From September 1st, 2022.
Courtesy Translation - Italian version shall prevail.
This Policy is intended to illustrate the methods and purposes of the processing of personal data carried out by Federazione Italiana Baseball Softball and Marketing Network Milano Srl as independent controllers (hereinafter also the “Data Controllers”), in the provision of services rendered through:
- the Website www.fibshc.com
- other websites, platforms, applications, products and/or content of the Data Controllers.
In relation to certain services, the Data Controllers reserve the right to provide a particular information that may, from time to time, supplement or amend this information; in case of conflict, the terms of the particular information relating to the specific service prevail.
The provisions set out herein shall be deemed applicable to any person browsing the site and/or any service accessible electronically, including by means of any mobile applications already existing or soon to be developed, and more generally to individuals whose personal data are collected and processed within the services.
The processing of subjects’ personal data will take place in compliance with applicable legislation, with particular reference to EU Regulation 2016/679 (hereinafter also the “Regulation”) on the protection of individuals with regard to the processing of personal data, as well as with the national implementing provisions and measures of the National Supervisory Authority (namely the Data Protection Supervisor).
A) Navigation Data: through the use of the website also for informational purposes only, the computer systems and the procedures that allow its operation to acquire personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with individual data subjects, but that by their very nature could, through processing and association with data held by third parties, allow users to be identified.
This category of data includes, but is not limited to: IP addresses, hostnames of computers used by users connecting to the site or platform, date and time of request, time difference from Greenwich Mean Time (GMT), request content (specific page), access status/HTTP status code, volume of data transferred in each case, referrer site (referrer), browser, operating system and interface, language and software version of the browser and other parameters related to the operating system and the computer environment of the user. Data related to the PC - Phone - Tablet - or other device used for navigation will also be collected.
These data, processed for the sole purpose of obtaining anonymous statistical information on the use of the sites in question and to check their correct functioning, are deleted after their processing. They can also be used for the assessment of liability in case of cybercrimes against the site or the Platform of the Data Controllers and its users, also at the request of the judicial authorities.
B) Data voluntarily provided by the user: the subject of processing is the personal data provided by the user (hereinafter also “Data Subject”) through the contact forms on the site, or in any case within the framework of the relationship with the Data Controllers.
Such data may include:
- identification and contact data (first name, last name, gender, date of birth, company or company name, address, registered office, telephone and e-mail addresses - data relating to identification documents);
- payment and billing data, such as data relating to credit cards and other payment systems used by the user in the event of a request for certain services provided by the Data Controllers.
The provision of personal data is a necessary requirement for the provision and subsequent use of the services requested. It should therefore be noted that failure to provide certain data may make it impossible for the Data Controllers to validate the registration, as well as to provide the requested service. In this regard, the Data Controllers will indicate from time to time, also through their own forms, the data whose provision is strictly necessary for the use of the services and the additional data whose provision is instead optional.
The personal data of the data subjects are processed by the Data Controllers for the purposes specified below.
A) For the execution of the contract or in any case to provide services requested by the user: the data of the user and the persons indicated will be processed by the Data Controllers for the execution of the contractual relationship and the provision of the services provided at the user’s request. In particular, the Data Controllers may process the data of the user and the persons indicated by him for the performance of operational and administrative activities necessary for:
(i) managing platform registration operations;
(ii) managing requests for the purchase of goods or services offered through the platform directly by the Data Controllers or by third parties;
(iii) managing payment transactions at the user’s request to enable banks and credit institutions to carry out the verification of the chosen means of payment, charges and other service’s procedures management;
(iv) offering a platform for contacts and useful information on possible activities, events and events organized by the Data Controllers through newsletter services and facilitating communication and information between users through networking and messaging services as well as their participation in various initiatives (sports, recreational, charitable) organized by the Data Controllers or third parties;
(v) managing, at your request, the interactions of the services with third-party’s social networking platforms, to which users can connect according to their preferences in order to share activities or information about them;
For this purpose, the Data Controllers may process the data indicated in points a) and b) of the previous article 2). The legal basis for processing is represented by Article 6, paragraph 1, lett. b) as the processing is necessary to perform a contract of which the user is a party or in any case to provide the services requested by the data subject. Where, for the purposes of providing the services requested, the Data Controllers need to process particular categories of user data, the failure to provide consent, as well as the revocation thereof, will determine the impossibility of providing the services requested.
B) For the fulfilment of legal obligations: the data of the user and the persons indicated will be processed by the Data Controllers for the fulfilment of legal obligations, such as, for example, tax obligations related to the performance of the contract and the provision of the services. For this purpose, the Data Controllers may process the data indicated in points a) and b) of the previous article 2).
The basis of the treatment is represented by art. 6, paragraph 1, lett. c) of the Regulation as the processing is aimed at fulfilling a legal obligation to which the Data Controllers are subject.
C) For marketing purposes: the Data Controllers may process user data, to send informative and promotional communications related to the services offered by the Data Controllers, as well as related to activities, events and events promoted and/or organized by the Data Controllers, or for the completion of studies and statistical research and/ or market, both with traditional methods of contact (paper mail, calls via operator) and with automated contact (email, SMS, MMS, instant messaging systems).
For the pursuit of these purposes, Data Controllers may process the data indicated in point b) of the previous article 2). Data Controllers will carry out this activity in compliance with the principles of the Regulation and for the pursuit of a legitimate interest (cf. art. 6, paragraph 1, lett. f of the Regulations); in any case, the user can object at any time, even during registration for the services, to the receipt of such communications, writing to firstname.lastname@example.org.
Moreover, the individual communications transmitted by e-mail will contain a hyperlink to oppose in a simple and intuitive way the receipt of further communications (unsubscribe).
In addition, with the expressed and specific consent of the user (cf. art. 6, paragraph 1, lett. a of the Regulation), Data Controllers may process the user’s data for the purposes indicated above, as well as to invite him to participate in promotional initiatives (present and future), loyalty programs or initiatives with third-party partners and to carry out market surveys and analysis of user satisfaction, using automated communication channels (e.g. SMS, e-mail, calls without operator, notifications on the App).
For the pursuit of this purpose, Data Controllers may process the data referred to in point b) of the previous article 2); moreover, if the user has given his consent to carry out the profiling activities referred to in point d) below, Data Controllers may also process the information indicated in point a) of the previous article 2) for marketing purposes.
User’s consent may be revoked at any time by writing to email@example.com.
D) For profiling purposes: following prior expressed and specific consent of the user (cf. art. 6, paragraph 1, lett. a of the Regulation), Data Controllers may process the user’s data in order to better understand his habits and interests and, consequently, offer him products and services, invitation to participate in activities, events and/or events that he believes may be to his satisfaction. In particular, based on the participation in previous events, the area of residence, navigation on the site, the user may be suggested events to attend. For the pursuit of this purpose, Data Controllers may process the data referred to in points a) and b) of the previous article 2).
User’s consent may be revoked at any time by writing to firstname.lastname@example.org.
E) For the purposes of communication to third parties for marketing purposes: following prior expressed and specific consent of the user (cf. art. 6, paragraph 1, lett. a of the Regulation), Data Controllers may communicate some user data to event organizers and companies with which Data Controllers may conclude partnership agreements for the purpose of making interesting or advantageous offers to the users of the Data Controllers. These organizers and companies may then use user data for commercial and promotional purposes, using both automated systems (e.g. e-mail) and traditional channels (e.g. paper mail).
The user identification data, his address or registered office and his contact details (telephone number and e-mail address) may be shared.
User’s consent may be revoked at any time by writing to email@example.com.
The personal data are processed by Data Controllers with the help of electronic and manual means suitable to guarantee their security and confidentiality.
In particular, they may be processed in the following ways: registration and processing on paper; registration and processing on computer media; organization of archives in both automated and non-automated form.
The data will be stored in a form that allows the identification of data subjects only for the time strictly necessary to achieve the purposes for which the data were originally collected and, in any case, within the limits of law.
In order to ensure that personal data is always accurate, up-to-date, complete and relevant, we encourage users and other interested parties to keep their data updated through the specific functions of the platforms, of the linked sites and applications or to report any changes to the following e-mail address: firstname.lastname@example.org.
Personal data will be processed only for the time necessary in relation to the purposes described above.
Unless otherwise disclosed in such policy and in the detailed information regarding specific services, Data Controllers will adhere to the following retention periods:
- for purposes related to the execution of the contract and the provision of the services requested by users, letter A) art. 3 above: the data will be processed by and for the duration of the relationship and as long as there are obligations or obligations related to the execution of the same. The criteria for determining the retention period of the Data take into account the allowed processing period and the applicable laws on taxation, limitation of rights and the nature of legitimate interests where they constitute the legal basis for processing. In accordance with the provisions of current legislation, personal data may be stored for a period subsequent to that originally provided, in case of any disputes or requests from the competent Authorities;
- for the fulfillment of legal obligations letter B) art. 3 above: the data will be processed and stored by Data Controllers as long as the need for processing persists to comply with these legal obligations;
- with regard to processing for marketing purposes, carried out on the basis of a legitimate interest or with the prior consent of the user, the data will be processed for the duration of the relationship with the user and as long as there are obligations or obligations related to the execution of the aforementioned relationship, unless the consent previously given is revoked or in case of opposition to processing;
- for profiling purposes, data will be processed for a maximum period of 10 years or for the period that may be provided for by law or by measures of the Supervisory Authority, after which the data will be stored, if necessary, to pursue other purposes or will be permanently deleted;
- in relation to further data processed pursuant to a legitimate interest of the Data Controllers as described above, the data will be processed as long as the legitimate interest persists, without prejudice to the right of opposition of the data subject.
No data will be disclosed or shared with third parties except with the express and specific consent of the data subject, except for the data disclosed or otherwise shared by the same user through the website of the Data Controllers or through social networks and otherwise present in the internet web according to point 6) of this policy.
Where communication to third-party suppliers, consultants or partners of the Data Controllers is necessary for requirements related to the provision of the services, registrations, recruitment and accreditations, it will be the responsibility of the Data Controllers to ensure the appointment of the latter as data processors pursuant to art. 28 of the Regulation, by virtue of the ability, experience and reliability demonstrated.
Data subjects may request at any time the complete list of data processors appointed by the Data Controllers, by sending a request in accordance with Article 9) below.
It is understood that personal data of users may be freely communicated to third parties, such as police or other public administrations, whenever permitted by law or required by an order of a competent authority. These parties will process the data as independent Data Controllers.
The site and the contact forms constitute a platform for sharing the experiences of each user, both individually and as part of activities and events organized by third parties or by the Data Controllers themselves, that will participate in a plurality of subjects.
The site also offers the possibility to share this information with the social networks chosen by each user. The operators of these services will act as independent Data Controllers. Users who wish to share their data and information on these social networks are invited to check such sites’ data processing policies.
In the case of activities and events organized by third parties, the organizer may acquire and process the data of the user who takes part in the event for their own purposes and on the basis of an autonomous information; the user is then invited to check with the organizer (and any suppliers that the organizer uses) the means and purposes of the processing of his data related to participation in the event. Where provided for in the related policy to each specific event, the Data Controllers may also play the role of co-controller or autonomous Data Controllers together with the organizer, with the consequent exchange of data and information for the purposes described in the information and on the basis of an appropriate legal basis.
In pursuit of the purposes described above, the Data Controllers may also transfer personal data to third Countries or International Organizations outside the European Economic Area (“EEA”).
In this case, where the European Commission has recognized that a Country outside the EEA is capable of ensuring an adequate level of data protection, the personal data of data subjects may be transferred on that basis. For transfers to non-EEA Countries or International Organizations whose level of protection has not been recognized by the European Commission, the Data Controllers will rely on a derogation applicable to the specific situation (for example, a transfer necessary to perform a service at the request of the data subject such as an international payment) or on one of the following adequate safeguards to ensure the protection of the personal data of data subjects:
- standard contractual clauses, approved by the European Commission, that bind the data importer to processing the data in compliance with the Regulation and this Policy;
- binding business norms.
For more information on these measures, you can send a written request to email@example.com.
Taking into account the state of the art and the costs of implementation, as well as the nature, subject matter, context and purpose of the processing, the risks to the rights and freedoms of data subjects, the Data Controllers, also through their data processors appointed pursuant to art. 28 of the Regulation, will put in place appropriate technical and organizational measures to ensure a level of safety appropriate to the risk in accordance with Articles 32 and with the Regulation; these measures include, among others:
- pseudonymization and encryption of personal data;
- the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to promptly restore the availability and access of personal data in the event of a physical or technical incident;
- a procedure for the regular testing, verification and evaluation of the effectiveness of technical and organizational measures to ensure safe processing.
The Data Controllers also have in place a procedure for the regular verification of the effectiveness of the technical and organizational measures taken to ensure the security of the processing for its entire duration and allows access to data only to duly instructed parties, except where access is to be granted by virtue of a specific provision of Union or Member State law or by order of the authority.
According to the Regulation, data subjects can exercise the following rights against the Data Controllers:
- request and obtain information about the existence of their own data at the Data Controllers as well as about the processing of personal data carried out by the Data Controllers, and obtain access to them;
- request and obtain the receipt in a structured, commonly used and machine-readable format of the data provided to the Data Controllers, if the processing is based on a consent or a contract and is carried out by automated means, and, where technically possible, the transfer of such data to another controller;
- request and obtain the modification and/or correction of data that are inaccurate or incomplete;
- request and obtain the cancellation of data if considered not necessary - or no longer necessary - for the purposes that precede or in the presence of other conditions provided by law (cf. art. 17 of the Regulation);
- request and obtain the limitation of the processing of data if the data subject contests the accuracy or in the other cases provided for by art. 18 of the Regulation;
- object to the further processing of data in the cases expressly defined in Article 2) above.
Such requests may be sent to the Data Controllers by a request via e-mail to firstname.lastname@example.org or through other channels that the Data Controllers may make available to interested parties. Requests sent by e-mail or other means that do not allow the applicant to be identified must be accompanied by a copy of the applicant’s identity document in order to verify the applicant’s identity.
In accordance with current legislation, in addition to the above rights, the data subject also has the right to submit a complaint to the competent supervisory authority that in Italy is the Guarantor for the protection of personal data, Piazza Venezia n. 11 - 00187 Roma, Fax: (+39) 06.69677.3785, email@example.com, firstname.lastname@example.org.
Normal browsing within the pages of the site involves the installation, by the Data Controllers or third parties, of small strings of text called cookies, the use of which is intended to ensure the normal functionality of the site and web applications, as to allow the Data Controllers to offer its users a better browsing experience.
The use of the services is reserved to adults.
In any case, any abuse related to the processing of children’s data may be reported to email@example.com in order to allow the Data Controllers to take appropriate measures to protect the child, even with the immediate blocking of the processing of his data.