This Privacy Policy refers to the processing of personal data that will be carried out in the event of membership in the Prema Fan Club and during associated activities. In accordance with the European Regulation on Data Protection [Regulation (EU) 2016/679, hereinafter also "GDPR"] and the relevant Italian legislation (hereinafter, collectively, "Applicable Law"), this Privacy Policy is provided to those who join the Prema Fan Club (hereinafter, “Data Subject”).
This Privacy Policy shall be intended as an integral part of the Privacy Policy of the website premafanclub.com (hereinafter, “Website”).
If you are a minor or are in the process of associating a minor, please read the privacy policy for minors.
1. Data Controller and contact details
The Data Controller is the Prema Fan Club association with registered office in Via Alcide De Gasperi 126, 36040 Grisignano di Zocco (VI), VAT n. 95155280241, hereinafter also “Fan Club”, "Data Controller" or only “Controller”.
For any clarification, information, exercise of the rights listed in this Privacy Policy, you can contact the Data Controller at the following e-mail contact: help@premafanclub.com.
2. Personal data subject to processing
The personal data processed through the Website are the following:
- personal data provided by the Data Subject (e.g., name, surname, date and place of birth, residence, tax code, e-mail address) to join the Fan Club through the “PREMA FAN CLUB SUBSCRIPTION” section of the Website and to receive confirmation of membership by e-mail;
- personal data concerning the credit card or other digital payment instrument used according to the methods indicated by the Controller for the payment of the Fan Club membership fee. Specifically, the Data Subject will be directed to the web page of the payment service provider, in this case, PayPal, and will enter the data required to complete the payment procedure. The data in question will not pass through the Website's server, which will only save the payment method used;
- contact data of the Data Subject (e-mail address) for membership in the association's institutional mailing list to receive information and communications from the Fan Club;
- personal data provided by the Data Subject (e.g. name, surname, address of residence) for the shipping of the gift box dedicated to members of the Fan Club;
- personal data provided by the Data Subject (e.g. name, surname, contact details), for the participation in events organized by the Fan Club; during the events the Data Subject's image and voice may be collected to take photos and videos to promote the event on the Fan Club's website and social networks, according to the authorization for use of images and privacy policy provided during the event;
- personal data provided by the Data Subject (e.g. username, e-mail address, and personal data contained in messages/iterations with other community participants) to allow the access and participation of the Data Subject in the online communities reserved to Fan Club members. In particular, please note that an online community is active on Discord: please refer to the related privacy policy, available at the following link: https://discord.com/privacy.
The Data Controller shall process personal data in compliance with the Applicable Law, assuming that they refer to the Data Subject or to third parties who have expressly authorised the Data Subject to provide them or whose personal data that the Data Subject was entitled to provide. With respect to these assumptions, the Data Subject undertakes to relieve and indemnify the Data Controller from any dispute, claim, or request for compensation for damage caused by the processing of personal data that may be received from such third parties.
3. Purposes and legal basis of the processing
The acquired personal data will be processed for the following purposes and based on the following legal bases:
PURPOSES LEGAL BASIS
Proceeding with the membership of the Data Subject to the Fan Club, including payment of the membership fee. The processing is necessary for the performance of a contract to which the Data Subject is party and/or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6(1)(b) of the GDPR].
Subscribing the Data Subject to the Fan Club mailing list for institutional communication. The processing is necessary for the performance of a contract to which the Data Subject is party and/or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6(1)(b) of the GDPR].
Sending the Data Subject the gift box dedicated to Fan Club members. The processing is necessary for the performance of a contract to which the Data Subject is party and/or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6(1)(b) of the GDPR].
Allowing the Data Subject to participate in events organized by the Fan Club. The processing is necessary for the performance of a contract to which the Data Subject is party and/or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6(1)(b) of the GDPR].
Optionally, when attending such events: to take photos and videos to promote the event on the Fan Club's website and social networks The Data Subject’s consent [art. 6(1)(a) of the GDPR] - on such occasions the Fan Club will provide the Data Subject with specific authorization for use of images and privacy policy.
Allowing access and participation of the Data Subject in the online community reserved for Fan Club members (such as, Discord). The processing is necessary for the performance of a contract to which the Data Subject is party and/or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6(1)(b) of the GDPR].
Fulfilling the obligations of administrative and/or accounting and/or fiscal nature connected to the payment of the membership fee. The compliance with legal obligations to which the Data Controller is bound [Article 6(1)(c) of the GDPR].
Complying with legal obligations to which the Data Controller is bound, included to respond to any requests to exercise the Data Subject’s rights as data subject under current data protection legislation. The compliance with legal obligations to which the Data Controller is bound [Article 6(1)(c) of the GDPR].
Verifying any fraudulent or illegal use of the Website in general and ensure its security and functionality in the interest of the Data Subjects and the Data Controller. The legitimate interest of the Data Controller and the Users themselves to prevent or identify any fraudulent or otherwise illegal use of the Store, and the Website in general [art. 6(1)(f) of the GDPR].
Carrying out research/statistical analysis on aggregate or anonymous data, without therefore being able to identify the Data Subject, to measure traffic and assess the Website usability and the interest of Data Subjects. The legitimate interest of the Controller to verify the usability and appeal of the Website [art. 6(1)(f) of the GDPR].
Ascertaining, exercising, or defending a right in administrative, jurisdictional or extrajudicial proceedings or whenever administrative or jurisdictional authorities exercise their functions. The legitimate interest to ascertain, exercise, or defend a right in administrative, jurisdictional or extrajudicial proceedings or whenever administrative or jurisdictional authorities exercise their functions. [art. 6(1)(f) of the GDPR].
4. Nature of the provision of personal data
The provision of data by the Data Subject is optional. Nonetheless, failure to provide the data, in whole or in part, could prevent the Data Subject from joining the Fan Club and/or to benefit from the services offered to members (such as receiving a gift box).
5. Methods of personal data processing
Personal data are processed with manual and/or computer-based instruments, in a manner than ensures their security and confidentiality. To this end, the Data Controller has adopted and implements both technical and organisational security measures appropriate to the level of risk related to the processing of personal data.
Specifically, the Website functionality is provided an HTTPS encrypted connection, and personal data are collected, filed, and stored on secure servers protected by firewalls and physically located within the European Union.
6. Recipients of personal data
The personal data of the Adults and Minors may be shared, for the purposes set out above, with:
• persons authorised by the Data Controller to process personal data pursuant to and for the purposes of Article 29 of the GDPR and Article 2-quaterdecies of the Privacy Code, and who have received specific instructions on how to process the data in accordance with the Applicable Law;
• Prema Racing S.r.l., as data processor pursuant to and for the purposes of art. Article 28 of the GDPR, to provide administrative support to the Fan Club in the management of members, services, events supplied by the Fan Club;
• companies, consultants, or professionals who may be entrusted with the installation, maintenance, and updating of the Website (e.g., web agencies and/or marketing agencies) and, in general, with the management of the hardware and software of the Data Controller, including the hosting provider and cloud computing services providers that act as data processor pursuant to and for the purposes of Article 28 of the GDPR;
• the payment service provider;
• public entities, subjects, or Public Authorities, as independent data controllers, when it is mandatory to disclose personal data according to provisions or orders of the authorities, or to prevent and/or detect any fraudulent activity or abuse concerning the use of Website and the services offered by the Data Controller;
• law firms, associated firms, consultants, or professionals (e.g., legal, administrative, and/or tax consultancies) who may be appointed to support the Data Controller in order to ensure the correct fulfilment of the legal obligations with which the Data Controller is required to comply and/or in the the ascertainment, exercise, or defense of legal claims in court or whenever the jurisdictional or administrative authorities exercise their jurisdictional functions¸
• companies providing logistical and/or shipping and delivery support for products, including the gift box.
7. Transfers to non-EEA countries or international organisations
The Data Controller’s hosting provider’s servers are located within the European Economic Area.
With regard to online communities, personal data may be transferred to countries outside the European Economic Area. In particular, with reference to the Discord platform, the provider is based in the United States. The Data Controller, in accordance with art. 45 of the GDPR the transfers of personal data take place on the basis of the adequacy decision adopted by the European Commission: the rights and freedoms of data subjects are assessed as adequately protected when transfers take place within the Data Privacy Framework. Discord Inc is an active participant in the Data Privacy Framework.
8. Period of retention of personal data
The Data Subject's personal data or provided by the Data Subject will be kept for a period not exceeding the one necessary for the pursuit of the purposes indicated above and for which they are processed.
In particular, personal data processed for the membership for Fan Club will be kept for a maximum period of ten years after the end of the membership period by the Data Subject. This maximum retention period may be extended, where the conditions are met, in order to allow the User to exercise and defend a legal claim or whenever the Jurisdictional Authority exercises its functions and/or at its request of the latter.
9. Rights of the Data Subject
The Data Subject has the right:
• to receive confirmation as to whether or not his/her personal data are being processed and, if so, to obtain access to them and to a range of relevant information including, for example, information concerning : a) the purposes of the processing; b) the categories of personal data that are subject to the processing; c) the entities or categories of entities to whom or which the personal data have been or will be communicated; d) the retention period of the data or, if that is not possible, the criteria used to determine that period; e) the source of the personal data, if they have not been provided by the Data Subject;
• to request and obtain the updating of personal data, the rectification of inaccurate data, or the integration of incomplete data where there is the interest;
• to request and obtain the erasure of personal data if: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the Data Subject objects to the processing carried out on the basis of a legitimate interest of the Controller and there is no overriding legitimate reason to continue the processing; c) the personal data have been processed unlawfully; d) the personal data must be erased by the Controller in compliance with a legal obligation; (e) the processing of personal data is based on consent, and that consent is withdrawn and there is no other legal basis for processing;
• to request and obtain the restriction of processing in the event of: (a) contestation of the accuracy of personal data for the time necessary for the Data Controller to carry out the requested verifications; (b) unlawful processing of data by the Data Controller, if the Data Subject objects to the erasure of the data and instead requests the restriction of its use; (c) ascertainment, exercise, or defense of a legal claim of the Data Subject in court, although the Data Controller no longer needs the data for the purposes of processing; (d) awaiting the outcome of the verification as to whether the Data Controller's legitimate reasons prevail over the legitimate reasons of the Data Subject;
• in cases where the processing is based on consent or a contract and is carried out by automated means, to request and to receive personal data in a structured, commonly used, and machine-readable format and to obtain the direct transmission of them by the Controller to another controller, if technically possible;
• to object, in whole or in part, to the processing of personal data that has its legal basis in the legitimate interest of the Data Controller, on grounds relating to the particular situation of the Data Subject;
• in cases where the processing is based on consent, to withdraw, at any time, the consent given without prejudice to the lawfulness of processing based on consent before its withdrawal;
• to file a complaint with the supervisory Authority pursuant to Article 77 of the GDPR (and Articles 140-bis et seq. of the Privacy Code), if he/her believes that his/her rights under the Applicable Law have been infringed.
The Data Controller shall inform each of the recipients to whom the personal data have been transmitted of any rectification, erasure, and/or restriction of processing carried out, except when this proves impossible or involves a disproportionate effort.
10. Ways of exercising rights of the Data Subject
As data subject, the Data Subject may exercise the above-mentioned rights at any time by contacting the Data Controller using the contact detail listed in paragraph “1. Data Controller and contact details” of this procedure.
In order to lodge a complaint with the Italian Data Protection Authority, the User may use the forms available on the website of the relative Authority.
11. Changes to this Privacy Policy
This Privacy Policy may be amended, and/or integrated and/or updated periodically, including as a result of updates of the Applicable Law. In such cases, the Data Controller shall inform the Data Subject of any amendments and/or integrations, and/or updates to this Privacy Policy by publishment on the Website.
Rev. 01 - Last Update: 05/08/2024