PRIVACY NOTICE

– PROCESSING OF PERSONAL DATA DURING THE VIBE FESTIVAL –

VIBE EVENTS MANAGEMENT SRL (hereinafter: VIBE) organizes a festival during which personal data is processed in accordance with the provisions of this Privacy Notice.

The purpose of this Notice is to establish the principles for processing personal data collected directly from data subjects in connection with the festival, so that data subjects are properly informed about the data processed by VIBE or by processors acting on its behalf, the purposes and legal basis for processing, the duration of processing, details of data processors involved, and – in case of data transfer – the legal basis and recipients of such transfers.

Legal framework taken into account when preparing this notice:

GDPR:

Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), and Romanian Law No. 190/2018 implementing the GDPR.

Definitions

The definitions used in this Notice correspond to those provided in Article 4 of the GDPR. In case of discrepancies, the definitions in the applicable legislation shall prevail.

I. Data Controller, Data Processors and Contact Information

Data Controller

NAME: VIBE EVENTS MANAGEMENT SRL

REGISTERED OFFICE: Florești, Str. Gârbăului, No. 200 C, Cluj County

Mailing address: Cluj-Napoca, Str. Meteor, No. 74, Cluj County

EMAIL: [email protected]

VAT Number: 36889061

Company Registration Number: J12/10/2017

Authorized Representative: Rés Konrád Gergely

Data Processors

Personal data may be transferred for processing to the following processors:

• Ticket sales and related access services (on-site entry):
  
  NETPOSITIVE EVENTS SRL
  
  Address: Cluj-Napoca, Str. Mamaia, No. 12, Ap. 11, Cluj County
  
  VAT No: RO47032416
  
  Company Registration Number: J12/6445/2022
   

• Cashless payment system administration:
  
  FESTIPAY ZRT.
  
  Address: 1135 Budapest, Reitter Ferenc utca 46-48, Hungary
  
  VAT No: HU25405983
  
  Company Registration Number: CG.01-10-048644
   

• Advertising and promotional services:
  
  PUBLICITY NEXT SRL
  
  Address: Cluj-Napoca, Str. Meteor, No. 74, Cluj County
  
  VAT No: 342689714
  
  Company Registration Number: J12/855/2015

II. Data Subjects, Processed Data, Purpose, Legal Basis, Method, and Storage Duration

Category of data subjects: Festival participants, and if applicable, their companions and/or legal representatives.

 

Processed data	Purpose of processing	Legal basis	Retention period
Name; email address; phone number; home address; bank account details	Ticket purchase	Art. 6 (1) a) GDPR (consent)	Until consent is withdrawn, but no later than 2 months after the festival ends
Name, date of birth, gender, nationality, country; photo of ID; for minors: name of companion/legal guardian, personal ID number and ID number, phone number and email address of companion/guardian, ticket code, bank account details	Access to the venue, safety, and provision of services based on ticket	Art. 6 (1) b) GDPR (performance of a contract)	Until consent is withdrawn, but no later than 2 months after the festival ends
Photos and videos taken during the festival	Journalistic, informational, and commercial purposes, promotion of VIBE services and products	Art. 6 (1) f) GDPR (legitimate interest of the controller)	Until consent is withdrawn, but no longer than 3 years
Name; email; age; city	Commercial purposes and statistical analysis, promotion of VIBE products and services	Art. 6 (1) f) GDPR (legitimate interest of the controller)	Until consent is withdrawn, but no longer than 10 years

 

Additional declarations:

• International data transfers: No data is transferred to third countries or international organizations.
   

• Data recipients: Only employees of the controller and authorized processors.
   

• Processing method: Both electronic and paper-based.
   

• Data provision: Not required by law or contract, but necessary for participation in the festival.
   

• Automated decision-making: Not applicable.

III. Principles of Data Processing

1. The Data Controller processes personal data in accordance with the principles of good faith, fairness, transparency, and applicable legal provisions as outlined in this Notice.
    

2. Personal data is processed solely for the purposes stated in this document and will not be used for other purposes.
    

3. If the Controller wishes to use the data for a purpose other than the original one, the data subject will be informed, and—if no other legal basis applies under the GDPR—the Controller will request explicit prior consent or allow the subject to object to the new use.
    

4. The Controller does not verify the accuracy of personal data provided; responsibility lies entirely with the person who submitted the data.
    

5. Personal data will only be shared with third parties if the data subject has given clear and explicit consent, knowing the type of data and the recipient. However, the Controller is legally obliged to provide personal data to competent authorities when required by law or a final binding decision. The Controller is not liable for consequences resulting from such disclosures.
    

6. The Controller implements appropriate technical and organizational measures to ensure data security and to prevent accidental loss, destruction, unauthorized access, misuse, alteration, or disclosure.
    

7. Data is stored in compliance with relevant laws and is accessible only to employees or agents of the Controller whose roles require access. Each individual involved is granted access only to the data necessary to perform their duties.

IV. Rights of the Data Subject

1. Exercising rights:
   
   The data subject may exercise their rights:
    

• by email
   

• by post
   

• in person
   

1. Rights of the data subject:
    

2.1. Right to information and access:

The data subject may request details at any time about the data processed, the purpose, legal basis, duration, data processor’s identity, data breaches, and possible data transfers.

They may request a copy of their data. Requests sent electronically will be answered in PDF format, unless otherwise specified.

If fulfilling the request would infringe on others’ rights (e.g., trade secrets), the controller may deny access in part or in full.

2.2. Right to rectification:

The data subject may request correction, completion, or update of their personal data.

2.3. Right to data portability:

The data subject may request their data in a structured, commonly used, machine-readable format, and/or request its transfer to another controller.

2.4. Right to erasure (“right to be forgotten”):

Data subjects may request the deletion of their data without undue delay if:

• the data is no longer needed for its original purpose;
   

• consent was withdrawn and no other legal basis applies;
   

• a valid objection was made;
   

• the processing was unlawful;
   

• legal obligation requires erasure.
   

If deletion is refused (e.g., for legal defense), the controller will inform the data subject, explaining the reason. Deleted data cannot be recovered.

2.5. Right to restriction of processing:

Restriction can be requested if:

• data accuracy is contested (restriction applies until clarified);
   

• processing is unlawful but deletion is not desired;
   

• the controller no longer needs the data, but the data subject does (e.g., for legal action);
   

• an objection has been filed and is under review.
   

While restricted, data cannot be processed (except storage), unless consented to or used for legal claims. Data subjects will be informed before restrictions are lifted.

2.6. Right to object:

Where processing is based on legitimate interest, the data subject may object. The controller may reject the objection if:

• a compelling legitimate interest prevails;
   

• the data is required for legal defense or action.
   

In cases of direct marketing, objections must always be respected – processing must cease.

2.7. Right to legal remedy:

See Section VII.

2.8. Right to withdraw consent:

Consent may be withdrawn at any time. Withdrawal does not affect the lawfulness of prior processing based on that consent.

3. Response to requests:

The controller will review the request, make a decision, and inform the data subject. If denied, the legal basis and available remedies will be communicated.

4. Notification of third parties:

All third parties to whom data was disclosed will be informed about any correction, deletion, or restriction, unless impossible or involving disproportionate effort.

V. Data Protection Incident

1. The Data Controller shall notify the National Supervisory Authority for Personal Data Processing without delay in case of a data protection incident, unless it is unlikely to result in a risk to the rights and freedoms of the data subject.
    

2. The Controller shall keep records of all such incidents and the measures taken in response to them.
    

3. If the incident is considered serious (i.e. likely to result in a high risk to the rights and freedoms of the data subject), the Controller shall inform the data subject without undue delay.

VI. Modification of the Privacy Notice

1. The Data Controller reserves the right to modify this Privacy Notice at any time by unilateral decision, and shall inform the data subject of such modification via the contact information provided.
    

2. If the data subject does not agree with the modifications, they may request the deletion of their personal data in accordance with the provisions of Section IV.

VII. Legal Remedies and Enforcement of Rights

1. For any questions or comments regarding the processing of personal data, the data subject may contact the Data Controller using the contact details provided in Section I.
    

2. If the data subject believes that the processing of their personal data violates the law, they have the right to lodge a complaint with the competent supervisory authority of the EU member state of their habitual residence, workplace, or the place of the alleged infringement.
   
   In Romania, complaints can be submitted to:
   
   National Supervisory Authority for Personal Data Processing
   
   Address: Bucharest, B-dul G-ral Gheorghe Magheru no. 28-30, Sector 1, Postal Code 010336
   
   Phone: +40-318-059-211
   
   Email: [email protected]
    

3. The data subject may file a lawsuit in the following cases:
    

   • if they believe their rights have been infringed;
      

   • against a legally binding decision of the supervisory authority;
      

   • if the authority does not handle their complaint or does not inform them within 3 months about the progress or outcome of their case.
      

4. The competent court is the Tribunal (District Court).
   
   The lawsuit may also be initiated, at the data subject’s choice, before the court of their place of residence.

Data protection notice for participation in the youth and market research conducted during VIBE festival

By participating in market research, you accept the following data processing terms:

1. Data Controller

The personal data you provide is handled by VIBE Events Management SRL, Asociația MIK, Publicity Next SRL (Diversity Advertising) and Case Solvers Kft.. Data processing and analysis are carried out by Case Solvers Kft..

1. Collected Data and Their Purpose

Email Address

• Used for conducting the prize draw and notifying the winners.

• May also be used to send newsletters and promotional offers from VIBE Events Management SRL.

Demographic Data

• Demographic data – such as age, gender, or type of residence – is processed for statistical purposes in order to provide aggregated insights into the social characteristics of the participants and young people in general. The results serve research, evaluation, and development purposes.

Data related to personal information and preferences.

• These data serve as a statistical sample for the youth research conducted by Asociația MIK and contribute to the evaluation of the festival experience and to quality assurance during the event.

1. Legal Basis for Data Processing

The data processing necessary for participation in the research and the prize draw is based on your intent to participate, and is carried out under Article 6(1)(b) of the GDPR, as it is necessary for the performance of a contract in which you are a party.

1. Data Retention Period

The data collected during the research will be stored for an indefinite period by VIBE Events Management SRL, Asociația MIK, Publicity Next SRL, and Case Solvers Kft..

1. Data Transfer and Security

Data is transferred to Case Solvers Kft. Asociația MIK and Publicity Next SRL solely for processing and analytical purposes, in accordance with applicable data protection laws. Data will not be shared with any other third parties. Appropriate technical measures are in place to ensure the security of your data.es

1. Rights and Options

• You have the right to access your personal data.

• You may request correction or deletion of your data.

For further information or to exercise your rights, please contact us at: [email protected].