Privacy policy
Information note
on the processing of personal data within the VIBE festival
A VIBE EVENTS MANAGEMENT SRL, hereinafter "VIBE" processes personal data in the framework of the organization and running of the festival, as set out in this Information Notice.
The purpose of this notice is to set out the principles for the protection and processing of personal data in the context of the organization and conduct of the festival, obtained directly from the data subject, so that the data subject can be adequately informed about: the data processed by VIBE or the processor, the purposes, legal basis and duration of the processing, the name and address of any processor involved in the processing and his/her activities in relation to the processing, and, in the case of a transfer of the data subject's personal data, the legal basis and the recipient of the transfer.
Legislation used and taken into account in developing the provisions of this guide:
GDPR:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter ''GDPR'';).
- Law No. 190/2018 on measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
Definitions
The definitions in this notice correspond to the interpretative definitions set out in Article 4 of the GDPR.
Where the definitions in the current GDPR differ from the definitions in this Notice, the definitions set out in the legislation shall prevail.
I. Data controller, processor and their contact details
Data Operator
| Name: | VIBE EVENTS MANAGEMENT SRL |
| headquarters: | Florești, str Gârbăului, nr. 200 C, jud. Cluj |
| mailing address: | Cluj-Napoca, str. Meteor, nr. 74, jud. Cluj |
| Email: | [email protected] |
| Unique registration code | 36889061 |
| Order number in the Trade Register | J12/10/2017 |
| Legal representative | Rés Konrád Gergely |
Processors:
Personal data will be transferred for processing
| ticket sales and additional services related (festival entry) |
NETPOSITIVE EVENTS SRL Sediu: Cluj-Napoca, str. Mamaia, nr. 12, ap. 11, jud. Cluj Cod unic de înregistrare: RO47032416 Număr de ordine în Registrul Comerțului: J12/6445/2022 |
| managing the cashless payment system | FESTIPAY ZRT. sediu: 1135 Budapest, str. Reitter Ferenc, nr. 46-48. Ungaria Cod unic de înregistrare: HU25405983 Număr de ordine în Registrul Comerțului.: Cg.01-10-048644; |
| advertising and promotion services | PUBLICITY NEXT SRL Cluj-Napoca, str. Meteor, nr. 74, jud. Cluj Cod unic de înregistrare:342689714 Număr de ordine în Registrul Comerțului: J12/855/2015 |
II. Data subjects, data processed, purpose of data processing, legal basis, method, data source, data storage duration
Persons concerned: festival participants, possibly legal representative and/or accompanying person
| Scope of processed data | Purpose of data processing | Legal basis processing: | Processing time |
| Full name, e-mail address, telephone number and home address Bank account details |
Buying tickets | Article 6 (1)(a) GDPR (consent) | until withdrawal of consent, but no later than 2 months after the end of the festival |
| Surname, first name, date of birth, sex, nationality, country, photograph identity card, if the participant is minor: full name of legal representative and accompanying person, National identity card number of the legal representative and the accompanying person accompanying person, telephone number of the legal representative legal representative and accompanying person, e-mail address of e-mail address of the legal representative, accompanying ticket code Bank account details |
Ensuring access and security in the perimeter of the festival, respectively services to which the participant is entitled on the basis of the ticket |
Article 6(1)(b) GDPR - contract performance |
until withdrawal of consent, but no later than 2 months after the end of the festival |
| Photo and video recording | for journalistic, information, commercial, marketing and promotional purposes VIBE | GDPR Article 6(1)(f) - legitimate interest | until withdrawal of consent, but not later than 3 years |
| Full name, e-mail address, telephone number | commercial purpose of promoting products and VIBE services and for statistical purposes |
Article 6(1)(f) GDPR - legitimate interest | until withdrawal of consent, but not later than 10 years |
| Declaration in relation to Article 13(1)(f) of the GDPR | personal data will not be transferred to a third country or an international organization |
| Recipients and categories of personal data: | personal data are not transferred outside the employees of the processor and the data controller |
| How the data is processed: | electronic, on paper |
| Declaration in relation to Article 13(2)(e) of the GDPR: | the provision of personal data is not based on a legal or contractual obligation, is not a prerequisite for the conclusion of a contract, and the data subject is not obliged to provide personal data. If personal data are not provided, participation in the festival cannot be guaranteed. |
| Declaration in relation to Article 13(2)(f) of the GDPR: | automated decision-making is not used |
III. Data management principles
1. The Data Controller shall process personal data in accordance with the principles of good faith, fairness, accuracy and transparency, as well as in accordance with applicable laws and the provisions of this Notice.
2. The Data Controller shall process personal data only on the basis of the purposes and for the purposes set out in this Notice and shall not go beyond the purposes set out in this Notice.
3. Where the data controller intends to use personal data for a purpose other than that for which they were originally collected, it shall inform the data subject and, unless there is another legal basis for the processing as provided for in the GDPR, obtain the data subject's prior explicit consent and give him or her the opportunity to object to the use.
4. The data controller does not check the personal data provided, the only person responsible for the accuracy of the personal data provided is the person who provides them.
5. The Data Controller shall transfer the personal data it processes to third parties only with the express and unequivocal consent of the data subject, given in full knowledge of the scope of the data transferred and the recipient of the data transfer, it being understood that the Data Controller has the right and obligation to transfer to the competent authorities any personal data at its disposal and stored by it in accordance with the law, which it is obliged by law or by a final and binding obligation of a public authority to transfer or to transfer. The Data Controller shall not be liable for such transfer and its consequences.
6. The data controller shall ensure the security of personal data, take technical and organizational measures and establish procedural rules to ensure the security of the data collected, stored and processed and to prevent accidental loss, destruction, unauthorized access, unauthorized use, unauthorized alteration and unauthorized disclosure.
7. The data controller shall keep a record of the data it processes in accordance with applicable laws, ensuring that the data are made available to employees and other persons acting in the interests of the data controller who need to know them in order to perform their tasks or duties. All persons acting in the interest of the data controller shall have the right to have access only to the data the processing of which is necessary for the performance of the tasks of that person.
IV. Rights of the data subject
1. The data subject may exercise his/her rights in the following ways:
- by e-mail
- by post
- in person
2. Rights of the data subject
2.1 Right to information and access
The data subject may at any time request the data controller to inform him or her of the data processed by him or her or by a processor to whom he or she has delegated the processing, the purpose, legal basis and duration of the processing, the name and address of the processor and his or her activities in relation to the processing, the circumstances of the personal data breach, the effects of the breach and the measures taken to remedy it, as well as the legal basis and the recipient of the data transfer, where the personal data of the data subject are transferred.
In this context, the data subject has the right to request a copy of the processed data. In the case of a request transmitted in electronic form, the data controller will fulfill the request mainly in electronic form (in pdf format), unless the data subject's request does not contain an explicit request to the contrary.
The data controller hereby draws the data subject's attention to the fact that if the right of access as described above adversely affects the rights and freedoms of others, in particular trade secrets or intellectual property of others, the data controller has the right to refuse to comply with the request to the extent necessary and proportionate.
2.2. Right to rectification, modification
The data subject has the right to request rectification, amendment or integration of the personal data processed.
2.3. Right to data portability
The data subject shall have the right to receive personal data relating to him or her provided to the data controller in a structured, commonly used and machine-readable format and the right to have such data transmitted to another controller without the data controller preventing him or her.
The data subject shall also have the right to request, where technically feasible, the direct transfer of personal data between controllers.
2.4. Right to erasure ("right to be forgotten")
The data subject has the right to request erasure of some or all of his or her personal data.
In this case, the data controller will delete the personal data without undue delay if:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- processing which was based on the data subject's consent, but the data subject has withdrawn that consent and there is no other legal basis for the processing;
- processing which was based on the legitimate interests of the data controller or a third party, but the data subject has objected to the processing and there is no overriding legitimate ground for the processing, except an objection to processing for direct marketing purposes;
- the personal data have been processed unlawfully by the data controller;
- erasure of personal data is necessary to comply with a legal obligation.
In any case, the data controller shall inform the data subject of any refusal to erasure of the data (for example, where processing is necessary for the establishment, exercise or defense of legal claims), stating the reasons for the refusal. The erasure of personal data shall be carried out in such a way that, once the request for erasure has been complied with, the previous (erased) data can no longer be restored.
In addition to exercising the right to erasure, the data controller will erase personal data if the processing is unlawful, the purpose of the processing has ceased or the lawful data storage period has expired, or if ordered to do so by a court or public authority.
2.5. Right to restriction of processing
The data subject may request restriction of the processing of his/her personal data if:
- the data subject contests the accuracy of the personal data - in this case, the restriction applies for the period of time allowing the data controller to verify the accuracy of the personal data;
- the processing is unlawful, but the data subject objects to the erasure of the data and instead requests the restriction of its use;
- the data controller no longer needs the personal data for the purposes of the processing but the data subject needs them for the establishment, exercise or defense of legal claims; or
- the data subject has objected to the processing - in which case the restriction shall apply for the period until it is established whether the legitimate reasons of the data controller outweigh the legitimate reasons of the data subject.
In the case of a restriction on processing, the data controller shall not process the personal data concerned by the restriction, with the exception of storage, or shall process them only if the data subject has consented or, in the absence of such consent, insofar as the data are necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State of the European Union. The data controller shall inform the data subject in advance of the lifting of the restriction.
2.6. Right to protest
Where the legal basis of the processing is the legitimate interest of the data controller or of a third party (with the exception of mandatory processing), the data subject has the right to object to the processing. The data controller is not obliged to comply with the objection if he/she can prove that
- processing is justified by compelling legitimate grounds overriding the interests, rights and freedoms of the data subject; or
- processing relates to the establishment, exercise or defense of legal claims by the data controller
The data controller will examine the legitimacy of the data subject's objection and, if the objection is justified, will cease processing.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes.
2.7. Appeal
See point VII.
2.8. Right to withdraw consent
The data subject has the right to withdraw his or her consent to the processing at any time, provided that the withdrawal of consent does not affect the lawfulness of the processing based on the consent prior to its withdrawal.
3. The data controller shall examine without undue delay the request submitted as described above, decide whether to accept or refuse the request, take the necessary measures and inform the data subject. If the request is refused, the information shall include the legal basis for the refusal, the reasons for the refusal and the remedies available to the data subject.
4. The data controller shall inform all recipients to whom or with whom personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.
V. Data protection inciden
1. The data controller shall immediately notify the data protection incident to the National Data Protection Authority, unless the data protection incident is unlikely to present a risk to the rights and freedoms of data subjects. The data controller shall keep a record of data protection incidents together with the actions taken in relation to the incident. Where the incident is serious (i.e. likely to lead to a high risk to the rights and freedoms of the data subject), the data controller shall inform the data subject of the personal data breach without undue delay.
VI. Amendment of the information note
1. The data controller reserves the right to change this policy at any time by unilateral decision, informing the data subject via the contact details provided.
2. If the data subject does not agree to the change, he or she may request the erasure of his or her personal data as provided for in point IV.
VII. Legal remedies
1. VIBE, as data controller, may be contacted in relation to the management of personal data via the contact details indicated in point I.
2. In the event of a personal data breach relating to the processing of personal data, the data subject has the right to lodge a complaint with the competent data protection supervisory authority of the Member State in which he/she has his/her habitual residence, place of work or the place of the alleged breach.
The complaint should be sent to: in Romania, to the National Authority for
Protection, București, bdul G-ral Gheorghe Magheru, nr. 28-30, sector 1, 010336,
telephone: +40-318-059-211, e-mail: [email protected]
3. The data subject may take legal action in the following cases:
- in case of infringement,
- against a legally binding decision of the supervisory authority concerning him,
- where the supervisory authority does not resolve the complaint or does not inform the person concerned within three months of the progress of the procedure or the outcome of the complaint.
The General Court has jurisdiction.
The court of the person's domicile also has alternative territorial jurisdiction.