Version of december 2020

Our Charter for your personal data

What are personal data?

“Personal Data” (hereinafter “PD”) are any data relating to you that make it possible to identify you directly or indirectly.
This can include your username, name, sex, date of birth, postal address or your email.
To ensure optimal use of our services and, in particular, personalised services, you provide certain PD to the CFA. The provision of certain data is even essential in order to obtain certain services (e.g. purchasing tickets).
This may therefore include usage data collected automatically when you connect to our website. We store information about your usage using a tracking method, such as a cookie.

Our promise

The Centre for Fine Arts (hereinafter “CFA”), a limited liability company under public law with a social purpose, is responsible for the multidisciplinary organising of educational, cultural and artistic events.
We attach great importance to the respect and protection of your PD that we process in the performance of our public mission and services.
We undertake to process your PD in a fair, lawful and transparent manner as required by the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter “the Law”) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “the GDPR”).
This Charter is in keeping with our desire to act in a fully transparent manner and to enable you to improve your user experience.

Who are we?

We act as Data Controller (hereinafter “DC”) for our productions, joint data controller for our co-productions and as a new data controller for the events of other external organisers and parties that rent halls.

Contact details for the DC
Centre for Fine Arts,
Limited liability company under public law with a social purpose
CBE 895.408.978
Rue Ravenstein 23,
1000 Brussels

Data Protection Officer
If you have any questions concerning your PD, please contact our Data Protection Officer at the following address:

What categories of PD do we process?

Your identification data
Such as your last name, first name, postal address, telephone number(s), email address(es), identity card, photo, images recorded, etc.

Date of birth
We are legally obliged to obtain parental permission for those under 13 years of age and these data are also necessary for age verification for certain events and to apply preferential rates.

Browsing data
Such as IP address, date and time of access, type of domain with which you connect to the Internet, your preferences, etc.

Location Data or other communication-related data;
Specific for the BOZAR app
When you use the BOZAR app  your localisation data (GPS position) in the building can be actived if your Bluetooth is on (popup to activate BT). The technology used for this are the beacons who are situated in public spaces and never traceable to a particular individual. this data is not correlated with personal identification (phone number, name, address, etc.)

As other communication-related data you can receive notifications
If as user of the BOZAR app, you are close to a beacon; a popup is shown on your device with supplementary information.

Professional data on studies and training
Title/function, name of employer, curriculum vitae (including for traineeships, job applications or in order to satisfy the selection criteria set down for certain public procurement contracts launched by the CFA).
For more information about the processing of your professional and personal data within the context of recruitment, please visit the page:
fr: Emplois, stages & bénévolat / nl: Jobs, stages & vrijwilligerswerk

Sensitive data
We do not generally process data such as your sexual orientation, religious or political beliefs or data relating to your health or ethnic background.

Payment and billing data
These data are retained to enable us to process orders and comply with our legal accounting obligations.

Device ID data: Wifi clearpass
If you connect to BozarWifi in the building, your must register your device to get access and to be granted to the network according to the user profile that corresponds to you.

What are our sources?

You are our main direct source for collection of PD when you sign up for a newsletter, for example, or when purchasing tickets. We therefore expect you to provide us with correct and up-to-date PD.
Certain PD, such as the pages you have viewed, the date and time that you access our website or your location data with the BOZAR app, are automatically collected, via the servers visited (when you visit the pages of our website or the application) and from “cookies” placed on our site.
For information about “cookies”, their use and the specific data that they collect, please see our cookie policy page.
We may also receive your PD from our partners or parties who rent halls or from third parties. This is only possible where you have given your explicit consent, which you may withdraw at any time.

What do we do with your personal data?

Purchasing tickets or registration for a free event or booking of a Guided tours
We collect your PD mainly to establish, develop and manage the contractual relationship surrounding your order for tickets for an event taking place at the CFA (e.g. to manage your booking and keep you informed about the event for which you have purchased tickets).

Digital Wayfinding
BOZAR uses Bluetooth localization information for digital wayfinding on BOZAR premises; which allows for popups when in proximity of ‘exhibition pieces’

Access management
We might ask you for your identity card when you visit the Centre for Fine Arts to verify your date of birth. This enables us to ensure that the right rate was applied to you when you purchased your entrance ticket.

Subscribing to one or more newsletters
We collect your PD when you subscribe to one or more of our newsletters. You can manage your subscription via our online form.

Market research
Satisfaction surveys or market research may be organised on a voluntary basis. You can, of course, choose not to take part.

Direct marketing
The data are also used for the purposes of direct marketing for similar events in the CFA’s offering. You may object to such direct marketing at any time and request that the CFA removes you from the list. You will therefore find an unsubscribe link at the bottom of every email. By removing yourself from this list, you will also be unsubscribed from all newsletters to which you have subscribed.

Sending of brochures
As a subscriber, you have the option of receiving different brochures by post.

The CFA combines the data you have provided with your usage of the site to optimise your browsing experience and to notify you of personalised offers by email.

Video recordings
Some of our concerts or events may be filmed for live streaming or recorded for later broadcast. You may be filmed on such occasions.

Transfer to third parties
Your PD may be provided to the organiser of the event for which you purchased tickets, solely to ensure the smooth running of the event.
With your express permission, organisers may also use your PD to suggest other events. You can find out more on this topic in the organiser’s data protection statement - (see “Hosted Event” section).
In this context, your PD are also used to validate, correct or link them with data already present in the database.
We may share your PD with our external providers to the extent necessary for them to provide their services to us. In such cases, we enter into a contractual agreement to ensure compliance with the GDPR.

Verification of the legality of operations
PD may be processed to prevent or detect crime, such as illegal reselling of tickets, infringement of intellectual property rights, electronic payment fraud or other offences.

Processing job applications
If you apply for a position at the CFA, your PD are retained to comply with the application procedure; see the page Emplois, stages & bénévolat.

Complaints or lost property
Your PD may be used to respond to a complaint submitted to us by you and, where appropriate, to compensate you. Where your complaint relates to an event organised by a “Hosted Event” external organiser, we will transfer it to the external organiser to be dealt with. The same applies when you lose any personal belongings while visiting the CFA.

Improving our services
Your PD enable us to optimise our services (such as adapting and improving content or navigation on our website or the BOZAR app), improve the effectiveness of our marketing or advertising campaigns and compile statistics.
They will not be used for any other purpose without your prior express consent, such as for third party advertising or to send you a new newsletter to which you have not yet subscribed.

Who processes your PD?

In keeping with the principle of minimisation, only authorised FA personnel have access to your PD.

Our external service providers and contractors
In order to perform certain tasks and provide our services, we use the services of external providers.
This may include, among others, our application provider and our ticketing system.
We require our subcontractors to provide the same level of protection as we do and that they do not use your PD for purposes other than those specified by us.
They must also have appropriate security measures to protect against unauthorised or unlawful processing of your PD and against accidental loss, destruction or damage of your PD.
This is guaranteed contractually and they are only authorised to process your PD for the authorised purpose, with the requisite discretion and security.

Do we share your PD?

With our cultural partners
As part of our public mission, we work closely with other institutions such as the Belgian National Orchestra (BNO) and the Royal Theatre of la Monnaie/de Munt (RTM).
BNO concerts are co-productions. When you purchase a concert ticket for the BNO via our ticket office, you are therefore making a purchase from two joint data controllers, the CFA and the BNO. The BNO therefore also has access to your PD on this contractual basis and may contact you to suggest concerts similar to that for which you purchased tickets.
If you have any questions relating to the processing of your PD by the BNO, you can contact the BNO via the website

With our clients - “Hosted Events”
When you purchase a ticket for an event organised by (an) external producer(s) in our halls, we only transmit the PD required to fulfil your order (information regarding any change of hall, time, artist, etc.)
We ask these external organisers to retain your PD only for as long as necessary to organise their event. After this, your PD are deleted, anonymised or stored exclusively for statistical purposes and are not used for any other purpose whatsoever. When purchasing a ticket as part of a package, we will also provide your PD to the organiser of the event in question. In order to process these packages, the organisers must have access to your data and your order.
Your express consent is always required in all other cases.
“Hosted Events” are listed under the “Hosted Events” tab on our website.

With public authorities
Your PD may also be disclosed in compliance with laws or regulations or pursuant to a decision of a competent regulatory or judicial authority.

With Meridian platform and on Google Cloud Services
When you use the BOZAR app, your data will be after their anonymization disclosed to for reporting information related to the location services is kept (via Meridian platform).

How secure are your PD?

We are committed to protecting your PD in accordance with the law and the state of the art.
We have therefore implemented appropriate technical and organisational measures to protect your PD. These measures are designed to provide a level of security appropriate to the risks posed by the processing of your PD.
Our IT infrastructure is protected by various technical means such as perimeter security services using firewalls as well as email filtering systems. Several systems have been put in place that permit the backing up of data. In addition, exchanges of data between the various interfaces are encrypted and therefore protected.
Your transactions are also secured through encryption.
In order to prevent unauthorised access or unauthorised changes to data to the greatest extent possible, CFA staff, partners or subcontractors only process your PD in accordance with this Privacy Charter.
However, we draw your attention to the fact that we cannot guarantee the security of your PD while being transmitted over the Internet.
We draw your attention to these particular risks connected with the specific nature of the Internet and networks and the fact that information relating to PD may be captured and/or transferred, without your knowledge, including to countries that do not guarantee an adequate level of protection.

For how long do we retain your PD?

The CFA only retains your data for as long as necessary for the purposes described above as well as to comply with the statutory data retention obligations applicable to us.
The retention period for PD is generally set at 10 years.
This time period has been decided for practical reasons and to satisfy our accounting obligation to retain data for 10 years and for reasons of technical feasibility.
If you have not shown any activity for a period of 10 years or have not made any contact with the CFA, you will receive an email asking if we can disable your account.
After this, your PD are deleted, anonymised or stored exclusively for statistical purposes and are not used for any other purpose whatsoever.
For WIFI, the Device ID data are deleted after 31 days.

Your children’s PD?

As parents, you are asked to monitor your child(ren)’s usage of his/her/their PD and his/her/their access to the CFA’s online/offline services.
The digital age of consent on the web is 13 years. Children under 13 years of age must therefore declare and acknowledge that they have obtained the prior authorisation of their parents or a legal guardian.

What are your rights?

You have a right of access, a right to rectification (in case of inaccurate data) and a right of erasure of your registration data.
You have the right to object, based on serious and legitimate grounds, to the processing of your registration data.
You have the right to object, at any time, to the use of your PD for direct marketing purposes.
You can submit your request for access, changes, erasure or objection to our DPO by sending a detailed request by email to
The DPO will assess the validity of your request and determine the possibility of responding to your request as soon as possible and no later than within one month of receipt of the request.
If necessary, this period may be extended by two months, depending on the complexity and number of requests.
In addition, following your request, the CFA may need to verify your identity to prevent identity theft or abuse. This verification may require the transmission of additional data such as a copy of your identity card.
You can also object to the recording of your usage data via your browser settings.

Remedies available and competent supervisory authority

In case of a dispute concerning a decision of the DPO or any other complaint relating to the processing of your PD, you may submit a complaint to the supervisory authority free of charge:

Rue de la Presse 35, 1000 Brussels
Telephone: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35


Changes to this Charter

This Charter may be amended at any time as a result of the development of new forms of processing implemented by the CFA or changes to the applicable legislation.
Any change shall enter into force immediately. We therefore invite you to visit this page regularly.
Last updated on 16.12.2020.