PRIVACY POLICY AND DATA PROTECTION
This privacy policy follows Spanish and European laws in force regarding the protection of online personal data, based on the following:
· Regulation (EU) 2016/679 of the European Parliament and of the European Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
· Spanish Organic Law 3/2018 of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD).
· Law 34/2002, of July 11, 2002, on Information Society Services and Electronic Commerce (LSSI-CE).
Name of the party responsible for processing personal data
The party responsible for processing personal data collected is:
The Confederación Mundial de Peñas del FC. Barcelona (CMP) (FC Barcelona Supporters’ Clubs World Confederation), at Arístides Maillol, 15, 08028 Barcelona, entity registered in the Registro de Asociaciones de la Dirección General de Derecho y de Entidades Jurídicas (Register of Associations of the General Directorate of Law and Legal Entities) of the Generalidad de Cataluña (Catalan government) with number 766 and tax identification number (NIF) G-66522640 (hereinafter, also “Responsible Party”).
Its contact information is:
· Address: C/ Arístides Maillol, 15, 1º piso 08028, Barcelona
· Email: penyes@confederaciopenyes.cat .
Data Protection Officer (DPO)
The Data Protection Officer (DPO) is responsible for ensuring compliance with the data protection regulations to which CMP is bound. The user can contact the DPO appointed by the Responsible Party by using the following contact details:
Principles applicable to the processing of personal data
The processing of the user's personal data shall be subject to the following principles set forth in Article 5 of the GDPR:
· Principle of lawfulness, fairness, and transparency: One of the legitimate reasons listed in Article 6.1 of the GDPR will be required in order to process personal data, informing in advance and in a completely transparent manner the purposes for which these data are collected.
· Principle of purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes.
· Principle of data minimization: Personal data collected will only be strictly necessary in relation to the purpose for which they are processed.
· Principle of accuracy: Personal data must be accurate and kept up to date always.
· Principle of storage limitation: Personal data will only be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
· Principle of integrity and confidentiality: Personal data shall be processed in a manner that ensures its security and confidentiality.
· Principle of accountability: The Responsible Party shall be responsible for ensuring compliance with all the previous principles.
The categories of personal data that the CMP deals with are only identification and contact data. Under no circumstances are special categories of personal data processed as defined in Article 9 of the GDPR.
In order to comply with the above-mentioned principle of transparency, the CMP provides the user with all the information related to the different data processing that it can perform with the personal data the user provides through this website. Following is the list, according to the purpose:
1. Coordination of activities organized by the CMP, federations, and supporters' clubs. This includes sending information through electronic media, the management associated with their participation in these activities and the subsequent dissemination of images through social networks and the corporate website.
· Legal bases:
o Legitimate interest of the Responsible Party for sending information by electronic means (Article 21 of the LSSI).
o The implementation of a contract to which the data subject is a party or the implementation of pre-contractual measures at the request of the data subject based on the relationship that binds us to the federations and official supporters' clubs of which the data subject is a member.
o Consent of the interested party in the use of images for public dissemination, previously granted by means of the corresponding explicit document.
· Duration of the data processing: As long as the user’s relationship with the official supporters' club remains in effect, although the user may oppose the sending of communications and revoke the consent previously granted for the use of the image at any time through the means made available to him/her and which are reported in the rights section of this privacy policy.
· Recipients of the user’s data: The information collected for this purpose through this electronic site may be shared with the federations and supporters' clubs of which the user may be a member.
2. Management of the requests made by the user through this website . We can receive these requests via email o through questionnaires or forms made available to users in our website.
· Legal bases:
o The legitimate interest of the Responsible Party for the formulation, implementation, or defense of claims arising from these requests.
o The implementation of a contract to which the data subject is a party or the implementation of pre-contractual measures at the request of the data subject based on the obligations undertaken between the user and the CMP in relation to these requests.
o Compliance with legal obligations that apply to the Responsible Party.
· Duration: Within the statute of limitations of legal responsibilities originated by this processing.
· Recipients of the user’s data: The user’s personal data may be shared with third parties when it is strictly necessary to fulfill the user’s request and for the formulation, implementation, or defense of a claim.
3. Management of the digital identity of the supporters’ club member . Generation of credentials (username and password) that allows identification as a supporters’ cub member online. Due to its online nature, it allows not only to demonstrate this condition in the digital environment of the CMP, but also in the digital environment of any company or organization with which the CMP may reach agreements.
· Legal basis:
o The implementation of a contract to which the data subject is a party or the implementation of pre-contractual measures at the request of the data subject based on the obligations undertaken between the user and the CMP in relation to this request.
· Duration: As long as the user’s relationship with the official supporters’ club to which he/she belongs to remains in effect.
· Recipients of the user’s data: These credentials will be shared with entities linked to the environment of the CMP, and companies or organizations with which the CMP establishes agreements, and that require the user’s identification in order to obtain the benefits associated with the user’s status as a supporters’ club member.
4. Documentation repository for the exchange of information with federations, supporters' clubs, and the user him/herself. This processing consists in hosting documentation to carry out procedures and requests related to the supporters' club movement.
· Legal bases:
o The legitimate interest of the Responsible Party for the formulation, implementation or defense of claims arising from these requests.
o The implementation of a contract to which the data subject is a party or the implementation of pre-contractual measures at the request of the data subject based on the obligations undertaken between the user and the CMP in relation to these requests.
o Compliance with legal obligations that apply to the Responsible Party.
· Duration: Within the statute of limitations of legal responsibilities originated by this processing.
· Recipients of the user’s data: This documentation may be shared with third parties provided that the services requested by the interested party itself require their communication, and under the principles set out in Article 5 of the GDPR.
5. Sending marketing communications from CMP sponsors. When authorized by the user, the CMP may send marketing communications from its official sponsors by any means. At no time will the personal data of the users of this site be disclosed to these sponsors and it will be the CMP itself the one in charge of sending these marketing communications.
· Legal basis:
o The data subject’s express consent to receive marketing communications from third parties by electronic means (Article 21.1 of the LSSI) or by any other means (Article 6.1.a of the GDPR).
· Duration: As long as the interested party does not revoke their consent. The user may do so through the means made available to him/her and that are reported in the rights section of this privacy policy. Also, through the link at the bottom of the electronic marketing communications.
· Recipients of the user’s data: Personal data will not be communicated to third parties for this purpose.
6. Access to VipDistrict (discounts site). The users of our website will have access to a site from where they will be able to make purchases and benefit from discounts. In order to access this site from our website, the user must previously accept the disclosure of his/her data to VipDistrict.
· Legal basis:
o The express consent of the interested party obtained by checking the box provided for this purpose, before accessing the site.
· Duration: As long as the interested party does not revoke their consent. They may do so through the means made available to them and that are reported in the rights section of this Privacy Policy.
· Recipients of the user’s data : The consent given implies the disclosure of his/her data to VipDistrict, the entity responsible for the discount site, as reported in its privacy policy.
In compliance with the provisions of Article 8 of the GDPR and Article 13 of the LOPD-GDD, only persons over 14 years of age may give their consent to the processing of their personal data in a lawful manner by the CMP. In the case of a minor under 14 years of age, the consent of the parents or guardians will be required for the processing of data, and it will only be considered lawful if it has been authorized.
The CMP is committed to adopting the necessary technical and organizational measures, according to the level of security appropriate to the risk of the data collected, so as to ensure the security of personal data and prevent the accidental or unlawful destruction, loss or modification of personal data transmitted, stored, or otherwise processed, or the unauthorized communication or access to such data. The website has an SSL (Secure Socket Layer) certificate that ensures that personal data is transmitted securely and confidentially, as the transmission of data between the server and the user, and vice versa, is fully encrypted. However, since the CMP cannot guarantee the invulnerability of the internet or the total absence of hackers or others gaining fraudulent access to personal data, the Responsible Party agrees to inform the user without undue delay when there is a breach of security of personal data that is likely to entail a high risk to the rights and freedoms of natural persons.
In accordance with Article 4 of the GDPR, a breach of security of personal data means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Personal data will be treated as confidential by the Responsible Party, who agrees to inform and ensure by means of a legal or contractual obligation that this confidentiality is respected by its employees, partners, and any other person to whom it makes the information available.
With respect to the CMP, the user has the following rights, recognized in the GDPR, which may be exercised through the Responsible Party:
· Right to access : It is the user's right to obtain confirmation as to whether or not the CMP is processing their personal data and, if so, to obtain information about their specific personal data and the processing that the CMP has carried out or will carry out, as well as the information available on the origin of this data and the recipients of the communications made or planned.
· Right of correction: This is the right of the user to modify their personal data that is inaccurate or incomplete, considering the purposes of the processing.
· Right of deletion (the "right to be forgotten"): This is the right of the user, unless otherwise provided for by the legislation in force, to obtain the deletion of his or her personal data when
o it is no longer needed for the purposes for which they were collected or processed;
o the user has withdrawn his/her consent to the processing of the data and there is no other legal basis;
o the user is opposed to the processing of the data and there is no other legal reason to continue doing so; when the personal data have been used illegally;
o the personal data have to be deleted to comply with a legal obligation, or when the personal data have been obtained as a result of a direct offer of information society services to a minor under 14 years of age.
Besides deleting the data, the Responsible Party, considering the technology available and the cost of its implementation, shall take reasonable steps to inform the parties responsible for processing the personal data of the data subject's request for the deletion of any link to such personal data.
· Right to the limitation of data processing: This is the right of the user to limit the processing of his/her personal data. The user has the right to request a limitation of the data processing when he/she contests the accuracy of his/her personal data, the processing is unlawful, the Responsible Party no longer needs the personal data but the user needs them to make claims, and when the user has objected to the processing.
· Right to data portability: In case of data processing by automated means, the user shall have the right to receive from the Responsible Party his/her personal data in a structured, commonly used, and machine-readable format, and to transmit them to another party responsible for data processing. Whenever technically possible, the Responsible Party shall transmit the data directly to the other party responsible for the processing.
· Right of opposition: This is the user’s right not to have his or her personal data processed or to have the CMP cease processing such data.
· Right not to be subject to a decision based solely on automated processing, including profiling: This is the right of the user not to be subjected to an individualized decision based solely on the automated processing of his or her personal data, including profiling, unless otherwise provided by law.
Thus, the user may exercise his/her rights by means of a written communication addressed to the Responsible Party, with the following reference:
“Data Protection Rights”
detailing the following:
· name and last name (surname) of the user and a copy of a government issued identification. In cases where representation is allowed, it will also be necessary to identify the person representing the user, as well as the document proving the representation. The photocopy of the identity card may be replaced by any other legally valid means that proves the identity;
· the request with the specific reasons or information to be accessed;
· the address for notification purposes;
· the date and signature of the person making the request; and
· any document that supports the request being made.
The request and supporting documents should be sent to:
C/ Arístides Maillol, 15, 1º piso 08028, Barcelona
or via email at dpo@confederaciopenyes.cat
The website can include links that allow access to third party websites different from the CMP’s and that therefore are not managed by the CMP. The owners of these websites will have their own data protection policies and it will be them who in each case, are responsible for their own files and privacy policies.
Complaints to the supervisory authority
In the event that the user considers that there is a problem or violation of the regulations in force in the way in which his/her personal data are being processed, he/she shall have the right to effective judicial protection and to file a complaint before a supervisory authority, in particular, in the State where he/she has his/her usual residence, place of work or where the alleged violation takes place. In the case of Spain, the supervisory authority is the Agencia Española de Protección de Datos (Spanish Data Protection Agency) ( http://www.agpd.es).
It is necessary that the user reads and agrees to the conditions on the protection of personal data contained in this Privacy Policy, as well as to accept the processing of their personal data so that the Responsible Party can access them for the duration and for the purposes indicated.
The CMP reserves the right to modify its Privacy Policy, according to its own criteria or due to a legislative, judicial, or doctrinal change of the Spanish Data Protection Agency. Changes or updates to this Privacy Policy will be explicitly notified to the user.
This privacy policy was updated on September 12, 2022.