(Valid from September 30, 2019; Version 1.0)
- the EventBuilder platform
- the website www.cortina2021.com and any other websites or microsites
- the Controllers’ App of the event Cortina 2021
- other Controllers’ services and products accessible electronicall
The processing of data subjects’ personal data will be carried out in compliance with the applicable legislation, with particular reference to Regulation (EU) 2016/679 (hereinafter also referred to as the “Regulation”) on general data protection with regard to the processing of personal data, as well as Italian implementing provisions and provisions of the Italian Personal Data Protection Authority (Garante per la protezione dei dati personali).
2. Categories of data processed
A) Navigation data. When browsing the website also for informational purposes only, the IT systems and software procedures operating the website acquire personal data, the transmission of which is implicit in the use of Internet communications protocols. This information is not collected in order to be associated to identified data subjects, however, due to the nature of the same, said information may allow for users to be identified as a result of processing and association with data held by third parties.
This category includes, for example, the IP addresses or domain names of the computers used by the users to connect to the website or to the platform, date and time of the request, time zone difference from Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, volume of data transferred in each case, website from which the request comes (referrer), the browser, the user’s operating system and its interface, the language and browser software version and other parameters concerning the user’s operating system and computer environment. Data will also be collected relating to the PC – Telephone – Tablet – or other devices used for navigation.
This type of data is used with the sole purpose of obtaining anonymous statistical information concerning the use of the websites and to check their proper functioning. The data are deleted immediately after processing. They may also be used to ascertain responsibility in the event of cybercrimes against the Controllers’ website or Platform and their users, even at the request of the judicial authorities.
B) Data provided voluntarily by Users. Data processing include personal data provided by the User (hereinafter also “data subject”), when signing up on the EventBuilder platform or through the contact forms on the website or following up the App registration, or through the ticketing platform, or otherwise through all Controllers’ services.
Such data may include:
- identity and contact details (name, surname, gender, date of birth, legal residence, address, seat, emails and phone numbers – data relating to I.D.);
- data about profession and qualifications obtained such as: qualification, work experience and voluntary work – groups data subjects belong to, i.e. public and/or private bodies/Federations and/or Committees or with which they have an employment and/or cooperation contract – driving license – level of skiing skills – possession of a lift pass – possession of a first aid certificate;
- particular categories of data the Controllers need to collect for the service requested, for example, personal data relating to any disabilities of the data subjects and which are considered necessary for the recruitment of staff to facilitate participation in sporting and organised events, as well as data relating to the physical structure for the provision of uniforms; passport photos necessary for the preparation of badges and/or memberships;
- payment and billing data, such as data about credit cards and other payment systems used by data subjects for certain services provided by the Controllers;
- Provision of user’s personal data is a necessary requirement for using the Services requested as well as for the recruitment of volunteers or for the accreditation of journalists. It should therefore be noted that failure to provide certain data may make it impossible for the Controllers to validate the registration, as well as to provide the requested service. In this regard, the Controllers will from time to time indicate – also through their forms – the data that must be provided for the use of the Services, and further optional data.
C) Public and/or freely accessible data and photographs of sporting events. The Website and Services also act as aggregators of the results of sporting, competitive and amateur events. For this purpose, the Controllers may process personal data taken from lists, public lists (for example: rankings and results of sports events organised by business partners and/or affiliates) or freely accessible to the public.
Participants in the events, staff, guests and any other data subjects who are involved and/or participate in events linked to the Controllers are advised that they may appear on photographs or videos taken during the events. These are personal data related to the image of subjects who appear on photographs or videos taken from time to time during the event in order to document the sporting event within the Website, social networks and services offered by the Controllers.
In this regard, it should also be noted that failure to authorise to take photographs and videos and to make them available for the purposes described above will result in the inability to participate in the event. Given that sports events take place in public, it is in fact impossible to exclude people who have denied their authorisation from photos and videos. It should also be noted that given the characteristics of the events, videos and photos may also be taken in places or in ways that are not indicated or with indications not always visible. If subjects do not agree to use their image in the terms described above, they should not take part in the events.
The Controllers may acquire the filming of the event from the organiser – also through their business partners – or perform it directly, depending on the case.
3. Purpose and legal basis of processing
Users’ personal data are processed by the Controllers for the purposes specified below.
A) Performance of the contract or provision of the Services requested by the user. The data of the user and of the people indicated by him or her will be processed by the Controllers for the execution of the contractual relationship and the provision of the Services provided at the request of the user. In particular, the Controllers may process the data of the user and the people indicated by him or her for the performance of operational and administrative activities that are necessary for:
(i) managing registration, authentication and access to the platform;
(ii) managing applications for the recruitment of volunteers and personnel to employ in the ski events scheduled for the years 2019 – 2021 and the following years in Cortina;
(iii) managing invitation, registration and accreditation for journalists and other categories of data subjects;
(iv) managing requests to send journalistic communications;
(v) managing invitations to participate in press conferences and/or presentations;
(vi) managing requests to purchase goods or services provided directly by Controllers or third parties through the platform, including subscriptions to sporting events and the purchase of additional goods or services of such events;
(vii) managing payment transactions at the request of the user to enable banks and credit institutions to verify the chosen means of payment, charge the payment and manage other service procedures;
(viii) providing a platform of contacts and useful information on the ski events scheduled for 2019-2021 and the following years and any events organised by the Controllers through newsletter services and by facilitating communication and information between users through networking and messaging services and users’ participation in initiatives of various kinds (sports, leisure, charity events) organised by the Controllers or by third parties;
(ix) at the request of the user, managing the interactions of the Services with third party’s social network platforms, to which users can connect according to their preferences in order to share activities or information concerning them;
(x) the issue of administrative, accounting and tax documents relating to the Services requested by the user.
The basis of the processing is represented by point (c) of Article 6(1) of the Regulation, as the processing is necessary for compliance with a legal obligation to which the controller is subject.
C) Marketing purposes. The Controllers may process the user’s data for sending information and promotional communications related to the services offered by the Controllers as well as to events promoted and/or organised by the Controllers, or the conduction of studies and statistical and/or market research related to sports activities or to other activities relating to sport, both through traditional communication channels (paper mail, assistance calls) and through automated communication channels (email, texting, MMS, instant messaging systems).
In addition, the communications sent by email will contain a hyperlink to object to the receipt of further communications in a simple and intuitive way (unsubscribe).
Furthermore, with the express and specific consent of the user (see point (a) of Article 6(1) of the Regulation), the Controllers may process the user’s data for the purposes defined above, as well as to invite him or her to participate in (present and future) promotional initiatives, loyalty programs or initiatives with third parties and to carry out market surveys and evaluations of user satisfaction using automated communication channels (e.g. texting, emails, automated attendant, App notifications).
The user may withdraw consent at any time by writing to
email@example.com or firstname.lastname@example.org
D) Profiling purposes. With the express and specific consent of the User (see point (a) of Article 6(1) of the Regulation), the Controllers may process the user’s data to better understand his or her habits and interests and, consequently, offer him or her products and services, invitation to participate in events that he or she may attend. In particular, depending on the participation in previous events, the area of residence and the navigation on the website, the user may receive suggestions about events to participate in. For this purpose, the Controllers may process the data defined in points a), b), c) and f) of article 2 above.
The user may withdraw consent at any time by writing to email@example.com or firstname.lastname@example.org
E) Communication to third parties for marketing purposes. With the express and specific consent of the User (see point (a) of Article 6(1) of the Regulation), the Controllers may communicate some user data to event organisers and companies with which they may enter into partnership agreements in order to make offers of interest or favourable offers for the users availing themselves of the Controllers’ services. These organisers and companies may then use user data for commercial and promotional purposes, using both automated systems (e.g. emails) and traditional channels (e.g. paper mail).
The user’s identity data, address or legal residence and contact details (phone number and email address) may be communicated.
The user may withdraw consent at any time by writing to
email@example.com or firstname.lastname@example.org
4. Data processing methods and period of retention of personal data
Personal data is primarily processed by the Controllers manually or with the help of electronic means to ensure their security and confidentiality. Specifically, data may be processed in the following ways: recording and processing on paper; recording and processing in machine-readable form; organisation of files in both automated and non-automated form.
Data will be stored in a form that allows the identification of the data subjects only for the time strictly necessary to achieve the purposes for which they data were originally collected and, in any case, within the limits of the law.
In order to ensure that personal data are always accurate, up-to-date, complete and relevant, we invite users and other data subjects to keep their data up to date through the specific functions of the platforms, websites and applications or to report any changes made to the following email address: email@example.com or firstname.lastname@example.org
Personal data will be processed only for the time necessary in relation to the purposes described above.
- for purposes related to the execution of the contract and the provision of services requested by users, see point A) of article 3 above: the data will be processed for the entire duration of the relationship with the user and as long as there are obligations or fulfilments related to the performance of the relationship itself. The criteria for determining the period for which the personal data will be stored take into account the period during which processing is allowed and the applicable regulations on taxation, statute of limitations of the rights and the nature of legitimate interests where they constitute the legal basis for the processing of personal data. In accordance with current legislation, personal data may be stored for a period subsequent to that originally envisaged, in the event of any disputes or requests by the competent authorities;
- for the compliance with legal obligations, see point B) of article 3 above: data will be processed and stored by the Controllers as long as the need for processing persists, in order to comply with such legal obligations;
- with reference to processing for marketing purposes, carried out on the basis of a legitimate interest or with the prior consent of the user, data will be processed for the entire duration of the relationship with the user and as long as there are obligations or compliance related to the performance of the aforementioned relationship and, in any case, for the entire duration of the skiing events organised by the Controllers, except for withdrawal of consent or opposition to the processing;
- for profiling purposes, data will be processed for a maximum period of 24 months and in any case for the entire duration of the skiing events organised by the Controllers, or for a different period that should be required by law or by provisions of the Data Protection Authority, after which the data will be stored if necessary to pursue other purposes or will be permanently erased;
- in relation to further data processed on the basis of a legitimate interest of the Controllers as described above, data will be processed as long as the legitimate interest persists, without prejudice to the right of opposition of the data subject.
5. Communication of personal data to third parties
In the event communication to third-party suppliers, consultants or partners of the Controllers should be necessary for needs related to the provision of Services, registrations, recruitment and accreditation, it will be the responsibility of the Controllers to appoint them as data processors pursuant to Article 28 of the Regulation, in accordance with the ability, experience and reliability demonstrated.
The data subjects may, at any time, request the complete list of the data processors appointed from time to time by the Controllers by sending a request in accordance with article 9 below.
It is understood that the personal data of users may be freely disclosed to third parties, such as police or other public authorities, whenever this is permitted by law or required by an order or measure of a competent authority. Such persons shall process the data in their capacity as autonomous controllers.
6. Public sharing of data, social networks and third-party sites
The website and the contact forms constitute a platform for sharing the experiences of each user, both individual and in the context of events organised by third parties or by the Controllers themselves, in which a plurality of subjects will participate.
The Website also offers the possibility of sharing such information on the social networks chosen by each user. Social media providers will act as independent controllers. Users who wish to share their data and information on these social networks are invited to read their respective policies on personal data processing.
7. Transfer of personal data outside the European Economic Area
In pursuit of the purposes described above, the Controllers may also transfer data to third countries or international organisations outside the European Economic Area (EEA).
In such a case, if the European Commission has recognised that a country outside the EEA is capable of ensuring an adequate level of data protection, personal data of the data subjects may be transferred. For transfers to countries or international organisations outside the EEA whose level of protection has not been recognised by the European Commission, the Controllers will rely on a derogation applicable to the specific situation (for example, a transfer necessary to perform a Service at the request of the data subject, as in the case of an international payment) or on one of the following appropriate safeguards to ensure the protection of the personal data of the data subject:
- binding corporate rules.
For further information on these measures, please send a written request to email@example.com or firstname.lastname@example.org
8. Security measures
Taking into account the state of the art and the costs of implementation and the nature, scope, context and purposes of processing as well as the risk for the rights and freedoms of the data subjects, the Controllers, also through their data processors appointed pursuant to Article 28 of the Regulation, will put in place adequate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with Articles 32 et seq. of the Regulation; these measures include, inter alia:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Furthermore, the Controllers have in place a procedure for the regular verification of the effectiveness of the technical and organisational measures adopted in order to guarantee the security of the processing for its entire duration and allows access to the data only to duly instructed subjects, except in cases where access must take place pursuant to a specific provision of Union or Member State law or an order from the authority.
9. The rights of the data subject
Pursuant to the Regulation, the data subjects may exercise the following rights against the Controllers:
- request and obtain information from the Controllers about the presence of their personal data in the Controllers’ systems and the processing of personal data carried out by the Controllers themselves, and obtain access to them;
- request and obtain personal data concerning them which they have provided to the Controllers in a structured, commonly used and machine-readable format, if the processing is based on consent or on a contract and is carried out by automated means, and, where technically possible, the transfer of such data to another controller;
- request and obtain the modification and/or correction of data that are inaccurate or incomplete;
- request and obtain the erasure of their data if the data or information are not necessary – or no longer necessary – for the purposes set out above or in the presence of other conditions required by law (see Article 17 of the Regulation);
- request and obtain the restriction of the processing of their data if the data subject contests the accuracy or in the further cases provided for in Article 18 of the Regulation;
Such requests may be sent to the Controllers through the website www.cortina2021.com, by accessing the Privacy section of the user’s account, or via email to email@example.com or firstname.lastname@example.org
or through other channels that the Controllers may make available to data subjects. Requests sent via email or other channels that do not allow the identification of the requester must be accompanied by a copy of the requester’s identity document in order to verify his or her identity.
In accordance with current legislation, in addition to the above rights, the data subject also has the right to submit a complaint to the competent supervisory authority, which in this case is the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia no. 11 00187 ROMA, Fax: (+39) 06 69677 3785, email@example.com, firstname.lastname@example.org.
10. Links to other websites
The Controllers do not control and have no way of supervising neither the content nor the policies for the processing of personal data of third-party websites and services accessible through the links contained within the website, and therefore cannot under any circumstances be held responsible for the processing carried out through or in relation to such third-party websites. Users are therefore invited to pay the utmost attention in this regard, reading the conditions of use and privacy policies published on the portals visited.
12. Children (people under 18)
In any case, any abuse relating to the processing of children’s data can be reported to
email@example.com or firstname.lastname@example.org
in order to allow the Controllers to take appropriate measures to protect the children concerned, including through the immediate blocking of the processing of their data.
13. Data Controller
14. Changes and updates