GIRO D'ITALIA PRIVACY POLICY
This privacy policy, pursuant to and for the purposes of EU Regulation 679/2016 (“GDPR”), is issued by the Joint Controllers indicated below for the processing of your personal data collected in the context of the delivery of services through websites, apps, registration, participation in and accreditation to events, initiatives and competitions.
1. JOINT CONTROLLERS AND CONTACT DETAILS
Who are the Joint Controllers? How can I contact them?
The details of the Joint Controllers and their contact details are provided below:
- RCS Sports & Events S.r.l., with its registered office in Via Rizzoli, No. 8 – 20132 Milan, Tax Code/VAT No. 10490090965,
- RCS Sport s.p.a., with its registered office in Via Rizzoli, No. 8 – 20132 Milan, Tax Code/VAT No. 09597370155,
- Società Sportiva Dilettantistica RCS Active Team a r.l., with its registered office in Via Rizzoli, No. 8 – 20132 Milan, Tax Code/VAT no. 08894770968,
(hereinafter, jointly the “Joint Controllers” and each individually the “Joint Controller”)
The Joint Controllers have entered into a joint data controller agreement in which they have determined that RCS Sports & Events S.r.l. will manage requests by the data subject to exercise their rights, and in which they have indicated the activities to be carried out by each of them and the related responsibilities. The joint contact point chosen by the Joint Controllers is the following e-mail address: privacysport@rcs.it. You may request further details relating to the joint data controller agreement from the indicated contact address.
2. CATEGORIES OF PERSONAL DATA
Which categories of personal data do we process?
As part of the services provided and depending on the type of services requested, we will collect the following categories of data:
- identification details (including personal details, contact details, etc.);
- contractual data (including data necessary to use the services and participate in the events, payment and invoicing details, services provided, etc.);
- derived data (only if you have provided consent to profiling, data relating to your habits and preferences);
- only in the context of sporting events, data relating to sporting fitness (only if the participant’s fitness for sporting activity is an essential requirement to participate in the sporting event, based upon Art. 9, par. 2, lett. h of the GDPR, in accordance with the health protection regulations referred to in the Decree of the Ministry of Health of 18 February 1982 as amended and supplemented).
3. PURPOSES AND LEGAL BASIS OF PROCESSING
For what purposes are the data processed? On what legal basis? For how long are they stored?
We indicate below the processing purposes, the legal basis that legitimises the processing and the storage period of your personal data:
| PURPOSES | LEGAL BASIS | STORAGE PERIOD |
|---|---|---|
| | Performance of the contract and/or take steps prior to entering into a contract | The data will be stored until the end of the service, until withdrawal or until a cancellation request is made |
| | Compliance with a legal obligation | The data will be stored for the mandatory storage period defined by the applicable accounting and/or tax laws |
| | Legitimate interest of the Joint Controllers in effectively and efficiently managing internal business operations | The data will be stored for the limitation period of the rights and for any additional storage periods established by accounting and tax laws |
| | Legitimate interest in carrying out aggregate analyses to plan the company strategy according to the relevant market | The personal data used for this purpose do not require separate storage but comply with the storage periods of the other purposes. |
| | Consent | The data will be stored until the withdrawal of consent or until cancellation and, in case of inactivity, after five years. |
| The Joint Controllers use profiling data to offer you content that is more suited to your tastes, to aggregate marketing profiles and to customise campaigns and advertising, and for the development of commercial strategies. | Consent | The data, observed from time to time, will be erased after 12 months from the start of processing |
| | Consent | The data will be stored until the withdrawal of consent or until cancellation and, in case of inactivity, after five years |
| | Legitimate interest of the Joint Controllers in sending communications relating to similar services, as established by Art. 130, 4 of Italian Legislative Decree 196/2003. | The data will be stored until objection or cancellation and, in case of inactivity, after five years. |
4. MANDATORY NATURE AND CONSEQUENCES OF PROVISION OF DATA
Is it mandatory to provide the data? What happens if I do not provide them?
The provision of data for the purposes indicated in points 3.1, 3.2, 3.3 and 3.4 is necessary for the conclusion and management of the contract. In the partial or total absence of provision of these data, the contractual relationship may not be initiated and/or continued. For the purposes indicated in points 3.5, 3.6, 3.7 and 3.8, the provision of data is optional and, in the event of a failure to provide it, the marketing and profiling activities specified therein may not be carried out.
5. DISCLOSURE, COMMUNICATION AND PARTIES ACCESSING THE DATA
Who can know your data? To whom do we communicate them?
Your data may be disclosed or communicated to the following parties.
- Authorised persons – The data may be accessed by officers authorised by the Joint Controllers who must access them for the purposes indicated above.
- Processors – Your personal data will not be disseminated, but they may be disclosed, where necessary for the provision of the service, to third parties (such as, for example, third party technical service providers, hosting providers, IT or marketing companies) appointed as Data Processors for tasks instrumental to the provision of the services.
- Autonomous data controllers – Your data may be shared with other controllers when required by specific rules (e.g. public administration, judicial authority) or when you have given consent (e.g. third parties for the “Direct marketing purposes by third parties”) or when necessary for the performance of contracts to which you are a party or to fulfil requests before the conclusion of the contract (e.g. banks to manage payments, competent national sports federations or affiliated organisations or bodies for membership management) or for administrative and accounting purposes to group companies within the EU.
6. LOCATION OF DATA PROCESSING
Are the data transferred outside the EU?
Your personal data may also be processed by the joint controllers outside the European Union. If this happens, the processing will be regulated in compliance with the provisions of chapter V of the Regulation and authorised on the basis of specific decisions of the European Union. All necessary precautions will therefore be taken in order to guarantee the most complete protection of personal data, basing this transfer: a) on adequacy decisions of the recipient third countries expressed by the European Commission; b) on appropriate safeguards expressed by the recipient third party pursuant to Art. 46 of the Regulation; c) on the adoption of Binding Corporate Rules.
7. RIGHTS OF THE DATA SUBJECT
What are your rights as a data subject?
The GDPR grants to you the following rights in relation to your personal data which you may exercise within the limits and in compliance with the provisions of the legislation:
- Right of access to your personal data (art. 15);
- Right to rectification (art. 16);
- Right to erasure (right to be forgotten) (art. 17);
- Right to restriction of processing (art. 18);
- Right to data portability (art. 20);
- Right to object (Art. 21); you have the right to object at any time, on grounds related to your particular situation, to the processing of personal data concerning you based on the legitimate interest, including profiling on that basis. The Joint Controllers refrain from processing unless they demonstrate the existence of compelling legitimate interests to proceed with the processing that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a legal claim;
- Right to object to a decision based solely on automated processing (art. 22);
- Right to withdraw, at any time, the consent given, without prejudice to the lawfulness of the processing based on consent given before the withdrawal.
You may exercise these rights by sending a communication to the Joint Controllers or to the Data Protection Officer (or “DPO”) whose contact details are indicated in the appropriate sections of this privacy policy.
Furthermore, you always have the right to lodge a complaint with the Personal Data Protection Supervisory Authority (art. 77 GDPR), which can be contacted at the address garante@gpdp.it or via the website http://www.gpdp.it, or the right to an effective judicial remedy (art. 79 of the GDPR).
8. DATA PROTECTION OFFICER AND CONTACT DETAILS
Has a DPO been appointed? How do I contact him/her?
The Joint Controllers have identified a Data Protection Officer and have set up an office for managing requests of the data subjects regarding privacy.
To exercise the rights granted to you, you can contact the Joint Controllers or contact the DPO at the following address: dpo@rcs.it.
9. DATA SOURCE
What is the source of the data?
Your personal data are normally acquired directly from you. They may occasionally be obtained from third parties during the course of the services provided (for example, for participation in some sporting events, your data will be provided by your company, teams and other parties with which you have a contractual relationship, if you have asked to participate in the event).
10. LATEST UPDATE
This Privacy Policy was last updated on 04/04/2024.