Privacy Policy

PRIVACY POLICY

(updated December 9, 2023)

1. AIM, SCOPE AND DEFINITIONS
This Policy aims to protect the privacy and the fundamental rights related to personal and sensitive Information and personal and sensitive Data of those persons who get in any manner in contact with CMAS apart from Anti-Doping activities and purposes, as well as those who communicate in any manner with CMAS included but not limited to providing his/her personal Information and/or Data or any other sensitive Information and/or Data.

This Policy only applies to the collection, processing, protection and transferring of personal Information and/or Data and does not apply to the same activities related to Anti-Doping purposes and matters. These last matters shall be carried out according to the terms and conditions provided for in CMAS Anti-Doping Personal Information and Data Collection, Processing and Protection Policy.

This Policy seeks to ensure an effective, appropriate and high-level privacy protection to the personal Information and/or Data anyway provided to CMAS.

Definitions:

  • Controller: CMAS as responsible for Data and/Information collection.
  • Personal Data and/or Information: any data and/or information relating to an identified or identifiable natural person including – but not limited to - Sensitive Personal Information (such as – but not limited to - Personal Information relating to racial or ethnic origin, commission of offences -criminal or otherwise- , health and genetic information).
  • Event: Any competition or different event sanctioned, recognized, panned, staged organized, entrusted and/or subcontracted to third parties, by CMAS.
  • Data subject: Any person transferring personal data and/or information to CMAS.
  • Collection: Method by mean of which CMAS collects personal Data and/or Information by Data Subjects.
  • Anti-Doping Activities: Activities specified by WADA Code, WADA’s International Standards, WADA ISPPPI and CMAS’s Statutes, Rules or Regulations, to be carried out by Anti-Doping Organizations, and their Third-Party Agents, for the purpose of establishing whether anti-doping rule violations took place, including collecting whereabouts information; conducting Testing; performing results management; determining whether an Athlete’s Use of a Prohibited Substance or Prohibited Method is strictly limited to legitimate and documented therapeutic purposes; educating Participants on their rights and responsibilities; conducting investigations into anti-doping rule violations; and initiating proceedings against those who are alleged to have committed such a violation.
  • Processing (and its cognates, Process and Processed as well as Collection and Protection and their relevant cognates): Collecting, retaining, storing, disclosing, transferring, transmitting, amending, deleting or otherwise making use of Personal Data and/or Information.
  • Data Breach: Any unauthorized and/or unlawful Processing of, including access to, Personal Data and/or Information whether in electronic or hard-copy or other form, or interference with an information system, that compromises the privacy, security, confidentiality or integrity of Personal Data and/or Information.
  • Third Parties: natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data and Third-Party Agents (such as subcontractors who process Personal Data and/or Information for or on behalf of CMAS).
  • Recipient: natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not

2. RULE OF LAW
This Policy has been developed in accordance to Italian Law, having regard to EU General Data Protection Regulation (GDPR) regulatory principles and in compliance with CMAS Statutes, Rules and Regulations.

In the event of a conflict between any of the abovementioned codes, laws, rules etc., Italian Law shall, in any case, prevail. In this respect and for the sake of clarity, the relevant Italian Law is the Privacy Code (Legislative Decree n. 196/2003 and subsequent amendments, particularly the Legislative Decree n. 24/2023).

3. PRINCIPLES
This Policy recognizes the principles established by Italian Law and CMAS Statutes, Rules and Regulations.

This Policy acknowledges the basic principles included in EU Reg. n. 2016/679 (GDPR) concerning collection processing protection, retaining and transmission of Data and/or Information as well as public transparency, accountability and respect for the privacy of those who get in any manner in contact with CMAS.

All Data and/or Information provided to CMAS shall be handled only by Staff and/or Management Members who shall be informed and trained having regard to this Policy in order to avoid any possible unauthorized disclosure.

The collected Information and/or Data shall not be disclosed under any circumstances unless in case of Public disclosure (as set forth in this act) or in case of consensus by the Data subject.

Regardless to all the principles and provisions provided for in this Policy, CMAS shall share any kind of Information and/or Data at any time with the relevant Public Authority when due and/or compelled to and in compliance with the Italian Law or to any other applicable law.

4. PURPOSES AND TYPES OF DATA AND/OR INFORMATION
CMAS is an International Sports Federation and can collect Data and/or Information for Sports and Marketing purposes.

These purposes shall include every activity necessary to stage, organize, implement, recognize or take part to events directly managed to CMAS, as well as for those events entrusted and/or subcontracted to third parties, by CMAS.

Collecting and handling Data and/or Information for Sports and Marketing purposes includes as well all the activities deemed necessary to develop a Sports Database including all the athletes and officials information, to enable the Events accreditation process, to implement a public sports results database, to contact athletes, officials and National Federations to provide news, information and notices as well as targeted advertising by e-mail newsletters and any other means of communication by CMAS and any other authorized third party.

In the same way, any other activity deemed necessary to be carried out by CMAS or by authorized third parties to pursue Sports and Marketing goals, shall be considered as part of the abovementioned Sports and Marketing purposes.

For its Sports and Marketing purposes, CMAS can collect the following types of Data and/or Information:

  • Data subject’s Identity (Full name, Date of Birth, Gender, Phone number(s), E-mail Address(es), Home Address(es), Organizations to which he/she belongs, Names and details of contact persons).
  • Sports Discipline/s and any other relevant sports information.
  • Curriculum Vitae, resume, qualification, occupation, marital status.
  • Clothing sizes, shoes measures and similar.
  • Travel Schedule.
  • Food preferences and/or programs and food intolerances.
  • Medical and pharmaceutical needs.
  • Insurance policy number, terms and conditions.
  • Fiscal Data.
  • Social Security number.
  • Passport and/or any other Identification Document number and expiry date. Bank details.
  • Pictures for Identification and Accreditation Cards, website and similar. Social media contacts.
  • Any other necessary information to take part to an event.
In case of a public event (such as competitions, ceremonies, side events etc.) in which CMAS decides to carry out video footages and/or taking pictures, the public, the participants and any other person taking part to and/or anyway assisting to the event, shall be fully informed in advance by general notices to be displayed and/or posted on key points inside and outside the venue(s).

5. COLLECTION AND PROCESSING
Data subjects (or their duly authorized representatives, such as National Federation Staff members in charge) will be asked to give their consent to the collection, processing, treatment, protection and retaining of their own personal Information and/or Data provided to CMAS by:

  • Digital forms.
  • Digital checkbox.
  • Written Consent form.

Apart from the format, the Consent form shall include summary information about how Data and/or Information belonging to the Data subjects will be used and processed for Sports and Marketing purposes and a URL to this Policy or, in case of a written Consent, a paper copy of this Policy.

The abovementioned Consent shall be in compliance with this Policy.

Given that single Data Subject are usually part of single National Federations or other bodies or entity which CMAS mostly interacts with, the consent may be provided by Data Subject’s duly authorized representatives.

The relationship between Data Subjects and his/her representatives shall be set out in writing between them. CMAS shall only supervise and check the source from which Data and/or Information will be collected.

This Policy shall be published on CMAS official website in a way to be available for the public and so that the Data subject can acknowledge and accept its Terms and Conditions before giving his/her consent.

For those under the age of eighteen or incapable to furnish an informed consent by mental capacity or other legitimate reason recognized in law, the Consent shall be given by a parent or by a legal guardian. In these cases, Data and/or Information shall be treated with an additional degree of caution and trying to safeguard sensitive data and/or information belonging to incapable persons in an even better way.

For sensitive Data and/or Information such as medical or pharmaceutical needs or fiscal Data etc., an additional consent will be asked to the Data Subject.
Data subjects are responsible for providing correct Information and/or Data and they are subject to all the duties provided for in this Policy, in Italian Law, in CMAS Statutes Rules and Regulations and/or in any other applicable laws, regulations or compulsory legal processes and where such processing does not conflict with applicable privacy and data protection laws.

Personal Information and/or Data will be collected by CMAS Staff and/or Management Members and by any other organization or body (third parties) to which CMAS has in any manner entrusted and/or delegated the necessary authority.

In these cases, third parties shall act in accordance with the terms and the conditions set forth in this Policy.

Each of the abovementioned persons responsible for the collection, processing and protection of Data and/or Information shall act according to the terms and conditions set out in this Policy and shall be considered as personally accountable for his/her actions in case of a violation of the rules stated in this Policy.

Regardless of who will conduct the data collection, CMAS shall only process Personal Information where necessary and appropriate to Sports and Marketing purposes under this Policy, Italian Law, CMAS Statutes Rules and Regulations and/or any other applicable laws, regulations or compulsory legal processes and where such processing does not conflict with applicable privacy and data protection laws.

Regardless of any refusal to grant or subsequent withdrawal of the Consent by the Data subject, the process of personal Information and/or Data still may be required, unless otherwise prohibited by Italian Law, when necessary to enable CMAS or any of its third parties:

  • To commence or pursue investigations involving suspected CMAS Rules and Regulations violations relating to the Data subject.
  • To conduct or participate in proceedings involving suspected CMAS Rules and Regulations violations relating to the Data subject.
  • To establish, exercise or defend against legal claims relating to CMAS, to the Data subject or both, or when required by any applicable law.

Personal Information and/or Data shall be processed fairly, accurately and completely. All data shall be kept up-to-date and may be corrected or amended when necessary or required by the Data subject.

CMAS and third parties shall only process personal Information and/or Data for Sports and Marketing purposes and on valid legal grounds, which can also include compliance with legal obligations, fulfilment of a contract or protection of vital interests of the Data subjects.

CMAS and third parties may process personal Information and/or Data for other purposes, provided that those purposes relate exclusively to the achievement of CMAS goals and are found to be relevant following an appropriately documented assessment performed by CMAS.

6. PROTECTION
Data and information shall be safeguarded according to the following security standards:

  • Any written Information and/or Data shall be kept confidential and stored in a locked closet, located in CMAS’s headquarters or in the Presidential offices.
  • Any digital format Information and/or Data shall be kept confidential and stored in password locked computers or in encrypted portable hard disk or encrypted flash USB memories, to be stored in a locked closet located in CMAS headquarters or in the Presidential offices.
  • The abovementioned passwords shall be composed by at least 8 alphanumeric digits and shall be changed by CMAS every 12 months and every time a Management and/or Staff member will be terminated.
  • Passwords shall be stored in a Password History program accessible only to the Privacy Officer.
  • CMAS may entrust external service providers to store, retain and protect the collected Data and/or Information on outsourced servers located in countries where the Privacy standards are in compliance with this Policy.
  • CMAS shall prevent any kind of unauthorized access to this material and shall empower its Management and/or Staff Members to handle it for job purposes only.
  • CMAS may authorize some of the abovementioned Management and/or Staff Members to retain on their personal computer any kind of Information and/or Data collected by CMAS, provided that all the above-mentioned precautions will be taken.
  • In the event of a Data Breach, CMAS shall – as soon as it becomes aware of the breach – immediately inform the affected Data subjects about the breach (both individually or jointly), where this breach is likely to affect in a significant way the rights and interests of those persons concerned.
  • CMAS will review the circumstances of the breach and take measures to prevent any recurrence.
  • CMAS may set up an Emergency Unit in order to stop the Data Breach and help the persons concerned in the best way possible.
  • CMAS may audit compliance to this Policy at any time.

7. ACCESS AND RETENTION
Data subjects to whom the personal Information and/or Data relates have the right to access to the following information from CMAS:

  • Confirmation about CMAS processing personal Information and/or Data relating to them.
  • Information about the Consent to be given as per art. 5 above.

Copy of the relevant personal Information and/or Data.

Access requests shall be approved in a short time provided doing so does not impose a disproportionate burden on CMAS in terms of costs or effort, given the nature of the personal Information and/or Data in question.

CMAS may refuse to allow Data subjects to access to all or part of their personal Information and/or Data if the release could in any manner compromise the Data Privacy process. In this case, CMAS shall inform the Data subject and set out in writing the reasons for refusing the request as soon as practicable.

In this regard, if a Data subject is not satisfied, he/she has the right to initiate a complaint with CMAS. In the event that the complaint cannot be satisfactorily resolved, the plaintiff may notify and/or submit a complaint to the competent Italian Court who will determine whether a violation of this Policy and a subsequent law violation has occurred.

Data subjects have the right to ask for the correction of their personal Data and/or Information when necessary.

CMAS and its third parties shall ensure that personal Information and/or Data are retained only as long as it is necessary to achieve their goals, having regard to the general Sports and Marketing purposes inspiring this Policy and CMAS activity or where otherwise required by applicable law, regulation or compulsory legal process.
Once personal Data and/or Information no longer serves the purposes mentioned in this Policy, may be deleted, destroyed or permanently pseudonymized.

8. DATA TRANSFER AND DISCLOSURE
Personal Information and/or Data may be transferred by CMAS to authorized recipients, according to this Policy, CMAS Statutes, Rules and Regulations and Italian Law as well as any other applicable law.

Relationships between CMAS and its third parties, as well as the ones relating to recipients, shall be settled by single agreement to be set out according to the terms and conditions provided for in this Policy.

Personal Information and/or Data may be made available to the public on CMAS official Website and Social Media pages and/or in writing when due and according to the general Sports and Marketing purposes inspiring this Policy and CMAS general activity (e.g. Sports results, news, CMAS Members contact information etc.)
Authorized third parties - for instance, International Sports authorities and/or organizations, National Federations, major games and other events organisers, subcontractors, time and score keepers etc. – shall act and consequently treat Data and Information in compliance with this Policy, CMAS Statutes, Rules and Regulations and Italian Law as well as any other applicable law.

Personal Information and/or Data shall not be disclosed to third parties other than as set out above, except where such disclosures:

  • are required by law.
  • take place with athlete’s informed, express and written consent, or
  • are necessary to assist law enforcement or governmental authorities in the detection, investigation or prosecution of a criminal, civil or similar offences, provided that the personal Information is reasonably relevant to the offence or breach in question and cannot otherwise be obtained by the authorities.

Personal Information and/or Data may be Publicly Disclosed by CMAS in further specific situations, in any case in compliance with the limits set out in this Policy and by any applicable law.

Retained personal Information and/or Data may be used to be part of an anonymized Statistical Annual Report drafted by CMAS. This report may be published and/or shared with third parties.

9. SANCTIONS
Any breach or violation of this Policy shall be punished according to the provisions included in the CMAS Disciplinary and Ethic’s Code.

10. COMPLIANCE, INFO AND COMPLAINTS
For the purpose of making this Policy comply with applicable privacy and data protection laws, as well as for handling complaints and providing relevant information, CMAS appoints Mr. Daniele Rosorani as Privacy Officer. Contact: cmas@cmas.org. Any change concerning this matter shall be communicated to the public by modifying this Policy.

Data Protection Policy - Terms of use

Data Subject (or his/her duly authorized representative) acknowledges, accepts and authorizes the collection of his/her personal Data and/or Information for Sports and Marketing purposes as defined in Art. 4 of CMAS Data Protection Policy (the Policy) by CMAS or by any of its authorized third parties.

CMAS and/or its authorized third parties can use Data and/or Information provided by the Data Subject or his/her Parent and/or Legal Guardian and/or duly authorized representative according to the terms and the conditions set out in the Policy and only for Sports and Marketing purposes.

Data Subject (or his/her duly authorized representative) acknowledges and accepts that personal Data and/or Information provided to CMAS or to any of its authorized third parties can be processed and transferred as stated in the Policy for Sports and Marketing purposes.

Data Subject (or his/her duly authorized representative) acknowledges and accepts that personal Data and/or Information provided to CMAS or to any of its authorized third parties can be used for market researches, statistics, targeted advertising, development of mailing lists, news and notices services, event management and organization, scoring and time keeping systems and any other activity related to the general Sports and Marketing purposes of the collection as stated in the Policy.

Data Subject (or his/her duly authorized representative) acknowledges and accepts that personal Data and/or Information provided to CMAS or to any of its authorized third parties can become part of one or more Database for Sports and Marketing purposes as well as part of Public Sports Results Database and News.

Data Subject (or his/her duly authorized representative) acknowledges and accepts that personal Data and/or Information provided to CMAS or to any of its authorized third parties can be published on CMAS Official Website and Official Social media pages for Sports and Marketing purposes as stated in the Policy.

Data Subject (or his/her duly authorized representative) acknowledges and accepts that personal Data and/or Information provided to CMAS or to any of its authorized third parties will be stored as stated in the Policy and that will be retained as long as they serve the abovementioned purposes.

Data Subject (or his/her duly authorized representative) declares to have provided correct and true personal Data and/or Information as well as he/she acknowledges and accepts to be held responsible in case of incorrect and/or false personal Information and/or Data.

Data Subject (or his/her duly authorized representative) can ask further information, demand access to his/her personal Data and/or Information, submit a complaint or a request to change or update Personal Data and/or Information as well as withdraw his/her consent by writing to cmas@cmas.org.

OFFICIAL CMAS PARTNERS

@CMASORG