Information notice
PURSUANT TO ART. 13 EUROPEAN REGULATION 2016/679
In accordance with the current legislation on the protection of natural persons and other subjects with regard to the processing of personal data, as well as the free movement of such data, and, in particular, pursuant to Article 13 of the European Regulation 2016/679 (hereinafter GDPR) and Article 13 of Legislative Decree 196/2003 (Privacy Code), as amended by Legislative Decree 101/2018 and subsequent amendments, in relation to the personal data that will be processed by the Data Controller indicated below, we inform you of the following:
Definitions
Personal data: any information concerning an identified or identifiable natural person, directly or indirectly.
Special categories of personal data: (Article 9, paragraph 1, GDPR) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data concerning health or sexual life or sexual orientation of the natural person.
Data subject: the natural person to whom the personal data refer.
Processing: any operation or set of operations, performed with or without the aid of automated processes, and applied to personal data.
Data Controller: the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of the processing.
Data Processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the Data Controller.
Authorized personnel: the natural person authorized to perform specific processing operations by the Data Controller or the Data Processor.
Data subject’s consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Communication: making personal data known to one or more specific subjects.
Dissemination: making personal data known to unspecified and/or unidentifiable subjects.
1. Data Controller and DPO
The Data Controller is
ORGANIZING COMMITTEE OF THE EUROPEAN ABSOLUTE FENCING CHAMPIONSHIPS GENOA 2025
With registered office in Genoa, Corso Podestà, n. 12/9
The Data Protection Officer (or Personal Data Protection Officer) is
ATTY. FLORIANA BRANCA contact details: privacy.dpo.studiolegalebranca@pec.it
2. Personal data subject to processing
The Data Controller will process only the personal data of the Data Subject necessary for the purchase of the ticket, such as, for example: name, surname, place and date of birth, address of residence or domicile, tax code, email address, telephone number, payment instruments used.
Only occasionally, it will have to process special categories of personal data, i.e., data concerning the health of the Data Subject, within the limits strictly necessary to ensure compliance with the current legislation on the removal of architectural barriers, including sensory barriers, where possible.
The data processed will only be those communicated by the Data Subject, as the Data Controller will not process any data relating to the Data Subject obtained from public or publicly accessible sources.
3. Purposes and legal basis of the processing of personal data
The processing of the data received may be aimed at:
Purpose a) fulfillment of the ticket sales contract, also in the pre-contractual phase or in the event that the sale is not successful.
Purpose b) fulfillment of the obligations provided for by laws, regulations and the legislation of Italy and the European Union, as well as by provisions issued by Authorities authorized by law or by supervisory or control bodies.
Purpose c) sending newsletters, also through automated or IT tools, subject to the Data Subject’s consent.
Purpose d) direct marketing, subject to the Data Subject’s consent.
Purpose e) when the Data Controller must act or defend itself in court.
If the Data Controller intends to further process personal data for purposes other than those for which they were collected, and as indicated above, before such further processing: it will provide the Data Subject with all the necessary information in accordance with the current legislation; it will verify whether the processing for such different purposes is compatible with the purposes for which the personal data were initially collected; if the processing is not based on a legislative act of the European Union or the Italian State, it will proceed to collect the Data Subject’s consent to such new processing in accordance with the current legislation and the GDPR.
The legal bases for the processing are:
Purpose a): the processing is necessary for the conclusion and execution of the contract.
Purpose b): the processing is necessary to fulfill a legal obligation.
Purpose c): the processing is subject to the acquisition of specific and explicit consent for this purpose.
Purpose d): the processing is subject to the acquisition of specific and explicit consent for this purpose.
Purpose e): the processing is based on a legitimate interest of the Data Controller, within the limits of the GDPR.
4. Methods of data processing
The processing of data will be carried out by the Data Controller and/or its authorized personnel, in strict compliance with the principles set out in Articles 5 and following of the GDPR (in particular, the principles of lawfulness, fairness, transparency, accuracy, purpose limitation and data minimization), through the operations or set of operations indicated by the current legislation and, in particular, by Article 4 of the GDPR, concerning the collection, recording, organization, structuring, storage, use, adaptation or modification, consultation, processing, selection, extraction, comparison or interconnection, blocking, communication and communication by transmission, dissemination or any other form of making available, limitation, erasure and destruction of data. The aforementioned operations may be carried out with or without the aid of automated processes and the data may be stored in archives, whether paper, electronic, centralized, decentralized, or functionally or geographically distributed. The systems used for data processing are configured, from the outset, to minimize the use of the data itself. Following periodic checks, the Data Controller will verify the accuracy, updating, strict relevance, adequacy and non-excess of the data collected with respect to the obligations and purposes of the processing for which they were collected. The data will be processed in a manner that ensures adequate security of the same, including protection, through the adoption of appropriate technical and organizational measures, from unauthorized or unlawful processing or from loss, destruction, modification, unauthorized disclosure, accidental damage, as well as from unauthorized access to personal data transmitted, stored or otherwise processed, even in the case of processing through remote communication tools.
5. Data retention period
The retention period of personal data varies according to the purpose of the processing of the same.
Purpose a) point 3: personal data of a fiscal/accounting nature will be retained for ten years following the end of the fiscal year following the one of competence, to address any tax assessment and/or dispute.
Purpose b) point 3: the retention periods of the data are set at ten years and, in any case, for the period strictly necessary for the purposes and fulfillment of the obligations provided for by laws, regulations and the legislation of Italy and the European Union, as well as by provisions issued by Authorities authorized by law or by supervisory or control bodies.
Purposes c) and d) point 3: the data will be retained for one year only, starting from the date of their provision by the Data Subject. In any case, the Data Subject has the right to withdraw his or her consent at any time and in a manner similar to that provided for its provision, without consequences, except for the non-sending of newsletters or the processing of data for marketing.
Purpose e) point 3: personal data will be retained for the entire period of the ordinary statute of limitations and until the complete resolution, judicial or extrajudicial, of the dispute itself.
Personal data whose retention is not necessary, or is no longer necessary, in relation to the indicated purposes, will be deleted or transformed into an anonymous form.
6. Existence of an automated decision-making process, including profiling
The Data Controller does not adopt any automated decision-making process, including profiling, under the current legislation.
7. Provision of data, refusal to provide data and refusal or withdrawal of consent
In relation to the purposes expressed in point 3, letters a), b), e), the provision of data and consent to processing are mandatory, being a legal or contractual obligation or a necessary requirement for the conclusion of the contract or its execution; any refusal will not allow the Data Controller to carry out the assigned task or to conclude the contract to which the Data Subject is a party. In the case of legal obligations, any refusal would make it impossible for the Data Controller to establish relationships with the Data Subject, and the Data Controller could be obliged to report to the competent Authorities. In relation to the purposes set out in letters c) and d), the provision of data and consent to processing are optional and the Data Subject has the right to withdraw his or her consent at any time, without consequences.
In any case, the Data Subject has the right to withdraw consent to the processing of personal data in relation to the purposes set out above, or only to some of them, at any time, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal.
8. Communication of data and recipients of the communication of personal data
Personal data may be communicated to third parties, especially when the communication is necessary for the fulfillment of a legal obligation. In such cases, personal data may be communicated for the purposes set out in point 3 to: all subjects, natural or legal persons, public or private, to whom the right of access to such data is recognized by virtue of legislative or regulatory provisions, national and of the European Union; supervisory, control and other authorities, for purposes related to the fulfillment of legal obligations (e.g., Judicial, Health, Administrative, Police Authorities, etc.), and/or regulations, as well as by provisions issued by the same authorities; employees of the Data Controller, Data Processors and authorized personnel, only and exclusively in relation to the performance of the tasks and duties specifically assigned to each of them; external collaborators; subjects operating in the judicial and/or administrative sector; banks and credit institutions; lawyers; technical consultants; arbitrators or arbitration panels; mediators; accountants; insurance companies, for the purpose of stipulating insurance policies related to the task assigned to the Data Controller; and, in general, to all those subjects to whom the communication is necessary by law and/or necessary and functional for the correct fulfillment of the purposes indicated in point 3 and/or in any case strictly connected and pertinent to the contract stipulated with the Data Subject. The Data Subject, at any time, upon written request to be sent to the Data Controller, at the registered office indicated in point 1, may obtain the updated and complete list of the recipients of the communication of his or her personal data.
All the subjects listed above, with the exception of the other employees of the Data Controller and the Data Processors specifically appointed, will process personal data as autonomous Data Controllers, by law or by specific consent, remaining third parties and external to the original processing, therefore excluded from the direct authority of the Data Controller referred to in this information, being able to autonomously determine the methods and purposes of the processing. Some recipients of personal data, however, may be designated by the Data Controller as external Data Processors: in this case, they carry out the processing on behalf of the Data Controller, following its instructions, implementing adequate technical and organizational measures, in order to ensure compliance with the provisions of the GDPR and, in general, with the current legislation, and the protection of the rights of the Data Subject.
9. Dissemination of data
Personal data will not be subject to dissemination.
Nor will they be transferred to third parties for commercial and/or profit and/or indirect marketing purposes.
Personal data, within the scope of the purposes set out in point 3, may be transferred to countries of the European Union and to third countries outside the European Union. If for technical and/or operational reasons it is necessary to use subjects located outside the European Union, or if it is necessary to transfer some of the collected data to technical systems and services managed in the cloud and located outside the European Union, the processing will be regulated in accordance with the provisions of Articles 44 and following of the EU Regulation 679/2016 and authorized on the basis of specific decisions of the European Union. All necessary precautions will therefore be adopted in order to ensure the widest protection of the personal data of the Data Subject.
10. Rights of the Data Subject
The current legal provisions, and, in particular, Articles 15 to 23 of the GDPR, grant Data Subjects the exercise of specific rights. Therefore, within the limits and under the conditions provided for by the aforementioned legislation, the Data Controller recognizes and guarantees the Data Subject the exercise of the following rights:
- to request confirmation of the existence or not of personal data in the Data Controller’s archives;
- to access the personal data present in the Data Controller’s archives and to all the information relating to them in accordance with the law and the GDPR;
- to request the rectification, updating, integration and erasure of personal data, if incomplete or incorrect, as well as to object to their processing for legitimate and specific reasons;
- to obtain the rectification of inaccurate personal data without undue delay;
- to obtain the erasure of personal data without undue delay, if one of the reasons set out in Article 17, paragraph 1, GDPR exists (so-called “right to be forgotten”);
- to obtain the restriction of the processing of personal data if one of the reasons set out in Article 18, paragraph 1, GDPR exists;
- to obtain the portability of the personal data, i.e., to receive it/them from the Data Controller in a structured, commonly used and machine-readable format and/or to transmit it/them to another Data Controller without hindrance, or to obtain the direct transmission of the personal data from the Data Controller to another Data Controller, within the limits and in the ways provided for by Article 20 GDPR;
- to withdraw consent to the processing of personal data, in particular where given pursuant to Article 6, paragraph 1, letter a) or Article 9, paragraph 2, letter a), GDPR, in relation to the purposes set out above or only to some of them, at any time, without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
- to object at any time to the processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing;
- to object to an automated decision-making process relating to natural persons, including profiling, and to obtain human intervention by the Data Controller, to express his or her opinion and to contest the decision;
- to object to the processing of personal data for scientific or historical research purposes or for statistical purposes, unless the processing is necessary for the performance of a task carried out in the public interest;
- to receive information relating to the action taken regarding the exercise of one or more of the rights listed above, or to the effects arising from the exercise of one or more of the aforementioned rights, without undue delay and, in any case, at the latest within one month of receipt of the request itself (term, if necessary, possibly extendable by two months in the cases provided for by law and by Article 12, paragraph 3, GDPR);
- to lodge a complaint with a supervisory authority;
- to bring a judicial appeal.
Unless the processing is unlawful or violates the principles set out by the current legislation, the exercise of the rights listed above by the Data Subject must be pertinent and motivated, and cannot imply the withdrawal of the consent given or the erasure of the data provided for the conclusion or execution of the contract or for the fulfillment of a legal obligation, as set out in point 3, to the extent and for as long as the personal data are necessary for such purposes. If the Data Subject’s requests are manifestly unfounded, excessive or repetitive, the Data Controller may, pursuant to Article 12, paragraph 5, letters a) and b), GDPR, charge the Data Subject a fee or refuse to comply with the request. The European Union or the Italian State may limit the scope of the obligations and rights of the Data Controller and the Data Subject, as set out above, pursuant to and for the purposes of Article 23 GDPR. The rights in question, with the exception of the right to lodge a complaint or appeal, may be exercised by written request addressed to the Data Controller at the addresses and contacts indicated in point 1.
For anything not expressly mentioned in this information, express reference is made to the current legal provisions and, in particular, to the GDPR.
The Data Controller does not process data of minors under the age of eighteen.
The Data Controller will in no way be responsible for any false statements that may be provided by the minor himself or herself at the time of providing personal data. If the falsity of the statements made by the minor is ascertained, the Data Controller will proceed with the immediate deletion of any personal data relating to him or her.
This information is applicable from the moment of its publication.
In order to best satisfy any knowledge needs in the field of privacy and to keep up with the regulatory evolution of the sector, this information may be subject to updates and changes. In this regard, the Data Controller recommends periodically consulting this page. Further information regarding your rights in relation to the protection of your personal data and their processing can be found on the website of the Guarantor for the protection of personal data at the address www.garanteprivacy.it.
This information supplements the general information published on the vivaticket.com website.