Eurovision
Songwriting Camp

ROCKHAL - Etablissement public Centre de Musiques Amplifiées (hereinafter "the CMA") is committed to protecting the personal data and privacy of participants in the Eurovision Songwriting Camp 2026.

All processing of personal data is carried out in compliance with applicable regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR"), as well as applicable Luxembourg data protection legislation.

The purpose of this privacy notice (hereinafter the "Notice") is to inform you about:

• The nature of the personal data processing activities we carry out concerning you in connection with the Eurovision Songwriting Camp 2026.
• The categories of personal data we collect about you.
• How your personal data is processed by the CMA.
• The terms and conditions governing the use of your personal data and your rights in this regard.

1. Identity of the Data Controller

In accordance with the General Data Protection Regulation (GDPR), the data controller for your personal data is:

ROCKHAL - Etablissement public Centre de Musiques Amplifiées

5, Avenue du Rock'n'Roll, L-4361 Esch-sur-Alzette, Luxembourg

Email: [email protected]

2. Data Protection Officer (DPO)

For any questions regarding the processing of your personal data by the CMA, you may contact the Data Protection Officer (DPO) designated by the National Commission for Data Protection:

ROCKHAL - Etablissement public Centre de Musiques Amplifiées

Attention : DPO

L-4361 Esch-sur-Alzette, 5 Avenue du Rock'n'Roll

Email: [email protected]

3. Description of Personal Data Processing

In connection with the organization of the Eurovision Songwriting Camp 2026 and the management of applications via online registration forms, the CMA collects data about you. This personal data is processed in accordance with and limited to the purposes specified at the time of collection.

3.1 Legal basis and purposes of personal data processing

The processing of your personal data is based on the performance of the contract between you and the CMA and serves the following purposes:

• Management of applications and selection of participants for the Eurovision Songwriting Camp 2026.
• Logistical organization of the Eurovision Songwriting Camp 2026 (assignment of working groups, organization of accommodation and meals).
• Management of billing and payment for participation in the Eurovision Songwriting Camp 2026.

3.2 Categories of personal data

To fulfill these purposes, the CMA may collect the following data from you:

• Identification data: last name, first name, artist/producer name, date of birth, gender, nationality.
• Contact data: mailing address, phone number, email address.
• Artistic and professional profile: status (songwriter, producer, performer, topliner), musical skills, primary musical genre, musical interests, links to your music (Spotify, YouTube, Apple Music, SoundCloud, etc.), professional representation (management, label, publisher).
• Experience and Motivation: experience with songwriting camps, experience with Eurovision/Luxembourg Song Contest, cover letter.
• Participation details: type of ticket selected, days of unavailability, attendance at the opening and closing events.
• Dietary preferences and restrictions.

3.3 Retention periods

Data from unsuccessful applications will be retained for 1 year after the selection process closes.

Participant data is:

• Stored for 10 years from the date of purchase for billing/contractual data.
• Deleted immediately after the event for dietary preferences and restrictions.

3.4 Recipients or persons accessing your personal data

Your personal data is accessible only to:

• To authorized CMA staff responsible for organizing the Eurovision Songwriting Camp 2026 and selecting candidates.
• Camp facilitators selecting candidates.
• To the data processor responsible for hosting the website and the application platform.
• Where applicable, to the hotel service provider for the management of accommodations.

Apart from these recipients, your personal data is not disclosed to third parties. However, the CMA may be required to transfer your personal data to authorized third parties to comply with its legal obligations, particularly in the event of a court order.

4. Transfer of Your Personal Data Outside the European Union

The personal data collected by the CMA is primarily processed within the European Union. However, certain third-party services may involve the transfer of your data outside the EU, particularly for website audience measurement.

Transfer to the United States of America: On July 10, 2023, the European Commission adopted a new adequacy decision regarding the United States. Through this decision, the Commission considers that the changes made by the United States to its national legislation now ensure an adequate level of protection for personal data transferred from the EU to organizations located in the United States when they comply with the "Data Privacy Framework."

Transfers of personal data from the European Union to organizations on this list may therefore take place freely, without a specific framework in the form of "standard contractual clauses" or any other transfer instrument.

To measure our website's traffic, we use Google Analytics, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043. Since Google Inc. is certified under the Data Privacy Framework, this transfer does not require any specific framework in the form of "standard contractual clauses" or any other transfer mechanism.

5. Security of Your Personal Data

Considering technological developments, implementation costs, the nature of the data to be protected, and the risks to individuals' rights and freedoms, the CMA implements all appropriate technical and organizational measures to ensure the security of the personal data collected.

These measures include:

• The use of physical and logical security measures to ensure the availability, integrity, and confidentiality of information systems and processed data.
• The protection of data against any security breach that results, whether accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data.

6. What Are Your Rights as a Data Subject?

Within the limits and conditions permitted by the GDPR, you have the following rights:

• The right to access your personal data.
• The right to rectify or erase such data.
• The right to restrict the processing of your personal data.
• The right to object to the processing of your personal data.
• The right to data portability.
• Right to withdraw your consent at any time, when processing is based on consent.

If, after contacting us, you believe that your rights regarding your personal data have not been respected, you may file a complaint with the National Commission for Data Protection (CNPD) or with the supervisory authority in your place of residence.

How do you exercise your rights?

To exercise these rights or for any questions regarding the processing of your data, you may contact us by verifying your identity and addressing your inquiry to the CMA via email: [email protected].

We recommend that you send this email with a reading receipt.

Please note that the CMA reserves the right to refuse requests that do not meet legal requirements or that are otherwise unfounded or excessive under applicable law.

7. Changes to This Notice

This notice may be updated at any time. In the event of a substantial change, participants will be notified via a notice or email.