Last update on July 1st,2020
1. Our commitment to protecting your Data
Amaury Sport Organisation (A.S.O. ), a limited company with a capital of 61,200,240 euros registered with the Trade and Company Register of Nanterre under number 383 160 348, headquartered at 40-42 Quai du Point du Jour, 92100 Boulogne-Billancourt, (hereinafter “We”) collects and processes Data to enable the user (hereinafter “You”) to use in an optimal way the website www.timeto.com (hereinafter the “Site”) and all the services We provide in the Site (“Services”).
A.S.O. knows that you value how Your Personal Data is processed and We are committed to protecting Your Privacy.
"Consent" of the person concerned means any freely given, specific, informed and unambiguous indication of the Data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal Data relating to him or her. We will ask for Your Consent to be able to process Your Data in specific cases such as receiving marketing communications from Our partners.
"Personal Data" (“Data”) means any information relating to an identified or identifiable natural person (hereinafter the “person concerned”); a person concerned is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location Data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"Event" refers to the gathering of sports enthusiasts participating in physical activity, be it competitive or not.
"Rules" refers to the sports regulations and the general conditions applicable to the organization of an event.
"Applicable Regulations" refers to Act N° 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties modified, the Regulation (EU) 2016/679 of the European Parliament and council of 27 April 2016 on the protection of natural persons with regard to the processing of personal Data and on the free movement of such Data, and repealing Directive 95/46/EC (General Data Protection Regulation), and any other applicable privacy regulations.
"Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. In this case, A.S.O. will be considered as Data Controller when it is the Organizer of an Event.
"Data Processor" means a natural or legal person, public authority, agency or other body which processes personal Data on behalf of the controller. A.S.O will be considered a Processor when it organizes Events on behalf of other organizations, for example.
The terms "You," "Your", and "Yours" refer to You, as a user of the Site or as a parent or legal guardian (major) if the user is a minor in his country of residence.
3. The Data and information collected
By using the Site, You will be required to provide directly (3.1) to Us or indirectly (3.2) a certain amount of Data and information, especially when You create an account or when You complete Your registration to an Event sold on timeto.
3.1. Personal Data directly collected by A.S.O. and by ACTIVE
When You use the Site, We inform You that We directly collect and process Data which is considered as mandatory to create Your user account or to register for an Event which is sold on timeto.
Please be aware that if You refuse to provide Data which is mandatory (3.1.1), We will not be able to create Your account neither to register You for the chosen Event.
Other Data will be optional (3.1.2) and You will have the choice of whether to provide them.
3.1.1. Mandatory Data the User declares
These are the Data that You, User of the Site, communicate to Us directly when creating an account on the Site or when You register for an Event sold on the Site.
When You create Your account, You will need to create a strong login and password, following to CNIL recommendations.
The mandatory nature of the Data collected when You register for an Event is indicated by an asterisk (*).
In particular, the following Data You declare are considered mandatory, knowing that this list is likely to evolve according to A.S.O. 's legal, technical or organizational constraints:
184.108.40.206. When creating Your account:
- Email address
- Last Name
- Date of birth
- Country of residence
220.127.116.11. When You sign up for an event:
We collect Your identification Data:
- Last Name;
- Date of birth;
- Email address;
- Full postal address;
- Telephone number preceded by the country code;
- For some countries only: The number of Your national identity card or passport
- Information about Your emergency contact: name and telephone number.
- Photos and videos taken on Events and on which You are likely to be recognized.
We also collect Data that allows Us to improve the organization of the Event and Your sports experience:
Depending on the Events You register for, We will ask You to provide Us with Data about Your athletic level, Your sporting experience, Your time goal, the size of Your T-shirt, Your personal motivations to register for the Event, or any other information that allows Us to improve the organization of the Event. This list is not exhaustive and will evolve, depending on the nature of the Events sold on the Site.
18.104.22.168. Data about Transactions
When You make an order, Our payment provider, ACTIVE, PCI-DSS certified, also collects and processes Data about Your means of payment:
- Credit card number,
- Expiry date
- Visual cryptogram.
Your card details are never saved for further purchases unless You agree to do so when You make the transaction.
Your means of payment never go through Internet in plain language. When You communicate them to Us during your Transaction, the numbers are encrypted through a security protocol.
3.1.2. Optional Data on the Site.
This is personal Data that is not necessary to create Your account or sign up for an Event but that You can provide to Us if You wish to do so. Data not preceded by an asterisk are considered optional.
- Your photograph
- Your nickname
3.2. Data indirectly collected by A.S.O. and by ACTIVE:
This is Data that You do not provide to Us directly, but which can be collected by Us especially through Your navigation on the Site.
3.2.1. Connection Data.
Through Your navigation, We can collect Your Personal Data when You visit the Site or Our applications or Third Parties’. This may include:
- Information about the browser You are using
- Information about the operating system you are using;
- The pages You visit;
- The links You click on while browsing the Site.
3.2.2. Information about the use of the Site.
We are likely to collect Data about the use of the Services provided through the Site, including Your exchanges with Our Services, how many Events You have signed up to or the sports results You have obtained.
4. Using Your Personal Data
4.1. Purposes of use
This Data is collected and processed when You use the Site. Their processing is necessary to meet the next purposes:
4.1.1. Allow the processing, monitoring and management of Your registrations to Events (benefit from a bib; be timed, etc.);
4.1.2. Offer personalized services, especially in relation to the information provided on Your account or when You sign up for an Event: advice; training programs, photographs, videos, or any other object You would select;
4.1.3. Allow You and/or allow people of Your choice to access Your Photos and Videos, taken the day of the Event;
4.1.4. Sending to You emails or posting messages on the Site to provide You with:
- Confirmation of Your account creation;
- Information, announcements and updates about the Site;
- Recap messages of Your password and ID;
- Confirmation of Your order and payment receipt, following to Your registration for an Event;
- Newsletters about Our activities and/or the Event You are registered for;
- Information to rectify account errors.
4.1.5. Sending emails or SMS with promotional offers, advertisements or other commercial communications about similar Events or, if You have consented, commercial communications from partners of the Site or Events of different nature from the one(s) You have registered for or participated to;
4.1.6. Inform You about Your results and send to You Your diplomas;
4.1.7. Collect information through polls, surveys or questionnaires We send to You as an outcome of Your participation to an Event. You can always control Your participation to these polls, surveys or questionnaires by opting out via the unsubscribing link inserted in the emails;
4.1.8. Create anonymous segmentations about the sporting characteristics of Event participants, allowing Us to adapt Our services, products and communications and improve Your customer experience;
4.1.9. Let You share Your name, photo and Events You participate to with Your friends on Facebook;
4.1.10. Organize lotteries and competitions and allow You to register and participate in them;
4.1.11. Fighting fraud and collecting unpaid debts;
4.1.12. Enable the management, modification and improvement of the Site and of Our Services;
4.1.13. Manage the marketing and promotion of Our Services
4.1.14. Allow any other purpose specified during the Data collection and for which Your Consent will be requested.
4.2. Personal Data Recipients
The Data collected during Your registration allows the creation of Your sports ’profile and provide You with products and services which fit Your expectations.
This Data We collect can be shared with:
- Organizers of Events proposed in the Site, different from A.S.O: to allow the Organizers to confirm Your participation in the Event and to organize it properly. In such cases, Organizers are the Data Controllers and A.S.O. is their Data Processor;
- Commercial partners of the Site, if You have given Your Consent. This allows them to propose to You products and/or services, either alone or with A.S.O, for solicitation purposes and/or advertising of their products and services;
- Data Processors whom A.S.O. works with for technical, commercial, legal or financial services. This allows them to provide You with Services, especially hosting Data and executing transactions. Data Processors act on behalf of A.S.O. and follow A.S.O.'s instructions.
4.3. Responsibilities of the Data Controllers and of the Data Processors.
A.S.O. will be considered a Data Controller or a Data Processor, depending on if A.S.O. is the Organizer of the Event sold on the Site or not:
- A.S.O. is to be considered a Data Controller when A.S.O. is the Organizer of the Event You participate to. In such a case, A.S.O. provides You directly with a product or with a service;
- A.S.O. is to be considered a Data Processor when A.S.O. sells on the Site an Event organized by a Third-party Organizer. In such a case, A.S.O. provides You with a service or sells to You a product on behalf of another Sports Event Organizer.
The Organizer is committed to complying with the Applicable Regulations relative to Personal Data protection, including GDPR. Thus, the Organizer commits itself to:
- Limit the access to employees and staff authorized to the only Data necessary for the purposes followed by the processing of Your Data;
- Enter into any contract with Data Processors who may access, host and/or process some of Your Data, provided that they comply with the Applicable Regulations relative to Data Protection and to cybersecurity law.
All Data Processors will act on behalf of the Data Controller as defined in the Event’s Regulation and according to their instructions. Data Processors will guarantee the protection, security and confidentiality of Your Data, in compliance with this Policy and with any Applicable Data Protection and cybersecurity laws.
5. Importance of Your Consent
We neither sell nor rent Data to third parties. We use Your Data in strict compliance with Applicable Personal Data protection law. You remain the sole master of the use of Your Personal Data by giving or withdrawing Your consent at any time:
5.1. When You sign up for an Event organized by a third-party Organizer without A.S.O. intervention in the organization, You allow Us to send him the Data of Your Profile. In this case, the third-party Organizer is the Data Controller and A.S.O acts as its Data Processor within the meaning of the Applicable Regulations.
The third-party Organizer and A.S.O. are responsible before You to comply with the Applicable Regulations.
5.2. By registering and by participating to a Sports Event, You understand and agree that Your activity, results and athletic performance are likely to be published by the Event Organizer.
Be aware that when You participate to a sporting Event organized on behalf of a sport federation which discloses the official classification, the Organizer may not be able to obfuscate Your results.
Once the results have been disclosed, they can be published by any media. Any publication of the results by any media constitutes a Data Processing for journalistic purposes and thus, is a derogation to Data Protection stipulated by Recital 153 of GDPR.
Be aware that A.S.O. cannot be held responsible for publishing or withdrawing this information when the Event is organized by a third-party Organizer.
5.3. If You have consented, by checking the respective box in the Site when You register for an Event, You are likely to receive commercial and/or promotional offers by phone and/or by mail and/or by SMS:
- From Site partners and/or A.S.O. partners, to whom the Data can be transferred and ceded for purposes as described in the drafting of the opt-ins;
- On behalf of the Event Organizer for Events of other nature than the one(s) You have registered for or participated in;
- Potentially, from the partners of the Event Organizer.
You can change at any time Your preferences regarding the communications You want to receive by logging into your profile. Your Consent to receive this type of communication is directly managed by the Organizer. For any event which Organizer is a third-party, A.S.O. assumes no liability whatsoever.
5.4. When You register for an Event, You will be able to choose to link Your Facebook account and thus, if You wish, share Your last name, Your name and Your photo with Facebook.
Later, Facebook will ask for Your consent to share:
- The list of Your friends who use timeto and who have also shared their friends list with timeto;
- Your email addresses.
You can also set up Your Facebook - timeto app to receive notifications and select who You can see when You use the App.
5.5. The Organizer may be required to provide Your Personal Data upon request from any judicial or public authority that is authorized to do so under the Applicable Regulations.
As such, the Organizer must communicate Your Data to the police authorities in order to comply with its legal obligations, especially in the context of laws protecting the internal security. In such a case, Your Consent will not be required as it is one derogation scheduled by Article 49 of GDPR.
6. Personal Data Retention
6.1. The Life Cycle of Your Data
The Data are retained for the required legal retention periods, depending on the type of Data and of the purpose followed.
6.1.1. Generally speaking, A.S.O retains Your Data for the extent of Your activity on the Site and up to three (3) years from Your last activity (connection to Your account, participation in an Event, purchase made on timeto, etc.). At the end of the three (3) years period, A.S.O. will send You a reminder by email. If We get no action and/or response from You, A.S.O. will delete Your account and all Your Personal Data at the end of the month following the month You have received the reminder.
6.1.2. If You delete Your profile on Our Site, We commit to deleting Your Data and Information within 30 days after having deleted the profile on all the platforms, timeto and ACTIVE and to ask to all Data Processors which may have Your Data, to delete them in compliance with the law. You won't have to do anything.
6.1.3. In general, We keep for up to thirteen (13) months following Your payment of products/services on timeto the credit card details You used for Your Transaction.
However, where exceptional circumstances require it, such as in the case of a force majeure were to constrain Us to cancel or postpone an Event and, as a consequence, We introduce refund options, We may be compelled to keep Your credit card details for a period exceeding 13 months in order to refund You, if necessary.
6.1.4. Be aware that only the Data essential to exercise any legal action (i.e. legal limitation period of a right to act) will be archived within a secure digital vault which is accessible only to the legal department. Your archived Data will be stored in France within the servers belonging to Our service provider, Locarchives.
After this legal limitation period, We will delete Your Data permanently and securely.
6.2. Where and how is Your Data retained?
The Data We collect is stored and hosted by ACTIVE, a company that is specialized in managing large-scale Events.
The servers which host Your Data are located outside the European Economic Area, in the United States of America. A.S.O. has ensured that ACTIVE has all the safeguards to protect Your Data in accordance with any Applicable Regulation relative to Personal Data protection and cybersecurity (Privacy Shield and PCI-DSS certification; documents audits; signature of a Data Processing Addendum or DPA).
In general, You explicitly consent to transfer Your Data to an Organizer and/or Data Processors, located outside the European Economic Area, for the purposes of providing the Services, carrying out statistical analyses on anonymous data, supporting users, hosting Data, organizing the Event when it takes place outside the European Economic Area.
We commit Ourselves, for the Data We process as Data Controller, and We oblige any third party Organizer, to carry out these transfers under conditions that ensure the confidentiality and security of the Data and an adequate level of protection, in compliance with Articles 32 to 36 GDPR.
7. Which are Your Data protection rights and how can You exercise them?
7.1. Your rights:
According to the Applicable Data Protection Regulations, including the Act N° 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties as amended in 2018, and The Regulation (EU) 2016/679, You have the rights of access, rectification, deletion, limitation of processing, opposition and portability of Your Data, in accordance with Articles 15 to 21 GDPR.
Right of access: You can request the access, in an accessible and readable form, to Your Data We and/or Our Data Processors hold.
Right to rectification: You can ask Us to modify, rectify or update Your Data which could be inaccurate or incomplete. You can directly edit some of Your Data by accessing to Your profile.
Deletion right: You can ask Us to delete all or part of Your Data at no cost, if the Applicable Regulations allow Us to do so.
Be aware that, if You ever want to delete Your Data in Your account, the deletion will be possible only after the Event You are registered for is terminated. Otherwise, You admit that the Organizer will not be able to usefully communicate with You to provide You with all the information relative to the Event neither to provide You with the Services, and thus, You discharge the Organizer of any responsibility whatsoever.
Be aware that, following a period of inactivity, Your Data will automatically be deleted from Our data bases and, only the information indispensable to exercise legal actions (the legally prescribed term to exercise a right to action or in defense) is archived in a digital vault, exclusively accessible by the litigation department.
Processing limitation: You may ask Us to no longer process some of your Data: Your photograph, for example.
Right of Objection: You have the right to object to the Processing of your Data at any time, only if the Objection concerns Data We or Our Data Processors process.
Right to Data portability: You have the right to obtain disclosure of Your Data, which You provided to Us based on Your Consent only, in an easily reusable format.
Post-mortem Right: You also have the right to give instructions on the retention, erasure and disclosure of Your Data after your death.
To do this You can either:
- Directly define general or specific guidelines on the fate of your Data after your death or
- Assign Your successors to carry out Your will and implement the guidelines You have given to them.
7.2. How can you exercise Your Data protection rights?
You will be able to exercise all Your rights as follows:
- When the request concerns Your Account: You will ask A.S.O. to proceed
- When the request concerns the Data You have provided to participate to an Event: You will ask the Organizer to proceed.
When A.S.O.is the Organizer of the Event, You will be able to exercise Your rights before A.S.O.
You can exercise Your rights before A.S.O. by filling out the form which is available here: https://www.timeto.com/en-GB/gestion-des-demandes Once you have completed the form and attached the requested documents, Our DPO will be notified.
You can also send a post mail at:
AMAURY SPORT ORGANISATION
DATA PROTECTION OFFICER
40-42 Quai du Point du Jour,
Be aware that a copy of a document vouching for Your identity will be requested in order to prevent an identity theft. This information will be destroyed as soon as A.S.O. has processed Your request.
A.S.O. will respond to Your requests within the legal period of 30 days after having received the form and the documentation. If Your request is incomplete, We will not be able to process it within the legal time period, which will be interrupted and extended until We get the necessary documentation.
Finally, you have the right to lodge a complaint before the Commission Nationale Informatique et Libertés if You think that We have not respected Your rights.
7.3. How can you exercise Your rights in terms of commercial solicitation?
You also have the right to object to commercial solicitations.
7.3.1. If You are concerned about telemarketing, You can also object to the use of Your phone number by registering with no fees on the site www.bloctel.fr
7.3.2. If you are concerned about e-mail solicitations, You can unsubscribe the newsletters by clicking on the dedicated link You will find in each newsletter.
7.3.3. If you are concerned about SMS solicitations, you can opt out of the text message with no fees, sending the word "STOP SMS" to the number shown in the message You received.
We will process your requests within a maximum period up to 48 (forty-eight) working hours, except for requests sent by post mail, which require a processing time of 8 (eight) days.
You can exercise these rights by addressing:
- A letter to A.S.O. DATA PROTECTION OFFICER. 40-42 Quai du Point du Jour, 92100 Boulogne Billancourt, France
- An email to firstname.lastname@example.org
The contact information of the A.S.O. Data Protection Officer is: email@example.com
8. How do We protect Your Data?
In compliance with the Applicable Data Protection Regulations, We take all appropriate technical and organizational measures to ensure the protection of Your Data, especially "Privacy by design and by default" principles. We impose the same level of protection and security to the Data Processors We work with.
On your side, You are responsible for the confidentiality of Your password and the login you chose when registering on the Site.
You commit Yourself to take all the measures to ensure confidentiality and protection to Your account, and not to disclose neither Your password nor Your login to third parties.
You will be informed of the publication of the new Policy on the home page of the Site or by email. We recommend You check the Site regularly to be updated of any modification.
French version of this Policy prevails over any other linguistic version of the Policy.