INFORMATION NOTICE REGARDING THE PROCESSING OF PERSONAL DATA BY EVENTIM.RO S.R.L.

Through the information notice below, we provide you, in accordance with the General Data Protection Regulation (“GDPR”), details regarding:

(i) the way we use the personal data that you provide to us; and

(ii) the marketing activities we carry out through our websites or through social networks.

We also wish to inform you about the measures we adopt to protect your personal data, as well as about the rights and options you have to gain access to your data and to protect your privacy.

This information notice contains details about the categories of personal data we collect from you, how we process them and to whom we disclose them, if applicable.

This information notice applies to visiting and using the Eventim.RO websites where a customer account can be created and from which tickets can be purchased, to the websites of Eventim partners to the extent expressly indicated by us on those websites, as well as to our marketing activities related to Eventim.RO websites. Other websites are not covered by this notice and will provide their own information notices.

Within this information notice, the following terms have the meanings below:

• Processing – means any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for its nomination may be provided for by Union or national law.

Who is responsible for processing your data and whom can you contact if necessary?

We, EVENTIM.RO S.R.L., are the controller of your personal data and have the following identification details:

Registered office: Bucharest, Str. Aleksandr Sergheevici Pușkin, No. 7-9, 3rd Floor, District 1

Trade Registry number: J2007007871400CUI 21597760

E-mail: protectiadatelor@eventim.ro

What categories of information do we hold about you and from what sources do we obtain them?

a) We collect the data that you provide to us when creating an account and when placing an order (i.e., when you fill in the data collection form to purchase a ticket for an event available on our platform), namely:

a.1) If you decide to create an account on our platform (see purpose 1.1 (i) below), we will collect your email address.

a.2) If you place an order on our platform (see purpose 1.2 below), we will collect the following data:

• Identification data (first and last name) – necessary for performing the contract with you, for example, to provide you with a personalized (named) ticket; 

• Contact data (email address and phone number) – necessary for performing the contract (for example, to inform you about essential matters related to the concluded contract if there are any changes of any kind to the event for which you purchased tickets, such as postponement/cancellation).

• Address data (street and number, postal code, city, country) – necessary to physically deliver the tickets purchased, if you selected this option; 

• Payment data (for example, amount paid, card number) – necessary for processing/managing the payment you made.

a.3) If, in the context of placing an order, you decide to fill in the field regarding the personal numerical code (CNP), we will collect this data for the purpose mentioned at 1.1 (ii) below.

a.4) If, in the context of placing an order, you decide to fill in the field regarding the date of birth, we will collect this data for the purposes mentioned at 1.1 (v) and (vi) below.

a.5) If you use the “Favorites” functionality available in your account, for example, by marking favorite artists, venues or events, we will process the information saved by you in this section for the purposes described at 1.1 (iv), (vii) and (viii) below.

b) If you agree, we collect, through cookie-type technologies, information about your computer and about your visits to and use of this website, including your IP address, the general geographic location of your computer or device (city level), browser type, referrer source, pseudonymized IDs (cookie ID, mobile ID), search and browsing behavior on the site, duration of visit and number of page views when visiting our site. You can adjust the privacy settings in your browser to block most cookies; however, this could affect your browsing experience on www.eventim.ro. For example, we process this information for the purpose mentioned below at 1.1 (viii). More details about how we collect these data and the purposes for which we process data collected through cookies can be found in the Cookies Policy.

c) We collect data related to the events for which you purchased tickets (event name, row, seat, number of tickets, category, specialized event-related data). We will not be able to sell you tickets without this category of information;

e) When you post on our social media pages or send us messages, the network will provide us with a series of information about you, such as:

• Message text
• Name
• Profile picture
• Attachments (if applicable)
• Voice messages.
• We may also access all the information from your Facebook profile that you chose to make public.

f) If you have specific requests concerning access to events, we want to make sure you have the best experience. To this end, we need to collect details related to your request (which may involve providing information about your health condition). Without collecting this information, we will not be able to ensure we respond adequately to your request.

g) If you request a ticket return and reimbursement of their value, we collect the data included in the ticket return request filled in by you, the data from the payment order, as well as the bank account if the refund is made via bank. We will not be able to process the return request without processing this category of data.

h) If you use the print@home option, we collect the following information: (i) gender; (ii) first and last name; (iii) address; (iv) city; (v) postal code; (vi) country; and (vii) mobile phone number. Providing gender and mobile phone number is optional. The rest of the data are necessary to allow you to use the print@home function.

i) If you pay by bank card from outside Romania and our payment service provider suspects fraud, we receive data related to that transaction (such as your name, the bank card used for payment, the amount paid, the transaction date) for the purpose of verifying the transaction.

j) If you choose to write a review related to an event you attended, we will collect the data completed by you in the review submission form, such as the rating given (1–5), the date of the event, the venue, the city where the event took place, the title, the testimonial in text form, and the e-mail address, for the anonymous publication of the review on our website. Additionally, if you choose to complete your name in the form, we also process this information in order for it to be displayed next to the review.

k) We also collect any other information you send us on your own initiative. In most cases, providing this information is not mandatory, but we may be unable to resolve your request without the respective data.

For what purposes and on what legal grounds do we process your personal data?

1.1. Based on consent [Art. 6 (1) (a) GDPR] We process the personal data provided based on your consent as follows:

(i) if you create a user account on our website for the purpose of managing that account;

(ii) if you place an order and choose to fill in the field regarding your CNP (personal numerical code) for accounting purposes, in accordance with Government Emergency Ordinance (GEO) no. 138/2024 on amending and supplementing certain fiscal-budgetary acts and for regulating other measures. Alternatively, you have the option to enter thirteen zeros (0000000000000) in the form instead of the CNP;

(iii) if you participate in our contests, for purposes related to the contest;

(iv) if you subscribe to our newsletters, sending you information about certain categories/types of events, according to your selection, including in a personalized manner, for example about artists, venues or events marked as favorites in the relevant section of your account;

(v) if you decide to fill in the gender and mobile phone number sections in print@home or, as applicable, if you decide to fill in the field in the order placement form regarding date of birth, for the purpose of creating demographic and geographic statistics about our customers;

(vi) if you decide to fill in the section regarding year of birth for marketing purposes;

(vii) if you choose to save information in the “Favorites” section of your account;

(viii) for displaying personalized content recommendations within the website and user account based on the information you provide us, for example during the purchase process, while browsing the website, through various user account settings such as favorite artists/venues, ticket alerts, browser and device information, etc. We process your personal data for this purpose based on the consent expressed for storing/accessing cookie-type technologies;

(ix) if you decide to fill in your name in the review form, for the purpose of publishing it on our platform together with your review; and

(x) in any situation where we process data about your health in connection with access to events, if strictly necessary and we have explicit consent (e.g., Art. 9 (2) (a) GDPR).

If you have given your consent for the processing of your data, processing will only be carried out for the purposes and under the conditions mentioned in the written consent declaration (for example, in the case of sending newsletters to users who are not our clients). Consent may be withdrawn at any time without the need for justification. Withdrawal of consent will only take effect for the future.

1.2. For the performance of the contract [Art. 6 (1) (b) GDPR] The processing of personal data takes place in connection with the conclusion and performance of the contract concluded with you (i.e., sale of tickets, delivery of tickets, contacting you in case of irregularities in the payment process, informing you about essential matters related to the concluded contract, for example, where changes of any kind occur to the event for which you purchased tickets, processing and managing payments in order to issue the purchased ticket(s), etc.).

1.3. For compliance with legal obligations [Art. 6 (1) (c) GDPR] We may process your personal data if it is necessary to comply with legal obligations in connection with contract management, accounting, invoicing, etc.

1.4. For protecting the legitimate interests of the controller [Art. 6 (1) (f) GDPR] We process your personal data for the purpose of achieving the legitimate interests of Eventim.RO or a third party, as follows:

• Sending you information about the upcoming event for which you purchased ticket(s);
• Sending information/newsletters about similar events;
• For marketing purposes, internal marketing analyses and advertising;
• Advertising on third-party websites and on social networks;
• Adopting appropriate identity verification and security measures to protect your personal data, including for the prevention and detection of fraud (for example, adopting the measure that requires users to provide distinct forms of identity verification before accessing the account or a functionality);
• For the collection of the information completed by you in the review form regarding an event you attended, for the purpose of managing and, where applicable, publishing your review. The e-mail address completed by you in the dedicated review form is collected by the Controller strictly for administrative purposes, such as communicating the status of the submitted review. The e-mail address is not displayed next to the review, which will be published anonymously or, if you have chosen to complete the “Name” field, the review will be published under the name entered.
  
  The process of collecting, verifying and publishing reviews, including the data entered in the review form, is based on the legitimate interest of Eventim.ro SRL to ensure transparency regarding the services provided by its partners.
  
  We will collect your name for the purpose of publishing it alongside the review only if we have your consent. Please see, in this respect, purpose 1.1 letter ix) above.
  
  
• For the establishment, exercise or defense of legal claims;
• For conducting internal audits and checks, in compliance with applicable legal provisions.

To whom do we disclose your personal data?

We disclose your personal data for the purpose of concluding or performing the contract with you under Art. 6 (1) (b) GDPR, based on our legitimate interest to improve and promote our products under Art. 6 (1) (f), and, if you have given consent to the processing of data, based on that consent, under Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, if such consent is explicit.

Since protecting the confidentiality of your personal data is important, we disclose your personal data only in the situations below or in the context of an individual instruction received from you at the time of data collection or thereafter. Your personal data will not be sent to third parties by sale or other forms of disclosure in exchange for money.

1.1. Transfers to companies within the Eventim group

We transfer your data to companies within the Eventim group, in compliance with the provisions and obligations imposed by the GDPR and Romanian legislation regarding the processing of personal data, if we consider it to be in our legitimate interest to do so, for internal administrative purposes (for example, IT systems for customer management or ticket issuance management, for managing the review system contracted by CTS EVENTIM AG & Co. KGaA from BazaarVoice Inc., which is a provider participating in the EU-U.S. Data Privacy Framework for secure data transfers between the EU and the U.S.) or for auditing and monitoring our internal processes. We also transfer your personal data to group companies (such as CTS Eventim Austria GmbH) that provide us with products and services, such as information technology systems. Access to your personal data is limited to those employees who need to know the personal data and may include employees from the marketing, information technology and security departments.

1.2. Transfers to other third parties

If we, Eventim.RO, act as service providers (processors) for third parties or as joint controllers (e.g., when we manage associated websites, organize events, manage online shops, etc.), we provide the respective contractual partners with your data, if necessary for the performance of those contracts. We disclose your data to joint controllers, in accordance with the agreement concluded with them (Art. 26 GDPR) and the specific information notice we will make available to you. When we personalize tickets (e.g., print your first and last name on tickets), we act at the request of the event organizers as a processor. In that situation, for the processing of your data by printing on the ticket, the information notice of the respective event organizer will apply.

Also, to the extent necessary for seat allocation at events or if we receive a request from you that can be resolved by the event organizers, we disclose your personal data (including, if needed, the content of the message received from you) to the event organizers, based on the organizers’ legitimate interests to organize the events properly [Art. 6 (1) (f) GDPR] or your consent [Art. 6 (1) (a), respectively Art. 9 (2) (a) GDPR].

1.3. Transfers to processors

We also make your personal data available to our processors who act as service providers for us, where necessary for the provision of services on our behalf, such as the performance of contracts with you or handling your requests submitted through the call center, processing payment orders, account management, accounting and invoicing, management of the review system, sending newsletters and providing IT services, such as managing our platforms and databases, providing tools useful for our products and services, etc. This transfer takes place for purposes related to marketing and analysis/statistics.

Among the categories of processors to whom we transfer your data under the conditions above are CTS Eventim GmbH, which provides the IT platform on which Eventim.RO’s webshop operates, as well as CTS Eventim AG, which provides the software license and the necessary support for the ticket distribution platform. In the actual sale of tickets, EVENTIM.RO has formed a network of outlets – third-party partner companies that have been granted access to the ticket distribution platform based on a contract and which ensure the sale of tickets in the name and on behalf of EVENTIM.RO through their own distribution network (such as Cărturești, Humanitas, Carrefour, Good2Go, etc.). If the tickets for the event you wish to attend are personalized, these partners will have access to your data printed on the ticket at the time of sale.

1.4. Other transfers

We may transfer your personal data also (i) to auditors, lawyers, experts or other similar professional categories, to the extent necessary for the provision of the services for which they were contracted and in our legitimate interest; (ii) if we have such an obligation under the law or in the context of legal proceedings; (iii) if we consider that providing the information is necessary to prevent damage or financial loss to us or to data recipients, according to our legitimate interest or that of the respective data recipients; or (iv) in connection with investigations related to fraudulent activities (suspected or proven).

We will also disclose your personal data to third parties as follows:

• a. If you give us consent for such disclosure, if you request the respective disclosure or if the disclosure is necessary to resolve a request addressed to us by you [Art. 6 (1) (a), respectively Art. 9 (2) (a) GDPR];
• b. To banks and payment service providers, for the purpose of paying for tickets or refunding money in the case of a return [Art. 6 (1) (b) GDPR];
• c. To our transport/delivery service providers, for the purpose of delivering tickets according to your request [Art. 6 (1) (b) GDPR];
• d. To those who demonstrate they act lawfully on your behalf [Art. 6 (1) (a) GDPR];
• e. Where it is in our legitimate interest to administer our business [Art. 6 (1) (f) GDPR]:
• i. If we sell the business or parts of it, we may disclose your personal data to potential buyers of the business or its parts, given their need to verify and legally review the business they intend to buy (“legal due diligence”).
• ii. If Eventim.RO or a substantial part of its assets are acquired by a third party, in which case the personal data processed by Eventim.RO will either form part of the transferred business or the third party will have a legitimate interest in verifying and legally reviewing Eventim.RO’s business (“legal due diligence”).
• iii. To respond to any complaints, to protect our rights or the rights of a third party, to protect anyone’s safety or to prevent any illegal activity;
• or iv. To protect the rights, property or safety of Eventim.RO, our employees, customers, suppliers or other persons.
• f. If we are legally required to disclose a certain type of information, in the case of lawful requests from government officials, or when we are required to comply with national security or law enforcement requirements or to prevent illegal activity. Some of these recipients (including our affiliates) may use your data in countries outside the EU or the European Economic Area. See the section below for more details on this aspect.

1.5. Links to other web pages

In addition, this platform contains links to web pages of other providers. EVENTIM.RO has no control over such websites, therefore the user is advised to check them for any information regarding their privacy policy. EVENTIM.RO assumes no responsibility for the content of linked pages.

Are your data transferred to a third country or an international organization?

If we process your personal data in a third country (i.e., outside the European Union or the European Economic Area), we will transfer data only to fulfill (pre-)contractual obligations, on the basis of consent, under a legal obligation or under a legitimate interest. Subject to a legal or contractual authorization, we process or arrange for the processing of personal data in a third country only if the specific conditions mentioned in Art. 44 GDPR are met. This means, for example, that processing and transfer of data take place on the basis of appropriate safeguards, such as (i) standard contractual clauses approved by the European Commission; (ii) binding corporate rules; or (iii) participation in the EU–U.S. Data Privacy Framework.

You may contact us at any time for additional details or to obtain a copy of the relevant documentation, if applicable. Regarding data transfers in the context of our use of third-party services, we highlight the following:

www.eventim.ro uses Google Analytics, Facebook Pixel and Sociomantic (details about cookies related to these services and how you can disable them can be found in the Cookies section. These third parties store data in data centers that are also located in third countries (i.e., outside the European Union or the European Economic Area).

For additional details about data transfers to third countries and the protection measures applied by these third parties, please see the personal data processing policies of these third parties, available below:

• Google Analytics: https://policies.google.com/privacy?hl=ro
• Facebook Pixel: https://ro-ro.facebook.com/privacy/explanation
• Sociomantic: https://www.sociomantic.com/privacy/en/

For how long will we store your personal data?

We process your personal data for the entire duration of the contractual relationship (from initiation to performance and termination of the contract) and beyond, according to retention and record-keeping obligations provided by law. These may result, for example, from:

• The Romanian Civil Code
• Consumer protection legislation;
• Tax legislation.

In addition, the retention period takes into account the limitation period depending on the specific situation (for example, under the Civil Code, the general limitation period is 3 years).

Unless expressly provided otherwise in this information notice, the personal data we process will be deleted as soon as they are no longer necessary for the purpose for which they were collected, and their deletion does not conflict with legal data retention obligations or other data retention rights we have under the law.

Your data necessary for creating an account on our website will be kept as long as you have an active account on the platform. If you request deactivation and deletion of the account, your account and personal data will be deleted, except where another exception provided by law applies.

In the case of data processing based on your consent, we will keep your personal data for as long as we have your consent. For example, if you have given us consent to send you commercial communications by email that are of interest to you, and you later withdraw this consent, we will no longer send such communications. However, the email address may continue to be kept to fulfill another purpose (for example, if you created an account on our website using that address).

Financial-accounting documents are kept for the period established by tax legislation, namely 5 years from the end of the relevant financial year.

What rights and options do you have?

You have the following rights under the GDPR:

• right of access – which allows you to receive from us confirmation of whether or not we process your data and, if so, relevant details regarding those processing activities;
• right to rectification – which allows you to request the rectification of inaccurate data we hold about you;
• right to erasure – which allows you, in certain situations, to obtain the deletion of your data (e.g., if the data are no longer necessary for the purposes for which they were collected);
• right to restriction of processing – which allows you, in certain situations, to obtain restriction of processing (e.g., if you contest the accuracy of the data, for a period that allows us to verify the accuracy of those data);
• right to data portability – which allows you, in certain situations, to receive the personal data concerning you that you have provided to us, in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller;
• the right to be informed, without undue delay, in the event of a personal data breach likely to result in a high risk to the rights and freedoms of a natural person.
• the right to lodge a complaint before the National Supervisory Authority for Personal Data Processing (www.data-protection.ro) or another competent supervisory authority (Art. 77 GDPR).

You also have the following specific rights:

• to withdraw, at any time, your consent to data processing. See additional details in the section below;
• to object, on grounds relating to your particular situation, to data processing that we carry out based on our legitimate interest;
• to object, at any time, to data processing for direct marketing purposes.

In addition, please consider the following:

• Time period:
• We will try to respond to your requests within 30 days and we may extend this term for specific reasons related to the complexity and number of requests. In all cases, if this period is extended, we will inform you about the extension period and the reasons that led to it.
• Restricted access: in certain situations, we may be unable to provide access to all or some of your personal data due to legal provisions. If we refuse an access request, we will inform you of the reason for the refusal.
• No identification: in some cases, we may be unable to search for your personal data due to the identifiers you provide in your request. In such cases, if we cannot identify you as the data subject, we are not in a position to comply with your request unless you provide additional information that allows your identification. We will inform you and give you the opportunity to provide such additional details.

How can you exercise your rights?

If you wish to exercise any of the above rights, please send your request to any of the contact details below:

• protectiadatelor@eventim.ro

Withdrawal of Consent:

• (a) If you no longer wish to receive the Newsletter: We send you information about similar products and services (“Newsletter”) only based on your consent, keeping a record to this effect, or under Art. 12 (2) of Law 506/2004, if we obtained your email address directly in the context of ticket sales. You can unsubscribe from the Newsletter, i.e., withdraw your consent, at any time by email at protectiadatelor@eventim.ro or by clicking the UNSUBSCRIBE button in the Newsletter you receive. If you withdraw your consent, we will continue to process your data solely to be able to demonstrate, if necessary, compliance with the law during the period we sent you Newsletters. You also have the right to request the deletion of your data under the conditions of the GDPR.
• (b) Other situations:

For any other situation in which you have given consent for us to process your data, you can withdraw it as follows:

• Regarding the use of Cookies, please use the cookie settings available on www.eventim.ro. For additional details, please visit the Cookies section.
• For other situations, by sending us a message at: protectiadatelor@eventim.ro.

If you withdraw your consent, this will not affect: (i) processing that has already taken place; or (ii) data processing that is not based on your consent.

What personal data do we collect if you contact us?

If you contact us (for example, by email, phone or social networks), your contact data will be processed to handle your request. For the same purpose, we may store your data in our IT system. We will delete the personal data provided on that occasion if storage is no longer necessary. Our presence on social networks We are present on platforms and social networks (Facebook, Instagram, Twitter, Google+, TikTok) to communicate with our customers, potential customers and users and to inform them about our products and services. When you access those platforms and social networks, the terms and conditions and the data processing policies of the operators of those platforms and networks also apply.

• https://www.facebook.com/Eventim.ro/
• https://www.facebook.com/privacy/explanation
• https://twitter.com/EventimRomania
• https://twitter.com/en/privacy
• https://plus.google.com/110743913132156722940
• https://www.google.com/intl/en_ro/+/policy/content.html

Unless otherwise stated in this information notice, we process the personal data of users who communicate with us on our pages on platforms and social networks. For more details regarding data processing related to our Facebook page, please read the information notice available on that page.

How are your data protected?

We adopt appropriate technical and organizational measures to protect your data against unauthorized or unlawful access and against accidental loss, deletion or destruction.

How will we inform you about changes to this information notice?

If we make significant changes to this information notice, we will inform you via our website and provide you with the new information notice.

(Last revised date, 19.05.2026) | See previous versions - 18.05.2026 | 04.11.2025