PRIVACY POLICY

(Effective from 23/10/2023)

Welcome to our platform for the communication, sharing and use of information, services and experiences related to the world of endurance and outdoor.

This Policy is intended to illustrate the methods and purposes of the processing of personal data carried out by Engagigo S.r.l., as the data controller (hereinafter, “ENDU” or the “Controller”), in the provision of services provided through the website www.endu.net (hereinafter: the “Site”) , as well as through other services accessible electronically via sites or mobile applications for which ENDU provides this information (hereinafter: “ENDU Services”). In relation to certain services, ENDU reserves the right to provide a particular policy that may from time to time supplement or modify this information; in case of conflict, the terms of the particular information relating to the specific service prevail.

What is established herein must be considered applicable to anyone who browses the Site or otherwise interacts with the ENDU Services, accessible electronically also by means of any existing or upcoming mobile applications, and more generally to natural persons whose personal data are collected and processed within the scope of the ENDU Services (users of the ENDU Services and, more generally, all persons whose data are processed within the scope of the ENDU Services shall also be referred to below as the "Data Subjects").

The processing of personal data of data subjects shall take place in compliance with applicable legislation, with particular reference to EU Regulation 2016/679 (hereinafter, also the "Regulation") on the protection of natural persons with regard to the processing of personal data, as well as national implementing provisions and measures of the Italian Supervisory Authority for the protection of personal data.


1.

Scope of application



Each person has the right to the protection of their personal data.

For this reason, ENDU has always been strongly committed to ensuring respect for the confidentiality of data subjects and their right to be adequately informed about the collection and processing of their data.

The ENDU Services have therefore been configured, in compliance with the principle of necessity and proportionality, in such a way as to minimise the collection and use of data identifying the data subjects, excluding the processing thereof in all cases in which the intended purposes can be achieved through the use of anonymous data or in any other way.

For the avoidance of doubt, it should be noted that this Privacy Policy must be considered referred to and therefore applicable only to the ENDU Services offered by the Data Controller, without extending to: (i) products and services provided by third parties through the platform and the ENDU Services; (ii) pages or sites accessible through links from the ENDU Services and managed by third parties.

Therefore, each user is invited to carefully read the related privacy policies for a more detailed understanding of the processing carried out through these sites and services.

It should also be noted that ENDU makes its platform available to event organisers, associations and sports clubs and other parties who provide support to the organisers, as well as to sports bodies, or sell goods or services related to the sports activities covered by the services; through the ENDU platform, therefore, the aforementioned parties can directly provide goods or services to users (for example, they can collect registrations for an event or a sports organisation or they can sell goods related to the sports event). In such cases, for the purposes of the protection of personal data, the parties in question operate as independent data controllers on the basis of the independent relationship (for example, the relationship arising from registration for the event or sports organisation) established with the user within the ENDU platform, while ENDU, as provider of the platform used by the data controllers, shall operate as their data processor pursuant to Article 28 of the Regulation and in this capacity may acquire and transmit user data to the data controllers. This policy, therefore, does not concern the processing that these parties shall carry out in their capacity as independent data controllers. Whenever a user establishes an independent relationship with the parties in question through the ENDU platform, they are responsible for reading and verifying the information they provide, in order to find out about the purposes and legal basis of the processing and to express any required consents in an informed manner.


2.

Purpose and legal basis of the processing



The personal data of the data subjects are processed by the Data Controller for the purposes specified below.

  1. For the execution of the contract or in any case to provide ENDU Services requested by the user

    The data of the user and the persons indicated by the latter shall be processed by ENDU for the execution of the contractual relationship and the provision of the ENDU Services provided at the user's request.

    In particular, ENDU may process the data of the user and the persons indicated by the latter for the performance of operational and administrative activities necessary to: (i) manage the registration, authentication and access operations to the platform; (ii) provide geolocation, timing, statistical analysis and other similar services related to participation in sports events or the performance of training; (iii) manage requests for the purchase of goods or services offered through the platform directly by ENDU or by third parties, including registrations for sports events, as well as the purchase of goods or services ancillary to such events; (iv) manage payment transactions at the user's request to allow banking and credit institutions to verify the chosen means of payment, debits and the management of other service procedures; (v) offer a platform for contacts and useful information on the world of endurance and the outdoors, facilitate communication and information between users through networking and messaging services and their participation in initiatives of various kinds (sports, recreation, charity) organised by ENDU or third parties, and by providing a thematic newsletter service dedicated to the world of endurance and outdoor and to projects and sports events organised by ENDU and third party partners; (vi) manage, at the user's request, the interactions of the ENDU Services with third-party social network platforms, to which users can connect according to their preferences in order to share activities or information concerning them; (vii) provide the ENDU Services (for example, ENDUpix or other similar services) through which ENDU allows participants in sports events (and those authorised by them) to purchase, after registering with their services, the photographic and video footage that portrays them during the course of the event; (viii) the issuance of administrative, accounting and tax documents relating to the ENDU Services requested by the user.

    For this purpose, ENDU may process the data indicated in points a), b), c), d), e) and f) of Article 3 below.

    The legal basis of the processing is article 6, paragraph 1, letter b), as the processing is necessary to execute a contract to which the user is a party or, in any case, to provide the ENDU services requested by the data subject.

    Where, for the purposes of providing the requested ENDU Services, the Data Controller needs to process particular categories of user data (i.e. data relating to the user's state of health), the legal basis for the processing shall also be the explicit consent of the user pursuant to Article 9, paragraph 2, letter a) of the Regulation. The failure to provide consent, as well as the revocation of the same, shall determine the impossibility of providing the requested ENDU services for which the data are necessary.

    Likewise, where the ENDU Service requested by the user requires the use of data relating to the location of the electronic device used by the user for the purposes of using the service, ENDU shall request the prior consent of the data subject, which is revocable at any time.

    In relation to the publication and distribution, through the Site and the ENDU Services (for example, ENDUpix or other similar services), of photographs and videos relating to events and sporting events, individual participants shall be required to obtain specific authorisation at the time of registration collected by the organiser.

    Finally, where, at the express indication of the User and always for the purposes of providing the ENDU Services, the Data Controller is processing personal data of persons with whom it does not have a direct relationship (for example, the identification or contact data of a third party registered by a user to a sports event through the services), the processing shall be based, as well as on the need to provide the requested ENDU Service and the authorisation indirectly provided by the data subject, also on the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, letter f) of the Regulation, to the extent that the user who provides the data of the third party through the ENDU Services declares to do so with the prior authorisation of the data subject and the processing of the data of the latter by ENDU, as well as being reasonably foreseeable by the data subject in the light of what has been stated by the user, does not infringe their fundamental rights and freedoms. In this case, the data subject has the right to object at any time, for reasons related to their particular situation, to the processing of their personal data, by writing to privacy@endu.net.

  2. For the fulfilment of legal obligations

    The data of the user and the persons indicated by the latter shall be processed by ENDU for the fulfilment of legal obligations, such as, by way of example, tax obligations related to the execution of the contract and the provision of the ENDU Services.

    For this purpose, ENDU may process the data indicated in points a), b), c), d), e) and f) of Article 3 below.

    The basis of the processing is article 6, paragraph 1, letter c) of the Regulation, as the processing is aimed at fulfilling a legal obligation to which the Data Controller is subject.

  3. To forward commercial communications relating to products/services similar to those already purchased

    ENDU, pursuant to Article 6, paragraph 1, letter f) of the Regulation, may process the user's data on the basis of its own legitimate interest, for the sending, by email, of communications of a commercial nature and/or relating to promotional initiatives concerning products and services similar to those already purchased by the user.

    To achieve this purpose, ENDU may process the data indicated in point b) of Article 3.

    In any case, the user may object at any time to the processing of their data for this purpose, by writing to privacy@endu.net.

    In case of opposition, ENDU shall interrupt such data processing without delay and in any case no later than 5 days from the opposition.

    In addition, the individual communications conveyed by email shall contain a hyperlink within them to simply and intuitively oppose the receipt of further communications.

  4. For the sending of commercial communications relating to ENDU services and products or third parties

    With the express and specific consent of the user, ENDU, pursuant to Article 6, paragraph 1, letter a) of the Regulation, may process the user's personal data in order to send commercial communications concerning its own or third party products and/or services, as well as to invite them to participate in promotional initiatives, loyalty programmes and/or initiatives with third party partners as well as to carry out market surveys and analysis of the level of customer satisfaction.This consent is optional and is not a condition for the conclusion of the contract with ENDU concerning the ENDU Services.

    ENDU may send the communications in question using automated systems (e.g. email, instant messaging systems such as "WhatsApp") and traditional channels (e.g. paper mail and operator calls).

    To achieve this purpose, ENDU may process the identification and contact data as well as the data relating to the requested ENDU Services referred to in point b) of Article 3; in addition, if the user has given their consent to the performance of the profiling activities referred to in point e) below, ENDU may also process the information indicated in point a) of Article 3 for marketing purposes.

    The consent given by the user can be revoked at any time by writing to privacy@endu.net.

  5. For profiling purposes

    With the express and specific consent of the User, ENDU, pursuant to Article 6, paragraph 1, letter a) of the Regulation, may process the user's data to better understand their habits and interests and, consequently, to offer them products and services that ENDU believes may be to their liking, as well as to improve the user experience in the use of ENDU services. In particular, ENDU shall process personal data for this purpose such as information relating to ENDU products and services purchased (by way of example, the type of events in which the user has participated, the type of products, the frequency of purchase, the amount spent), as well as the data relating to their navigation on the Site. To achieve this purpose, ENDU may process the data referred to in points a) and b) of Article 3 (in any case, with the exclusion of data belonging to particular categories, such as data relating to health status). This consent is optional and is not a condition for the conclusion of the contract with ENDU concerning the ENDU Services.

    The consent given by the user can be revoked at any time by writing to privacy@endu.net.

  6. For the transfer of data to third parties for marketing purposes

    With the express and specific consent of the user, ENDU, pursuant to Article 6, paragraph 1, letter a) of the Regulation, may communicate some of the user's data to event organisers and companies operating in the insurance, editorial, tourism, financial, sports, automotive, energy, consumer, humanitarian and charitable organisations sectors for the sending of marketing communications by them. These organisers and companies may therefore use user data for commercial and promotional purposes, using both automated systems (e.g. email, instant messaging systems such as "WhatsApp") and traditional channels (e.g. paper mail and operator calls).

    The user's identification data, such as their name, surname, date and place of birth, home post code, address or registered office and contact data may be communicated. This consent is optional and is not a condition for the conclusion of the contract with ENDU concerning the ENDU Services.

    The consent given can be revoked at any time by writing to privacy@endu.net.

    Sometimes, ENDU may request the consent to the transfer of the user's data to third party partners, for the sending of marketing communications by the latter, also by means of automated systems (for example, email, instant messaging systems such as, by way of example, "WhatsApp"), against advantages or services offered without the payment of cash. User data may be communicated to partners from time to time highlighted in the purchase process.

    Also in this case, the consent given can be revoked at any time by writing to privacy@endu.net. If consent is required for the provision of a duration service, the revocation of said consent shall result in the interruption of the service offered.

  7. For video and photographic filming

    If the user decides to register and participate in an event whose regulations provide for the execution of video or photographic recordings of the event, with the consequent issue of the release for the use of their image, ENDU, on the basis of their legitimate interest, may take the image of the data subject for the purpose of documenting the event as well as to make the photographs of the event available to the participants of the event through their ENDUpix service.

    In any case, the user may object, at any time, to the processing of their data for this purpose, by writing to privacy@endu.net.

    In case of opposition, ENDU shall interrupt such data processing without delay, without prejudice to the lawfulness of the data processing put in place at the time of the opposition.

  8. For the purposes of documentation and evaluation of sports events

    As part of its mission to create an information portal for all endurance and outdoor sports fans, ENDU may collect, publish and process for statistical purposes, through its platform, the personal data of participants in sports events, having specific regard to the results (including placement, final time and intermediate times) obtained by such persons in sports competitions that are already publicly accessible by virtue of the public nature of the event and its results and/or by virtue of specific agreements between the participant and the event organiser. Also for the purpose of documenting events and sporting events, ENDU may also acquire, directly or through its business partners, the relevant photographic footage.

    The legal basis of the processing is Article 6, paragraph 1, letter f) of the Regulation to the extent that ENDU uses the data for information purposes without interfering with the rights and freedoms of the data subject and the processing of data relating to the results and photographic footage in accordance with the terms described above is reasonably foreseeable by any data subject who participates in a competition or event of a public nature and whose results are intended to be disseminated and commented on, even outside the circle of participants. In the case of photographic reproductions used by ENDU for the purpose of documenting the events, the legal basis of the processing may also be the specific consent given by the data subject at the time of registration for the sporting event.

    In any case, the data subject has the right to object at any time, for reasons related to their particular situation, to the processing of their personal data and to revoke the consent previously given, by writing to privacy@endu.net.

  9. For purposes related to corporate transactions or the transfer or rental of the Data Controller's company

    ENDU may transfer the data of the data subjects to parties resulting from corporate transactions to which ENDU is a party (for example, mergers, demergers, incorporations, etc.) or to companies that purchase or lease the Data Controller's company or that, in any case, on the basis of a specific agreement, take over from the Data Controller in the activity of providing the services.

    In this case, the transfer shall be aimed at allowing the normal continuation of the relationships in relation to the provision of the services and shall be based on the legitimate interest of the Data Controller (see Article 6, paragraph 1, letter f of the Regulation), without prejudice to the right of the data subject to object at any time, for reasons related to their particular situation, by writing to privacy@endu.net. To achieve this purpose, ENDU may process the data referred to in points a), b), c) d), e) and f) of Article 3.


3.

Type of data processed



  1. Data provided voluntarily by the user

    ENDU shall process the personal data that the user provides at the time of registration, data relating to the request for a specific service (for example, registration for a sporting event) or data provided in any case as part of the relationship with ENDU.

    This data may include:

    • identification and contact data (name, surname, gender, date of birth, company or business name, address, registered office, telephone number and email address);
    • data relating to the ENDU Services used by the user and to the sports events in which the user has taken part;
    • payment and billing data (data relating to credit cards and other payment systems used by the user);
    • particular categories of data whose processing is necessary in the context of the provision of a service requested by the user (for example, personal data relating to any disability of the data subjects as necessary for registration in special sections or categories and for participation in sports events);
    • personal information published and shared directly by the data subject through the services, including any profile photos.

    The provision of personal data is a necessary requirement for the provision and subsequent use of the services requested. Therefore, any failure to provide certain data (personal data, email address, postal address, payment data and telephone number, etc.) could make it impossible for the Data Controller to provide the requested Services. In this regard, ENDU shall indicate from time to time, also through its forms, the data whose provision is strictly necessary for the use of the services and the further data whose provision is necessary only in order to enhance the user experience in the context of the services.

  2. Public and/or freely accessible data and photographic footage of sporting events

    The Site and the ENDU Services also perform the function of aggregator of results of sporting, competitive and amateur events. To this end, the Data Controller may process personal data taken from lists, public lists (for example: rankings and results of sporting events organised by business partners and/or affiliates) or freely accessible to the general public.

    It should also be noted that, as provided for in the registration forms for events or sporting events, participants may be filmed, by means of photographs or videos, during the events and in this case the organiser may request their specific authorisation for the publication and distribution of the related images, also through third party services, including ENDU.

    ENDU processes the personal data connected to the image of the participants taken during the event from time to time in order to: (i) document the sporting event within the Site and Services; (ii) make the photos and videos available on the ENDU platform in order to allow the participants to purchase and share the photos and videos that portray them through the ENDUpix service, as indicated in Article 2, letter g) of this policy.

    ENDU may acquire the footage of the event from the organiser, also through its business partners, or, as the case may be, carry it out directly in agreement with the organiser.

    Each participant is free to authorise a family member or friend to view and purchase the photos and videos in which they appear by means of the services; it is therefore recommended that you take the utmost care and responsibility in choosing the person with whom you wish to share the codes and access credentials for the services that allow the footage to be viewed and purchased. Without prejudice to the general information above, the information sheets of the individual services (for example, ENDUpix, etc.), available on the websites dedicated to the services themselves, contain the detailed description of the criteria, logic and technology through which (i) the participant's image is automatically recognised within the footage; (ii) the photos and videos are made accessible only to the subjects shot.

    In this regard, it is also specified that:

    • absence of authorisation with respect to photographic and video footage and their provision for the purposes described above shall make it impossible to register for the event, considering that in light of the public holding of sports events it is in fact impossible to exclude people who have denied their authorisation from the footage;
    • through the Data Controller's Services (by way of example, ENDUpix or other similar Services), the data subject (or the persons authorised by them) may only purchase the photographs and videos that portray them or photographs deemed to be of general interest in relation to the event; however, in view of the public holding of the sports events, it is not possible to exclude the possibility that the photographs and videos in question also contain the image of data subjects other than the participant who purchases the photo or video;
    • given the nature of the events, video and photo footage may also be taken in places or in ways that are not reported or with reports that are not always visible.

    If a subject does not share the use of their image in the terms described above, they should not take part in the events in relation to which the organisers acquire, at the time of registration, the rights for the subsequent publication and distribution of the footage, including for a fee and through third party services, including ENDU.

    Without prejudice to the above, the data subject may always send a written request to the Data Controller in order to ensure the removal of their image from the Site and the Services or the pixilation of the same, after identifying the photograph or video that portrays them.

    If the photographic and video footage is published and distributed directly by the organiser or by third parties through the ENDU platform, the data subject must contact the organiser and the third party, as independent data controllers, in order to exercise their rights.

  3. User location data and statistics of sports events

    The ENDU Services also include services related to the tracking and/or timing of sports events or sporting activities carried out in an unorganised manner; in order to provide these Services, the Data Controller locates the user's geographical position through the GPS system of the device used or through other technologies, such as RFID. Tracking and timing services also involve the processing of location data for the calculation and display of key sport performance parameters such as distance, intermediate times, and average pace/speed. The location is necessary for the provision of the requested ENDU Services and without access to such data the Data Controller is not able to provide the ENDU Services in question which presuppose the identification of the geographical location of the devices used by the users. In order not to be located, it is sufficient that the user does not use the location services provided by ENDU or that, in any case, through the settings of their device, they prevent the sharing of their location. Notwithstanding the foregoing, the organiser of the individual sporting event may make participation subject to tracking for safety reasons or for other specific reasons. It is therefore recommended that data subjects carefully read the regulations of the individual events, asking for any clarification in this regard directly from the organiser.

    In the event of use of the Data Controller's Services for the sending of an emergency message, the user's location shall be detected in real time and, upon the occurrence of the conditions specified in the terms of use of the ENDU Services and within the same Services, the user's location shall be communicated by SMS and/or internal message in the application and/or email to the recipient chosen by the user.

    In the event of use of the ENDU Services for the tracking of routes in the context of races or training, the Data Controller shall keep track data to allow the user to maintain the history of their routes on any device on which the ENDU Services are used, as well as to allow the user to share such data with other users or third parties through the ENDU Services. The user can, at any time, ask the Data Controller to delete the data in question. In case of a request for deletion of data, ENDU shall not be able to provide the services related to the storage and sharing of location data relating to the user's training and races. In the event of closure of the user's account, the Data Controller shall delete or permanently anonymise the data in question. In any case, the deletion has no effect on the possible processing of data carried out independently by the organiser of the sporting event.

  4. Third party data

    When the user provides a telephone number or other contact address to which to automatically send an emergency message or the identification and contact data of a person to be registered for a sporting event or other initiative through the services, the use of such data by ENDU takes place under the sole responsibility of the user, who must obtain the express authorisation of the data subject for this purpose. It is expressly forbidden to use the services to communicate or disseminate personal data of third parties who have not previously explicitly authorised the use of their data in the context of the services.

  5. Data transmitted by third-party providers of the data subject

    For the purposes of performing the services requested by the data subject, ENDU may acquire and process data transmitted, subject to the data subject's authorisation, by third parties who provide the data subject with specific services (for example, data attesting to the data subject's physical fitness status with respect to participation in a sporting event that are processed and transmitted by companies specialised in the provision of fitness status certification services and that are used by ENDU to complete registration for a sporting event through its Services; data relating to registration for sporting events or bodies that the data subject intends to share as part of their ENDU profile).


4.

Processing methods and data retention period



All personal data are processed mainly through electronic tools and methods; however, the processing by paper means is not excluded a priori.

The data shall be stored in a form that permits identification of the data subjects only for as long as is strictly necessary to achieve the purposes for which the data was originally collected and, in any case, within the limits of the law.

In order to ensure that personal data are always accurate, up-to-date, complete and relevant, we invite users and other data subjects to keep their data updated through the specific functions of the sites and applications connected to the ENDU Services or to report any changes made to the following email address: privacy@endu.net.

Personal data shall be processed only for the time necessary in relation to the purposes described above.

Unless otherwise set out in this privacy policy and in the detailed policies relating to specific services, the Data Controller shall comply with the following storage periods:

  • for purposes related to the execution of the contract and the provision of the services requested by the users, the data shall be processed by ENDU for the entire duration of the relationship and until there are obligations or fulfilments related to the execution of the same; after this period, in the event of disputes and always for data relating to orders or purchases made through the services, in light of the ordinary limitation period of the rights (10 years in Italian law), the retention period shall be extended for a further 11 years for purposes related to the fulfilment of legal obligations and in order to allow ENDU to defend its rights against possible disputes within the limitation period;
  • for the fulfilment of legal obligations, the data shall be processed and stored by ENDU as long as the need for the processing persists to fulfil said legal obligations;
  • with reference to processing for marketing purposes, carried out on the basis of a legitimate interest of ENDU or prior consent of the user, the data shall be processed for the entire duration of the relationship with the user and until there are obligations or fulfilments related to the execution of the aforementioned relationship, except for any revocation of the consent previously given or opposition to the processing;
  • for profiling purposes, ENDU may process – until termination of the relationship or any withdrawal of consent – the data relating to the last 12 months after which the data shall be stored if necessary to pursue other purposes or will be permanently deleted;
  • in relation to further data processed on the basis of a legitimate interest of the Data Controller as described above, the data shall be processed for as long as the legitimate interest persists, without prejudice to the data subject's right to object.

5.

Communication of personal data to third parties



No data shall be disseminated or communicated to third parties except with the express and specific consent of the data subject, except for the communication of the location data pursuant to point 3, letter d) above, as well as for the data disseminated or otherwise shared by the same user through the ENDU Services and the related websites in accordance with the provisions of point 6) of this policy.

Where communication to third party providers, consultants or partners of ENDU is necessary for needs related to the provision of the ENDU Services, the Data Controller shall be responsible for appointing the latter as data processors pursuant to Article 28 of the Regulation, by virtue of the capacity, experience and reliability demonstrated. In this regard, for the purposes of data storage, ENDU uses the hosting services provided by the company AWS Amazon Web Services Inc. from servers located within the European Union; for this purpose, AWS has been appointed by ENDU as data processor. Data subjects may request, at any time, the complete list of the data processing officers appointed from time to time by ENDU, by sending a request pursuant to Article 9) below. In addition, in certain cases, ENDU may communicate user data to its partners to allow users to benefit from any discounts, promotions or ancillary services provided by such partners (for example, insurance companies); these partners will process as independent data controllers.

As already indicated in Article 1) above, where ENDU operates as a data processor of a third party provider that uses the ENDU platform to provide goods or services to users (including the organisers of sporting events for which the user should register), ENDU may acquire and transmit users' data to the respective data controllers, in its capacity as data processor and on the basis of the information independently made available by the data controllers. It is understood that users' personal data may be freely disclosed to third parties, such as police forces or other public administrations, whenever this is permitted by law or required by an order or provision of a competent authority. These subjects shall process the data as independent data controllers.


6.

Public data sharing, social networks and third-party sites



The Site and the ENDU Services constitute a platform for sharing the sporting experiences of each user, both individually and in the context of events organised by third parties or by the Data Controller itself, in which a range of parties will participate.

By using the ENDU Services in the context of sports competitions and events, the user chooses to share and make public their participation in the sporting event, allowing access to their location data (and those resulting from the related processing in terms of times, speeds and distances) to anyone who connects to the website of the Data Controller or the organiser through which the event can be followed. If you do not intend to share such data publicly, you are advised not to use the relevant ENDU Service.

Each user shall have the opportunity to modify their preferences and settings in terms of data and information sharing, including those related to their training, freely and at any time through the ENDU Services, by creating a public, private or limited-access profile. In this regard, the user's attention is drawn to the importance of carefully evaluating the data to be published through the ENDU Services and the consequences that the publication of such data could have with respect to their private life and that of third parties, having regard, for example, to the data relating to tracking races or training sessions. In case of doubts about the possible negative consequences deriving from the publication, the user is invited not to publish the data or to request more information from ENDU, by writing to privacy@endu.net.

The Site also offers the possibility of sharing such information with the social networks chosen by each user. The managers of these services will act as independent data controllers. Users who wish to share their data and information on these social networks are invited to read the respective policies on the processing of personal data.

In the case of events and competitions organised by third parties, the organiser may acquire and process the data of any user who takes part in the event for its own purposes and on the basis of independent information; the user is therefore invited to check with the organiser (and any providers used by the organiser) regarding the means and purposes of processing their data related to participation in the event. Where provided for in the policy relating to each specific event, ENDU may also play the role of joint data controller or independent data controller together with the organiser, with consequent exchange of data and information for the purposes described in the policy and by virtue of an adequate legal basis.


7.

Transfer of personal data outside the European Economic Area 



To achieve the purposes described above, ENDU may also transfer data to third countries or international organisations outside the European Economic Area ("EEA").

In that case, where the European Commission has recognised that a country outside the EEA is able to guarantee an adequate level of data protection, the personal data of the data subjects may be transferred on that basis.

For transfers to countries or international organisations outside the EEA whose level of protection has not been recognised by the European Commission, ENDU will either rely on an exemption applicable to the specific situation (for example, a transfer necessary to perform a service at the data subject's request, as in cases in which an international payment is made), or on one of the following adequate safeguards to ensure the protection of the personal data of data subjects:

  • standard contractual terms, approved by the European Commission, which bind the data importer to the processing of the data in compliance with the Regulation and this policy; or
  • binding corporate rules.

To obtain more information on these measures, you can send a written request to privacy@endu.net.


8.

Security measures



Taking into account the state of the art and the costs of implementation, as well as the nature, purpose, context and purposes of the processing, as well as the risks to the rights and freedoms of data subjects, ENDU, also through its data processors appointed pursuant to Article 28 of the Regulation, shall implement adequate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with Articles 32 et seq. of the Regulation; these measures include, among others:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to promptly restore availability and access to personal data in the event of a physical or technical incident;
  4. a procedure for regularly testing, evaluating and verifying the effectiveness of technical and organisational measures to ensure the security of the processing.

To this end, ENDU uses as a subcontractor the company AWS – Amazon Web Services Inc., whose services are certified according to the ISO 27001 standard, thus guaranteeing the confidentiality, integrity, availability and resilience of computer systems and the related services through which data are stored and processed.

Furthermore, the Data Controller has a procedure in place for the regular verification of the effectiveness of the technical and organisational measures adopted to ensure the security of the processing for its entire duration and allows access to the data only to duly trained subjects, except in cases where access must take place pursuant to a specific provision of European Union or Member State law or an order of the authorities.


9.

Rights of the data subject



Pursuant to the Regulation, data subjects may exercise the following rights against ENDU:

  • the right to request and obtain information on the existence of their data held by ENDU and on the processing of personal data carried out by ENDU, as well as to obtain access to such data;
  • the right to request and obtain receipt (in a structured, commonly used and machine-readable format) of their data provided to the Data Controller, where the processing is based on consent or on a contract and is carried out by automated means, as well as, where technically possible, the transfer of such data to another data controller;
  • the right to request and obtain the modification and/or rectification of data that is inaccurate or incomplete;
  • the right to request and obtain the erasure of their data if such data or information is not required – or no longer required – for the above purposes, or if the other conditions provided for by law are met (see article 17 of the Regulation);
  • the right to request and obtain the restriction of the processing of their data if the data subject contests its accuracy or in the other cases provided for in article 18 of the Regulation;
  • the right to oppose further processing of their data in the cases expressly defined in article 2) above.

These requests may be addressed to ENDU through the endu.net website, by accessing the Privacy section of your account, by sending a request to privacy@endu.net or through other channels that ENDU may make available to data subjects. Requests transmitted through emails or other channels that do not allow the identification of the applicant must be accompanied by a copy of the latter's identity document in order to verify their identity.

In accordance with current legislation, in addition to the above rights, data subjects also have the right to submit a complaint to the competent supervisory authority, which in Italy is the Italian Data Protection Authority: Garante per la protezione dei dati personali, Piazza di Monte Citorio 121 00186 ROME, Fax: (+39) 06.69677.3785, garante@gpdp.it, protocollo@pec.gpdp.it.


10.

Links to other websites



The Data Controller does not control, and has no way of supervising, either the content or the personal data processing policies of the websites and third-party services accessible through the links contained within the Site and the ENDU Services. Therefore, ENDU cannot under any circumstances be held responsible for the processing carried out through or in relation to these third-party sites. Users are therefore invited to pay the utmost attention in this respect, reading the conditions of use and the privacy policies published on the portals visited. ENDU provides links to websites and services managed by third parties exclusively to facilitate user navigation, it being understood that the activation of these hyperlinks does not imply, nor should it imply, any kind of recommendation or report by the Data Controller for access to and navigation on these websites, nor any guarantee about their contents or the goods and services provided through them.


11.

Cookie



Normal navigation within the pages of the Site involves the installation, by the Data Controller or third parties, of small text files called cookies, the use of which is aimed both at ensuring the normal functionality of the Site and at allowing the Data Controller to offer its users a better browsing experience. For more information on this, data subjects are invited to read the Cookie Policy.


12.

Minors



The use of the ENDU Services is reserved for users over 18 years of age. In the case of images of minors taken during a sporting event, the provisions of Article 3 c) above shall apply. The rights relating to the minor's image must be exercised directly by the person exercising parental authority.

As already mentioned in the premise, in order to provide goods and services through the ENDU platform, some users may process personal data relating to minors; in such cases, ENDU does not operate as a data controller and therefore the processing in question is outside the scope of this Privacy Policy.

In any case, any abuses related to the processing of minors' data may be reported to privacy@endu.net in order to allow ENDU to take the appropriate measures to protect the minor concerned, including through the immediate blocking of the processing of their data.


13.

Data controller



The Data Controller of the personal data of users and other data subjects whose data is processed through the services is Engagigo S.r.l., with registered office in Via Francesco Paciotto 6/A, Alberi di Vigatto (PR), Italy; the Data Controller can be freely contacted by the data subjects in relation to any doubt or request related to this Privacy Policy, by writing to the email address dpo@endu.net.


14.

Amendments and updates



The Data Controller may freely amend or update all or part of this document, including in consideration of amendments to laws or regulations governing the protection of personal data.

It is understood that users and other data subjects shall be notified of any changes or updates on the homepage of the Site and through the other channels available from time to time within the services (for example, in-app communications or email communications for registered users). Upon new access to the Site and the Services by the data subject, ENDU shall ask the latter to confirm that they have read the new version of the Privacy Policy applicable to the processing of their data.