1. Who is data controller of your personal data?
ISTRA D.M.C. Ltd. Umag, Jadranska 66, Croatia (the “Event Organizer”) is a data controller and are responsible for, and control, the processing of the personal data you submit. Event Organizer processes your personal data jointly with the World Triathlon Corporation, 3407 W. Martin Luther King Blvd, Suite 100, Tampa, Florida 33607, USA (“WTC”) and Ironman Germany GmbH, Höchster Straße 90, 65835 Liederbach, Germany (“IMG“). For the purpose of the performance of the Event, Event Organizer, WTC and IMG, shall be therefore deemed as Joint Controllers (Event Organizer, WTC and IMG, collectively, “we” or “Joint Controllers”).
2. What personal data do we collect?
The Registration Partner gives us access to the personal data you fill in the registration. The personal data will regularly include the following:
Name, email address, phone number, address, birth date, place of birth, gender, information on medical condition and medications, emergency contact information, relay information, and other information you provide during registration. The Joint Controllers also have access to the last 4 digits of the credit card used for the registration in order to initiate refunds by the Registration Partner.
In the course of preparing the Event, we might add other information, such as your registration number and the age group to which you are allocated.
3. Why and on which legal basis do we collect and use your personal data?
Regularly we use your personal data for the following purposes and on the following legal grounds:
- We use your personal data in order to perform our contractual services or for the preparation of entering into a contract with you. If you register for our Event, we use your data to conduct our Event and make your participation in our Event possible or handle cancelations, including refunds. Information we use includes: information we need to contact you or otherwise communicate with you, e.g., to send you administrative information, registration and Event information to process your Event registration and participation; information to respond to your comments and questions and provide customer service.
- We use your personal data if justified by our legitimate interests. The usage of your personal data may also be necessary for our own business interests. For example, we may use some of your personal data to evaluate and review our Event and overall business performance, understand you and your preferences to enhance and individualize your experience and enjoyment of our Event. If necessary, we may also use your personal data to pursue or defend ourselves against legal claims.
- We use your personal data after obtaining your consent. In some cases, we may ask you to grant us separate consent to use your personal data. You are free to deny your consent and the denial will have no negative consequences for you. You are free to withdraw your consent at any time with effect for the future. If you have granted us consent to use your personal data, we will use it only for the purposes specified in the consent form.
- We use your personal data to comply with legal obligations. We are obligated to retain certain data because of legal requirements, for example, tax or commercial laws or we may be required by law enforcement to provide personal data on request.
We will only use your personal data for the purposes for which we have collected them. We will not use your personal data for other purposes. We do not use your personal data for automated individual decision-making.
4. With whom do we share your personal data?
As required in accordance with how we use it, we will share your personal data with the following third parties:
- Joint Controllers: The personal data will be share between the Joint Controllers for management of the Event and for their respective processing purposes described above.
- Partners: Event Organizer will share your personal data with its parent organization Plava Laguna d.d., which is involved in the organization of the Event.
- Service providers and advisors: Third party vendors and other service providers that perform services for us, which may include marketing campaign services, providing mailing or email services, tax and accounting services, services related to the registration and organization of our Event, data enhancement services, timing, filming, photographing, fraud prevention or providing analytic services. Where applicable such service providers will by appropriate data processing agreements be bound to only process the data on our behalf and under our instructions.
- Marketing Partners. Provided you have granted your consent, we may disclose your personal data to our third-party sponsors and marketing partners (collectively, "Marketing Partners") to allow them to market their products or services to you, and measure the effectiveness of their marketing campaigns, promotions, endorsements and sponsorships or for other marketing purposes.
- Event Photographers. If you participate in our Event and have given us consent to do so, we will disclose your bib number, name, email address and phone number to the Event photographer, who may contact you with photos from the attended Event.
- Purchasers and third parties in connection with a business transaction: Personal data may be disclosed to third parties in connection with a transaction, such as a merger, sale of our assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business, or in the event of a bankruptcy or similar proceedings.
- Law enforcement, regulators and other parties for legal reasons: Third parties as required by law or subpoena or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) to enforce our legal claims or to protect the security or integrity of our Event; and/or (c) to exercise or protect the rights, property, or personal safety of the Joint Controllers, our athletes, visitors, or others.
- The public: The official rankings and information justifying the ranking will be disclosed to visitors of our event and on WTC's website ironman.com. Further a Tracking function can allow public users the (estimated) location of an athlete during a race.
5. How long do we keep your data?
We will store personal data for as long as necessary to fulfil the purposes for which we collect the data, in accordance with our legal obligations and legitimate business interests. Afterwards, or at the end of the statutory retention times, the personal information will be deleted. For example, national commercial or financial codes may require to retain certain information for up to 10 years.
6. How do we protect your information?
We implement a variety of security measures to maintain the safety of your personal data when preparing the Event. In the event that any information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose personal data may have been compromised and take other steps, in accordance with any applicable laws and regulations.
7. How do we safeguard your personal data when there is an international transfer?
Your personal data will be transferred to countries outside the European Union or the European Economic Area. For example, WTC will access your personal data from the USA. This may mean that your personal data will be stored in a jurisdiction that offers a level of protection that may, in certain instances, be less protective of your personal data than the jurisdiction you are typically a resident in.
For this reason, we have entered into guarantees to ensure appropriate safeguards. If we transfer information from the European Union to third parties outside the European Union and to countries not subject to schemes which are considered as providing an adequate data protection standard, we will enter into contracts which are based on the EU Standard Contractual Clauses with these parties.
8. What rights and choices do you have?
We want you to understand your rights and choices regarding how we may use your personal data. Depending on how you use your data, these rights and choices may include the following:
You have specific rights under applicable privacy law in respect to your personal data that we hold, including a right of access and erasure and a right to prevent certain processing activities.
If you are a resident in the European Union, you have the following rights in respect to your personal data that we hold:
- Right of access. The right to obtain access to your personal data.
- Right to rectification. The right to obtain rectification of your personal data without undue delay where that personal data is inaccurate or incomplete.
- Right to erasure. The right to obtain the erasure of your personal data without undue delay in certain circumstances, such as where the personal data is no longer necessary in relation to the purposes for which it was collected or processed.
- Right to restriction. The right to obtain restriction of the processing undertaken by us on your personal data in certain circumstances, such as, where the accuracy of the personal data is contested by you, for a period of time enabling us to verify the accuracy of that personal data.
- Right to portability. The right to portability allows you to move, copy or transfer personal data easily from one organization to another.
- RIGHT TO OBJECT. YOU HAVE A RIGHT TO OBJECT TO ANY PROCESSING BASED ON OUR LEGITIMATE INTERESTS WHERE THERE ARE GROUNDS RELATING TO YOUR PARTICULAR SITUATION. YOU CAN OBJECT TO MARKETING ACTIVITIES FOR ANY REASON WHATSOEVER.
If you wish to exercise one of these rights, please contact us using the contact details below. For e-mail marketing, we provide the following easily usable option: If you no longer want to receive marketing e-mails from us, you may choose to unsubscribe at any time using the link provided in every e-mail we send.
In addition to the foregoing listed rights, as an EU resident, you also have the right to lodge a complaint with your local data protection authority. Further information about how to contact your local data protection authority is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
9. How to contact us?
ISTRA D.M.C. Ltd.
Umag, Jadranska 66 Croatia
The Event Organizer will also pass your request on to the other Joint Controllers, if needed.
You may also contact the WTC and IMG directly, if you want: PrivacyPolicy@ironman.com.
10. Data Protection Officer
For all enquiries regarding Event Organizer’s activities you may also want to contact its Data Protection Officer who can be reached at firstname.lastname@example.org.
For all enquiries regarding IMG's activities, you may also want to contact its Data Protection Officer who can be reached at email@example.com.
For all inquiries regarding WTC’s activities, you may also want to contact its data privacy team which can be reached at firstname.lastname@example.org.