Privacy Policy for Minor Members

This Privacy Policy refers to the processing of personal data referring to minors that will be carried out in case in the event of membership to Prema Fan Club and during association activities. In accordance with the European Regulation on Data Protection [Regulation (EU) 2016/679, hereinafter also "GDPR"] and the relevant Italian legislation (hereinafter, collectively, the "Applicable Law"), this Privacy Policy is provided to who join Prema Fan Club (hereinafter, “Data Subject”).

For the purposes of this Privacy Policy:

- Minor: a person under the age of 18 who joins the Prema Fan Club;

- Adult: a person aged 18 or older who acts in the name and on behalf of the Minor and who, at the same time, holds parental responsibility for the Minor.

If you are a Minor, please give this page to a parent/adult or have them read it.

If you are an Adult, please either give this Privacy Policy to the Minor, or have him or her read it, or explain to him or her how Prema Fan Club will process the personal data of the Minor.

This Privacy Policy shall be intended as an integral part of the Privacy Policy of premafanclub.com (hereinafter, “Website”).

If you are an Adult wishing to join the Prema Fan Club, please read the privacy policy for adult members .

1. Data Controller and contact details

The Data Controller is the Prema Fan Club association with registered office in Via Alcide De Gasperi 126, 36040 Grisignano di Zocco (VI), VAT n. 95155280241, hereinafter also “Fan Club”, "Data Controller" or only “Controller”.

For any clarification, information, or exercise of the rights listed in this Privacy Policy, contact the Data Controller at following e-mail contact: help@premafanclub.com.

2. Personal data subject to processing

The personal data processed through the Website are the following:

- personal data of the Minor provided by the Adult (for example, name, surname, date and place of birth, residence, tax code, and e-mail address) to enroll the Minor in the Fan Club through the “PREMA FAN CLUB SUBSCRIPTION” section of the Website, as well as personal data of the Adult (for example, name, surname, date and place of birth, residence, tax code, e-mail address, and relationship to the Minor) in order to identify him/her and verify that he/she holds parental responsibility for the Minor;

- personal data concerning the credit card or other digital payment instrument used according to the methods indicated by the Controller for the payment of the Fan Club membership fee. The Adult will be directed to the web page of the payment service provider, in this case PayPal, and shall enter the data required to complete the payment procedure. The data in question will not pass through the Website's server, which will only save the payment method used;

- data of the Minor (e-mail address), provided by the Adult, for the membership to the association's institutional mailing list in order to receive information and communications from the Fan Club;

- personal data of the Minor (e.g. name, surname, address of residence) provided by the Adult, for the shipping of the gift box dedicated to members of the Fan Club;

- personal data of the Minor (e.g. name and surname, contact details) provided by the Adult, for the participation in events organized by the Fan Club; during the events the Minor's image and voice may be collected to take photos and videos to promote the event on the Fan Club's website and social networks, according to the authorization for use of images and privacy policy provided during the event;

- personal data of the Minor (e.g. username, e-mail address and personal data contained in messages/iterations with other community participants) to allow the access and participation of the Minor in online communities reserved to Fan Club members, without prejudice to both the Fan Club Regulation and applicable legislation. In particular, please note that an online community is active on Discord: please refer to the related privacy policy, available at the following link: https://discord.com/privacy.

The Data Controller shall process personal data of the Minor and personal data of the Adult in compliance with the Applicable Law, assuming that they refer to them or to third parties who have expressly authorised to provide them or whose personal data that the Adult was entitled to provide. Under these assumptions, the Minor and the Adult undertake to release and indemnify the Data Controller from any dispute, claim, or request for compensation for damage caused by the processing of personal data that may be received from such third parties.

3. Purposes and legal basis of the processing

The acquired personal data of the Minor will be processed for the following purposes and based on the following legal bases:

PURPOSES LEGAL BASIS

Proceeding with the membership of the Minor to the Fan Club, including payment of the membership fee. The processing is necessary for the performance of a contract to which the data subject is party and/or in order to take steps at the request of the data subject prior to entering into a contract [art. 6 (1)( b), of the GDPR].

Subscribing the Minor to the Fan Club mailing list for institutional communication. The processing is necessary for the performance of a contract to which the data subject is party and/or in order to take steps at the request of the data subject prior to entering into a contract [art. 6 (1)( b), of the GDPR].

Sending the Minor the gift box dedicated to Fan Club members. The processing is necessary for the performance of a contract to which the data subject is party and/or in order to take steps at the request of the data subject prior to entering into a contract [art. 6 (1)( b), of the GDPR].

Allowing the Minor to participate in events organized by the Fan Club. The processing is necessary for the performance of a contract to which the Data Subject is party and/or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6(1)(b) of the GDPR].

Optionally, when attending such events: to take photos and videos to promote the event on the Fan Club's website and social networks The Minor’s consent provided by the Adult [art. 6(1)(a) of the GDPR] - on such occasions the Fan Club will provide the Minor and the Adult with specific authorization for use of images and privacy policy.

Allowing access and participation of the Minor in the online community reserved for Fan Club members, such as Discord, without prejudice to both the Fan Club Regulation and applicable legislation. The processing is necessary for the performance of a contract to which the Data Subject is party and/or in order to take steps at the request of the Data Subject prior to entering into a contract [art. 6(1)(b) of the GDPR].

Fulfilling the obligations of administrative and/or accounting and/or fiscal nature connected to the payment of the membership fee. The compliance with legal obligations to which the Data Controller is bound [Article 6(1)(c) of the GDPR].

Complying with legal obligations to which the Data Controller is bound, included to respond to any requests to exercise the Minor’s rights as data subject under current data protection legislation. The compliance with legal obligations to which the Data Controller is bound [Article 6(1)(c) of the GDPR].

Verifying any fraudulent or illegal use of the Website in general and ensure its security and functionality in the interest of the data subjects and the Data Controller. The legitimate interest of the Data Controller and the Users themselves to prevent or identify any fraudulent or otherwise illegal use of the Store, and the Website in general [art. 6(1)(f) of the GDPR].

Carrying out research/statistical analysis on aggregate or anonymous data, without being able to identify the Minor, to measure traffic and assess the Website usability and the interest of the data subjects. The legitimate interest of the Controller to verify the usability and appeal of the Website [art. 6(1)(f) of the GDPR].

Ascertaining, exercising, or defending a right in administrative, jurisdictional or extrajudicial proceedings or whenever administrative or jurisdictional authorities exercise their functions. The legitimate interest to ascertain, exercise, or defend a right in administrative, jurisdictional or extrajudicial proceedings or whenever administrative or jurisdictional authorities exercise their functions. [art. 6(1)(f) of the GDPR].

The personal data acquired referring to the Adult will be processed for the purposes and on the basis of the legal bases set out below.

PURPOSES LEGAL BASIS

Identify the Adult who is acting in the name of and on behalf of the Minor. The processing is necessary for the performance of a contract to which the data subject is party and/or in order to take steps at the request of the data subject prior to entering into a contract [art. 6 (1)( b), of the GDPR].

Complying with legal obligations to which the Data Controller is bound, included to respond to any requests to exercise the Adult’s rights as data subject under current data protection legislation. The compliance with legal obligations to which the Data Controller is bound [Article 6(1)(c) of the GDPR].

Carrying out research/statistical analysis on aggregate or anonymous data, without therefore being able to identify the Adult, to measure traffic and assess the Website usability and the interest of the data subjects. The legitimate interest of the Controller to verify the usability and appeal of the Website [art. 6(1)(f) of the GDPR].

4. Nature of the provision of personal data

The provision of data by the Adult referring to themselves or the Minor is optional. Nonetheless, failure to provide this data, in whole or in part, could prevent joining the Fan Club and/or benefiting from the services offered to members (such as, for example, receiving a gift box).

5. Methods of personal data processing

Personal data are processed with manual and/or computer-based instruments in a way that guarantees their security and confidentiality. To this end, the Data Controller has adopted and implements both technical and organisational security measures appropriate to the level of risk associated with the processing of personal data.

In particular, the Website functionality is provided on an HTTPS encrypted connection, and personal data are collected, filed, and stored on secure servers protected by firewalls and physically located within the European Union.

6. Recipients of personal data

The personal data of the Adult and the Minor may be shared, for the purposes set out above, with:

• persons authorised by the Data Controller to process personal data pursuant to and for the purposes of Article 29 of the GDPR and Article 2-quaterdecies of the Privacy Code and who have received specific instructions on how to process the data in accordance with the Applicable Law;

• Prema Racing S.r.l., as data processor pursuant to and for the purposes of Article 28 of the GDPR, to provide administrative support to the Fan Club in managing members and services, as well as in organizing events supplied by the Fan Club;

• companies, consultants, or professionals who may be entrusted with the installation, maintenance, and updating of the Website (for example, web agencies and/or marketing agencies) and, in general, with the management of the hardware and software of the Data Controller, including the hosting provider and cloud computing services providers that act as data processor pursuant to and for the purposes of Article 28 of the GDPR;

• the payment service provider;

• public entities, subjects, or Public Authorities to whom, as independent data controllers, it is mandatory to disclose personal data according to provisions or orders of the authorities or to prevent and/or detect any fraudulent activity or abuse concerning the use of Website and the services offered by the Data Controller;

• law firms, associated firms, consultants, or professionals (e.g., legal, administrative and/or tax consultancies) who may be appointed to support the Data Controller to ensure the correct fulfilment of the legal obligations with which the Data Controller is required to comply and/or in the ascertainment, exercise or defence of legal claims in court or whenever the jurisdictional or administrative authorities exercise their jurisdictional functions¸

• companies providing logistical and/or shipping and delivery support for products, including the gift box.

7. Transfers to non-EEA countries or international organisations

The hosting provider's servers used by the Data Controller are located within the European Economic Area.

With regard to online communities, personal data may be transferred to countries outside the European Economic Area. In particular, with reference to the Discord platform, the provider is based in the United States. The Data Controller, in accordance with art. 45 of the GDPR the transfers of personal data take place on the basis of the adequacy decision adopted by the European Commission: the rights and freedoms of data subjects are assessed as adequately protected when transfers take place within the Data Privacy Framework. Discord Inc is an active participant in the Data Privacy Framework.

8. Period of retention of personal data

The personal data of the minor and/or Adult provided by the Adult will be kept for a period not exceeding that necessary for the pursuit of the purposes indicated above and for which they are processed.

Specifically, personal data processed for Fan Club membership will be kept for a maximum period of ten years after the Minor’s membership ends. This maximum retention period may be extended, if conditions are met, to allow the User to exercise and defend a legal claim or when requested by the Jurisdictional Authority in the exercise of its functions and/or at the request of the latter.

9. Rights of the Minor and the Adult

The Minor and the Adult have the right:

• to receive confirmation as to whether or not his/her personal data are being processed and, if so, to obtain access to them and to a range of relevant information, including, by way of example, information concerning: a) the purposes of the processing; b) the categories of personal data that are subject to the processing; c) the entities or categories of entities to whom or which the personal data have been or will be communicated; d) the retention period of the data or, if that is not possible, the criteria used to determine that period; e) the source of the personal data, if not provided by the Minor and/or the Adult;

• to request and to obtain the updating of personal data, the rectification of inaccurate data, or the integration of incomplete data when there is an interest;

• to request and obtain the erasure of personal data if: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the Minor and/or the Adult objects to the processing carried out based on the Controller’s legitimate interest and there is no overriding legitimate reason to continue the processing; c) the personal data have been processed unlawfully; d) the personal data must be erased by the Controller in compliance with a legal obligation; (e) the processing of personal data has as its legal basis consent and that consent is withdrawn and there is no other legal basis for processing;

• to request and obtain the restriction of processing in the event of: (a) contestation of the accuracy of personal data for the time necessary for the Data Controller to carry out the requested verifications; (b) unlawful processing of data by the Data Controller, if the Minor and/or the Adult objects to the erasure of the data and instead requests the restriction of its use; (c) ascertainment, exercise or defence of a legal claim of the Minor and/or the Adult in court, although the Data Controller no longer needs the data for the purposes of processing; (d) awaiting the outcome of verification as to whether the Data Controller's legitimate reasons prevail over the legitimate reasons of the Minor and/or the Adult;

• in cases where the processing is based on consent or a contract and is carried out by automated means, request and receive personal data in a structured, commonly used, and machine-readable format, and obtain the direct transmission of them by the Controller to another controller, if technically feasible;

• object, in whole or in part, to the processing of personal data that has its legal basis in the legitimate interest of the Data Controller, on grounds relating to Minor’s and/or Adult’s particular situation;

• in cases where the processing is based on consent, to withdraw consent given at any time without affecting the lawfulness of processing based on consent before its withdrawal;

• to file a complaint with the supervisory Authority pursuant to Article 77 of the GDPR (and Articles 140-bis et seq. of the Privacy Code), if he/her believes that his/her rights under the Applicable Law have been infringed.

The Data Controller shall inform each recipient to whom the personal data have been transmitted of any rectification, erasure, and/or restriction of processing carried out, except when this proves impossible or involves a disproportionate effort.

10. Ways of exercising rights of the Minor and/or the Adult

As data subject, the Minor and/or the Adult may exercise the above-mentioned rights at any time by contacting the Data Controller at the contact detail listed in paragraph “1. Data Controller and contact details” of this Privacy Policy.

To lodge a complaint with the Italian Data Protection Authority, the User may use the forms available on the website of the relative Authority.

11. Changes to this Privacy Policy

This Privacy Policy may be amended, and/or integrated and/or updated periodically, including as a result of updates to the Applicable Law. In such cases, the Data Controller will inform the Minor and/or the Adult of any amendments and/or integrations and/or updates to this Privacy Policy by publishment on the Website.

Rev. 01 - Last Update: 05/08/2024