23 October 2021
In its capacity as the Data Controller, Federazione Italiana Giuoco Calcio (hereinafter “FIGC” or simply the “Association”), provides data subjects with the following information in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (hereinafter “GDPR”).
In this document, FIGC intends to set out the purposes and methods of the personal data processing it carries out when a data subject provides their personal data on www.figc.it (hereinafter the “FIGC website”), via other telematic channels or when they engage in contact with FIGC, both online and offline. This includes providing their personal data in order to purchase match tickets or official merchandise, providing their personal data in order for them to participate in contests, events involving athletes, fans or coaches or promotional initiatives associated with football, and providing data in order to receive updates on FIGC and its institutional, sporting, promotional and commercial activities, which may use personal data in order to engage with data subjects via direct marketing initiatives.
FIGC may provide specific policies relating to personal data processing for specific activities or individual events. In these cases, the Association may provide a paper copy of the policy or reference the relevant section on privacy on the FIGC website or on other websites associated with FIGC's activities. Data subjects are encouraged to read the relevant policies in the event that they have not yet done so.
The Data Controller is FIGC, located at No.14 Via Gregorio Allegri, Rome, with VAT No. 01357871001.
The Association processes personal data in order to allow data subjects to interact with FIGC, to register on the FIGC website, to manage their account, to interact with published content, to receive news and correspondence regarding FIGC and to purchase goods and services, including through official suppliers and commercial partners. FIGC may also process personal data in order to fulfil legal obligations, to ensure that specific categories of people can access events, to action requests from data subjects and to pursue its statutory objectives as these concern the organisation, running and promotion of football in Italy, together with any associated activities.
In most cases, personal data is provided by data subjects directly, but it is possible for FIGC to receive data from other parties. For example, the Association may allow interaction with users browsing on social media pages or channels run by FIGC, such as Facebook, Twitter and YouTube. When this happens, FIGC receives the personal data of users directly from the social networks.
When data processing requires the consent of data subjects, data subjects can withdraw or alter their consent at any time. They can also request that their data be erased or that data processing is limited in circumstances set out in law and described below.
However, there are cases in which FIGC may legitimately continue to process personal data even when a data subject withdraws their consent or exercises one of their rights.
Data processed by FIGC and data collection methods used. Consequences of failure to grant consent.
FIGC collects and processes personal data that is spontaneously provided by data subjects when they interact with the Association or participate in events or initiatives organised by it. This may also occur when a data subject registers on the FIGC website or signs up to the newsletter. In other cases, the Association processes data that is collected or generated when a data subject accesses the FIGC website or websites associated with FIGC’s activities.
Some personal data may also be collected when FIGC match tickets are purchased or when a user browses an online ticketing site, such as Ticketone.
Moreover, FIGC may process data received from other Associations, national/international companies, associations or bodies, or teams participating in matches, tournaments or events organised or hosted by the Association. In these cases, the data in question is necessary to enable the data subjects to participate in these events and competitions.
Purpose and legal basis of data processing
FIGC processes the personal data of data subjects for reasons that are necessary to its activities and therefore in order to pursue legitimate interests deriving from its role as the leading authority on the organisation, administration and promotion of football in Italy.
FIGC may also process personal data when this is necessary for the execution of a contract with the interested party, to complete any pre-contractual duties and to comply with any legal obligations.
The Association’s data processing purposes may include:
• checking the identity of the parties in a contract and of data subjects that interact with the Association during the completion of their activities;
• executing a contract and responding to requests from data subjects;
• organising sporting or social competitions and events on local, national or international levels and fulfilling any duties or complying with any requirements deriving from these;
• monitoring the regularity of sporting and promotional events and activities to make sure these take place in accordance with the FIGC Statute and with FIGC or international regulations, including as regards health and safety and any regulations FIGC is required to observe;
• issuing tickets and access passes for competitions and events organised or run by FIGC;
• cooperating with the authorities, including by communicating personal data collected in the past, as set out in all applicable laws;
• organising sports justice activities and ensuring that these can take place in the proper manner, as well as publishing any verdicts passed;
• undertaking activities designed to promote the activities of FIGC, sports and football, as well as any initiatives with social or health goals (if this requires personal data processing for specific categories, these will be processed anonymously where possible, otherwise data will be processed based on legitimate need or based on explicit consent obtained for that specific purpose);
• producing, storing and using footage, photographs, images, audio-visual content, recordings and news of results or sporting events, and producing or creating documents of public, historic or statistical interest, as part of FIGC’s interest in documenting and sharing the history of sport in general and football in particular;
• undertaking direct marketing activities.
FIGC may request explicit consent from data subjects for further processing when the purpose of this includes:
• commercial and promotional correspondence from FIGC, official sponsors or third parties;
• the use of apps or features of apps;
• other purposes which require explicit consent. FIGC informs data subjects that it does not use automated decision-making processes that have significant legal implications for data subjects or that affect them in any significant way.
Consent to data processing
When FIGC processes personal data based on explicit consent from the data subject, the data subject may withdraw their consent at any time.
However, withdrawal of consent does not affect the legality of data processing undertaken based on consent before it was withdrawn.
Even where consent is withdrawn, data subjects are reminded that there are some purposes for which the Association may legitimately continue to process the personal data of the data subject, where there are other legal bases for data processing. For example, the Association may legitimately send direct marketing communications where this is done on the basis of a legitimate interest.
However, the data subject is entitled to oppose data processing for direct marketing (also known as “opting out”) and ask not to receive that kind of correspondence and not to be subject to profiling insofar as this is based on those direct marketing activities. Data subjects can contact the Association using the contact details below in order to exercise their rights.
Football is a passion shared by people of all ages. As such, it is possible that data subjects will be minors.
However, where consent is required, data processing consent can only be legitimately expressed by a minor when they are 16 or over. In other cases, the Association requires data processing consent to be provided by the minor’s parent or legal guardian.
Data storage period
The personal data collected by FIGC is stored for the period of time necessary for the Association to achieve the purposes of data processing.
It isn’t always possible to accurately specify this period of time. In general, the following criteria are used when determining the data storage period:
• where data is processed in order to execute a contract, complete pre-contractual duties or action a request from a data subject, the data storage period is 11 years from the date the contract concludes, barring any claims;
• where data concerns registration on the FIGC website or other websites associated with FIGC’s activities, the data storage period is the entire time the data subject is active and for the subsequent five seasons;
• where data processing is linked to promotional activities and direct marketing, the data storage period is until the data subject asks for communications to cease;
• where data processing takes place in order to ensure compliance with legal requirements, the data storage period is the entirety of the period required by law;
• where we process your data in order to pursue our legitimate interest in documenting the Association’s activities and the history of football, the data storage period can last for a longer period of time, in accordance with the principle of data minimisation, as set out in GDPR.
The Association would like to clarify that when a data subject exercises one of their rights, by withdrawing their consent or asking not to receive direct marketing any more, their personal data is not erased and their use is not limited immediately. The data may be processed for a further period as is strictly necessary for FIGC to action the requests it has received.
Finally, FIGC keeps a record of the fact that a data subject has exercised a right for an indeterminate period of time, in order to allow it to adhere to the requests it has received (i.e. a request from a data subject who no longer wishes to be contacted).
Communication and publication of personal data. Transfer to other countries
As part of the pursuit of the aims set out here, personal data may be shared between different departments of the Association (including those belonging to its constituent bodies) and with third parties such as suppliers of goods or services or the Association’s commercial partners.
More specifically, FIGC may communicate personal data to entities that provide ticketing and stadium access management services for FIGC matches or other events, with the aim of overseeing all ticketing service profiles or simply to ensure compliance with legal obligations.
Personal data may be communicated to sports clubs, match organisers and any other bodies for which the Association has been granted consent.
All these bodies will process personal data as autonomous Data Controllers.
It is also possible that personal data will be communicated to national and international sports justice bodies, where necessary.
Please be advised that FIGC is required to communicate personal data it has processed to the authorities when this is required by law.
In undertaking its activities and pursuing its legitimate interests, FIGC may share some personal data regarding, for example, the rulings of sports justice bodies, match results and relevant news from events organised, run or sponsored by the Association, in order to maintain a record of these for informative, journalistic, statistical, promotional and commercial reasons.
In the event that personal data needs to be transferred out of the European Economic Area, where no explicit consent is obtained from the data subject in advance, FIGC will ensure that any such transfer will occur in accordance with standard contractual clauses, binding corporate rules or an equivalent code of conduct. Details of the applicable mechanism in each case will be provided where a request is made.
The communication of personal data to UEFA and FIFA takes place in accordance with an adequacy decision from the European Commission.
Rights of data subjects
All data subjects have the right to access their personal data, the right to rectification, the right to erasure and the right to restrict data processing, where legitimate grounds exist.
The Data Controller can be contacted at firstname.lastname@example.org.
In accordance with GDPR, FIGC has appointed a Data Protection Officer. They can be contacted via email at email@example.com or by sending a letter via recorded delivery to:
Data Protection Officer
Federazione Italiana Giuoco Calcio
Via Gregorio Allegri No.14
00198 – Rome
Data subjects may also make a complaint to a supervisory body. In Italy, the supervisory body can be contacted at www.garanteprivacy.it.
Additional FIGC policies
You may be interested in other policies relating to specific FIGC activities:
Commercial and promotional/advertising activities