PRIVACY POLICY

(Effective on 21/06/2019)

Welcome to our platform designed for communicating, sharing and using information, services and experiences in connection with the world of endurance and outdoor.

This Privacy Policy describes how and why personal data is processed by Engagigo S.r.l., as data controller under this policy (hereinafter: “ENDU” or the “Controller”), in the provision of services via the website www.endu.net (hereinafter: the “Site”) and NeverAlone+ application, including the other web services accessible online via neveralone.site or smartrack.it or any other sites or mobile applications regulated by this privacy notice (hereinafter: “ENDU Services”). In relation to certain services, ENDU reserves the right to provide a specific privacy notice that may modify or supplement this Privacy Policy as appropriate; in case of conflict, the terms of the specific privacy notice in connection with the specific service will prevail.

The terms and conditions hereof apply to anyone browsing the Site or interacting with ENDU Services, accessible online also via existing or future mobile applications, and more broadly to natural persons whose personal data are collected and processed within the framework of the Services (the users of ENDU Services and, more broadly, all individuals whose data are processed within the scope of the Services will be hereinafter referred to also as data subjects).

The processing of data subjects’ personal information will be carried out in accordance with applicable laws or regulations, in particular with reference to the EU general data protection regulation 2016/679 (hereinafter: the “Regulation”) for the protection of natural persons in relation to the processing of personal data, and to the national legislation implementing the Regulation as well as to the measures taken by the national supervisory authority (i.e. the Italian Data Protection Authority).


1. SCOPE



Everyone has a right to protection of their personal data.

For this reason, ENDU has always been strongly committed to ensuring that your privacy is protected and to being clear about how your personal data are collected and processed.

ENDU Services have therefore been designed, in pursuance of the proportionality and necessity principles, in such a manner as to reduce the collection and use of user identification data of data subjects to the minimum, while at the same time preventing processing whenever the use of anonymous data or any other arrangements make it possible to achieve the intended purpose.

For the sake of clarity, it is hereby confirmed that this Privacy Policy only refers and is therefore only applicable to ENDU Services as offered by the Controller and does not apply to: (i) products and services provided by third parties via ENDU platform and ENDU services; (ii) any pages or websites accessible through links from the Services and operated by third parties.

We encourage you to read any relevant third party privacy policies carefully to get a more detailed understanding of how they process personal information through their sites and services.

It should be noted that ENDU platform is made available to event organisers, sports clubs and associations, and other individuals who provide support to organisers and sports events or sell goods or services in connection with sports activities relating to the Services; through ENDU platform, therefore, the above-mentioned individuals and entities can directly provide goods or services to users (for instance, they can collect registrations for an event or with a sports association, or they can sell goods related to the sports event). In such circumstances, for the purposes of protection of personal data, these individuals or entities act as independent data controllers on the basis of the independent relationship (for instance, the relationship arising from the registration for an event or with a sports association) established with the user within ENDU platform, whereas ENDU, as the provider of the platform used by the controllers, will act as data processor on their behalf, pursuant to art. 28 of the Regulation, and as such may acquire and transmit user’s data to them. This notice does not therefore concern the processing activities that such individuals or entities will implement in their capacity as independent data controllers. Whenever a user establishes an independent relationship with such individuals or entities via ENDU platform, he or she shall read and check the relevant notices provided by them, so as to learn about the legal basis and the purpose of the processing and to give any required consent in an informed manner.


2. Legal basis and purposes of the processing



As data subject, your personal data is processed by the Controller for the following purposes:

  1. For the performance of the contract or to provide the Services requested by the user

    Your data and the data of the persons indicated by you will be processed by ENDU for the performance of the contract and to fulfil the Services you have asked for.

    In particular ENDU may process your data and the data of the persons indicated by you to perform administrative and operational activities necessary to: (i) manage registration, authentication and access to the platform; (ii) provide geopositioning, timekeeping, statistical analysis services and other similar services in connection with the participation in sports events or training activity; (iii) manage purchase requests for goods or services offered directly by ENDU or third parties via the platform, including registrations for sports events as well as the purchase of ancillary goods or services in relation to such events; (iv) manage payment requests submitted by you, to allow banks and credit institutions to verify the selected payment method, charge the amounts due and manage any other service procedures; (v) to offer a platform with useful contacts and information on the world of endurance and outdoor, by means of newsletters, while facilitating communication and sharing of information between users via networking and messaging services, and user participation in various (sports, leisure or charitable) initiatives organised by ENDU or third parties; (vi) manage, upon your request, interactions between the Services and third party social networking platforms, to which you can connect based on your preferences, in order to share your activities or information about yourself; (vii) provide the Services (such as ENDUpix or other similar Services) through which ENDU allows participants in sports events (and anyone authorized by them) to purchase, after registering to its Services, photo and video recordings of them during such events; (viii) the issuing of administrative, accounting and tax-related documents relating to the services you have asked for.

    For such purpose, ENDU may process the data referred to in points a), b), c), d), e) and f) of Article 3) below.

    The legal basis for the processing is Article 6, paragraph 1, point b) as the processing is required for the performance of the contract to which the user is a party or to provide the Services requested by the data subject.

    Should ENDU, for the purpose of providing the Services requested, need to process special categories of personal data (i.e. information concerning your health status), the legal basis for the processing will also be your explicit consent pursuant to Article 9, paragraph 2, point a) of the Regulation. Without your consent, or in case consent is withdrawn, it will not be possible to provide the Services requested.

    Likewise, should the Service you requested rely on data concerning the geolocation of the electronic device in use, ENDU will ask for your prior consent to this end. Your consent may be withdrawn at any time.

    As regards the publication and disclosure, through the Site and the Services (for instance ENDUpix or other similar Services), of photos and videos of sport events, each single participant will be required to grant specific authorization at the time of registration collected by the organiser.

    Lastly, should ENDU upon your express request, and again for the purposes of providing the Services, need to process personal data of people with whom ENDU has no direct relationship (for instance, identification data or contact details of a third party registered by another user to a sport event through the Services) not only will the processing be based on the need to provide the Service requested and on the authorization indirectly provided by the data subject, but also on the legitimate interest of the Controller pursuant to Article 6, paragraph 1, point f) of the Regulation, to the extent that the user providing the data of the third party through the Services, declares to have been given prior consent by the data subject, and the processing of the third party data by ENDU, besides being reasonably foreseeable to the data subject in the light of what was declared by the user, does not infringe his or her rights and fundamental freedoms. In this case, the data subject shall still be entitled to object at any time to the processing of any personal data for reasons relating to his or her particular situation, by writing to info@endu.net.

  2. For compliance with a legal obligation

    Your data and the data of the persons indicated by you will be processed by ENDU for compliance with legal obligations, including without limitation, tax obligations related to the performance of the contract and the provision of the Services.

    For such purposes, ENDU may process the data referred to in points a), b), c), d), e) and f) of Article 3) below.

    The basis for the processing is Article 6, paragraph 1, point c) of the Regulation as the processing is necessary for compliance with a legal obligation to which the controller is subject.

  3. For marketing purposes

    ENDU may process your data to send you commercial information and/or for promotional initiatives associated with ENDU products or services by traditional means (postal service, call with an operator). In addition, ENDU may use the e-mail address provided in connection with the provision of the Services for direct sales purposes related to products and services similar to previously purchased ones.

    In order to pursue such purposes, ENDU may process the data referred to in point b) of Article 3). ENDU will carry out such processing operations in compliance with the principles of the Regulation and to pursue a legitimate interest (see Article 6, paragraph 1 point f of the Regulation); in any case, you are entitled to object at any time, also during registration to the Services, to such communications, by writing to info@endu.net.

    In addition, individual communications sent by e-mail shall contain a hyperlink allowing you to object to further communications in an easy and intuitive manner. Furthermore, after obtaining explicit and relevant consent from you (see Article 6, paragraph 1, point a of the Regulation), ENDU may process your data for the above-mentioned purposes and to invite you to take part in (current and future) promotional initiatives, loyalty programmes or initiatives in conjunction with third parties as well as in order to carry out market surveys and analysis of the level of customer satisfaction, by means of automated communication channels (i.e. text messages, e-mails, automated calls without operator, in-app notifications).

    In order to achieve such objective, ENDU may process the data referred to in point b) of Article 3; furthermore, where you have given consent to profiling as indicated under point d) below, ENDU may process for marketing purposes also the information referred to in point a) c) and f) of Article 3.

    You have the right to withdraw your consent at any time, by writing to info@endu.net.

  4. For profiling purposes

    With your prior explicit consent (see Article 6, paragraph 1, point a of the Regulation), ENDU may process your data in order to better understand your behaviours and interests and, consequently, offer you products which may interest you. In particular, based on your participation in past events, your home area and your navigation activity on ENDU, you may receive communications on recommended events you may want to take part in. For such purpose, ENDU may process the data referred to in points a), b), c) and f) of Article 3).

    You have the right to withdraw your consent at any time, by writing to info@endu.net.

  5. For disclosure to third parties for marketing purposes

    Subject to your explicit and specific consent (see Article 6, paragraph 1, point a of the Regulation), ENDU may disclose some of your data to event organisers and associations with whom ENDU may enter into partnership agreements in order to create interesting or promotional offers dedicated to ENDU sport users. Such organiser and associations may therefore use your data for commercial and promotional purposes, using both automated systems (i.e. e-mail) and traditional channels (i.e. postal service).

    The following identification data may be transmitted: name, last name, date and place of birth, the address of your home or registered office, postal code and contact details (telephone number and e-mail address).

    You have the right to withdraw consent at any time, by writing to info@endu.net.

  6. For sports events coverage and rating

    Within the scope of its mission, aimed at creating an information portal dedicated to all outdoor and endurance sports enthusiasts, ENDU may collect, publish and process for statistical purposes, through its platform, personal data of sports events participants, in particular regarding the results (including finishing positions, overall time and split times) achieved in sport races, that are already accessible due to the public nature of the event and of the relevant results and/or on the basis of specific agreements between the participant and the event organiser. Always with a view to cover sports events, ENDU may also acquire, directly or through its business partners, images relating to such events.

    The legal basis for the processing is Article 6, paragraph 1, point f) of the Regulation to the extent that ENDU uses the data for information purposes without infringing the rights and freedoms of the data subject and that the processing of data relating to images and results as described above can be reasonably expected by the data subject taking part in a public race or event whose results are meant to be disclosed and commented also outside the circle of participants. In the event of photos being used by ENDU for the purpose of covering events, the legal basis for the processing may also be the explicit consent given by the data subject at the time of registration to the sport event.

    In any case, the data subject has the right to object at any time to the processing of his or her personal data, for reasons relating to his or her particular situation, and withdraw the previously given consent by writing to info@endu.net.

  7. In relation to corporate transactions or transfer / lease of the Controller’s business

    ENDU may transfer the data of data subjects to entities resulting from corporate transactions to which ENDU is a party (for instance, mergers, divisions, incorporations, etc.) or to companies which may acquire or lease the Controller’s business or which however, on the basis of a specific agreement, will replace the latter in the provision of the Services.

    In such case, the transfer will aim at ensuring an ongoing relationship in the provision of the Services and will be based on the legitimate interest of the Controller (see Article 6, paragraph 1, point f of the Regulation), without prejudice to the right of the data subject to object at any time to the processing of his or her personal data, for reasons relating to his or her particular situation, by writing to info@endu.net. For such purpose, ENDU may process the data referred to in points a), b), c), d), e) and f) of Article 3).


3. Types of data processed



  1. Navigation data

    The information systems and software procedures relied upon to operate the websites from which ENDU services are provided, acquire certain personal data as part of their standard functioning; the transmission of such data is an inherent feature of Internet communication protocols.

    Such information is not collected in order to relate it to identified data subjects, however it might allow user identification per se after being processed and matched with data held by third parties.

    This data category includes, by way of example, IP addresses or domain names of the computers used by users connecting with ENDU sites, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of such requests, the method used for submitting a given request to the server, returned file size, a numerical code relating to server response status (successfully performed, error, etc.) and other parameters related to the user’s operating system and computer environment.

    These data are only used to extract anonymous statistical information on website use as well as to check correct functioning; they are erased immediately after being processed. Such data may also be used to establish liability in case computer crimes are committed against ENDU sites and their users, also upon request by the judicial authority.

  2. Data provided voluntarily by the user

    ENDU will process the personal data provided by the user at the time of registration, when a specific service request is received (for instance, the registration to a sport event) or within the scope of the relationship with ENDU.

    Such data may include:

    • identification data and contact details (name, surname, gender, date of birth, firm or company name, address, registered office, telephone number and e-mail address);
    • invoicing and payment data (credit card details and information about other payment systems used);
    • certain data categories whose processing is necessary in relation to the provision of a Service requested by the user (for instance, information on any disability of the data subject as this is necessary for the registration under special sections or categories and for participating in sports events);
    • personal information published and shared directly by the data subject through the Services.

    The submission of personal data is a necessary requirement for the purpose of the provision and subsequent use of the Services requested. Failure to provide certain data (biographical data, e-mail address, postal address, payment data and telephone number, etc.) might therefore prevent the Controller from providing the Services requested. To this end, ENDU will indicate as appropriate, also through its own forms, which data is strictly necessary for the purpose of using the Services and any other data whose provision is only necessary to enhance the user’s experience in relation to such Services.

  3. Public and/or freely available data and photo/video recordings of sport events

    The Site and the Services also act as an aggregator of results from competitive and non-competitive sports events. To this end, the Controller may process personal information acquired from lists, public directories (including but not limited to rankings and results from sports events organised by business partners and/or affiliates) or that is freely available to the general public.

    In this respect, it is also necessary to take into account that, as set out in our race or sports event registration forms, photo and video recordings of participants during events may occur, and in such case the organiser may require explicit consent for the publication and distribution of relevant images, also through third party services, including ENDU.

    ENDU processes personal data relating to the photos of participants taken during the event in order to: (i) provide coverage of the sport event within the Site and the Services; (ii) make the photos and videos available on ENDU platform to allow these participants to buy and share photos and videos of them.

    ENDU may acquire photo and video recordings from the organiser, also through its business partners, or, based on the circumstances, provide photo and video service directly, with the consent of the organiser.

    Each participant is free to authorise a friend or a family member to view or buy through the Services photos and videos of him or her; we encourage you to choose carefully and wisely the person with whom you will share the codes and credentials of the Services which allow the recordings to be viewed and purchased.

    Without prejudice to the above general notice, the information sheets of the individual Services (for instance, ENDUpix, etc.), available within the websites dedicated to such Services, contain a detailed description of the criteria and technology used to (i) automatically tag photos and videos of yourself to your profile; (ii) make the photos and videos available only to the relevant subjects.

    In this regard it should be noted that:

    • if no authorization to take photo and video recordings and to disclose them for the above-mentioned purposes is granted, you will not be allowed to register for the event, given that the public nature of sport events makes it impossible to exclude from videos or photos those people who have not granted their consent;
    • by using the Controller’s Services (including but not limited to, ENDUpix or other similar Services), the data subject (or the people authorised by him or her) may purchase only photos and videos of him or her or images deemed to be of general interest in relation to the event; however, as sport events are held in public, it is not possible to ensure that these photos and videos have not captured the image of subjects other than the participant who purchases such photos or videos;
    • considering the characteristics of the events, notices that photography and video recording are taking place may not be posted or may not always be visible.

    Where an individual does not consent to the use of his or her image as outlined above, he or she should not participate in the events in relation to which the organisers acquire, at the time of registration, the rights to subsequently publish and distribute the photo and video recordings, or to sell them via third party services, including ENDU.

    Without prejudice to the above, the data subject can send a written request to the Controller that his or her image be removed or hidden from the Site or the Services, subject to the identification of the photo or video in which he or she appears.

    Where the photo and video recordings are published and distributed directly by the event organiser or by third parties via ENDU platform, the data subject shall consult directly with the organiser or the third party, in their capacity as independent data controllers, for the purpose of exercising his or her rights.

  4. User location data and statistics from sports events

    ENDU Services include tracking and/or timekeeping services during sports events or non-organised sports activities; in order to provide such Services, the Controller detects the geographical position of the user via the GPS system of the device in use or through other technologies such as RFID. Tracking and timekeeping services involve also the analysis of location data for calculating and viewing key sports performance parameters such as distance, split times and average pace/speed. Location data are essential to the provision of the Services requested; without access to this data the Controller cannot provide such services which rely on the detection of the geographical location of the users’ devices. To deny access to your location data, you simply have to refrain from using the geopositioning Services provided by ENDU or turn off the location service on your device. Notwithstanding the above, the organisation running the individual sport event may make participation subject to the collection of participants’ location data for security purposes or any other given reason. Data subjects are therefore encouraged to read the rules and regulations of each event carefully and ask the event organiser directly for any clarifications thereof.

    In case the Services provided by the Controller are used to send an emergency message, the geographical position of the user will be detected in real time and, should the conditions under the Terms of Use of ENDU Services and within the services themselves occur, the user location will be notified via text message and/or in-app message (within the application) and/or e-mail to the emergency contact selected by the user.

    Should ENDU Services be used for tracking routes during races and training activities, the Controller will store such tracking data to allow you to maintain records of your tracks on any device used to access ENDU Services, and also to enable you to share this information with other users or third parties through ENDU Services. You may at any time request erasure of these data by the Controller. If you do so, ENDU will not be able to provide the Services associated to the storage and sharing of location data in relation to your races and training activity. If you close your account, the Controller will erase your personal data or proceed to permanent data anonymization. Nevertheless, such erasure will not affect the processing of data that may have been independently carried out by the organiser of the sports event.

  5. Third party data

    When you provide a telephone number or any other contact to which the automated emergency message can be sent, or the identification data and contact details of a person you want to register for a sport event or other initiative via the Services, the use of such data by ENDU remains under your sole responsibility and to this end you are required to obtain prior express consent from the data subject. Using the Services to share or disclose personal data of third parties without their prior explicit consent to the use of such data in relation to ENDU Services is expressly prohibited.

  6. Data provided by the data subject’s third party providers

    Subject to the data subject’s prior consent, with the aim of delivering the Services upon request by the data subject, ENDU may collect and process data transmitted by its third party providers of specific services (for instance, data concerning the level of physical fitness of the data subject in relation to his or her participation in a sport event that are processed and transmitted by providers of certificates of medical fitness and that are used by ENDU in order to complete the registration for a sport event via its own Services; data relating to the registration for sports events or with sports associations which the data subject wishes to share on his or her ENDU profile).


4. Data processing methods and storage period



All personal data are processed mainly using electronic instruments and methods; nevertheless this does not exclude the use of paper files.

These data will be stored in such a manner to allow identification of the data subjects only for the time strictly necessary to accomplish the purposes for which the data were collected in the first place and, in any case, within the terms of the law.

In order to ensure that personal data are always correct, updated, relevant and complete, we invite both users and other data subjects to keep their data up-to-date through the specific website and application functions connected with ENDU Services or notify us of any changes by sending an email to info@endu.net.

Personal data will be processed solely for the time strictly necessary in relation to the purposes described above.

Except as otherwise provided for in this privacy notice and in the specific notices relating to certain Services, the Controller shall comply with the following storage periods:

  • for the performance of the contract, or for the provision of the Services requested by the user, the data will be processed by ENDU for the whole relationship period and as long as obligations or requirements in connection with such performance exist; after this period, in case of disputes and always with reference to the data in relation to orders or purchases made via the Services, in the light of the ordinary period of prescription of the rights (10 years according to Italian law), the storage period will be extended for an additional 11 years for purposes connected with the fulfilment of legal obligations and to allow ENDU to protect its rights against possible disputes within the limitation period;
  • to comply with legal obligations, the data will be processed and retained by ENDU as necessary to comply with such legal obligations;
  • with regard to the processing for marketing purposes, carried out on the basis of ENDU legitimate interest or subject to your consent, the data will be processed for the whole relationship period with the user and as long as obligations or requirements in connection with such performance exist, except in case of withdrawal of the consent previously given or objection to the processing;
  • for the purpose of profiling, the data will be processed for a maximum period of 12 months or another period otherwise laid down by law or measures by the supervisory authority; after this period the data will be stored if necessary to pursue other aims or permanently erased;
  • in relation to further data being processed by virtue of a legitimate interest of the Controller as set out above, the data will be processed for as long as the legitimate interest exists, without prejudice to the right of the data subject to object to processing.

5. Transmission of personal data to third parties



No data will be disclosed or transmitted to third parties without the express and specific consent of the data subject, apart from location data in accordance with Article 3, point d) above, and the data disclosed or anyhow shared by the user via ENDU Services and related websites as indicated under Article 6) of this privacy notice.

Should the communication of your data to ENDU third party providers, consultants or partners be necessary in relation to the provision of the Services, the Controller shall appoint these third party providers as data processors pursuant to art. 28 of the Regulation, by virtue of their proven ability, experience and reliability. In this respect, for the purpose of data storage, ENDU relies on the hosting services provided by AWS Amazon Web Services Inc from servers located within the European Union; for such purpose AWS has been designated as data processor by ENDU. Data subjects may request at any time the complete and updated list of data processors designated by ENDU as necessary, by sending a request pursuant to Article 9) below.

As referred to in Article 1) above, where ENDU acts as data processor on behalf of a third party provider which provides goods or services via ENDU platform, ENDU may collect and transmit users’ data to the relevant controllers, in its capacity of data processor and on the basis of the privacy notices made available separately by the controllers.

It is understood that your personal data may be communicated to third parties such as law enforcement authorities or other public administrations whenever this is permitted by law or required by orders or measures issued by a competent authority. These subjects will process such data as independent data controllers.


6. Social networks and third party websites



The Site and ENDU Services together represent a platform for sharing sports experiences either individually or within the scope of events organised by third parties or directly by the Controller which involve the participation of several people.

By using ENDU Services within sports races and events, you agree to publicly share your participation in these events and allow access to your location data (as well as time/distance/speed data resulting from relevant analysis) to anyone connecting to the Controller’s or the organiser’s website to follow the event. If you wish to keep this information private, we encourage you to refrain from using the related ENDU Service.

You are free to change at any time your own preferences and settings in relation to the sharing of data and information via ENDU Services, including information about your training activity, by setting your profile to public or private or allowing limited access to it. In this regard, you should carefully consider which data you intend to publish via ENDU Services and the consequences that such publication might have for your private life and the private life of third parties, having regard for instance to race or activity tracking data. In case of doubts about the negative consequences that may arise from the publication of this data, you are encouraged to avoid publishing any such information, or send an email to info@endu.net for more information.

In addition, the Site offers the possibility to share this information on the social networks selected by each user. The providers of these services will act as independent data controllers. If you wish to share your personal information and data on these social network platforms, you are encouraged to read the relevant data processing policies.

In case of races and events organised by third parties, the event organiser may collect and process the data of the users participating in the event, for its own purposes and in accordance with its own privacy notice; you are encouraged to check with the organiser (and any provider the organiser may engage) regarding how and why your data may be processed in connection with your participation in the event. Where the privacy notice of each single event so provides, ENDU may also act as joint data controller with the organiser, or independent data controller, and as a result exchange data and information for the purposes of this privacy notice and by virtue of an adequate legal basis.


7.

Transfer of personal data outside the European Economic Area 



For the purposes stated above, ENDU may transfer your data also to third countries or international organisations outside the European Economic Area (EEA).

In such case, where the Commission has recognized that a country outside the EEA offers an adequate level of data protection, the personal data of data subjects may be transferred on that basis.

Regarding transfers to third countries or international organisations outside the EEA that are not recognized by the European Commission to have an adequate level of protection, ENDU will rely on a derogation applicable to the specific situation (for instance, the transfer is necessary to fulfil a Service the data subject has asked for, such as when an international payment is made) or on one of the following adequate guarantees ensuring the protection of the data subjects’ personal data:

  • general contract terms, approved by the European Commission, which bind the data importer to process such data in compliance with the Regulation and this privacy notice; or
  • binding corporate rules.

For more information on these measures, you can send a written request to info@endu.net.


8.

Security of personal data



Taking into account the state of the art and the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks for the rights and freedoms of data subjects, ENDU, also through its processors engaged pursuant to Article 28 of the Regulation, shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, pursuant to Articles 32 et seq. of the Regulation; such measures include (but are not limited to):

  1. pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In this respect, ENDU has engaged AWS - Amazon Web Services (whose services are certified for compliance with the ISO 27001 standard) as subcontractor, thus ensuring confidentiality, integrity, availability and resilience of IT systems and services through which data are processed and stored.

The controller, moreover, has implemented a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing throughout the whole processing period, and allows access to such data only to individuals duly appointed, except when access is required by a specific provision of Union or Member State law or an order by the authority.


9.

Data subject rights



In accordance with the Regulation, data subjects may exercise their rights in respect of ENDU to:

  • request and obtain information as to whether or not personal data concerning them are held and being processed by ENDU, and obtain access to them;
  • request and receive in a structured, commonly used and machine-readable format the personal data provided to the Controller, where the processing is based on consent or on a contract and is carried out by automated means, and, where technically feasible, have the personal data transmitted to another controller;
  • request and obtain rectification and/or updating of inaccurate or incomplete data;
  • request and obtain erasure of their personal data where the information and the data are not necessary, or no longer necessary, in relation to the purposes referred to above or on other legal grounds (see Article 17 of the Regulation);
  • request and obtain restriction of processing of personal data where accuracy is contested by the data subject or where any further grounds provided for in Article 18 of the Regulation apply;
  • object to further processing of personal data in the cases expressly set out in Article 2) above.

These requests may be submitted to ENDU through endu.net, from the Privacy section of the user’s account, by sending a request to info@endu.net or by means of other channels that ENDU may provide to this end. Any request by e-mail or other channels that do not allow the requester to be identified, must be submitted together with a copy of an identification document so that the person’s identity can be verified.

In accordance with the regulations currently in force, besides the rights referred to above, the data subject also has the right to lodge a complaint with the relevant supervisory authority. The Italian Data Protection Authority is the Garante Per La Protezione Dei Dati Personali, Piazza di Monte Citorio n. 121 00186 ROMA, Fax: (+39) 06.69677.3785, garante@gpdp.it, protocollo@pec.gpdp.it.


10.

Third party websites



The Controller does not exercise control over websites and services run by third parties that may be linked from the Site or ENDU Services nor supervises them with regard to contents and data processing policies thereof. Therefore, ENDU is under no circumstances liable for the processing of data carried out through or in connection with such third party websites.

We therefore encourage you to carefully read the terms of use and the privacy policy of the portals you visit.

ENDU provides links to third party websites and services for the sole purpose of facilitating user navigation. You acknowledge that the inclusion of such hypertext links does not imply nor is intended to provide any kind of recommendation or endorsement of the linked websites and that ENDU makes no warranties with respect to the contents, goods and services provided through them.


11.

Cookies



When visiting the Site pages, small strings of text called cookies are placed on your computer by the Controller or third parties, to ensure normal Site functions and allow the Controller to offer you an improved user browsing experience.

For further information please refer to ENDU Cookie Policy.


12.

Minors



In order to use ENDU and its Services you need to be 18 or older. In the case of photos of minors taken at a sports event, we will apply the provisions stated in Article 3, paragraph 3. The image rights of a minor are exercised by the holder of parental responsibility.

As already stated in the introduction, in order to provide goods and services through ENDU's Portal, some Users might process the personal data of a minor; in such cases ENDU does not operate as the controller. The processing in question therefore falls outside the scope of this Privacy Policy.

Any abuses concerning the processing of a minor's personal data may be reported to info@endu.net so as to help ENDU take the appropriate measures to safeguard the minor, also by immediately blocking the processing of his/her data.


13.

Data Controller



The Controller of the personal data of users and other data subjects whose personal data are processed through the Services is Engagigo S.r.l., with registered offices in Via Francesco Paciotto 6/A, Località Alberi di Vigatto (PR), Italy; for any questions or doubts concerning this Privacy Policy, you may at any time write to the Controller by sending an email to dpo@endu.net.


14.

Amendments and updates



The Controller may amend or update all or part of this document at any time, also where amendments are made to laws or regulations governing the protection of personal data.

It is understood that Users and any other person involved will be notified of any amendment or update on the Site's Homepage and through other channels available as appropriate within the Services (for instance, in-app or email communications sent to registered users). Such changes will be published and communicated at least 20 days before they come into effect, with the aim of ensuring that reasonable notice is given to allow all the persons involved to become aware of the changes, except where the changes are necessary to fulfill a legal obligation, or an order issued by an authority. We therefore encourage you to access the Site from time to time and periodically check the other communication channels commonly used by ENDU, to remain informed about possible changes to this Privacy Policy.




This notice was written in Italian. To the extent any translated version of this notice conflicts with the Italian version, the Italian version controls.