of 17th Oct 2020
A data subject is a natural person about whom Worldloppet has information, or the information that can be used to identify a natural person. Data subjects are, for example, customers, collaborators, and employees as natural persons whose personal data Worldloppet has received in connection of providing its services.
Worldloppet has committed to treating the personal data of all the data subjects, respecting all their rights. Based on this, the company has developed the main principles of data processing policy regarding the collection, use, disclosure, transfer and storage of personal information.
Our goal is to provide responsible processing of personal data, which is based on best practice, bearing in mind that Worldloppet is always ready to demonstrate the compliance of the processing of personal data with the purposes set. Worldloppet´ s all processes, instructions, operations and activities related to processing personal data are based on the following principles:
- Legality. The processing of data subjects’ personal information will be carried out in accordance with applicable laws or regulations, in particular with reference to the EU general data protection regulation 2016/679 (hereinafter: the “Regulation”) for the protection of natural persons in relation to the processing of personal data, and to the national legislation implementing the Regulation as well to the measures taken by the national supervisory authority. In case of processing personal data, there is a legal basis for this, for example fulfilment of a contract, a consent, or it is necessary for the performance of a task carried out in the public interest.
- Fairness. The processing of personal data is fair, requiring, first of all, that the data subject has sufficient information on how their personal data are processed.
- Transparency. The processing of personal data is transparent to the data subject.
- Purposefulness. Personal data is collected for precisely and clearly defined and legitimate purposes and will not be processed later in a way that does not conform to these purposes. Worldloppet services have therefore follow the proportionality and necessity principles, in such a manner as to reduce the collection and use of user identification data of data subjects to the minimum, while at the same time preventing processing whenever the use of anonymous data or any other arrangements allow to achieve the intended purpose.
- Correctness. The personal data are correct and, if necessary, updated, and all reasonable steps will be taken to delete or correct the personal data which are incorrect from the point of view of the purpose for processing personal data.
- Principle of restricted storage – personal data shall be stored in a form that allows data subjects to be identified only for as long as it is necessary to fulfil the purpose for which the personal data is processed.
- Reliability and confidentiality. Processing of personal data is carried out in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by using reasonable technical or organizational measures.
2. Legal basis and purposes of the processing
As data subject, your personal data is processed by the Controller for the following purposes:
2.1. For the performance of the contract or to provide the services requested by the customer.
In particular Controller may process your data and the data of the persons indicated by you to perform administrative and operational activities necessary to: authentication and access to the services; statistical analysis of the services and other similar services in connection with the participation in sports events; manage purchase requests for goods; manage payment requests submitted by you, to allow banks and credit institutions to verify the selected payment method, charge the amounts due and manage any other service procedures; to offer a platform with useful contacts and information on the events organised by Worldloppet members and partners; manage, upon your request, interactions between the services and third party social networking platforms, to which you can connect based on your preferences, in order to share your activities or information about yourself; the issuing of administrative, accounting and tax-related documents relating to the services you have asked for.
As regards the publication and disclosure, through the website and the services (for instance Global Ranking) of race results of sport events, each single participant will be required to grant authorization at the time of registration collected by the organiser.
2.2. For sports events coverage and rating
Within the scope of its mission, aimed at uniting long distance xc skiing enthusiasts, Worldloppet may collect, publish and process for statistical purposes, through its platform, personal data of sports events participants, in particular regarding the results (including finishing positions, overall time and rank in age group) achieved in sport races, that are already accessible due to the public nature of the event and of the relevant results and/or on the basis of specific agreements between the participant and the event organiser. Always with a view to cover sports events, Worldloppet may also acquire, directly or through its business partners, images relating to such events.
Worldloppet uses the data for information purposes without infringing the rights of freedoms of the data subject and that the processing of data relating to images and results as described above can be reasonably expected by the data subject taking part in a public race or event whose results are meant to be disclosed and commented also outside the circle of participants. In the event of photos being used by Worldloppet for the purpose of covering events, the legal basis for the processing may also be the explicit consent given by the data subject at the time of registration to the sport event.
We use sport events data on the grounds of performance of a contract and of our legitimate interest (to keep the records of the results of member and partner races, to declare the seasonal winners, to issue Worldloppet Master achievements, to handle the complaints, to keep statistical records).
2.3. For marketing purposes
Worldloppet may process your data to send you commercial information and or for promotional initiatives associated with Worldloppet products or services by electronically means (newsletter, email). You have the right to withdraw your consent at any time, by writing to email@example.com or using unsubscribe button of our newsletter.
2.4. For compliance with a legal obligation
Your data and the data of the persons indicated by you will be processed by Controller for compliance with legal obligations, including without limitation, tax obligations related to the performance of the contract and the provision of the services.
In any case, the data subject has the right to object at any time to the processing of his or her personal data, for reasons relating to his or her particular situation, and withdraw the previously given consent by writing to firstname.lastname@example.org with effects for the future. The controller shall not do any further processing without appropriate consent. The withdrawal of one’s consent shall not affect the legality of the data processing based on the consent given prior to its withdrawal.
3. Types of data collected and storage periods
3.1. Personal data of employees, President and Board Members: name, date of birth, address, and bank account details, phone, e-mail. Data is held during the fulfilment of duties and 8 years after agreement is finished for fulfilment of accounting laws of Estonian Republic.
3.2. Data of member organizations and partners: name of company, address, phone, e-mail, website address, names of contact persons. This data is held and updated constantly until membership is active and 8 years after membership is finished for fulfilment of accounting laws of Estonian Republic.
3.3.Personal data of Worldoppet passport owners (name, date of birth, sex, nationality, address, phone, e-mail). Worldloppet passports owners’ data is collected when purchasing the passport via online shop www.worldloppetstore.com or at every member race office. Member race send list of sold Worldloppet passports with passport owners data once a year to Worldloppet office. Every member race has data of only those Worldloppet passport owners, who have purchased passport at their office.
Personal data of Worldoppet passport owners is kept in online database until organization exists as these passports does not have an expiration date. It is necessary to collect stated data to avoid duplicate passport owners. E-mail addresses are also used for contacting purposes and sending out passport owner’s newsletter until person unsubscribes form newsletter. All data collected is necessary for fulfilment of organization objectives – nomination of Worldloppet Masters.
Data of passport owners is not public, is not given out for any third party. In this respect, Worldloppet has engaged Juniper Solutions based in Trento, Italy (whose services have certification for compliance with ISO 27001 standard) as subcontractor, thus ensuring confidentiality, integrity, availability and resilience of IT systems and services through which data are processed and stored.
Passport owners´ data is duplicated on paper files, kept in Worldoppet office in Tartu, Estonia.
Providing of personal data when purchasing Worldloppet passport is required for the fulfilling of our services and refusal to provide the personal data will result in failure to service you.
3.4. E-mail addresses of the subscribers of an email newsletter are collected via www.smaily.com platform upon subscription and kept until person unsubscribes form newsletter.
3.5. Personal data of e-shop www.worldloppetstore.com customers (name, address, phone, e-mail, payment details). Data of e-shop customers is collected via WordPress platform WooCommerce and kept up to one year from last order for accounting purposes. WordPress as subcontractor, thus ensuring confidentiality, integrity, availability and resilience of IT systems and services through which data are processed and stored. Credit card payments are managed via subcontractor Every Pay and bank transfers are managed by LHV Pank AS.
3.6. Race results of skiers who have participated in WL member races (name, sex, data of birth, nationality). Race results of the participants are provided by Worldloppet member organizations and Global Ski Calendar partner organizations on the basis of mutual agreement and kept for indefinite time as a matter of public interest. Consent for process personal data related to results is provided by data subject at the time of the registration to a race. The data collected is necessary for fulfilment of organization objectives – foe example nomination of Worldloppet Masters, composing of Global Ranking of participants, nomination of Virtual Racers. Participants’ data is not given out for third parties. For years 1979-2011 race results are kept in paper files in Worldoppet office in Tartu, Estonia. Data of race results starting from 2001 is available publicly on website www.worldloppet.com.
At public result list we show following data: name, sex, age group, nationality. Providing Worldloppet with race results matched with personal data is required for the fulfilling of our services and refusal to disclose it data will result in failure to service you (for example without above named data it is impossible to match Passport owner race results to owner, to match person with his/her previous race history, to match person to MyLoppet service, to appoint Global Ranking scores, to appoint Virtual Racer nomination).
3.7. Data of MyLoppet users is collected during the user registration is the same as for Worldloppet passport owners named in point 3.3. and is used and treated in the same way. Only registered MyLoppet users can become the Virtual Racers.
3.8. Data on visits to the website www.worldloppet.com. This data includes IP addresses, proxy servers, devices, location, browser types, pages and files used on our website, searches, operating systems and system configurations, dates and times associated with the website visit.
This data is only used to extract anonymous statistical information on website use as well as to check correct functioning. Such data may also be used to establish liability in case computer crimes are committed against Worldloppet site and their users, also upon request by the judicial authority.
3.9. Personal data (name, e-mail address) resulting from normal communication between the data subject and Worldloppet office; is kept in virtual mailbox rented from Microsoft Office and is not public.
3.10. Personal data made clearly public by the data subject (e.g. in social media) is not stored by Worldloppet and is public.
3.11. Social media features. Worldloppet websites may use social media features, such as the Facebook- and/or Instagram-like button. For person may be given an option by such a Social Media features to post information about person´s activities on a website to a personal profile page that is provided by a third-party social media network in order to share with others within his/her network.
These features are hosted by the respective social media network or directly on our website. To the extent these features are hosted by the respective social media networks, the latter may receive information that the user has visited our website from his/her IP address. If the user is logged into his/her social media account, it is possible that the respective social media network can link the user`s visit of our websites with his/her social media profile.
When interacting with us in social media, such as following Worldloppet or share our content on Facebook and Instagram or other sites, we may receive information from those social networks including person´s profile information, picture, user ID associated with social media account, friends list, and any other information person has permitted at social network to share with third parties. The information we receive is dependent upon each person´s privacy settings.
3.12. Public and/or freely available data recordings of sport events. Worldloppet also act as an aggregator of results from competitive and non-competitive sports events. To this end, the Controller may process personal information acquired from lists, public directories (including but not limited to rankings and results from sports events organised by business partners and/or affiliates) or that is freely available to the general public.
4. Data processing methods
All personal data are processed mainly using electronic instruments and methods; nevertheless this does not exclude the use of paper files. These data will be stored in such a manner to allow identification of the data subjects only for the time strictly necessary to accomplish the purposes for which the data were collected in the first place and, in any case, within the terms of the law.
In order to ensure that personal data are always correct, updated, relevant and complete, we invite both users and other data subjects to keep their data up-to-date through the Worldloppet website MyLoppet service or notify us of any changes by sending an email to email@example.com.
Data processed for providing our services is available to relevant employees and persons of the Controller as well as natural persons and employees at companies that we have hired to technically process this data for us. These are entities that work as administrators of databases and IT networks, providers of services necessary for the web shop functioning, providers of photographic and video services and other subjects that may provide for the technical aspects of the partner races.
5. Data storage and security
We undertake to ensure security of your personal data. In order to prevent unauthorised access to it, or its unauthorised disclosure, we have introduced adequate physical, electronic and managerial procedures for the protection and security of the information that we collect on the Website. You acknowledge that your personal data that you provide to us shall be systematically administered in an automatic way by the use of automatic and all other information system tools.
In this respect, Worldloppet has engaged Juniper Extensible Solutions S.r.l., Italy as subcontractor, thus ensuring confidentiality, integrity, availability and resilience of IT systems and services through which data are processed and stored.
6. Data subject rights.
Every person has the right to:
- request and obtain information as to whether or not personal data concerning them are held and being processed by Worldloppet,
- check his/her personal data,
- request access to the personal data,
- request corrections to the personal data,
- request limiting of the personal data,
- request and obtain erasure of their personal data where the information and the data are not necessary – or no longer necessary – in relation to the purposes referred to above or on other legal grounds,
- request the transfer of personal data,
- request an evaluation by a supervisory authority.
These requests may be submitted by sending an email to firstname.lastname@example.org. Any request by e-mail must be submitted together with a copy of an identification document so that the person’s identity can be verified.
The person has the right to turn to Data Protection Inspectorate or to court if he/she finds that his/her personal data has been misused. Contact info for the Data Protection Inspectorate can be found from http://www.aki.ee/en
It is understood that data subject´s personal data may be communicated to third parties such as law enforcement authorities or other public administrations whenever this is permitted by law or required by orders or measures issued by a competent authority. These subjects will process such data as independent data controllers.
The data protection specialist changes and/or erases the personal data after the person has been identified and if it is not in conflict with fulfilment of organization objectives. It may occur that after deletion of personal data, it is not possible for person to use services provided by Worldloppet and/or become a Worldloppet Master, Global Skier, Virtual Racer or be ranked in Global Ranking.
- Third party websites
Worldloppet provides links to third party websites and services for the sole purpose of facilitating user navigation. You acknowledge that the inclusion of such hypertext links does not imply nor is intended to provide any kind of recommendation or endorsement of the linked websites and that Worldloppet makes no warranties with respect to the contents, goods and services provided through them.
The Controller may amend or update all or part of this document at any time, also where amendments are made to laws or regulations governing the protection of personal data.
This Private Policy shall take effect as of May 28th 2018, amended October 15th 2020.
Worldloppet subcontractors and partners:
- Worldloppet member races, listed here https://www.worldloppet.com/races/
- Global Calendar partner races listed here https://www.worldloppet.com/globalcalendar/
- Juniper Extensible Solutions S.r.l., .IVA n. 01692370222 Trento, Italy
- EveryPay AS reg code 12280690 Arnika tee 31A, 11912 Tallinn, Estonia email@example.com
- LHV Pank AS reg code 12417231 Tartu mnt 2, 10145 Tallinn, Estonia firstname.lastname@example.org Sendsmaily OÜ reg code 12837097 Paldiski mnt 29, 10612 Tallinn, Estonia email@example.com
- Eesti Post AS reg code 10328799 Pallasti 28, 10001 Tallinn, Estonia firstname.lastname@example.org
- Bluehost – Endurance International Group 10 Corporate Drive, Suite #300, Burlington, MA 01803, USA
- WordPress – Automattic Inc. 60 29th Street #343, San Francisco, CA 94110, USA
- Facebook Inc 1601 Willow Road, Menlo Park, California 94025, USA email@example.com
- Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA