Updated May 23rd 2018
As data controller, Sparta Atletik og Motion is responsible to its customers in ensuring that data are stored and managed according to applicable privacy laws. When you register for one of our events or download one of our apps, your personal data will be securely collected by:
Sparta Atletik og Motion
Gunnar Nu Hansens Plads 11
DK-2100 Copenhagen Ø
CVR: 10 05 09 79
By accepting, you undertake to ensure that your contact information is up to date at all times. If you have questions, please contact our data protection advisor on email@example.com
We process personal data in order to sell registrations and take online payment for our events. We collect the necessary information to supply the participant with the purchased registration in its entirety, including delivery of participant information (printed and digital), issue of running number (either by collection or dispatch) and delivery of the participant's results (e.g. time and place) on one or more of the following platforms: printed results lists, printed diplomas, websites, apps, e-mail and SMS.
The personal data collected are not disclosed to third parties unless such disclosure has been actively accepted by the participant as part of the data options in the registration form for the event or as part of acceptance of our commercial terms and conditions.
Personal data being processed may include (but are not limited to):
- Distance (for results list and participant information)
- Nationality (for results list and language of communication)
- First name and surname (for results list, participant information and issue of running number)
- Gender (for results list groupings)
- Date of birth (for results list age category calculations)
- Club and/or team (for results list and participant information)
- Previous results or expected time (for allocation to correct starting group)
- Address, postcode, city and country (for participant information and issue of running number)
- Product choices: e.g. T-shirt size, charity donations, transport, hotel etc.
- Telephone number
- Permission choices: e.g. newsletter, third-party offers etc.
We use e-mails and mobile number to send the required race information to participants. Participants will not be able to opt out of information e-mails as these are necessary in order to ensure the smooth running of the event. We are then able to send out marketing material for similar events. Participants can opt out of such marketing material.
We further use Firebase Analytics to collect anonymised statistical data about the users of our app. If users accept this, our app is also able to track user location locally.
We are entitled to use personal data for statistical and technical purposes in order to simplify the user experience and identity-recognise users on our platform.
Presentation and deletion of personal data
A registered participant's personal data are presented on our event participant and results lists, but limited to the data required to organise our event. This will usually include (but not be limited to):
- First name and surname
- Age and age group (gender and age range)
- Starting group and running number
- Club and/or team
- Times (start time, split times and finish time)
- Place (overall, gender and age group)
- Status (not started, started, completed, not completed or disqualified)
The personal data presented on participant and results lists are saved on a continuous basis without the option to delete with reference to the exemptions for social, historical and statistical data contained in the Danish Act on Processing of Personal Data. In exceptional circumstances, this may be overturned by contacting our data protection advisor on firstname.lastname@example.org.
Presentation and deletion of images and video
Photographs, film recordings, interviews and similar media materials in which participants appear as part of our events may subsequently freely be used by organisers, partners and sponsors as well as for marketing purposes. The presented images and video are saved on a continuous basis without the option of deletion with reference to the provisions on situation images contained in the Danish Act on Processing of Personal Data. In exceptional circumstances, this may be overturned by contacting our data protection advisor on email@example.com.
Technical and organisational security measures
We are responsible for taking the required technical and organisational measures to ensure an appropriate level of security. Such measures are implemented with due regard for the current technical level, implementation costs and the nature, scope, composition and purpose of the processing and the risks of varying likelihood and seriousness to the rights and freedoms of physical persons. We take the categories of personal data into consideration when determining these measures.
We implement the required guarantees for the implementation of appropriate technical and organisational measures in such a way that the processing of personal data meets the requirements pursuant to applicable legislation on the protection of personal data.
Data and payment security
We collect and store all personal and payment date that are processed on behalf of our events in Ultimate Sport Service's systems which are secured using SSL/TSL-encrypted connections. Ultimate Sport Service's registration and OnReg payment platform have PCI certification and are scanned by TrustKeeper on a monthly basis.
For payments made by debit card and where the payment window is hosted by Ultimate Sport Service, we collect the participant's card information, including card number, expiry date and card verification value. Where this information is isolated in the user's registration session, it is sent to the provider of the payment gateway and then deleted unless the user has given his/her active consent to the storage of the user's card details (limited to card number and expiry date - card verification values are not saved) by Sparta. Saved debit card information is stored in encrypted form with a three-part key distributed across Sparta, an external, PCI-approved host and the cardholder where all three entities must be present in order to open the encryption.
Storage and hosting of personal data
Personal data processed by Sparta are stored in Ultimate Sport Service's cloud which is hosted on the Amazon EC2 platform located in Ireland (EU).
We ensure that employees who process personal data have undertaken to observe confidentiality or are subject to suitable statutory confidentiality.
We ensure that access to the personal data is limited to those employees for whom it is necessary in order to process the personal data in order to fulfil the delivery obligations to the participant according to this document.
We ensure that those employees who process the personal data for the participant solely process such data according to this document.
Breach of security
We inform participants without undue delay of any breach of personal data security that may potentially lead to accidental or illegal destruction, loss, change, unauthorised disclosure or access to personal data processed for the participant.
We will further assist the participant in ensuring compliance with the participant's obligations to (i) document all breaches of personal data security, (ii) report any breaches of personal data security to the competent regulatory authority/authorities and (iii) inform the registrants of such breaches of personal data security.
Assistance and documentation for compliance with obligations
We will at the participant's request provide the participant with sufficient information to enable the participant to verify that the requirements contained in applicable data protection legislation are being complied with. We will further give permission for and assist in any audits, including inspections, that may be performed by an auditor authorised to perform such audits by the participant.
We will without delay inform the participant if we believe that a request according to the above contravenes applicable data protection legislation.
We will assist the participant as necessary and as may be deemed reasonable by meeting the participant's obligations in the processing of personal data according to applicable data protection legislation within the scope of this document, including:
- responding to requests from registrants on the exercise of their rights
- impact analyses
- preliminary regulatory authority hearings
Data processing outside the scope of this agreement
We may process personal data outside the scope of this document in cases where this is required by EU law or national law to which we are subject.
In the processing of personal data outside this agreement, we will inform the participant of the reason for such processing. In such instance, we will, however, to the extent that this is legal, first inform the participant of such order and, to the extent that this is possible, give the participant the opportunity to object.
Questions and support
All questions about practical issues relating to this should be sent to Sparta. Questions pertaining solely to payment for registration should be sent to Sparta.