DATA PRIVACY NOTICE This Privacy Notice gives you details on the following items, in accordance with the General Data Protection Regulation ("GDPR"): (i) how we use the personal data you provide; and (ii) the marketing activities we carry out through our websites or social media. We would also like to inform you about the measures we are taking to protect your personal data, as well as about your rights and options to access your data and protect your privacy. This Privacy Notice contains information about the type of data we collect from you, how we process them and who we forward them to, if the case. This Privacy Notice applies to the visit and use of Eventim.RO websites where you can create a customer account and purchase tickets, and that of Eventim partner websites to the extent that we have expressly indicated this on such websites, as well as to our marketing activities in connection with Eventim.RO websites. Other websites are not covered by this Privacy Notice and will provide their privacy notices. In this Privacy Notice, the terms listed below have the following meaning:
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Controller - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; Who is responsible for the processing of your data and whom can you contact if you need to? We, EVENTIM.RO SRL are the Controller who processes your personal data. Our full contact and identification data are listed below: Registered seat: Bucharest, Sector 2, Str.Popa Petre nr.5, et.2, lot 5 Trade Register number: J40/7871/2007 Fiscal code: 21597760 E-mail: firstname.lastname@example.org What information do we have about you and how do we obtain it? a) We collect the data you provide when you create your account, you purchase and pay for tickets and when you ask us to deliver the tickets to you, namely: name and contact details (phone number, e-mail address, postal address), minimal geolocation data (the county where you live, or if you live abroad). If you do not provide this data, we will be unable to create your user account, and to sell and deliver tickets to you. b) We automatically collect information about your device as well as about the visits and use of this website, including your IP address, general geographical area where your device is located (city level), type of browser, referral source, duration of your visit to the website and the number of page views. You may adjust the confidentiality settings in your browser to block most cookies; blocking cookies may however affect your surfing experience on www.eventim.ro. You may find more details on how we collect this data in the Cookies section; http://www.eventim.ro/ro/cookie_policy/ . c) We also collect data related to the events for which you have purchased tickets (name of the event, row, seat, number of tickets, ticket category, specialised data regarding the event). We will be unable to sell you tickets without collecting this information; e) When you post on our social media pages or you send us messages, the relevant network will provide us with information about you, such as: Text of the message Name Profile photo Annexes (if applicable) Voice messages In addition, we have access to all information on your Facebook profile which you have chosen to make public. f) If you have any specific requests regarding access to events, we would like to make sure that you have the best experience. For this, we need to collect details regarding your request, which may mean the sending of information regarding your health. Unless we collect this data, we will be unable to ensure that we properly respond to your request. g) If you request to return tickets and to be reimbursed their value, we will collect the data in the request you fill in for purpose of returning the tickets, the data in the payment order, as well we your bank account number, if you choose to be reimbursed by bank transfer. We will be unable to process your request unless we process this type of data. h) If you use the print@home option, we will collect the following information: (i) gender), (ii) first and last name, (iii) postal address, (iv) city, (v) postal code, (vi) country and (vii) mobile phone number. Supplying data regarding your gender and mobile phone number is optional. All other data are necessary for you to be able to use the print@home function. i) If you pay by card from outside Romania and our payment services provider has a suspicion of fraud, we will receive data regarding the respective transaction (such as your name, bank card used for the payment, amount paid, date of transaction), for purpose of verifying the transaction. j) We will collect any other information you may provide to us of your own will. Most of the times it is not mandatory for you to provide this data, but it may be that in absence of all or some of this data, we will be unable to respond to your request. For what purposes and on what legal basis are your personal data processed? 1.1. Based on your consent [Art. 6 (1) (a) GDPR] We process your personal based on your consent when (i) you create a user account on our website without purchasing tickets from us, for purpose of handling your respective account, (ii) you use the comments functions on our websites or on our social media pages, for purpose of understanding the nature of your comment, responding to your request or appropriately handling your comment considering its nature and content; (iii) you take part in our competitions, for purposes related to such competitions; (iv) you subscribe to our newsletters and thereby send us information regarding certain categories/ types of events, according to the selections you make; (v) you decide to fill in the gender and mobile phone number boxes in the print@home section, for purpose of creating demographic and geographic statistics in respect of our customers; (vi) as well as in any situation where we process your health data in connection with your access to events, only if this is strictly necessary and we have your explicit consent to do so (e.g. Art. 9 (2) (a)din GDPR). If you have given us your consent for us to process your personal data, the processing will only take place for the purposes and under the conditions mentioned in your written statement of consent (such as, for example, the mailing of newsletters to users who are not our customers). You may withdraw your consent at any time without giving reasons. Withdrawal of consent will only have effect for the future. 1.2. For compliance with contractual obligations [Art. 6 (1) (b) GDPR] We process your data in connection with account management, so that we perform our contract with you (i.e. sale of tickets, delivery of tickets, contacting you in case of payment irregularities, customer support services, handling questions/complaints/suggestions etc) and the orders you place. 1.3. For compliance with legal obligations [Art. 6 (1) (c) GDPR] We may process your data as necessary for compliance of legal obligations with regard to contract management, accounting, invoicing etc. 1.4. To protect the Controller's legitimate interests [Art. 6 (1) (f) GDPR] We process your data in order to protect our legitimate interests or those of a third party, as follows: Sending you information regarding upcoming events for which you purchased tickets; Sending you information/ newsletters regarding similar events For purpose of marketing, internal analyses and advertisements; Advertisements on third party websites and on social networks; Fraud detection and prevention measures; For asserting, exercising or defending our rights in legal proceedings; For purpose of internal auditing and verifications, with observance of applicable law. Who receives your personal data? We transfer your data for purpose of concluding or performing our contract with you, based on Art. 6 (1) (b) GDPR, for purpose of improving and promoting our products, based on our legitimate interest to do so in accordance with Art. 6 (1) (f) GDPR and, if you have given your consent to the processing of your personal data, based on your consent within the meaning of Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR, if that consent is explicit. As it is important to protect the confidentiality of your personal data, we disclose your personal data only to the extent describe below or within the scope of an individual instruction received from you when we collect the data or later. Your data will not be transferred to third parties by way of sale or other forms of disclosure against monetary compensation. 1.1. Transfer to Eventim group companies We transfer your data to other companies of the Eventim Group, in accordance with the legal provisions and restrictions of GDPR and Romanian data protection law, in cases where we deem it is appropriate for us to do so based on our legitimate interest, for internal administrative purposes (for example, for the use of our client management or ticket management IT systems) or for purpose of auditing and monitoring our internal processes. We equally transfer your personal data to companies within our group (such as, for example, CTS Eventim Austria GmbH), who act as provider of goods and services, such as IT systems. Access to your personal data will be restricted to those employees who need to know it and may include employees in our marketing, IT and security departments. 1.2. Transfer to other third parties If we, Eventim.RO, act as service provider (processor) for third parties or as joint controllers (e.g. when operating associated websites, carrying out events, operating web-shops etc), we provide your data to the relevant contractual partners, if this is necessary for performing the respective contracts. We transfer your data to joint controllers in accordance with the contract we have concluded with them (Art. 26 GDPR) and with a specific information notice which will be made available to you. When we personalize tickets (e.g. we print your first and last name on the tickets), we do so at the request of the event organisers, as their processors. In such cases, the data processing will be covered by the relevant organizer's privacy notice. In addition, to the extent necessary to attribute seats at events or if we receive a request from you which may be resolved by the event organizers, we transfer your data (including, if necessary, the content of your message to us) to the event organizer, based on such organizer's legitimate interest to ensure smooth roll out of the event [Art. 6 (1) (f) GDPR] or based on your consent [Art. 6 (1) (a) and, if applicable, Art. 9 (2) (a) GDPR]. 1.3. Transfer to processors We also give access to your data to our processors who act as service providers to us, if this is necessary for them to provide their services to us, such as the performance of our contract with you, handling your calls to our call centre, handling payments, account management, accounting and invoicing, sending newsletters and supply of IT services, e.g. platform and data base management, the supply of tools for our products and services etc. We do this for marketing and analytical/ statistical purposes. We transfer your data in accordance with the foregoing paragraph, among others, to CTS Eventim GmbH, the provider of the IT platform used for operation of Eventim.RO web shop, and to CTS Eventim AG, who makes available the software license and necessary support for the ticket distribution platform. In its ticket sale activity, EVENTIM.RO has set up a network of outlets – meaning, third party partner companies who were granted access to our ticket distribution platform based on a contract and who sell tickets in the name and on behalf of EVENTIM.RO through their own distribution network (such as Orange, Vodafone, OMV etc). If the tickets for the events you wish to attend are personalized, such partners will have access to your data which is printed on the ticket upon the sale. 1.4. Other transfers We may also transfer your data (i) to auditors, lawyers, experts or other similar professionals, to the extent this is necessary for them to provide to us the services for which they were contracted and in our legitimate interest; (ii) if we are required to do so by law or in the context of legal proceedings; (iii) if we believe that disclosure is necessary to prevent damages or financial loss on our part or on the part of third parties; or (iv) in relation to (suspected or proven) fraud investigation. In addition, we may disclose your data to third parties as follows: a. If you give your consent to the disclosure, you request us to make the disclosure, or the disclosure is necessary for the handling of a request you address to us [Art. 6 (1) (a), and Art. 9 (2) (a) GDPR] b. To banks and payment services providers, for purpose of ticket payments or reimbursement, in case you return tickets [Art. 6 (1) (b) GDPR] c. To our transportation/ delivery services providers, for purpose of delivering tickets pursuant to your request [Art. 6 (1) (b) G d. If such third parties prove that they are acting legally in your name [Art. 6 (1) (a) GDPR] e. In cases where this derives from our legitimate interest to manage our business [Art. 6 (1) (f) GDPR] i. If we sell our business or parts thereof, we might disclose your data to the potential purchaser of our business of the relevant part thereof, considering that third party's need to run a due diligence investigation into the business it intends to purchase. ii. If Eventim.RO or a substantial part of its assets are purchased by a third party, the data processed by Eventim.RO may be part of the transferred business, or even if not, the third-party buyer will have a legitimate interest in running a legal due diligence investigation into Eventim.RO's business. iii. In order to respond to any complaints, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent unlawful activity; or iv. To protect the rights, property or safety of Eventim.RO, its employees, clients, suppliers or other persons. f. If we are legally bound to disclose a certain type of information, in case of legal requests of government officers, or in case we are bound to observe national security or law enforcement requirements, or in order to prevent illegal activities. Some of the transferees (including our affiliates) may use your data in countries outside the European Union or the European Economic Area. Please consult the dedicated section below for more details on this topic. 1.5. Links to other websites Our platform includes links to websites of other suppliers. EVENTIM.RO has no control over such websites and the user is advised to check such websites directly for any information regarding their confidentiality policy. EVENTIM.RO takes no responsibility of the content of such websites. Are data transferred to a third country or an international organisation? If we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), we will transfer data only in order to fulfil (pre)contractual obligations, based on your consent, a legal obligation or our legitimate interests. Subject to legal or contractual authorization, we process or have data processed in a third country only where the particular conditions of Art. 44 GDPR are met. This means, for example, that data processing and transfer are carried out on the basis of special safeguards, such as (i) standard contractual clauses approved by the European Commission, (ii) EU-US Privacy Shield; (iii) binding corporate rules. You may contact us at any time for additional details or in order to obtain a copy of the relevant documentation, if the case. In respect of data transfer in the context of our use of third-party services, please note the following: www.eventim.ro is using Google Analytics, Facebook Pixel and Sociomantic (details of cookies corresponding to such services and how you can deactivate them are available in Cookies section http://www.eventim.ro/ro/cookie_policy/ . Such third parties store data in data centres which may be located in third states (i.e. outside of the European Union (EU) or the European Economic Area (EEA)). For additional details regarding data transfer to third states and protection measures employed by such third parties, please access the data processing policies of such third parties, at the links below: o Google Analytics: https://policies.google.com/privacy?hl=ro o Facebook Pixel: https://ro-ro.facebook.com/privacy/explanation o Sociomantic: https://www.sociomantic.com/privacy/en/ For how long are personal data stored and processed? We process your data for the entire duration of our contractual relationship with you (from commencement to performance and termination of the contract) and beyond this, pursuant to statutory retention and documentation obligations. These derive, for example, from: The Romanian Civil Code; Consumer protection legislation; Fiscal legislation. In addition, the retention period must take into account statutory limitation periods on a case by case basis (for example, under the Romanian Civil Code, the limitations period is usually of 3 years). Except as may be expressly provided in this Privacy Notice, personal data processed by us will be deleted as soon as they are no longer required for the purpose for which they were collected, provided that deletion does not conflict with any statutory retention obligations or other rights to retain data under the law. What are your rights and options? You have the following rights under GDPR: Right of access – allowing you to receive confirmation whether we are processing your personal data and, if yes, relevant details regarding the processing; Right to rectification – allowing you to request the rectification of inaccurate data we hold concerning you; Right to erasure – allowing you to request, in certain circumstances, the erasure of your personal data (e.g. in case the data is no longer necessary to fulfil the purpose for which they were collected); Right to restriction of processing – allowing you to request, in certain circumstances, the restriction of processing (e.g. in case you dispute the accuracy of the personal data, the restriction shall be put in place for a period enabling us to verify the accuracy of the respective personal data); Right to data portability – allowing you to receive, in certain circumstances, the personal data concerning you and which you have provided to us, in a structured, commonly used and machine-readable format, as well as to transfer such data to another controller; Right to be informed, without undue delay, in care of a data breach capable of generating a significant risk to the rights and liberties of a natural person; Right to file a complaint with the Romanian Data Protection Authority (Autoritatea Nationala pentru Supravegherea Prelucrarii Datelor cu Caracter Personal) (www.dataprotection.ro) or any other competent supervisory authority (Art. 77 GDPR). You also have the following specific rights: The right to withdraw, at any time, your consent for the data processing. You may find additional details in the relevant section below ; The right to object, for any reasons related to your particular situation, to the processing of date based on our legitimate interest The right to object, at any time, to the processing of your data for direct marketing purposes. In addition, please consider the following: Period of time: we will try to respond to your requests within 30 days and we may extend this term for specific reasons related to the complexity and number of requests. In all cases where this period of time is extended, we will inform you on the extension and the reasons having generated it. Restriction of access: it may be that, in certain circumstances, we will be unable to give you access to all or some of your personal data, due to applicable legal provisions. If we refuse your request to access, we will inform you on the reasons for refusal. No identification: it may be that, in certain circumstances, we are unable to search for your personal data based on the identification you provided in your request. If we are unable to identify you as the data subject, we will not be in a position to comply with your request, unless you provide additional information allowing us to identify you. We will inform you of this and we will give you the opportunity to provide us with such additional information. How can you exercise your rights? Should you wish to exercise one or more of the abovementioned rights, please send your request to either of the contact details below: email@example.com Withdrawal of Consent (a) If you wish to stop receiving our newsletters We are sending you information on similar products and services (“Newsletter”) based solely on your consent, keeping records in this respect, or, if we acquired your e-mail address directly upon your purchase of tickets, based on Art. 12 (2) of Law 506/2004. You may unsubscribe from our Newsletter, i.e. withdraw you consent, at any time via e-mail to firstname.lastname@example.org or by clicking on UNSUBSCRIBE in any Newsletter you receive. If you withdraw your consent, we will continue to process your personal data exclusively so that we may prove that we have complied with the law for the time when we were sending you Newsletters, if the case. You also have the right to request the erasure of your personal data, in accordance with GDPR. (b) Other situations: In any other situation where you have given your consent that we process your data, you may withdraw your consent as follows: • In respect of Cookies, please use the cookies settings available on www.eventim.ro. For further details, please see the Cookies section. • In any other cases, please send an e-mail to email@example.com. The withdrawal of your consent will not affect (i) past processing or (ii) processing of your data which is not based on your consent. What kind of personal data do we collect if you contact us? If you contact us (e.g. by e-mail, phone or social media), your contact details will be processed so that we may manage your request. It may be that we store your data in our IT system, for the same purpose. We will erase the data you provide by way of such contact requests as soon as their storage is no longer necessary. Online presence in social media We maintain an online presence on social media and platforms (Facebook, Twitter, Google+) in order to communicate with our customers, prospective customers and users and inform them about our products and services. When you access the respective networks and platforms, the general terms and conditions, as well as data privacy policies of the respective networks and platforms become applicable: https://www.facebook.com/Eventim.ro/ https://www.facebook.com/privacy/explanation https://twitter.com/EventimRomania https://twitter.com/en/privacy https://plus.google.com/110743913132156722940 https://www.google.com/intl/en_ro/+/policy/content.html Unless otherwise stated in this Privacy Notice, we process the personal data of users who communicate with us within such social networks and platforms. For further details on the processing we do in connection with our Facebook page, please refer to the privacy notice available on the respective page. How are your data protected? We take suitable technical and organisational measures to protect your data against unauthorised or illegal processing, as well as accidental loss, destruction or damage. How will we inform you on the changes to this Privacy Notice? In the event that we make significant changes to this Privacy notice, we will inform you of the same through our website, and we will provide you with the updated privacy notice.
Cookies, analysis tools and other similar aspects
HTTP Cookie _ga eventim.ro Registers a unique ID that is used to generate statistical data on how the visitor uses the website. 2 years HTTP Cookie _gid eventim.ro Registers a unique ID that is used to generate statistical data on how the visitor uses the website. Session HTTP Cookie IDE doubleclick.net 1 month HTTP Cookie AID google.com 2 years HTTP Cookie SSID google.ro 2 years HTTP Cookie APISID google.ro 2 years HTTP Cookie 1P_JAR google.ro 1 month HTTP Cookie CONSENT google.ro 20 years HTTP Cookie HSID google.ro 2 years HTTP Cookie NID google.ro 6 months HTTP Cookie SID google.ro 2 years HTTP Cookie SAPISID google.ro 2 years EVENTIM.RO collects the user's IP address, if this is necessary for technical reasons to correctly display content on www.eventim.ro website. EVENTIM.RO will also store your IP address for security reasons, for maximum seven working days, in order to ensure stability and operational viability of implemented IT systems and in order to prevent or take measures against undue use of such systems. (c) Advertising/ Marketing: These cookie modules are used by us and other entities in order to offer advertising relevant to your interests, both on our website and outside of it:
(Date of last revision, 31 October 2018)