Visitor Privacy Notice
Below is the Privacy Notice of Emac S.r.l. relating to the web page for purchasing tickets for the event “Vicenza Classic Car Show”: https://vicenzaclassiccarshow.com/home-page-en/
Privacy Notice – Processing of the Visitor’s personal data by EMAC S.r.l., pursuant to Art. 13 of EU REG. 679/2016.
The processing of personal data relating to legal entities does not fall within the scope of personal data protection as set out by EU Regulation 2016/679, but in any case EMAC S.r.l., VAT No. 01861750477, with registered office at Viale IV Novembre, no. 25, 51016 Montecatini Terme (PT), as Data Controller, guarantees that it may process all personal data even if processed incidentally on the basis of adequate and documentable lawful grounds, as set out below.
The Company will process all of the Visitor’s personal data, specifically: (a) personal data (identifying, personal and contact details indicated by the Visitor in the specific form or provided subsequently, as well as data acquired from third parties or during the Event); (b) transaction data; (c) any voluntarily provided data; (d) images or video recordings; for the following purposes:
1. PURPOSES OF THE PROCESSING
- Personal data will be processed using paper tools and/or computerized procedures, in the manner and within the limits necessary to pursue the following contractual, pre-contractual, management, accounting, and tax purposes aimed at providing the services subscribed to in the relevant contract with the Data Furthermore, the identified data will be collected for the purpose of creating the Emac S.r.l. database.
- Personal data necessary for the execution of the payment (e.g. user identification data,transaction data, and technical data used to authorise the operation) is collected via ourwebsite but is processed, on our behalf, by the company responsible for paymentmanagement, duly appointed as the External Data Processor pursuant to Article 28 of the GDPR [General Data Protection Regulation].
- We will process personal data for direct marketing purposes (regarding commercial and promotional information/communication activities) and indirect marketing (regarding invitations to events and/or exhibitions promoted and/or organized by the Data Controller and/or its Data Processors).
- We will process personal data for profiling purposes, aimed at analyzing preferences, interests, and purchasing or participation behaviors in events, in order to send customized communications and offers.
- We will process personal images possibly acquired during the event (such as photos and/or videos) for the purpose of promoting the event itself.
2. LEGAL BASIS OF THE PROCESSING
The provision of personal data for the above purposes—except for marketing and profiling purposes—is mandatory, and failure to provide such data will make it impossible for the Data Controller to provide the service.
The lawfulness of the processing for direct and indirect marketing purposes, as well as for profiling, lies solely and exclusively in the consent voluntarily provided during completion of the relevant form.
The legal basis for the processing of payment data for the purchase of tickets is the performance of a contract or pre-contractual measures at the request of the data subject, pursuant to Article 6(1)(b) of the GDPR, as the provision of payment data is necessary to finalise the purchase of the requested products/services. The Data Controller processes the data exclusively for purposes related to payment processing, adopting appropriate technical and organisational measures pursuant to Article 32 of the GDPR. The data is not stored for longer than is strictly necessary for the execution of the transaction and the management of related administrative and anti-fraud activities, except for storage obligations required by law.
The use of photos/videos in which unidentified visitors appear as secondary subjects may take place without consent, on the legal basis of the legitimate interest of the data controller (Article 6(1)(f) of the GDPR).
Regarding the creation of the Emac S.r.l. database, the legal basis for processing is the pursuit of the Data Controller’s legitimate interest.
3. PERSONS AUTHORISED TO PROCESS THE DATA
The personal data provided may be processed by internal personnel responsible for the processing of personal data and/or by third parties, such as IT service companies (software used for data registration, etc.) expressly authorized to process the data pursuant to Art. 29 of EU Regulation 2016/679, and possibly by the Judicial Authority, in the event of a request.
For the processing of transaction data, the Data Controller has appointed an externalcompany as the Data Processor, which manages the data solely for purposes related to theprocessing of payments, adopting technical and organisational measures in compliance with Article 32 GDPR. Data is not retained longer than necessary for the completion of thetransaction and the management of related administrative and anti-fraud activities, unlessretention obligations are provided by law.
All such parties will process the data exclusively for the purposes indicated in point 1 of this notice.
4. RECIPIENTS OF THE DATA
Your personal data may be disclosed to third parties acting on behalf of the Data Controller such as, by way of example, supervisory and control authorities and bodies, public or private entities authorized to request the data in compliance with legal and contractual obligations. The data may also be processed by external parties designated as External Data Processors. All such parties will process your data exclusively for the purposes indicated in point 1 of this notice.
5. RETENTION PERIOD OF PERSONAL DATA
Data will be processed for the time necessary to fulfil contractual obligations and all related and consequential requirements. After such period, in compliance with legal obligations, data will in any case be retained for no longer than 10 years from the time of provision.
Personal data will be retained only for the period strictly necessary to comply with tax and fiscal obligations, and in any case for no longer than 10 years from the time of provision.
Data will be retained for no longer than the period required to achieve marketing purposes and for a maximum of 24 months, in full compliance with the storage limitation principle established by the GDPR; or until withdrawal of consent, which may be withdrawn by sending a specific email to the Data Controller.
Data forming part of the Company’s database will be retained for the time necessary to achieve the relevant purpose, for a maximum period of five years, in full compliance with the GDPR’s storage limitation principle.
In the event of a dispute, we may retain personal data for a longer period (until the end of the dispute; until no longer needed by the Judicial Authority).
6. SECURITY MEASURES
Data are stored in electronic and paper archives with full assurance of adequate security measures aimed at minimizing the risk of breaches.
7. RIGHTS OF THE DATA SUBJECT
As a Data Subject, you hold the following rights listed below pursuant to Articles 15 et seq. of the GDPR: Right to information (you may ask us which of your personal data we are actually processing); Right of access (you may access your personal data undergoing processing and may request a copy thereof); Right to rectification (you may rectify your personal data at any time by requesting the correction of inaccurate data and the completion of incomplete data); Right to erasure (you may request the erasure of your personal data at any time); Right to data portability (you may request the portability of your data, that is, to receive from the Company the personal data concerning you in a structured, commonly used and machine-readable format. You therefore have the right to ask the Company to transmit your data to another Controller); Right to object (you may object to a specific processing of your personal data without necessarily requesting their erasure. From the moment of objection, the Company will stop processing your data); Right to restriction (you may request the restriction of the processing of your personal data. In certain cases, for example when exercising the right to object, restriction is a natural consequence. Where processing is restricted, any use of the data by the Company may only take place with your consent).
8. TRANSFER OF DATA ABROAD
Personal data will not be disclosed to Third Countries and/or international organisations. Any cross-border transfer of data to such countries takes place in accordance with the applicable legal provisions, as well as in compliance with the decisions of the Court of Justice of the European Union and of national and foreign Authorities on the protection of personal data. In any case, transfers of personal data to countries outside the European Economic Area (EEA) or to an international organisation are allowed provided that the adequacy of the third country or organisation is recognised by a decision of the European Commission (Art. 45 of Regulation (EU) 2016/679). In the absence of such a decision, the transfer is permitted where the controller or processor provides appropriate safeguards, which include enforceable data subject rights and effective legal remedies for data subjects (Art. 46 of Regulation (EU) 2016/679).
9. USE OF PUBLIC IMAGES OF VISITORS
With regard to images relating to visitors participating in the event (such as, for example, photos/videos or audiovisual recordings) within the scope of the event open to the public, by purchasing a ticket and entering the event, the visitor agrees that these images may be freely used, free of charge, by the Organiser, by the data processors appointed by the Organiser and by the Event’s Partner Companies for the purposes of publication and dissemination for informational and commercial purposes.
10. METHODS FOR EXERCISING THE DATA SUBJECT’S RIGHTS
The Controller may be contacted at the email address: segreteria@emacfiere.com and at the certified email address (PEC): emacsrl@arubapec.it, or by sending a registered letter with return receipt to the Controller’s registered office.
The Data Protection Officer (DPO) / Data Protection Manager (RPD) may be contacted at the email address: dpo@emacfiere.com