PRIVACY POLICY

HEART BEATS

Event: HEART BEATS
Organizer: ASOCIAȚIA NOTEABOUTLIFE
Location: Cluj-Napoca
Date: 05.06.2021

 

  1. Introduction

1.1 The privacy of personal data is one of the main concerns of ASOCIAȚIA NOTEABOUTLIFE. As such, we aspire to provide the highest standards of privacy and transparency for the personal data we process in our current activity.

1.2 Since conducting our business requires us to process a range of personal data, especially given the specifics of our line of business, we wish to provide assurances that the processing will take place in compliance with the principles of transparency and security of personal data. This privacy policy is meant to help you understand what data we collect, why we collect it and what we do with it.

  2. Who are we?

2.1 ASOCIAȚIA NOTEABOUTLIFE is a Romanian company, established at Bucuresti, Bulevardul Iuliu Maniu, Nr 67, Sc 1, Ap 23, sector 6, with authorization act no. 144/04.12.2014, CIF 33901802. ASOCIAȚIA NOTEABOUTLIFE acts as operator of personal data collected through the www.heartbeats.events website (the “website”) and through the means of monitoring and photo and video image capture used within the Festival by persons authorized by Heart Beats.

2.2 The operator is required to manage the personal data that users of the website provide safely and solely for the specified purposes.

  3. What kind of data is processed, the purpose of processing, the storage period and the legal basis for processing for each category of data?

3.1. WHAT KIND OF DATA IS PROCESSED | THE PURPOSE OF PROCESSING | STORAGE PERIOD | LEGAL BASIS FOR PROCESSING

3.1.1. What kind of data is processed: The e-mail address and the set of cryptographic hash values (generated by applying the SHA-2 512 hash algorithm) related to the password set by the users so that they can log into their accounts.

Purpose of processing: For the purpose of creating and accessing an account on the heartbeats.events website.

Storage period: We will store this data as long as you have an account on the Heart Beats website. You may ask us, at any time, to delete certain information or to close the account and we will respond to these requests, subject to storing certain information, including after closing the account, in situations where the applicable law or our legitimate interests require it. Please take note of the fact that as long as there is no request to delete this data, it will be deleted within 3 years counting from the last use of the account.

Legal basis for processing:

a) Art. 6 (1) par. b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

b) Art. 6 (1) par. f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

3.1.2 What kind of data is processed: Last name, first name, gender, country, date of birth, nationality, profile photo (with the exception of children under the age of 16) and number of the access ticket for the festival.

Purpose of processing: For the purpose of ensuring access and services to which the participant is entitled based on the ticket, fraud prevention, abusive use and for verifying the validity of the ticket or the pass once the check-in process has been completed.

Storage period: 20 days after the end of the Festival the first name, last name and photo will be deleted, and the other data will remain anonymized for the purpose of compiling statistics according to the following paragraph.

Legal basis for processing:

a) Art. 6 (1) lit. b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

b) Art. 6 (1) lit. f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

3.1.3 What kind of data is processed: Date of birth, gender, country.

Purpose of processing: For the purpose of evaluating the products and services provided, Heart Beats compiles statistics that show the preferences of the participants in the event for certain products and services available in the venue of the event. Heart Beats compiles these statistics for the purpose of improving the quality of the products and services provided so as to best meet the needs of the participants in the event. Important: all these statistics are anonymous.

Storage period: 5 years from the date of anonymization.

Legal basis for processing: Art. 6 (1) lit. f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

3.1.4. What kind of data is processed: Name, surname and the contact details of the data subjects (e.g. email and / or telephone), which could be used to inform them about issues related to the organization and conduct of the event, offers or any other communications that are directly related to the product purchased. This data can be obtained directly from the buyer or from the ticketing platform.

Purpose of processing: For the purpose of informing about aspects related to the organization and conduct of the event or any other offers and announcements in close connection with the purchased product. For example, if a particular concert was canceled or rescheduled to another time, the data subjects could receive an informational message and / or any other offers or communications in this regard. Also, the data subject can be informed about the launch of the aftermovie.

Storage period: 72 hours from the end of the Festival or until the resolution of any request from a client. The operator has the right to store any correspondence between the parties up to one year from the date of the last email sent in order to protect any eventual rights in court.

Legal basis for processing:

Art. 6 (1) lit. b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Art. 6 (1) lit. f – processing is necessary for the purposes of the legitimate interests pursued by the operator or by a third party.

3.1.5 What kind of data is processed: Last name, first name, email and telephone number.

Purpose of processing: For the purpose of promoting products provided by Heart Beats and its partners, as well as conducting surveys.

Storage period: Until withdrawal of consent.

Legal basis for processing: Art. 6 (1) (a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

3.1.6 What kind of data is processed:

  • Name, surname;
  • Email and phone number;
  • Country and nationality;
  • Date of birth, sex;
  • Musical preferences – what the data subject liked at the previous edition, favorite scene and favorite type of show (data collected through the fields: “what did you like at the Heart Beats anniversary edition?”, “choose your favorite scene”, “choose your favorite show type”).

Purpose of processing: Information collected in the Pre-register Campaign. The data subjects understand (and accept) that they register to be able to purchase tickets at a promotional price, at the pre-sale stage, for the Festival. Subsequently, Heart Beats sends e-mails / text messages announcing the date on which the tickets for the campaign for which they have registered are put up for sale. Data regarding country, nationality, date of birth, sex – to facilitate the process of purchasing the ticket. Musical preferences – for statistical purposes. We store this data on an anonymous basis to analyze the participants’ preferences and establish the line-up for the next edition.

Storage period: Last name, first name, e-mail, the set of cryptographic hash values (generated by applying the SHA-2 512 hash algorithm) related to the password, and phone number are deleted within 72 hours from the expiration of the Preregister Campaign if the data subjects did not buy the product for which they registered. If the data subjects have purchased a Ticket in this campaign, their personal data will be processed from this step forward in order to ensure the purchased services and access to the Festival.

The other data are anonymized within 72 hours upon the expiration of the Preregister Campaign if the data subjects did not buy the product for which they registered.

Legal basis for processing:

Art. 6 (1) (a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Art. 6 (1) lit. b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Art. 6 (1) lit. f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

3.1.7 What kind of data is processed: Name, surname, email, phone number, signature, photo and / or audio-video recordings that may include your image or voice in the event – “Activation in the Blood Network Caravan”. Name and legal representative (in the case of minors).

Purpose of processing: Information collected in order to carry out the “Enter into Blood Network” campaign. These categories of data are processed to be able to offer a one-day ticket for free to participants who join this campaign or a discount voucher to purchase a full subscription. The phone number in particular is processed so that the Organizer can contact the participants on the day of the campaign to inform them about the schedule. Photo / video images for journalistic, artistic or commercial purposes and in order to promote the event.

Storage period: Your name, first name, e-mail, telephone number and signature are deleted within 72 hours after the Festival ends.

Legal basis for processing:

Art. 6 (1) (a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Art. 6 (1) lit. b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Art. 6 (1) lit. f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

3.1.8 What kind of data is processed: Last name, first name, certificate attesting the promotion (Last name, first name, date of birth, final grade). All the other information from this certificate must be DELETED by the Participant before submitting the certificate to the Organizer.

Purpose of processing: Information collected for the purpose of other campaigns.

Storage period: The data will be deleted within 72 hours after the Festival ends.

Legal basis for processing:

Art. 6 (1) (a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Art. 6 (1) lit. b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

3.1.9 What kind of data is processed: Heart Beats uses video monitoring means through which the images of the data subjects, that is, of all the visitors of the Event, will be processed.

Purpose of processing:

a) For the purpose of ensuring the security of property, spaces and people.

b) For the purpose of defending rights in court or for the purpose of a legal obligation.

Storage period: 20 days from the end of the event. Some data may be stored for a longer period, if storage is necessary to investigate a fraud, to defend in court the rights of either Party or in cases where compliance with requests from competent authorities is required.

Legal basis for processing:

Art. 6 (1) (a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Art. 6 (1) lit. b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Art. 6 (1) lit. f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

3.1.10 What kind of data is processed: Name, surname and email address.

Purpose of processing: Information collected for the purpose of carrying out the “Sparks of Magic 2020” campaign.

Storage period: The data will be deleted within 72 hours after the Festival ends.

Legal basis for processing:

the processing of his or her personal data for one or more specific purposes;

Art. 6 (1) lit. b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Art. 6 (1) (c) – processing is necessary for compliance with a legal obligation to which the controller is subject;

3.1.11 What kind of data is processed: Photographs or footage taken during the Event.

Purpose of processing: For journalistic, information, artistic or commercial purposes and to promote the event.

Storage period: Indefinitely.

Legal basis for processing:

a) Art. 6 (1) lit. f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

b) Art. 6 (1) (a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

 

3.2 In addition to the aforementioned purposes, Heart Beats may process the personal data collected for the following purposes:

  1. For the fulfillment of the obligations incumbent on us as a result of the services provided (e.g. accounting, fiscal, audit, etc.); these are always compatible with the main purposes for which the data was collected.
  2. To the extent that the data subject has given their consent for the processing of their personal data for one or more specific purposes;
  3. For any other purpose auxiliary to the above, or for any other purpose for which we have been provided with personal data, in compliance with the relevant legislation.

3.3 In the situations in which we will use your data for purposes other than those mentioned in this Policy, we undertake to obtain your consent, unless we have a legal obligation or have a different legal basis for processing the data.

3.4 The operator does not create individual profiles.

  4. How are we collecting your personal data?

4.1 We collect your personal data either directly from you, e.g. when you create an account on our website, send us an e-mail at office@heartbeats.eu requesting an offer / information, or give your consent for communication of commercial messages, etc., or indirectly, e.g. when you send this information to the platforms of our company’s other collaborators in the process of purchasing the ticket.

4.2 Also, the HEART BEATS App / HEART BEATS website includes the top-up option, in which context Europayment Services SRL, the euplătesc.ro payment platform provider, a personal data operator, collects and processes the user data necessary to process the payments required for topping up the tickets. For details regarding the category of data processed in this regard, the purpose of the processing and how this operator processes the data of the Buyers, please consult their Privacy Policy by accessing the following link – https://www.euplatesc.ro/politica-de-confidentialitate.php .

4.3 We collect your personal data automatically: when you use our services from the website, we collect information through cookies and by logging your activity. For more information on the use of cookies, please refer to Art. 6 of this Policy.

4.4. If you choose to provide us with the personal data of others, such as when you purchase tickets on behalf of others, you are responsible for how you obtained this data and for ensuring that you have a legal basis for processing it. We cannot be held liable for the violation of the rights of the respective persons.

  5. How are we storing the personal data?

5.1 For storing the personal data you’re providing as a user of our website, a cloud service is used.

  6. COOKIES

6.1 The website contains cookies (very small files that Heart Beats sends to the computers of website users or to other access devices).

6.2 There are two types of these cookies:

  • Functionality cookies: These types of cookies improve the users’ website navigation experience and allow them to benefit from various features;
  • Performance Cookies: These types of cookies are used to measure and analyze how HEART BEATS customers are using the Website. These cookies can continually improve the functionality of the website and the user experience.

6.3 Accessing the website implies the agreement of the users to having these types of cookies placed on their device and accessed on their next visit to the site.

6.4 Information on deleting and controlling cookies is available at www.aboutcookies.org . Deleting or blocking the cookies may prevent access to certain areas or features of the site.

6.5 For more information, please consult our Cookie Policy.

  7. To whom are we disclosing your personal data?

7.1 For fulfilling the processing purposes, HEART BEATS may disclose your personal data to partners, third parties or entities supporting HEART BEATS in the conduct of their business, or to central / local public authorities, in the following cases listed as examples:

  1. To our service providers and contractual partners, for example: marketing and advertising service providers; our partner in charge of ensuring access to the Heart Beats Festival venue; the IT service provider; courier services, payment services, banking services, etc. This data will be provided to the extent necessary and only on the basis of a confidentiality agreement from the contractual partners, which guarantees that this data is kept safe and that its processing is done according to the legislation in force;
  2. To the accountants, auditors, lawyers, insurers or other such external advisers the Operator might employ. This data will be provided to the extent necessary and only on the basis of a confidentiality agreement from the contractual partners, which guarantees that this data is kept safe and that its processing is done according to the legislation in force;
  3. Authorities, institutions and public bodies, if there is a legal request from them or to the extent that there is a legal obligation on us;
  4. The operator will be able to disclose this data whenever the law requires it, or where this action is necessary to allow the exercise of the rights provided by the law and / or to be able to take legal action against any illegal activity;
  5. Your personal data may be transferred to third countries, based on the contractual relationships we have with our partners (both affiliates and other entities in the European Union) in order to compile statistics and other types of reports;

  8. How long do we store your personal information?

8.1 As a matter of principle, Heart Beats will process your personal data according to the period mentioned above and in order to achieve the processing purposes mentioned above. For more details about our data retention policy for certain specific processing, please review the third column of the Table from Art. 3.

  9. Your rights related to personal data processing:

9.1 If you have consented to processing activities, you may withdraw this consent at any time. This withdrawal will only take effect for the future and will not affect the legality of the processing prior to its withdrawal.

9.2 To the extent that your consent is withdrawn, HEART BEATS will prohibit the processing of your personal data and will take all actions to delete all records containing this data.

9.3 However, if processing is compulsory for the provision of services by HEART BEATS and this can be performed on the basis of other legal provisions, Heart Beats will carry out such processing and will notify you in this regard.

9.4 In accordance with the data protection legislation, you have the following rights:

1) Right to information.

This right provides the data subject with the ability to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing. For example, a customer may ask for the list of processors with whom his or her personal data is shared.

2) Right to access.

This right provides the data subject with the ability to get access to his or her personal data that is being processed. This request provides the right for data subjects to see or view their own personal data, as well as to request copies of the personal data.

3) Right to rectification.

This right provides the data subject with the ability to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.

4) Right to withdraw consent.

This right provides the data subject with the ability to withdraw a previously given consent for processing of their personal data for a purpose. The request would then require the company to stop the processing of the personal data that was based on the consent provided earlier.

5) Right to object.

This right provides the data subject with the ability to object to the processing of their personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when a customer asks that his or her personal data should not be processed for certain purposes while a legal dispute is ongoing in court.

6) Right to object to automated processing.

This right provides the data subject with the ability to object to a decision based on automated processing. Using this right, a customer may ask for his or her request (for instance, a loan request) to be reviewed manually, because he or she believes that automated processing of his or her loan may not consider the unique situation of the customer.

7) Right to be forgotten.

Also known as right to erasure, this right provides the data subject with the ability to ask for the deletion of their data. This will generally apply to situations where a customer relationship has ended.

It is important to note that this is not an absolute right, and depends on your retention schedule and retention period in line with other applicable laws.

8) Right to data portability.

This right provides the data subject with the ability to ask for transfer of his or her personal data. As part of such request, the data subject may ask for his or her personal data to be provided back (to him or her) or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.

9.5 If you wish to exercise the rights mentioned above, please contact the person responsible for the protection of personal data using the following contact details:

  • E-mail: office@heartbeats.eu
  • Bucuresti, Bulevardul Iuliu Maniu, Nr 67, Sc 1, Ap 23, sector 6.

9.6 You can also file a complaint regarding the processing of your data with the National Authority for the Processing and Supervision of Personal Data (B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania, www.dataprotection.ro, anspdcp@dataprotection.ro).

  10. Information security

10.1 We are working hard to protect our website, App and users, as well as all personal data collected in accordance with this Policy, from any unauthorized access or from the modification, unauthorized disclosure or destruction of the information we hold.

10.2 In this regard:

a) Heart Beats certifies that it meets the minimum requirements for the security of personal data, the data being processed in a way that provides protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures;

b) The data storage systems used have back-up mechanisms implemented to ensure the redundancy of the stored data.

c) We are regularly reviewing the practices for collecting, storing and processing information, including physical information, as well as security measures, to prevent unauthorized access to the systems.

d) We are restricting the access of our employees and contractors to your personal information, and the contractual relations with these persons are subject to strict rules regarding contractual confidentiality obligations, including under the sanction of termination of contracts.

  11. When does this Privacy Policy apply?

Our privacy policy applies to all services provided by our company and excludes services that have separate privacy policies and do not contain the provisions of this privacy policy.

  12. Amendments.

12.1 Our privacy policy may change, but we promise not to reduce your rights under these changes without your explicit consent. We will publish any amendment to the privacy policy on our webpage, amendment which will come into effect within one day and, if the changes are significant, we will provide more prominent notification (including, for some services, email notification of privacy policy changes). We will also store earlier versions of this Privacy Policy in the archive so that it can be reviewed by you at any time.

12.2 The latest update of this policy was made on the 25th of September 2020.