GDPR – Principles for the Protection of Personal Data and Information Memorandum for the Race Participants and Contractual Partners – Natural Persons
(on the method of personal data processing and related rights)
Effective as at 1 November 2018
1. INTRODUCTION AND DEFINITIONS
By virtue of these principles and information memorandum, we provide you, all participants in the SPARTAN events and natural persons whose personal data may be processed with regard to organization of the SPARTAN events, including volunteers participating in preparing and organization of the SPARTAN events, and our contractual partners – natural persons, with information on the scope and method of processing of their personal data, for what purposes we process the personal data, whether we transfer these personal data to any third party and what rights these natural persons have with regard to processing of their personal data. These principles were prepared in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, GDPR), effective as at 25 May 2018.
These principles apply to processing of personal data with regard to organization of SPARTAN events by ACEU s.r.o., having its registered seat at Osadní 869/32, Holešovice, 170 00, Prague 7, Czech Republic (“Spartan CZ”), by Adventuredsports s.r.o., having its registered seat at Hlavná 461, 094 12 Vechec, Slovak Republic (“Spartan SK”); by ULMUS ENTERPRISE Sp.z o.o., having its registered seat at ul. Halna 7/6, 33-380 Krynica-Zdrój, Republic of Poland (“Spartan PL”); by HSR Rendezvényszervezo Kft., having its registered seat at ul. Kelemen L. u. 1., 2900 Komárom, Hungary (“Spartan HU”); by ADVENTURED SPORT EVENTS S.R.L., having its registered seat at ul. Drumul INTRE TARLALE, Nr. 41C, BIROUL 24, Etaj 2, Bucuresti Sectorul 3, 032982, Romania (“Spartan RO”); by AROO – občianske združenie, having its registered seat at ul. 1. mája 1433, 02302, Krásno nad Kysucou, Slovakia („AROO“) (hereinafter collectively referred to as the Companies); for the purposes of these principles, the above Companies are hereinafter also referred to as the “SPARTAN Group”; the Companies in the SPARTAN Group process individual personal data and sensitive data on your person and they determine the purpose and means for processing of such personal data, and therefore, they are controllers of these personal data in relation to these personal data (hereinafter individually the “Controller” or “Company”). The Companies in the SPARTAN Group may share these personal data among themselves and process the same; and for the purposes of such processing, they entered into contracts on processing under art. 28 GDPR, based on which they guarantee ensuring of all rights of the data subjects with regard to such processing.
Personal data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive data – are personal data that may reveal your racial or ethnic origin, religion, political opinion or philosophical beliefs, trade union membership, health status or sex life information, genetic data or biometric data, to uniquely identify the natural person.
Contractual partner – a natural person who concluded a contract with the Company within its business activities.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Recipient – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Third party – a natural or legal person, public authority, agency or body other than the data subject, Controller, Processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
2. TYPES OF COLLECTED PERSONAL DATA
By completing an entry/registration form for a race or by registration to volunteer activity, a contractual relationship arises between you and the Company (the Controller). At the formation or during existence of the contractual relationship, the Controller may process your personal data, namely the personal data that you disclosed to the Company (for the purposes of implementation of the contractual relationship – see below) prior to formation or during the existence of the contractual relationship. The Controller shall process in particular the following types of personal data:
– identification data such as your first name, surname, photograph, date of birth, birth ID, gender;
– information on clothing size;
– contact details, e.g. your residing address, contact address, personal phone numbers and e-mail addresses, bank account details, payment information, contact details of persons specified by you as contacts for emergency purposes.
During the race, we may acquire the following personal data processed for implementation of the contractual relationship with you, performance of statutory obligations, and performance of legitimate interests of the Controller (see below). These include in particular to the following personal data:
– BIB numbers/information from competitors´ register;
– visual, audio and audio-visual records (photographs, recordings, videos);
– location data;
– health status information (for cases of injury or health problems, lodging insurance claims).
3. PURPOSE AND LEGAL BASIS FOR PROCESSING OF PERSONAL DATA
The Controller shall collect and use your personal data for the purposes of performance of a contract that was or shall be concluded between you and the Company, or for the purposes of an insurance contract. This processing of personal data is carried out in accordance with Art. 6(1)(b) GDPR (Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data), and thus it is not subject to your consent.
Where processing of personal data is not necessary for the performance of a contract, the Controller may expressly request in limited cases your consent with certain methods of use of your personal data. Should the Controller request your consent, you may always refuse, and you are entitled to withdraw such a consent at any time.
We note that in case of processing personal data of persons below the age of 16 years based on a consent, the consent may only be given or authorised by the holder of parental responsibility over the child.
For the sake of completeness, we note that the Controller may further collect and use the personal data (based on Art. 6 GDPR; without a consent) where it is necessary for other legitimate purposes, such as:
– ensuring safety of the races, publishing race results, organizing races, ensuring protection of property of both the Controller and the data subject, performance of other legitimate interests of the Controller;
– investigation of potential incidents or breach of statutory obligations;
– where it is necessary for compliance with the law and legal regulations, such as collecting and disclosing personal data in accordance with the regulatory requirements, tax law or at the request of the police;
– based on a court warrant or within defending statutory rights of the Controller;
– where it is necessary for the protection of your vital interests (or vital interests of another natural person).
4. RECIPIENTS OF PERSONAL DATA
The Controller may share your personal data also with third parties – processors, including:
– those who provide the Controller with goods or services (e.g. financial and legal advisors, other advisors, providers of support in the area of data storage and information systems);
– other third parties, where the personal data are shared (1) based on your consent, or (2) where it is necessary (i) for compliance with statutory obligations, (ii) for drafting or submitting an actual or potential lawsuit or defence against a factual or potential lawsuit, or (iii) to protect your vital interests (or vital interests of another natural person), (iv) for the performance of contracts concluded between the Controller and a third party.
The Controller may disclose your personal data (including sensitive data) to other Companies in the SPARTAN Group, since certain activities or services related to internal data processing, organization of the SPARTAN events, insurance, marketing activities etc. are shared within the SPARTAN Group.
The Controller may share your personal data (including sensitive data) also with third parties – processors, including:
– those who provide the Controller with goods or services (timekeeping, processing race results, providers of on-line services and payment services, platform for registration and concluding contracts, providers of support in the area of data storage and information systems, e-shop operator), whose countinuously updated list is given HERE:
– public authorities and health and other insurance companies; insurance of competitors is concluded for the SPARTAN Group by Spartan SK with MetLife Europe d.a.c., insurance company branch from another Member State, having its seat at Pribinova 10, 811 09 Bratislava, Slovak Republic;
– sponsors, marketing partners for each SPARTAN event; the sponsors and marketing partners are listed at the Companies website at www.spartan-race.ro;
other third parties, where the personal data are shared (1) based on your consent, or (2) where it is necessary (i) for compliance with statutory obligations, (ii) for drafting or submitting an actual or potential lawsuit or defence against a factual or potential lawsuit, or (iii) to protect your vital interests (or vital interests of another natural person), (iv) for the performance of contracts concluded between the Controller and a third party. The Controller has contractually arranged for processing of personal data in accordance with the requirements of Art. 28 GDPR with the processors of personal data.
5. TRANSFERRING PERSONAL DATA OUTSINDE THE EUROPEAN ECONOMIC AREA
Since the SPARTAN RACE events are organized within a franchising structure established by Spartan Race, Inc., having its seat at 234 Congress Street, 5th Floor, Boston, MA 02110, US, and since they are carried out in more than 30 countries worldwide, the personal data may be, to the extent necessary for compliance with the franchising obligations of the Controller, also transferred to countries outside the European Economic Area (EEA). Similarly, the Controller may also transfer your personal data to third parties having their registered seats in other countries. Should the Controller transfer your personal data to another country, it shall always take measures in order to ensure that such transfer of personal data was in accordance with the requirements for the protection of personal data under the GDPR, and sufficient level of protection was ensured within the transfer to countries outside the (EEA).
6. TERM OF RETENTION OF PERSONAL DATA
Your personal data shall be retained only for a period necessary to fulfil the purposes specified in these principles and information memorandum (or any other purposes that were notified to you), or for another period required by contracts concluded with third parties, the respective law or other internal regulations of the Company.
The Controller in particular strives to ensure that your personal data is retained, and where necessary, erased or destroyed, in accordance with its internal regulations and the statutory requirements.
7. YOUR RIGHTS FOR PROTECTION OF PERSONAL DATA
As a data subject, you have a right to:
– access to personal data (Art. 15 GDPR);
– rectification of personal data (Art. 16 GDPR);
– erasure of personal data (Art. 17 GDPR);
– restriction of processing of personal data (Art. 18 GDPR);
– portability of personal data (Art. 20 GDPR);
– object against processing of personal data (Art. 21 GDPR);
– not to be subject of automated decision-making;
– withdraw consent with processing of personal data;
– lodge a complaint
– in the Czech Republic: with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), having its seat at Pplk. Sochora 727/27, 170 00 Prague 7-Holešovice, tel.: 234 665 111, 420 234 665 111; e-mail: email@example.com;
– in the Slovak Republic: with the Office for Personal Data Protection (Úrad na ochranu osobných údajov), having its seat at: Hraničná 12 820 07 Bratislava 27, Slovak Republic, tel.: +421 /2/ 3231 3220, e-mail: firstname.lastname@example.org;
– in the Republic of Poland: with the Office of Inspector General for the Protection of Personal Data (Biuro Generalnego Inspektora Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa; tel. 22 531 03 00, fax. 22 531 03 01, email@example.com;
– v HU: with the Office of Nemzeti Adatvédelmi és Információszabagság Hatóság, having its seat at: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c, Hungary, tel.: +36 1 391 1400, +36 1 391 1410, firstname.lastname@example.org
– in Romania: with the Office of The National Supervisory Authority For Personal Data Processing (Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal), having its seat at: B-dul G-ral. Gheorghe Magheru 28-30, sector 1, București 010336, Romania, tel.: +40.318.059.211, +40.318.059.212, email@example.com;
in case you believe that your right to protection of personal data was breached.
We note that with regard to the above rights of data subjects, limitations or derogations of the possibility to apply the rights may exist. The Controller shall strive to cooperate with you and discuss any derogations or limitations, should you submit a request for application of your right. Should you have any inquiry regarding your rights or should you wish to submit a request regarding application of such rights with regard to personal data specified in these principles, please contact the contact persons specified below in writing.
8. CONTACT INFORMATION OF THE CONTROLLER
Should you have any inquiries or comments with regard to this notice or procedures of the Controller in the protection of personal data, please contact the SPARTAN Group at e-mail: firstname.lastname@example.org.
The Controller may change the wording of these principles and this information memorandum at any time, whereas it shall publish the new wording at its website.