The current legal framework concerning data protection, as of May 25th 2018, is Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – GDPR.
The provisions set forth in Regulation (EU) 2016/679 may have an impact on the operations and activities of certain cultural institutions such as, inter alia:
- National Heritage Institute, which operates all nationwide databases on cultural heritage, including personal data of owners.
- National Institute for Cultural Research and Training, which operates nationwide databases on translators, impresarios for performing arts and participants in various training programmes.
Collective management societies may find themselves in a similar situation as described above, since they manage the personal data of all their members and of right holders for whom they have to collect and distribute remunerations for the mandatory collection.
Generally speaking, all cultural institutions have updated the terms of service on their websites which take in account the new rules on data protection. Online payment of tickets for cultural events is generally managed by third party entities and not directly by the cultural organisations themselves, therefore liability for compliance with GDPR lies with these entities.