The joint data controllers, collectively the “Companies” or the “A.S. Roma Entities”, this policy refers to are:
- A.S. Roma S.p.A., with registered offices in Rome, Italy, at P.le Dino Viola No. 1, - Tax Code and entry in the Register of Companies of Rome under No. 03294210582, VAT No. 01180281006;
- Soccer S.a.s. di Brand Management S.r.l., with registered offices in Rome, Italy, at Via Emilia 47 - Tax Code, VAT Number and entry in the Register of Companies of Rome under No. 09305501000;
- Stadio TdV S.p.A., with registered offices in Milan, Italy, at Via Montenapoleone, 29 - Tax Code, VAT Number and entry in the Register of Companies of Milan under No. 08732500965; and
- Roma Studio S.r.l., with registered offices in Rome (Italy), at P.le Dino Viola No. 1,- Tax Code and entry in the Register of Companies of Rome under No. 14613831008, VAT number 14613831008,
The Companies act as joint data controllers and take your privacy seriously and understand the importance of maintaining the confidentiality of your personal data and other information stored about you.
The Companies are committed to ensuring the confidentiality, integrity and availability of your personal data, as well as to respect your privacy, in the course of its day-to-day activities and in compliance with applicable relevant data protection laws.
A.S. Roma Entities collect and process personal data in respect of your use of and interactions with the A.S. Roma Platforms in order to provide you with a service, to respond to you and to publish and share information plus documents related to football and A.S. Roma. “Personal data” means any information that may be linked directly or indirectly to you as an individual. The types of Personal Data we may collect and process vary from A.S. Roma Platform to A.S. Roma Platform but can be summarised as follows:
(i) Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender and ID number.
(ii) Contact Data includes billing address, delivery address, email address and telephone numbers.
(iii) Financial Data includes bank account and payment card details.
(iv) Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
(v) Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access A.S. Roma Platforms.
(vi) Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
(vii) Usage Data includes information about how you use A.S. Roma Platforms.
(viii) Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
(ix) Cookie and Device Data. Details can be found in Section 10.
(x) Other. Other information you may provide to us, for example photographs, competition entries.
Some of the personal data requested on the A.S Roma Platforms such as your first and last name, telephone number, and e-mail address, may be marked as “mandatory” [e.g., indicated with an (*)] as they are necessary to access the services of the A.S Roma Platforms you wish to use (e.g., if you place an order). Failure to provide this data marked as “mandatory” will result in our inability to provide you the requested service (e.g., if you fail to give us your e-mail address, we cannot send you a newsletter). Failure to provide data marked as “optional” will not have any consequences.
We collect your personal data in a number of ways as described below.
Information you give to us directly:
We collect information on you where you:
(i) register an account with us (including via social media profiles such as Facebook and Google+) or log in and make changes to your online account;
(ii) register to receive marketing communications from us;
(iii) purchase products or service or tickets from us;
(iv) enter into a competition on A.S. Roma Platforms;
(v) interact with our social media profiles; and
(vi) contact us (including over the phone, or via email, post, live chat or social media messaging);
(vii) submit your application for a job position.
Personal data we collect from third parties:
We collect information on you from third parties, such as A.S. Roma Entities’ commercial and media partners and A.S. Roma Entities suppliers, where you:
(i) have a contract in place with such third parties which requires the transfer of your personal data to us; and/or
(ii) register through such third parties to receive marketing communications from us.
Personal data we collect automatically:
The personal data we hold on you will be used in a number of ways depending on the A.S. Roma Platform as explained below. Under data protection laws we have to have a lawful basis for processing your personal data. We have indicated the lawful basis we rely on below in the headings.
Where we rely on legitimate interest as this lawful basis, our legitimate interest is necessary for promoting our business, improving the services we offer to you and your experience when you interact with us, and ensuring effective operational management and internal administration of our business and the exercise of our rights.
To fulfil contracts
If you enter into a contract with us (for example to purchase a ticket, open an account, purchase a product or to enter into a competition) we need to process personal data in order to fulfil the contract by providing the services, processing payments and corresponding in relation to the same. If you do not provide the information to us, we may not be able to fulfil the contract and provide the products or services to you.
If you submit an application for a job position offered in one of the A.S. Roma Entities, we need to process personal data in order to take steps at your request prior to entering into a contract. If you do not provide the information to us, we may not be able take in consideration your submission.
Where we have your consent
We ask for your consent to send you direct marketing communications relating to ticketing sales, merchandise sales, events, competitions, promotions, and other activities we run. You can choose to unsubscribe at any time as explained in ‘your rights’ below. In some limited circumstances, we do not need to obtain your consent for marketing as explained in the legitimate interest section below.
Where we have a legal obligation
To protect, investigate, deter and report fraudulent, unauthorised or illegal activity. Where you are interested in purchasing tickets this includes the prevention of credit card fraud and the retention of certain payment details to enable refunds and for financial record keeping requirements.
We are also under legal obligations in respect of health and safety, ensuring that individuals who have been banned do not attend our events and other requirements relating to the integrity of the sport. This may involve the processing of personal data about you and the disclosure of information to the police, state authorities and other bodies where required by law.
Where we have a legitimate interest
We may process your personal data where it is necessary for our legitimate interests as a business in the following situations:
· Account management and record keeping and correspondence in relation to products and services you receive from us.
· Fraud detection and checks.
· To respond to any enquiries, information requests or complaints you make to us or that are made about you.
· To inform you of upcoming events, promotions and community initiatives and communicate with you about these, where you have shown an interest.
· To send you marketing communications by e-mail where we have a commercial relationship (for example where you pay us for tickets to an event or purchase items from our store) with you and you have not objected to receiving such communications from us.
· To contact you for your views and feedback on our events and activities.
· To assist with internal record keeping.
· To provide you with, and maintain the quality of, our website and to analyse the use of our website in order to help guide improvements.
· Profiling to enable better service and personalisation as explained in more detail below.
· To assist in the prevention of or detection of a crime or equivalent malpractice.
· To assist in the identification and prosecution of offenders.
· To monitor the security of A.S. Roma Entities’ events, activities and stadia.
Where we rely on legitimate interest as a ground for processing your personal data, we carry out an assessment to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests, before we go ahead with such processing. We keep a record of these assessments. You have a right to the personal data contained in these balancing tests on request and can find out more by contacting us using the details below.
We may also use aggregate anonymised information in order to help us develop our services and may provide such information to third parties. This information cannot identify you.
We may share your personal data with the parties set out below for the purposes set out above.
· With external third parties who perform functions on our behalf and who also provide services to us, such as professional advisors, technology providers and hosting companies; advertising companies and exchanges; analytics companies; payment providers; fraud and credit checking companies; companies which provide us with services instrumental to our personnel selection activities. These third parties comply with similar and equally stringent undertakings of privacy and confidentiality.
· With external third-party data services; who help up to segment and understand our audience by providing additional information.
· With external third-party advertisers (such as Facebook or Google) to help us identify customers similar to our audience or to serve relevant adverts to you on third party websites. The information shared with these advertisers is pseudonymised to protect your personal data.
· With police and state authorities in particular to carry out security or administrative controls in relation to venues or events You have requested access to.
· With external third parties, where the Companies. find that it is necessary, as determined in the Companies’ sole discretion, to investigate, prevent or take action regarding illegal activities, suspected fraud, emergency situations involving potential threats to the physical safety of any persons, violations of contractual obligations or as otherwise required by law.
· Certain third parties pursuant to court orders or warrants.
· To third parties where you give us express permission to share your personal data in the course of your relationship with us from time to time.
A.S. Roma Entities will not sell, rent or transfer your personal data to third parties without your consent and for reasons other than those consistent with the purpose for which the data were originally collected or for other purposes authorised by law.
The Companies may transfer and process your data anywhere in the world where we maintain data processing operations. We shall at all times ensure we provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of data protection regulations.
To the extent that we process any Personal Data protected by the GDPR in a country that has not been designated by the European Commission as providing an adequate level of protection for your data, we will provide adequate protection (within the meaning of GDPR) for your data by working with Data Processors who have self-certified its compliance with Privacy Shield principles or by assuring adequate safeguards according to the GDPR .
· our contractual obligations and rights in relation to the personal data involved;
· legal obligation(s) under applicable law to retain data for a certain period of time;
· statute of limitations under applicable law(s) which is the period during which contractual claims could be brought, being 10 years in Italy;
· our legitimate interests where we have carried out balancing tests (see section on ‘How do we use your personal data’ above);
· (potential) disputes; and
· guidelines issued by relevant data protection authorities.
By law, you have a number of rights (subject to certain conditions) when it comes to your personal data. Further information and advice about your rights can be obtained from the data protection regulator in your country.
What does this mean?
Your right to object to processing
You have the right to object to certain types of processing, including processing based on the legitimate interest of the Companies or processing for direct marketing purposes (i.e. if you no longer want to be contacted with potential offers or opportunities). Unsubscribing from newsletters and e-mail marketing communications can most easily be done by clicking on the unsubscribe link at the bottom of any e-mail newsletter we have sent to you or, alternatively, by modifying your account settings and preferences.
Your right to be informed
Your right to Access your personal data
This is so you are aware and can check that we are using your personal data in accordance with data protection law.
Your right to Update and Rectification
You are entitled to have your personal data corrected if it is inaccurate or incomplete.
You are generally able to review, correct or update your personal data at any time by accessing your account on any A.S. Roma Platform where it has been created. However, you may choose to send us a written request to do so on your behalf at any time.
The right to erasure
This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your personal data where there is no compelling reason for the Companies to keep using it. This is not a general right to erasure, there are exceptions.
You are generally able to delete your personal data at any time by accessing your account on the A.S. Roma Platform where it was created. However, you may choose to send us a written request to do so on your behalf at any time.
Your right to restrict processing
You have rights to ‘block’ or suppress further use of your personal data. When processing is restricted, the Companies can still store your personal data, but will not use it further. We keep lists of people who have asked for further use of their personal data to be ‘blocked’ to make sure the restriction is respected in future.
Your right to data portability
You have rights to obtain and reuse your personal data for your own purposes across different services.
Your right to lodge a complaint
You have the right to lodge a complaint about the way the Companies handle or process your personal data with your national data protection regulator by contacting the applicable data protection regulator directly.
Your right to withdraw consent
If you have given A.S. Roma Entities your consent to anything we do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your personal data for marketing purposes.
You can exercise any of these rights by contacting us in writing (including via email or regular mail) on the details below. Please note that we may require to receive a proof of your identity before we can respond to your request.
AS ROMA S.P.A.
Piazzale Dino Viola, 1
We usually act on requests and provide information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:
· baseless or excessive/repeated requests, or
· further copies of the same information.
A.S. Roma Entities may refuse, restrict or defer the provision of information where the Companies have the right to do so under current data protection legislation.
Please consider your request responsibly before submitting it. We will respond as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will come back to you and let you know.
OUR APPROACH TO DATA SECURITY
We want you to feel confident about using the A.S. Roma Platforms. Therefore, the Companies define and implement the reasonable technical and organisational measures necessary to maintain the security of personal data, according to the nature of the personal data processed and the circumstances of the processing, with the objective of avoiding (in the realm of the possible and having regard to the state of the art) non-authorised processing or access, alteration or loss (to ensure confidentiality, integrity and availability respectively).
The Companies use industry standard SSL encryption to protect data transmissions. If You communicate with the Companies in any format other than via A.S. Roma Platforms (e.g. by e-mail), You should be aware that the secrecy of the Internet is uncertain. By sending sensitive or confidential e-mail messages or information which are not encrypted, you accept the risk of such uncertainty and possible lack of confidentiality over the Internet.
Identity theft and the practice currently known as “phishing” are of great concern to the Companies. Safeguarding information to help protect You from identity theft is a great concern. A.S. Roma Entities do not and will not, at any time, request your credit card information, your account ID, login password or national identification numbers in a non-secure or unsolicited e-mail or telephone communication.
We may use the personal data you provide to us to better understand your interests so we can try to predict what other products, services and information you might be most interested in. We call this profiling. This enables us to tailor our communications and those of our third parties to make them more relevant and interesting for you.
If you don’t want us to do this you may opt-out here http://www.networkadvertising.org/choices/, or http://www.aboutads.info/or, for EU users only here: http://youronlinechoices.eu/. You may also use your right to object set out in Section 8 above.
We do not use your personal data to make automated decisions about you that may have legal effects or otherwise significantly impact you.
PRIVACY FOR CHILDREN
The protection of personal data of children and adolescents is of particular concern to the Companies. The A.S. Roma Platforms and their content are not directed at children under the age of fourteen (14). The Companies recommend that parents discuss the use of the Internet and the provision of personal data on websites with their children before allowing minors between fourteen (14) and sixteen (16) to register.
A.S. Roma Entities will not knowingly collect personal data from or about children under fourteen (14). If a parent or legal guardian becomes aware that his or her child under fourteen (14) has registered as a user without their consent, he or she should delete the relevant account or if this is not possible, inform the Companies immediately. If the Companies become aware that a child under fourteen (14) has registered as a user, their access as a user will immediately be denied and their account deleted as quickly as possible (including all personal data associated with that account).
If you believe that the Companies might have any personal data from or about a child under thirteen (13), please notify the Companies in writing by email to firstname.lastname@example.org mail to Roberto Aiello, A.S. Roma S.p.A., P.le Dino Viola No. 1, Rome, Italy.
OUR DATA PROTECTION OFFICER
The Data Protection Officer appointed by A.S. Roma S.p.A. and Soccer S.a.s. di Brand Management S.r.l. can be contacted at the e-mail address: email@example.com.
LINKS TO OTHER SITES
AS ROMA S.P.A.
Viale Tolstoj, 4
The full text of Regulation EU 2016/679 is available on the Website of the Italian Data Protection Authority (www.garanteprivacy.it).