1. Introduction
1.1 Privacy of personal data represents one of
the main concerns for MASSIF ESTATE SRL. As such, we aspire to provide the highest standards of
privacy and transparency for the personal data we’re processing in our current
activity.
1.2 Since for conducting our business we are
required to process a series of personal data, especially in relation to the
specifics of our line of business, we wish to provide assurances that the
processing will take place in compliance with the principles of transparency
and security of personal data. This privacy policy is meant to help you
understand what data we’re collecting, why we’re collecting it and what we’re
doing with it.
2. Who are we?
2.1 MASSIF ESTATE SRL is a Romanian company, established Cluj-Napoca, Eremia Grigorescu, nr. 122A, registered with the Trade
Register under no. J12/5924/07.12.2021, VAT number: RO36944344. MASSIF ESTATE SRL acts as operator of personal data collected through the www.bemassif.com
website (the "website”), the ticket
buying process by the buyer, the means of video monitoring and photo and video
image capture within the Festival by persons
authorized by MASSIF ESTATE SRL.
2.2 The operator is required to manage safely
and solely for specified purposes, the personal data that the users of the
website are providing.
3. What kind of data is processed, the purpose
of processing and the storage period for and the legal basis for processing for
each category of data?
| 3.1 | WHAT KIND OF DATA IS PROCESSED | THE PURPOSE OF PROCESSING | STORAGE PERIOD | LEGAL BASIS FOR PROCESSING |
| 3.1.1 | Last name, first name, gender, country, date of birth, nationality | For the purpose of purchasing the ticket, ensuring access and services to which the buyer/participant in the festival is entitled based on the ticket, preventing fraud, abusive use. | 20 days after the end of the Festival | a) Art. 6 (1) lit. b - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; b) Art. 6 (a) lit. f processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party; |
| 3.1.2 | Name, surname, e-mail, telephone number and other information provided by you in the problem description section. Name, surname, e-mail, telephone number as well as other information provided by you with the communication of an e-mail or in the specific section for formulating a question/report on the website; | For the purpose of returning purchased products or solving a problem addressed to us. | 30 days from the return date. | a) Art. 6 (1) lit. b - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; |
| 3.1.3 |
Contact details of the data subjects (e.g.
e-mail and / or telephone) could be used to inform them about the issues
related to the organization and conduct of the event, offers or any other
communications that are directly related to the product purchased.
This data can be obtained directly from the buyer or from the ticketing platform. |
For the purpose of informing about aspects related to the organization and conduct of the event or any other offers and announcements in close connection with the purchased product. For example, if a particular concert was canceled or rescheduled at another time, the data subjects could receive an informational message and / or any other offers, communications in this regard. | 20 days from the end of the Festival | Art. 6 (1) lit. b - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Article 6 (a) lit. f - processing is necessary for the purpose of the legitimate interests pursued by the operator or by a third party. |
| 3.1.4 |
Last name, first name, email and telephone number.
To the extent that surveys are conducted by telephone. |
For the purpose of promoting products provided by MASSIF ESTATE SRL and its partners, as well as conducting surveys to improve the quality of the services we provide. | Until withdrawal of consent. | Art. 6 (1) (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; |
| 3.1.5 | Name surname; E-mail Phone number; Country and nationality; Date of birth, sex: |
Information collected in the Pre-register Campaign;
The data subjects understand (and accept) that they register to
be able to purchase tickets at a promotional price, at the pre-sale stage,
for the Festival.
Subsequently, MASSIF ESTATE SRL sends e-mails / text messages
announcing the date on which the tickets for the campaign for which they have
registered are put up for sale.
Data regarding country, nationality, date of birth, sex - to
facilitate the process of purchasing the ticket.
|
Last name, first name, e-mail, phone number - they are deleted within 72 hours from the
expiration of the Pre-register Campaign if the data subjects did not buy the
product for which they registered.
If the data subjects have purchased a Ticket in this campaign,
their personal data will be processed from this step forward in order to
ensure the purchased services and access to the Festival.
The other data are anonymized within 72 hours upon the expiration of the Pre-register Campaign if the data subjects did not buy the product for which they registered. |
Art. 6 (1) (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; Art. 6 (1) lit. b - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; Art. 6 (a) lit. f processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party; |
| 3.1.6 | MASSIF ESTATE SRL uses video monitoring means through which the images of the data subjects, respectively of all the visitors of the Event will be processed. | a) For the purpose of ensuring the security of property, spaces and people. b) For the purpose of defending rights in court or for the purpose of a legal obligation. | 20 days from the end of the event. Some data may be stored for a longer period, if storage is necessary to investigate a fraud, to defend in court the rights of either Party or in cases where compliance with requests from competent authorities is required. |
Art. 6 (1) (d) the processing is necessary
in order to protect the vital interests of the data subject or of another
natural person;
Art. 6 (1) (c) the processing is necessary
in order to fulfill a legal obligation incumbent on
the operator;
Art. 6 (1) (a) the data subject has given consent to the
processing of his or her personal data for one or more specific
purposes;
Art. 6 (a) lit. f processing is necessary for the purposes of
the legitimate interests pursued by the controller or by a third party;
|
| 3.1.7 | Photographs or footage taken during the Event. | For journalistic, informational, artistic, commercial purposes, for marketing and promotional purposes of the event, MASSIF ESTATE SRL products and services or related products and services, in its own name by MASSIF ESTATE SRL or by any partner or sponsor of the Festival. Images or videos can also be used to make NFTs (Non-fungible tokens) and trading them on the relevant market. | Indefinitely. | a) Art. 6 (a) lit. f processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party; b) Art. 6 (1) (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; |
| 3.1.8 | IBAN and account holder name |
The customer is asked if we need to make a refund on a ticket purchased more than 6 months ago. |
The period provided by law in order to fulfill the obligations. |
Art. 6 (1) (c) the processing is necessary in order to fulfill a legal obligation incumbent on the operator; |
| 3.1.9 | Name, Surname, e-mail within the campaigns organized in partnerships with Companies/Organizations |
The purpose of requesting the data is to send tickets / subscriptions to the 2023 MASSIF Festival for individuals within the company / organization with which MASSIF ESTATE SRL has a partnership. |
48
hours from the moment the prize has been sent to the email address.
|
Art. 6 (1) (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; |
3.2 In addition to the aforementioned purposes, MASSIF ESTATE SRL may
process the personal data collected for the following purposes:
a.
For the fulfillment of the obligations that incube
on us, as a result of the services provided (e.g.
accounting, fiscal, audit, etc.), these are always compatible with the main
purposes, for which the data was collected.
b.
To the extent that the
data subject has given their consent for the processing of their personal data
for one or more specific purposes;
c.
For any other purpose
auxiliary to the above, or for any other purpose for which we have been
provided with personal data, in compliance with the relevant legislation
3.3 In the situations in which we will use your data for purposes
other than those mentioned in this Policy, we undertake to obtain your consent,
unless we have a legal obligation or have a different legal basis for
processing the data.
3.4 The operator does not create individual profiles for those who
participate at the Festival.
3.5. In order to gain access, as Organizers of the event,
we might have the obligation to verify the documents required by the state
authorities in order to prevent and combat the effects of the Covid-19 pandemic
(eg verification of the
European Digital Certificate COVID-19 which includes proof of vaccination, test
result negative RT-PCR, proof of the infection, verification of the negative
result of the rapid antigen test). This data shall be neither processed, nor
stored on the scanner, but only verified at the location in order to ensure
access to the Festival.
4. How are we
collecting your personal data?
4.1 We are collecting your personal data
either directly from you, e.g. when
you’re creating an account on our website/App, you’re sending us an
e-mail at ask@wintermassif.com, in which you’re
requesting us an offer / information, and you’re giving your consent for
communication of commercial messages, , etc., or indirectly, e.g. when you’re sending this information to the
platforms of other collaborators for our company, such as: www.in-town.ro, www.entertix.ro, etc., in the process of purchasing the ticker/pass.
4.2 We collect your personal data automatically, when you use our
services from the website, we collect information through cookies and by
logging your activity. For more information on the use of cookies, please refer
to Art. 6 of this Policy.
4.3. If you choose to provide us with the personal data of others, such as when
you purchase tickets on behalf of others, you are responsible for how you
obtained these data and that you have a legal basis for processing them. We
cannot be held liable for the violation of the rights of the respective
persons.
5. How are we storing the
personal data?
5.1 For storing the personal data you're
providing as a user of our website / App, a cloud service provided by Amazon
Web Services EMEA S.A.R.L. is used.
6. COOKIES
6.1 The website contains cookies (very small files MASSIF ESTATE
SRL is sending to the computers of website users or to other access devices).
6.2 There are two types of these cookies:
●
Functionality cookies:
These types of cookies improve the users' website navigation experience and
allow them to benefit from various features;
●
Performance Cookies:
These types of cookies are used to measure and analyze
how MASSIF ESTATE SRL customers are using the Website. These cookies can
continually improve the functionality of the website and the user experience.
6.3 Accessing the website implies the agreement of the users
regarding placing these types of cookies on their device and access them on
their next visit to the site.
6.4 Information on deleting and controlling cookies is available
at www.aboutcookies.org. Deleting or blocking the cookies may prevent access to
certain areas or features of the site.
6.5 For more information, please consult our Cookie Policy.
7. To whom we’re disclosing your personal
data?
7.1 For fulfilling the processing purposes, MASSIF
ESTATE SRL may disclose your personal data to partners, third parties or
entities supporting MASSIF ESTATE SRL in the conduct of their business, or to
central / local public authorities, in the following cases listed as
examples:
1. To our service providers and contractual partners, for
example: marketing and advertising service providers; to our partner in charge
of ensuring access to the Festival venue; to IT
service provider; to courier services, payment services, banking services, etc.
This data will be provided to the extent necessary and only on the basis of a
confidentiality agreement from the contractual partners, which guarantees that
this data is kept safe and that its processing is done according to the
legislation in force;
2. To the accountants, auditors, lawyers, insurers or other
such external advisers Operator might employ. This data will be provided to the
extent necessary and only on the basis of a confidentiality agreement from the
contractual partners, which guarantees that this data is kept safe and that its
processing is done according to the legislation in force;
3. Authorities,
institutions and public bodies, if there is a legal request from them or to the
extent that there is a legal obligation from us;
4. The operator will be able to disclose
this data whenever the law requires it, or in the case in which this action is
necessary to allow the exercise of the rights provided by the law and / or to
be able to take legal action against any illegal activity;
5. Your personal data may be transferred
to third countries, based on the contractual relationships we have with our
partners (both affiliates and other entities in the European Union) in order to
compile statistics and other types of reports;
8. How long do we store your personal information?
8.1 As a matter of principle MASSIF ESTATE SRL
will process your personal only to the extent necessary to achieve the
processing purposes mentioned above. Please note that for most processing
purposes, data about the Participants at the festival will be deleted within 20
days from the end of the Festival, unless the
Participant has an account on our website or has given us the consent to retain
the data in order to be contacted for certain, clearly defined, purposes.
For further details about our Data Retention Policy for
certain specific data processing please review column 3 of the Table in Art. 3.
9.
Your rights related to personal data processing:
9.1 If you have consented to processing activities, you may
withdraw this consent at any time. This withdrawal will only take effect for
the future and will not affect the legality of the processing prior to its
withdrawal.
9.2 To the extent that your consent is withdrawn, MASSIF ESTATE
SRL will prohibit the processing of your personal data and will take all
actions to delete all records containing this data.
9.3 However, if processing is compulsory for the provision of
services by MASSIF ESTATE SRL and this can be performed on the basis of other
legal provisions, MASSIF ESTATE SRL will carry out such processing and will
notify you to this regard.
9.4 In accordance with
the data protection legislation, you
have the following rights:
1)
Right to information
This right provides the data subject with the
ability to ask a company for information about what personal data (about him or
her) is being processed and the rationale for such processing. For example, a
customer may ask for the list of processors with whom his or her personal data
is shared.
2)
Right to access
This right provides the data subject with the
ability to get access to his or her personal data that is being processed. This
request provides the right for data subjects to see or view their own personal
data, as well as to request copies of the personal data.
3)
Right to rectification
This right provides the data subject with the
ability to ask for modifications to his or her personal data in case the data
subject believes that this personal data is not up to date or accurate.
4)
Right to withdraw consent
This right provides the data subject with the
ability to withdraw a previously given consent for processing of their personal
data for a purpose. The request would then require the company to stop the
processing of the personal data that was based on the consent provided earlier.
5)
Right to object
This right provides the data subject with the
ability to object to the processing of their personal data. Normally, this
would be the same as the right to withdraw consent, if consent was
appropriately requested and no processing other than legitimate purposes is
being conducted. However, a specific scenario would be when a customer asks
that his or her personal data should not be processed for certain purposes
while a legal dispute is ongoing in court.
6)
Right to object to automated processing
This right provides the data subject with the
ability to object to a decision based on automated processing. Using this
right, a customer may ask for his or her request (for instance, a loan request)
to be reviewed manually, because he or she believes that automated processing
of his or her loan may not consider the unique situation of the customer.
7)
Right to be forgotten
Also known as right to erasure, this
right provides the data subject with the ability to ask for the deletion of
their data. This will generally apply to situations where a customer
relationship has ended. It is important to note that this is not an absolute
right, and depends on your retention schedule and retention period in line with
other applicable laws.
8)
Right for data portability
This right provides the data subject with the
ability to ask for transfer of his or her personal data. As part of such
request, the data subject may ask for his or her personal data to be provided
back (to him or her) or transferred to another controller. When doing so, the
personal data must be provided or transferred in a machine-readable electronic
format.
9.5 If you wish to exercise the rights mentioned above, please
contact the person responsible for the protection of personal data using the
following contact details:
●
E-mail: ask@wintermassif.com.
●
Address: str. G-ral Eremia Grigorescu, nr. 122 A,
Cluj-Napoca, Cluj County.
9.6 You can also file a complaint regarding
the processing of your data with the National Authority for the Processing and
Supervision of Personal Data (B-dul G-ral. Gheorghe Magheru 28-30,
Sector 1, postal code 010336, Bucharest, Romania, www.dataprotection.ro, anspdcp@dataprotection.ro).
10. Information security
10.1 We are working hard to protect our website, App and users, as
well as all personal data collected in accordance with this Policy, from any
unauthorized access or from the modification, unauthorized disclosure or
destruction of the information we hold.
10.2. In this regard:
a.
MASSIF ESTATE SRL certifies
that it meets the minimum requirements for the security of personal data, the
data being processed in a way that provides protection against unauthorized or
illegal processing and against accidental loss, destruction or damage, by
taking appropriate technical or organizational measures;
b.
or the data collected
through the website and the App, in order to ensure access to the festival, MASSIF
ESTATE SRL uses a cloud service provided by Amazon Web Services EMEA SARL.
Therefore, the security settings provided by Amazon are used. Access to data is
done in a whitelist of security groups, which means that data can only be
accessed from certain pre-defined IP addresses. Access is based on username and
password, and within MASSIF ESTATE SRL access to the database is allowed to a
limited number of persons.
c.
The used data storage
systems have implemented back-up mechanisms to ensure the redundancy of the
stored data.
d.
We are regularly
reviewing the practices for collecting, storing and processing information,
including physical information, as well as security measures, to prevent
unauthorized access to the systems.
e.
We are restricting the
access of our employees and contractors to your personal information, and the
contractual relations with these persons are subject to strict rules regarding
contractual confidentiality obligations, including under the sanction of
termination of contracts.
11. When does this
Privacy Policy apply?
Our privacy policy applies to all services provided by our company
and excludes services that have separate privacy policies and do not contain
the provisions of this privacy policy.
12. Amendments
12.1 Our privacy policy may change, but we promise not to reduce
your rights under these changes without your explicit consent. We will publish
any amendment to the privacy policy on our webpage, amendment which will come
into effect within one day and, if the changes are significant, we will provide
more prominent notification (including, for some services, email notification
of privacy policy changes). We will also store earlier versions of this Privacy
Policy in the archive so that it can be reviewed by you at any time.
This Privacy Policy was published on the 3rd
of November 2022.
