Updated on 8 March 2023
1 We are committed to protecting Your Data
Amaury Sport Organisation (A.S.O.), a French Société Anonyme with capital of €61,200,240, registered in the Nanterre Trade and Companies Register (RCS) under number 383 160 348, headquartered at 40-42 Quai du Point du Jour, 92100 Boulogne-Billancourt, France, (hereinafter “We”) collects and processes data to optimise use of our website www.timeto.com (hereinafter the “Site”) by users (hereinafter “You”) and the services offered on the Site (hereinafter “Services”).
At A.S.O., we know that You care about how Your Personal Data is processed and how important it is to protect Your privacy.
Please be aware that to use the Site and Services, You must agree in full to this Policy, the Terms and Conditions of Use and the Additional Terms and Conditions of Use communicated to You when You order a product, or a service related to an Event offered on the Site.
The French version of this Policy takes precedence over any translation and is the sole authentic version.
In this Policy, words or expressions beginning with a capital letter refer to the terms defined in the Terms and Conditions of Use or defined in Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), Article 4.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of Personal Data relating to them. We will ask for Your Consent to process Your information in specific cases such as whether or not You want to receive marketing communications from Our partners.
“Personal Data” (hereinafter “Data”) means any information relating to an identified or identifiable natural person (the “data subject”). An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Event” means the gathering of sports people taking part in a competitive or non-competitive physical activity.
“Legitimate interest” is one of the six legal bases provided under the GDPR for processing personal information. The legitimate interests of a controller or of a third party can provide a legal basis for processing, provided that a number of conditions are met, for example: it must be necessary to achieve certain purposes; it must not adversely affect the rights and interests of the data subjects in light of their reasonable expectations; and it must be legitimate. Following the recommendations of the French data protection authority, CNIL, A.S.O has conducted a legitimate interest assessment (LIA) to ascertain its validity as a legal basis for data processing relative to similar Services.
“Rules” are the sports rules and the general conditions applicable to the organisation of an Event.
“Applicable Regulations” means Law No. 78-17 of 6 January 1978, on data processing, files and civil liberties as amended (the "Data Protection and Civil Liberties" act), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and any other applicable regulations relating to the protection of personal data.
“Data Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. In this case, A.S.O. is considered to be the Data Controller when it is the Organiser of an Event.
“Similar Services” means services and products that resemble the products and services that You purchase on this Site. Since the services purchased on this Site are large sporting events, similar services offered will relate to future marathon, triathlon and cycling events organised by A.S.O.
“Data Processor” means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the Data Controller. A.S.O may be considered to be the Processor when it organises events on behalf of other Organisations, for example.
“Sporting Universe” (hereinafter “Universe”) means all public Events or competitions organised or co- organised by A.S.O., offered or sold on time to, including running, cycling and triathlons.
The terms "You," "Your", and "Yours" refer to You, as a user of the Site or as a parent or legal guardian (major) if the user is a minor in his country of residence.
3 A.S.O. as Data Controller or Processor
A.S.O. can be either the Data Controller or Processor.
i) A.S.O. is the Data Controller when it is the Organiser of the Event You participate in. In this case, A.S.O. provides You with a product or service directly;
ii) A.S.O. is the Processor when it markets an Event organised by another Organiser. In this case, A.S.O. provides You with a service or sells You a product on behalf of another Sports Event Organiser.
The additional Terms and Conditions of Use, and/or the Terms and Conditions of Sale and/or the Event's sports Rules, define the Event Organiser(s) as the Data Controller for the Data You provide when You register for an Event (Registration process) or when You purchase products or services on the Site.
The Organiser undertakes to comply with the data protection regulations in force and in particular with the GDPR. It undertakes to:
- process Your Data for the purposes described in Article 4.1 "Purposes of Use" or in the Additional Terms and Conditions of Use, if applicable;
- limit access by employees and authorised personnel to only such information as is required for the purposes for which Your Data is processed;
- after conducting an audit on a documentary basis of Processors that are likely to access, host and/or process some of Your Data, enter into a contract with the Processors that have demonstrated compliance with the data protection regulations in force and with all applicable cybersecurity laws.
All Processors will act on behalf of and at the direction of the Data Controller, as set out in the Event Rules. Processors will ensure Your Data is protected, secured and private, in compliance with this Policy and any applicable data protection and cybersecurity laws.
4 Recipients of Personal Data
We use the Data collected when You register to create Your sports profile and provide You with products and services in line with Your expectations.
The Data We collect may be transmitted to:
- Organisers other than A.S.O. of Events offered on the Site to confirm Your participation in the Event and to ensure the Event is organised smoothly.
In these cases, the Organisers are the Data Controllers and A.S.O is their Processor;
- Commercial partners of the Site, if You have given Your Consent, to offer You products and/or services, either alone or jointly with A.S.O, for the purposes of direct marketing and/or advertising of their products and services;
- Processors with which A.S.O. works for the provision of technical, commercial, legal or financial services for the purpose of providing You with Services, in particular Data hosting and carrying out transactions. Processors act on behalf of A.S.O. and follow A.S.O.'s instructions.
- Public Authorities: the Organiser may be required to provide Your Personal Data upon request to any judicial or public authority authorised by law to request it.
The Organiser must disclose Your Data to the police to comply with its legal obligations, in particular with national security laws. Your Consent is not required in this specific case, pursuant to the derogation in GDPR, Article 49.
5 What Personal Data we collect
When You use the Site, Your provide Us with a certain amount of Personal Data, either directly (5.1) or indirectly (5.2), for example when You create an account or when You fill in your registration for an Event sold on time to.
5.1 Personal Data collected directly by A.S.O. and by ACTIVE
You are informed that when You use the Site, We directly collect and process Data required to create Your user account or to register for an Event sold on time to.
If You do not enter required information (5.1.1), it will not be possible to create Your account and/or register You for the relevant Event or to take payment for the Event.
Other types of Data are optional (5.1.2), and You are free to enter this information or not.
5.1.1 Required Data on the Site
This is the information that You, the Site User, provide directly to Us when You create an account on the Site or register for an Event sold on the Site.
When You create Your account, You will be asked to create a strong login and password, according to the recommendations of the French data protection authority, CNIL.
When You register for an Event, the required Personal Data fields are marked with an asterisk (*).
The following Data are required. This list may change in line with changes in the law or with A.S.O.’s technical or organisational requirements.
126.96.36.199 When You create Your account
We will ask You to enter the identification information below:
- Email address
- Last name
- First name
- Date of birth
- Country of residence
188.8.131.52 When You register for an Event offered by Our Site
- To register You for a public sporting Event, We need to collect Your identification Data, together with the identification Data of the person You nominate to call in an emergency and in the event it is not possible to ask You for this information directly (accident, hospitalisation, or other):
o Last name
o First name
o Date of birth
o Email address
o Full postal address
o Telephone number, including country code
o or some countries only: Your national identity card or passport number
o The information for Your emergency contact: name and telephone number, including country code
- We also need to collect the following information:
o photos and videos taken at the Events and on which You may be recognised: for a Public event, and as You have read and agreed to in the Sports Rules, You assign Your image rights to the photographs of the Event;
o medical certificate stating that there are no medical reasons preventing You from participating in the Event.
This document is important for Your safety and allows Us to ensure that You can take part without any problem in the Events for which You have registered.
- We also collect Data to help Us improve Your experience of the sport and how the Event is organised:
o depending on the Events You register for, We will ask You to provide information on Your level in the sport, Your experience in the sport, Your time target, Your T-shirt size, the reasons why You to register for the Event, or any other information that will help us improve organisation of the Event. This list is not exhaustive and is subject to change, depending on the type of Events sold on the Site.
184.108.40.206 Transaction Data
When You make an order, Our PCI-DSS-certified payment provider, ACTIVE, also collects and processes Data relating to Your payment methods:
- payment card number;
- card expiry date;
- card cryptogram (3-digit security code on back).
Your card details are never stored for future purchases, unless You have consented to storing these details during the transaction.
Your payment methods are never sent unsecured over the Internet. When You provide Your card details during the Transaction, they are encrypted using a security protocol.
220.127.116.11 Connection Data
These anonymous Data are collected for strictly technical reasons. We Use this information to resolve any technical issues that arise that require information about Your browser and its security level.
We will ask You to provide:
- information about Your browser;
- information about Your operating system.
5.1.2 Optional Data on the Site
These are personal data that you can choose to provide but that is not required to create Your account or to register for an Event. Data fields not marked with an asterisk are optional. They include:
- Your photograph;
- Your nickname.
5.2 Personal Data collected indirectly by A.S.O. and by ACTIVE
These are Data that You do not provide directly, but that We collect when You browse the Site.
5.2.1 Information about use of the Site
We may collect Data on the use of the Services provided through the Site, in particular your interaction with Our Services, how many Events You register for or Your performance results.
6 Purposes for which We Process Your Personal information
We process Your Data according to the purposes for which Your provided them.
The legal basis for using the Data collected when You use the Site are:
- Your Consent;
- Our Legitimate Interest.
6.1 Your Consent
When You enter Your Data on the Site to select an Event and register for it, You express Your Consent and Wish to take part in the said Event. You give your Consent for us to process Your Data for the following Purposes:
- to register You for the Events in the Universes offered on Our Site;
- to process, track and manage Your registrations for the Events (giving you a bib; your time, etc.);
- to provide our Processors with snapshots of Your email for the purposes of offering you for purchase photographs of the Events in which You appear, if applicable;
- to offer you tailored Services, particularly with regard to the information entered in Your account or during registration for an Event: advice, training programmes, photos, videos, or any item You select;
- to give You or the persons of Your choice access to Your Photos and videos taken on the day of the Event;
- to send you promotional offers from Site partners;
- to allow You to share Your name, photo and Events in which you took part with your friends on Facebook;
- to collect information through surveys or questionnaires that We send You after your participation in an Event. At all times, you control whether or not You agree to answer a survey or questionnaire by clicking the Unsubscribe link in the emails or by connecting to Your Account and unchecking the relevant box;
- to organise draws and games that You can sign up for;
- for any other purpose specified when collecting Data and for which Your Consent will be requested.
6.2 Our Legitimate Interest
We Process the following Data on the basis of Our Legitimate Interest or Your Legitimate Interest:
- to make sure that You are not medically prevented from taking part in the Event You have registered for;
- to promote Our Events by publishing photographs that You might appear in and to which you have waived your image rights;
- to send You emails or to put messages on the Site to provide You with:
o confirmation that Your account has been created;
o information, announcements and updates concerning the Site;
o summary messages of Your password and login;
o confirmation of Your order and payment receipt, when You register for an Event;
o newsletters with information on the time to Universe and/or the Event You registered for;
o information to correct account errors;
- to send promotional offers, ads or other marketing communications on Related Services to You by email or text message;
- to give You Your results, send Your certificates;
- to conduct anonymous surveys on the sporting features of Event participants for the purposes of segmentation. These are used to tailor Our communications, products and services and improve Your customer experience;
- to combat fraud and collect unpaid bills;
- to manage, amend and improve the Site and Our Services;
- to manage marketing and promotion of Our Services;
- to look after the health of participants through the provision of Covid-19 negative test documents.
7. The legal basis for Processing Your Data
7.1 Why Your Consent is important
We never sell or rent out Data to third parties. Your information is used in strict compliance with applicable data protection laws. You and you alone control how We use Your Personal Data by giving or withdrawing Your Consent at any time.
7.1.1 When You register for an Event organised by a third-party Organiser, without A.S.O.’s involvement in this organisation, You authorise Us to provide that Organiser with Your profile Data. In this scenario, the third-party Organiser is the Data Controller and A.S.O the Processor, under the meaning of applicable Regulations.
The third-party Organiser and A.S.O. are accountable to You for adhering to and complying with applicable Regulations.
7.1.2 By subscribing for and taking part in a sports Event, You understand and agree that the Event Organiser may publish Your activity, results and performance.
Because the Site is hosted by our partner ACTIVE, and because it is a single sign-on (SSO) platform as this term is explained in our Terms and Conditions of Use, https://passport.active.com/waiver?waiverId=2180102&waiverLocale=en_GB. You may find Your results on the Passport-ACTIVE site. IF YOU WISH TO OBJECT TO SUCH PUBLICATION OF YOUR INFORMATION FOR A LEGITIMATE REASON, YOU MUST SUBMIT YOUR REQUEST TO
THE EVENT ORGANISER DIRECTLY PRIOR TO THE EVENT, in accordance with the Event Rules.
Please note that by taking part in an Event organised under the auspices of a sports federation that issues official rankings, the Organiser may not be in a position to blank out Your results.
Once published, Your results can be taken up by any media. Publication of results by a media constitutes Data processing for the purposes of information and therefore constitutes a derogation from Data protection under GDPR, No. 153.
Similarly, should You wish a site other than time to to remove your results or personal data,
Nor is A.S.O. liable for publication or removal of this information when the Event is organised by a third-party Organiser.
7.1.3 If You have given Your consent by checking the appropriate box on the Site when You registered for an Event, You may receive marketing and/or promotional offers by telephone call and/or by post and/or by email and/or by text message:
- from Site partners and/or A.S.O.’s partners to whom Data may be transmitted for the purposes described in the opt-ins;
- from the Event Organiser’s partners, if applicable.
You can log in to Your profile to change your preferences at any time. Your Consent to receive this type of communication is managed directly by the Organiser. A.S.O. declines all liability in this regard for any and all Events for which it is not the Organiser.
7.1.4 When You register for an Event, You can, if you wish, opt to link Your Facebook account to share Your last name, first name and photo with Facebook.
If so, Facebook will request Your Consent to share:
· the list of Your friends that use time to and who have also shared their friends list with time to;
· Your email address.
You can also configure Your Facebook - time to application to receive notifications and select who is authorised to see You when you use the App.
7.2 Our Legitimate Interest
You become an A.S.O. Customer when You register for a public sports Event offered on the Site. The email address You provide during registration for a public sports competition offered on this Site will be used subsequently to offer other similar Services organised by A.S.O.
Similar Services are products and services that have points of similarity with the products and services You purchase on this Site. The services purchased on this Site are part of the Universe of Sports Events for the general public; the Similar Services offered will concern future marathons, triathlons and cycling events organised by A.S.O.
This processing is based on Our Legitimate Interest in marketing with respect to Article L.34-5 of the French Post and Telecommunications Code. Your Personal Data are protected in accordance with the e-Privacy Directive, the upcoming e-Privacy Regulation, the GDPR, the French Data & Marketing Association’s Code of Ethics and the Union Française du Marketing Direct’s Code of Ethics.
According to the purpose of this processing, Your email address will not be transmitted to Our partners, unless you have given your Consent.
The scope of this processing covers all A.S.O. customers, except those who access this Site from the United Kingdom.
You have the right to object to such processing, simply and free of charge, by clicking the link in the email You receive when You register.
8 Retaining Your Data
8.1 How long We keep Your Data
We retain Your Data for the required legal retention periods, depending on the type of Data and the purpose.
8.1.1 In general, A.S.O. keeps Your Data throughout Your activity on the Site and for three (3) years from the date You were last active (account log-in, taking part in an event, purchase on time to, etc.).
At the end of the three-year period, A.S.O. will send You a reminder by email. If You do nothing and/or do not reply, A.S.O. will delete Your account and all Your Personal Data no later than the end of the month in which You received the reminder by email.
Nevertheless, when exceptional circumstances so require or a case of force majeure, obliges Us to cancel the Events offered by timeto, as was the case for the year 2020, during which the law prevented us from providing You with the Services and products offered on timeto, We may keep Your data for a period of one additional year. Indeed, not having been able to offer You Our services or products, We consider the year 2020 as a blank year. This additional retention measure only concerns persons whose last activity dates back to 2020.
8.1.2 A.S.O. will not store any health data viewed/consulted when the participant provided the document proving they had tested negative for Covid-19.
8.1.3 If You delete Your profile on Our Site, We will delete Your Data and information from all timeto and ACTIVE platforms within 30 days from the date You deleted Your profile. We will also ask all Data Processors liable to have Your Data to delete them, in accordance with the law. You need do nothing.
8.1.4 In general, We keep the details of the payment card You used to pay for products and/or services on time to for up to thirteen (13) months following completion of Your Transaction.
When required in exceptional circumstances, such as if an Event is cancelled or postponed due to a force majeure and customers are offered a refund, We may be obliged to retain Your payment card details for longer than 13 months in order to refund You, if necessary.
8.1.5 For limited and legally allowed reasons (payment, guarantee, dispute, etc.) or for any other purpose specified in the Terms and Conditions of Use and Terms and Conditions of Sale,
A.S.O. will temporarily store Your Data in a secure digital vault. We will store Your archived Data in France on servers belonging to Our data archiving service provider, Locarchives.
Only staff duly authorised by A.S.O. will have access to these Data for a period required by law, depending on the type of Data and the purpose for which they are archived. At the expiry of this legal period, Your Data will be definitively and securely deleted.
8.2 Where and how We retain Your Data
The Data We collect are stored and hosted by ACTIVE, a company that specialises in managing large-scale Events.
The servers that host Your Data are located outside the European Economic Area, in the United States of America. A.S.O. has ensured that ACTIVE has provided guarantees that Your Data are protected, in accordance with applicable personal data protection and cybersecurity laws (PCI-DSS certification; documentary-based security audits; signature of a data protection addendum (DPA), and Transfer Impact Assessment).
In general, You explicitly consent to the transfer of Your Data to an Organiser and/or Processes located outside the European Economic Area, for the purposes of providing the Services, statistical analysis on anonymous data, providing support to users, hosting the Data, and organising the Event when it takes place outside the European Economic Area.
When A.S.O. is the Data Controller, We undertake to ensure that Data are transferred under conditions that ensure the confidentiality and security of the information and with an adequate level of protection in compliance with GDPR, Articles 32 to 36. These same requirements also apply to any other third-party Organiser.
9 Your data protection Rights and how to exercise them
9.1 Your rights:
Your personal data is protected under data protection law, including French Law No. 78-17 on data processing, files and civil liberties as amended in 2018 (the "Data Protection and Civil Liberties" act) and Regulation (EU) 2016/679 (GDPR). You have the right to access, rectify, delete and restrict processing, the right to object and the right to portability of Your Data, pursuant to GDPR, Articles 15 to 21.
Right to access: you can request access to Your Data and to obtain the Data We hold concerning You, in accessible and legible form.
Right to rectify: you can request to have Your Data amended, corrected or updated if it is inaccurate or incomplete. You can also amend some of Your Data directly by logging in to Your profile.
Right to delete (erasure): you can ask Us to erase or delete some or all of Your Data free of charge, within the limits of our duties and obligations under applicable Regulations.
Please be informed that We can agree to Your request to delete Your Data in Your account only after the Event You are registered for has ended. This is necessary for the Organiser to provide You with the information relating to the Event and deliver the Services, which you duly acknowledge and release the Organiser of all liability.
You are informed that following a period of inactivity, Your Data is automatically deleted from our databases, retaining only such information as is required to comply with a legal obligation (the legally prescribed term to exercise a right to action or in defence) in a secure digital vault, accessible only by the legal department.
Where You have also opened accounts with ACTIVE in order to take part in one of the Events sold on their Site, You must make the deletion request to A.S.O. and ACTIVE at the same time to avoid these technical problems:
- since time to is an SSO site managed by ACTIVE, You can continue to connect to time to
even though A.S.O. has deleted Your Data;
- if You want to register for a new Event organised by A.S.O. at a later date and You create a new account using the same email address as in the past, the same as that used by ACTIVE on their site, A.S.O. will be unable to identify You and You may not be able to register for this new Event.
Right to restrict processing: you have the right to ask Us not to process some of Your Data, for instance where you challenge its accuracy or where you object to Processing. We will need to verify Your request. During this period, You may ask Us to temporarily halt Processing. However, even if we halt Processing, We can use Your Data for a right to bring an action or for defence in court, to protect the rights of another natural or legal person or for important reasons of public interest.
For example, we will be unable to grant a request to restrict Processing of a photo in which other people appear with You, as We would be infringing on the rights of others.
Right to object: you have the right to object to the processing of Your Personal Data at any time, provided that the Data in question are processed by Us or by Our Processors. This means You can object to marketing and to receiving emails or text messages from Us.
Right to data portability: you have the right to obtain the Data You provided solely based on Your consent in an easily reusable format.
Post-mortem right: you also have the right to give instructions on the retention, erasure and disclosure of Your Data after Your death.
To do this you can:
· either give general or specific instructions on what happens to Your Data when You die, or
· nominate Your heirs and assigns to carry out Your wishes and implement Your instructions.
9.2 How to exercise Your data protection rights
Here’s how to exercise Your rights:
- with A.S.O. as regards Your account Data;
- with the Organiser as regards the Data relating to Your participation in an Event.
When A.S.O. is the Event Organiser, all Your rights can be exercised with A.S.O.
To exercise all Your rights with regard to A.S.O. fill out the form available here: https://www.timeto.com/en-GB/gestion-des-demandes.
When You have completed the form and attached the documents requested, Your Data Protection Officer (DPO) will be notified.
You can also exercise your rights by post to:
AMAURY SPORT ORGANISATION AMAURY DATA PROTECTION OFFICER
40- 42, Quai du Point du Jour, 92100 Boulogne-Billancourt
To prevent identity theft, You will be asked to confirm Your identity. This information will be destroyed as soon as A.S.O. has processed Your request in full.
A.S.O. will reply to Your requests to exercise Your rights within the statutory period of thirty (30) days following receipt of Your request and documents. Failure to provide Us with all the information required for processing within the statutory period will extend this duration by the time taken to obtain all necessary documents.
You have the right to submit a complaint to the French data protection authority, Commission Nationale Informatique et Libertés (CNIL) if You are not satisfied that We have respected Your rights.
9.3 How to exercise Your rights regarding marketing communications
You also have the right to object to receiving marketing communications in any form whatsoever.
9.3.1 If You are concerned about marketing calls, you can also object to the use of Your phone number by registering for free on the website www.bloctel.gouv.fr.
9.3.2 If You are concerned about marketing emails, You can unsubscribe from newsletters by clicking the Unsubscribe link in the newsletter.
9.3.3 If you are concerned about receiving marketing text messages, you can unsubscribe free of charge by texting “STOP SMS” to the number in the text message.
We will process Your requests within 48 (forty-eight) working hours at most, except for requests sent by post, which will be handled within 8 (eight) days.
You can exercise Your rights by:
- post to A.S.O., DATA PROTECTION OFFICER. 40-42 Quai du Point du Jour, 92100 Boulogne Billancourt, France
- email to Our Data Protection Officer at firstname.lastname@example.org
10 How we keep Your Data safe
In accordance with the applicable data protection Regulations, We use appropriate technical and organisational measures to keep Your Data safe. These include “Data protection by design and by default”, audits of Our Processors and oversight of contractual relations with them, Site security, signature of Standard data protection clauses ensuring secure Data transfer, etc. We require the same stringent security and protection measure from Our service providers.
You are responsible for keeping the login and password you created when you registered on the Site safe and secure.
You undertake to keep Your account safe and secure and not to share Your password and login with anyone else.
You will be notified on the Site home page or by email that the new Policy is available. It is important that You consult Our policy regularly to stay informed about any updates.