PURSUANT TO REGULATION (EU) 2016/679
- Data controller
- Categories of data processed and data subjects
The data processed by the Controller belong to the following categories:
(i) Navigation data
The computer systems and software procedures used to operate this website acquire, in the course of their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols.
– IP and domain names of the computers used by Data Subjects connecting to the site;
– the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the number code indicating the status of the response given by the server;
– types of browser used by the data subject;
– information on the pages visited within the site;
– other parameters relating to the operating system and computer environment of the data subject.
This data is processed, for the time strictly necessary, for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct operation. Moreover, this data could be used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the site.
(ii) Data voluntarily provided by Data Subjects
Included in this category is all information freely provided by Interested Parties browsing the site, with specific reference to: (i) athletes and/or other participants (including employees of the Owner’s partner companies, who have an interest in offering participation in races, events, etc. organised and/or otherwise managed by the Owner and/or by companies connected, linked or partners of the FollowYourPassion circuit) who make (directly or through the company or organisation to which they belong) online registration for races, events, etc. organised and/or otherwise managed by the Owner and/or companies connected to, connected to or partnering with the FollowYourPassion circuit (the “Participants“); (ii) individuals who wish to remain informed and/or updated (through newsletters and/or other communication channels) about events and other initiatives organised by the Owner and/or companies connected to, connected to or partnering with the FollowYourPassion circuit.
More specifically, they include data voluntarily provided by Data Subjects (directly or via third parties):
– the e-mail address (and other personal data included in the message) provided for the transmission of requests by the data subject;
– personal and identification data for filling in the forms for: (i) site registration; (ii) registration for further activities (i.e., competitions, events, etc.); (iii) newsletter subscription;
– payment details (where required for participation in the event of interest);
– data contained in the medical certificate of fitness (where required for participation in the event of interest).
- Legal basis and purpose of processing
The personal data of all Data Subjects are processed by the Controller for the following purposes:
- guaranteeing and verifying the correct functioning of the website, as well as improving the Data Subject’s browsing experience. The legal basis for the processing of personal data for this purpose is the legitimate interest of the Data Controller in enabling the proper enjoyment of the website content (Art. 6(1)(f) GDPR);
- manage user requests received by e-mail; manage user registration on the site; manage registration for further activities (i.e., competitions, events, etc.). The legal basis for the processing of personal data for this purpose is the execution of pre-contractual and contractual measures taken in the interest of the Data Subject (Art. 6(1)(b) GDPR);
- sending information material (i.e., newsletters). The legal basis for processing personal data for this purpose is the express consent provided by the Data Subject (Art. 6(1)(a) GDPR).
- In addition, personal data referring only to Participants may be processed for the following further purposes:
- fulfilment of contractual and legal obligations arising from the relationship entered into with the Participant, or to execute his pre- and post-contractual requests and in any case for the management of commercial or professional relationships (Art. 6(1)(b) GDPR);
- in order to formalise registration for events, competitions or events and for all related and consequential fulfilments, as well as for updates related to the event, competition or event (including the possibility of independently printing one’s own confirmation letter and diploma of participation, which will remain public until the next edition) (Art. 6(1)(b) and (f) of the GDPR);
- to contact the Participant and send information on subsequent editions of the same event, sponsors and/or events in general of the FollowYourPassion circuit by e-mail or telephone or App (Art. 6(1)(f) of the GDPR);
- for fulfilments and obligations provided for by laws, regulations and EU rules, or by provisions issued by authorities empowered to do so by law and by supervisory and control bodies (for bookkeeping and the management of collections and payments) (Art. 6(1)(c) GDPR);
- for anonymous and aggregate statistical purposes (e.g. number of entrants broken down by men and women, by country or region, age, or other) aimed at finding sponsors, commercial partners, institutional partners of the event itself (aggregate statistical data).
For the purposes listed from letter a to letter i of this paragraph 3, the consent of the Participants is not required, as the legal basis for such processing is the performance of an existing contract between the Data Controller and the Participants or the performance of pre-contractual measures in the interest of the Participants, as well as the legitimate interest of the Data Controller in the management and organisation of its events and the fulfilment of legal obligations related to such events (e.g. safety) (Art. 6(1)(b), (c), (f) of the GDPR). The provision of personal data for the above purposes is mandatory, otherwise it will not be possible to proceed with event registration.
- In addition to the purposes described above, the Data Controller may also process the personal data of Participants for the following additional purposes: for the use of still or moving images that may depict them during their participation in the event, competition or event on all media, including promotional and/or advertising materials, throughout the world and for as long as required by law and regulations. Events will have appropriate signage installed at event venues;
- to send, via newsletter or other format, information about further events and initiatives of the FollowYourPassion circuit, unrelated to the event they wish to participate in;
- to enable their profiling, in order to keep track of the events they attended and to provide them with proposals in line with their expectations;
- to enable promotional activities, via newsletters, of initiatives of sponsors and/or partners and/or third parties connected to the FollowYourPassion circuit;
- to purchase photographic or similar services through event partners. For the pursuit of these purposes, the Data Controller will request specific and distinct consents from the athletes. The provision of personal data for the above purposes is optional and therefore does not affect registration for the event.
The processing activities referred to in points j to n of this paragraph 3 shall only be carried out after specific, separate and informed consent has been obtained from the Participants. Such consents shall be requested prior to the registration of the Participants.
- Modalities of data processing and storage
The processing of the data shall take place by means of instruments suitable to guarantee their confidentiality, integrity and availability, in compliance with adequate technical and organisational security measures provided for by the GDPR. The processing shall be carried out by means of computerised and/or automated systems and shall include all the operations or set of operations provided for in Article 4 of the GDPR and necessary for the processing in question, including communication to the persons authorised to process the data.
The data will generally not be disseminated, while they will or may be communicated to public or private entities operating within the scope of the purposes described above and offering specific services to the Controller (including, for example, the Customer Relationship Management service). The data of Participants, on the other hand, in the event that the latter give their consent to this purpose, may be disclosed.
The Data Controller shall process the personal data of the Data Subjects for the time necessary to fulfil the above-mentioned purposes and, in any case, for no longer than the ten-year limitation period provided for by law.
- Communication and transfer of personal data
The data will be made accessible:
– to employees/collaborators of the Controller, in their capacity as authorised processors, subject to appropriate appointment;
– to third parties (such as legal, tax, communications consultants, etc.; authorities responsible for receiving such data by law; etc.), who will act from time to time as autonomous data controllers or data processors on behalf of the Data Controller.
Processing is conducted with the use of appropriate security measures to prevent unauthorised access to the data by third parties and to guarantee confidentiality. The management and storage of personal data will take place on servers located within the European Union of the Data Controller, companies belonging to the same group as the Data Controller and/or third party companies appointed and duly appointed as data processors. Please note that, as a result of any disclosure of personal data, the Controller will no longer be able to guarantee that such data will not be transferred outside the European Union.
- Rights of the Interested Parties
According to the provisions of the GDPR, each Data Subject has the following rights vis-à-vis the Controller:
– obtain confirmation as to whether or not personal data concerning him/her are being processed and, if so, to obtain access to the personal data (Right of Access Art. 15);
– obtain rectification of inaccurate personal data concerning him/her without undue delay (Right of Rectification Art. 16);
– obtain the deletion of personal data concerning him/her without undue delay, and the Data Controller is obliged to delete personal data without undue delay if certain conditions are met (Right to be Forgotten Art. 17);
– obtain restriction of processing in certain cases (Right to restriction of processing Art. 18);
– receive in a structured, commonly used and machine-readable format the personal data concerning him/her that have been provided, and has the right to transmit such data to another data controller, without being prevented from doing so by the Data Controller, in certain cases (Right to data portability Art. 20);
– object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her (Right to object art. 21). Data subjects may easily object at any time to the processing of their data for marketing purposes by means of the ‘opt-out’ (‘unsubscribe’) function at the bottom of any communication received from the Controller;
– revoke express consent at any time, without affecting the lawfulness of the processing of personal data carried out prior to revocation (Conditions for Consent Art. 7). Where applicable, in addition to the rights under Articles 16-21 GDPR (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), the data subject has the right to complain to the competent supervisory authority.
- How to exercise rights
You may exercise your rights under Section 7 above and contact the Controller at the following e-mail address: [email protected].
Updated to July 2023