal Data should/must be retained, for how long, and why.

8. Security

  1. CMC shall ensure that Personal Data is stored securely using encryption processes and modern software that is kept-up-to-date.
  2. Access to Personal Data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorized sharing of information, including, but not limited to, electronic access control, encryption, and other technical security measures.
  3. When Personal Data is deleted this must be done safely such that the data is irrecoverable using appropriate commercially recognized methods such as shredding, hard drive crushing, and/or degaussing.
  4. Appropriate back-up and disaster recovery solutions shall be in place.

9. Breach

In the event of a breach of security, defined as the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, CMC shall promptly assess the risk to Individuals’ rights and freedoms and, if appropriate, report this breach to the relevant supervisory authority. CMC shall report any breaches within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting Individuals’ rights and freedoms, CMC shall also inform those Individuals without undue delay. A “high risk of adversely affecting Individuals’ rights and freedoms” may include breaches involving medical or financial information, large scale breaches of contact information, or a breach of contact information combined with other information that could subject the Individual to greater risk of harm. Such notification shall at least:

  1. describe the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
  2. communicate the name and contact details of the Responsible Person or other contact point where more information can be obtained;
  3. describe the likely consequences of the Personal Data breach;
  4. describe the measures taken or proposed to be taken by the controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Notice to the Individual shall not be required if any of the following conditions are met:

  1. CMC has implemented appropriate technical and organizational protection measures, and those measures were applied to the Personal Data affected by the Personal Data breach, in particular those that render the Personal Data unintelligible to any person who is not authorized to access it, such as encryption;
  2. CMC has taken subsequent measures which ensure that the high risk to the rights and freedoms of Individual is no longer likely to materialize;
  3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Individuals are informed in an equally effective manner.

CMC shall keep a record of all Personal Data breaches, regardless of whether notification is required.