PRIVACY POLICY

PURSUANT TO (EU) REGULATION 2016/679 ("GDPR") AND TO THE NATIONAL LEGISLATION CONCERNING THE PROTECTION OF PERSONAL DATA IN FORCE


(ver. 01/08/2023)


"Data" means:

- Non-sensitive data: personal data processed by AC Milan S.p.A. during Site navigation following user registration, such as name, surname, gender, place/country and date of birth, contact language, e-mail address and password, physical address (domicile and / or residence), information about products/services purchased and any other data (such as tax code and payment information) required for the purchase and issue of tickets and/or season tickets and other data (photograph, residence, address) required in order to issue the Supporter Card (CRN Card); If you are a minor, the data processed will be non-sensitive data of the person who exercises parental responsibility;

 

- Browsing data: information acquired from computer systems and software procedures that is used to ensure routine operation of the Site; this information is not collected in order to be associated with identified data subjects but may, through processing and association with data held by third parties, allow identification of users; this category of data includes IP addresses or domain names of computers used by users who connect to the site, URI addresses (Uniform Resource Identifier) of requested resources, the time of the request, the method utilized to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc..) and other parameters related to the operating system and the IT environment of the user. You can find more information about the processing of such data within the Cookie Policy;


- Data related to “Regulatory Code of the transfer of access tickets to football events”: Data related to breaches of the this "Code" adopted by AC Milan S.p.A.

Data are collected from the data subject (and thereby directly made available by you) while navigating the web site and any other web sites in which this Privacy Policy is published, as well as within the scope of services and products provided by them. Data relating to dispositions, on the other hand, may be communicated to AC Milan S.p.A by the competent authorities.
 PURPOSES OF PROCESSING
 LAWFULNESS OF PROCESSING
 DATA RETENTION PERIOD
Data are processed by AC Milan S.p.A. as data controller of the processing for:
Ticket management - Purchase and issuing tickets: non-sensitive data such as an example name, surname, gender, place / country and date of birth and tax code are processed for the issue of the ticket and / or season ticket and the provision of related services, comprehending possible refunds or donations. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009. Fulfilment of contractual obligations.


Fulfilment of a legal obligation to which 
the data controller is subject.
5 years from the date of purchase of 
the ticket.

Ticket Management – Management of the CRN Card: the non-sensitive data required for the Carta Cuore Rossonero are processed for the purpose of issuing and activating the provision of services, facilities and privileges connected with it (such as, for example but not limited to, pre-sales, promotions on tickets for AC Milan SpA home matches, dedicated events, discounts on services and products), made available at the discretion of the AC Milan SpA, including the sending of communications (also by electronic means) strictly pertaining to the contractual relationship and the benefits deriving therefrom, as well as the management of specific user requests. In particular, the identification document and your photo image are required for the identification of the buyer in the case of online purchase. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.

Fulfilment of contractual obligations.


Legitimate interest of the Company.


Fulfilment of a legal obligation to which the data controller is subject.

10 years from the end of the sporting season to which the Card refers for possible administrative checks and/or for the management of a court litigation.


The identity documents collected for identification will be stored until the procedure required for CRN Card is completed.

Ticket management – Issue of passes release: non-sensitive data such as name, surname, place and date of birth, job and company, are required and processed for the issue of the passes for the subjects who must enter the stadium for service reasons. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009. Fulfilment of contractual obligations. For the duration of the current season.
Application of the Code of Regulation for the transfer of admission ticket to football events: non-sensitive data relating to official measures of those who access the Stadium are treated for verify compliance with the Code of Regulation of the transfer of admission tickets to football events enforced by AC Milan S.p.A. and to prevent entry to those who violate this code. The data of those who are not allowed to enter at the Stadium they are kept in a black-list.

Compliance with a legal obligation to which the Company is subject. 

Data refers to legal provision collected in connection with the Code of Regulations for the transfer of admission titles to football event will be stored for 10 years after collection in order to comply with obligations to assess the possible re-offense.

Authorization requests to Banners and / or choreographies: non-sensitive data are processed review the requests also by forwarding the content of the banner to the competent Authorities for the purposes of the release of the authorization.

Compliance with a legal obligation to which Company is subject.

For the duration of the current season
Website Navigation: navigation data are only used to obtain anonymous statistical information about the use of the web site and to verify correct operation. Navigation data may be used to ascertain responsibility in the event of possible computer crimes against the Website.

Legitimate interest of the Company.

Navigation data are deleted immediately after processing or made anonymous.
Registration in the confidential area of the web site and management of the account: non-sensitive data (i.e. name, surname, place and date of birth, gender, e-mail) are used for the creation and the management of the account, necessary to access all areas and services of the Website exclusively for registered users. Required in order to execute a request by the data subject or fulfil contractual obligations. For the duration of the contract and thereby until the user closes the account.
Support to the data subject: non-sensitive data are processed in order to recognize the data subject and thereby provide assistance in response to specific requests of the said party regarding products or services provided by the Company or in order to optimize the use of services and send service notices regarding the user’s profile.

Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract in order to fulfil a data subject’s request or to improve user services and meet user expectations.

10 years from the date of purchase and/or termination of the contract.

Receipt of communications on sales: by clicking on the “Sign me up” button, your Data will be processed to the subscription and management of a list and to send communications relating to the sale of ticketing products. Execution of pre-contractual/Service obligations. Until the end of the phase dedicated to the relevant sales campaign.

Call you to support you in the purchasing of products or services: by clicking on the "Let’s go" button, common data (e.g. name, surname, phone number, e-mail) are processed to: (i) let you to send a request of information and to be called through the dedicated form; (ii) call you one time useful by telephone in order to propose products or services provided by the Company.

Consent of the data subject. For the term needed to call you.
Purchase of products or services: non-sensitive data (e.g. name, surname, e-mail address, residence address, telephone) are required in order to execute purchases, ensure shipment of purchased products (and related commercial invoices), notify the user about transactions made, purchase tickets for entry into the Stadium and purchase tickets. Fulfilment of contractual obligations.

10 years from the date of purchase and/or termination of the contract.

Disclosure of data related to the participation in specific magazines: any non-sensitive data provided and images and/or personal experiences shared if involved in specific magazines dedicated to supporters and their stories may be disclosed, following acceptance of a specific release/waiver, published on Internet web sites including social networks, on press and/or any other media.

Consent of the data subject. Personal data, images and/or personal experiences shared are stored until consent is withdrawn.
Participation in promotions, competitions and prize contests: Non-sensitive data such as name, surname and e-mail of the natural or legal person and data required by specific regulations will be processed for involvement in the initiative. For each event a privacy notice is provided to data subjects. Fulfilling contractual obligations.

5 years from the termination of the initiative.

Registration for events: non-sensitive data provided also through dedicated forms, will be used for registration requests and for the management of entry lists.

Fulfilling contractual obligations.

The date are cancelled at the end of the relevant event.

Direct Marketing sending by the Company using automated contact (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional methods (such as telephone calls with operator and surface mail) promotional and commercial communications and/or newsletter relating to the products/services offered by the Company and its partners disseminated to all fans, as well as customer satisfaction surveys, market surveys.

Furthermore, the e-mail address is processed to send newsletters, by clicking on the “Subscribe me” button, on news, initiatives and promotions of the Data Controllers.

Consent of the data subject.

Withdrawal of consent. Data are stored for 5 years from collection and in any case, until consent is revoked, carried out by means of an unsubscribe request at the link of the bottom of each newsletter.

Soft Spam: sending to the e-mail address provided by you, commercial communications relating to products or services similar to those already purchased. Each sending will allow you to refuse further mailings.

Legitimate interest of the Company.

5 years from the last purchase.

Profiling: sending of customized sales communications promotional actions/offers and services tailored to your needs/preferences, habits, behaviour patterns and interests. To this aim, we will analyse your purchases (including for example tickets and merchandising products), the participation in events and initiatives as well as online navigation.

Consent of the data subject. Withdrawal of consent. Data are stored for 5 years from collection.
Communication to Fondazione Milan Onlus: communication of non-sensitive data to Fondazione Milan Onlus in order to send institutional communications and information material via e-mail, telephone and/or printed mail related to the activities of Fondazione Milan Onlus. Consent of the data subject. Withdrawal of consent.
Legal obligations: processing of data, including data related to dispositions, in order to fulfil the obligations defined by national and supranational legislations in force (laws, regulations, including sector-related ones).

Execution of legal obligations to which the Company is subject.

10 years from collection.

Statistical analysis: Data collected may be processed for analysis in a manner that is not fully automated, resulting in analysis that does not involve personal data, but only aggregate data, which are not used to support measures or decisions regarding individuals (e.g., for marketing, predictive and behavioral models).

Legitimate interest of the Company.

5 years from collection.

Defence before the Court and recovery of extrajudicial expenses: all Data may be processed if necessary, ascertain, exercise or defend the rights of the Company before the Court or to recover claims against the data subject.

Legitimate interest of the Company to defend themselves in court against the data subject.

In the event of judicial litigation, for the entire duration of such action until the terms for appeals are attained.

Use of Meta Business Tools for Targeted Advertising: navigation data are processed by the Company and Meta Platforms Ireland Limited to promote targeted advertising based on measuring the level of interaction between the websites visited based on the data subject's preferences and targeted advertising within the social network through Meta Business Tools (i.e. only, Cookies, plug-ins and Pixels). Further information on how Meta Platforms Ireland Limited processes the Data, including the lawfulness of processing of processing and means of granting the data subject's rights, may be found in Meta Platforms Ireland Limited's Data Policy at https://www.facebook.com/about/privacy.

Consent of data subject.

Data are stored for term provided by each Meta Business Tool implemented. Please you may find 

more information to Data Policy available at the following link https://www.facebook.com/about

/privacy.

Data processing is carried out electronically by means of collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Once the above storage terms have elapsed, Data will be destroyed or rendered anonymous, in keeping with technical cancellation and backup procedures. Kindly also note that the CRN Card has a microchip containing RFID technology, which allows the card to be read by the access turnstiles at the stadium from a distance varying between 1 and 10 centimetres. No data is stored at the turnstiles, which are only enabled to verify that the codes stored on the card match the costs for the event in question.

 DATA CONFERMENT

Conferment of Data for the following purposes:

a. Website Navigation: compulsory and necessary; failure to provide data may make it impossible to browse the Website;

b. Registration in the reserved area of the website and management of the account: compulsory for registration with the site and use of services exclusively accessible through the reserved area; non-conferment does not affect free navigation of site pages that do not require registration;

c. Online purchase of products and services, assistance for data subject: compulsory to ensure fulfilment of contractual obligations of the data controller as regards the data subject (such as shipment of goods purchased through the online store, release/mailing of the Cuore Rossonero Card);

d. Management of tickets – Purchase and issue of tickets and/or season tickets, Management of Supporter Card (CRN card), Issue of Passes and enforcement of the “Regulatory Code of the transfer of access tickets to football events”: compulsory and necessary for issuing tickets and/or season tickets, badges and passes, as well as to meet the contract and allow access to the Stadium; any refusal to provide data or incompleteness may make it impossible for the Company to provide services in their entirety and to comply with legal obligations;

e. Authorization for Banners and/or Choreographies: compulsory obtain clearance for the display of banners: incomplete compilation of the form will not allow your request of authorization and it will not therefore be possible to display the banner;

f. Disclosure of data related to participation in specific magazines: optional and non–conferment will not entail any consequences other than the impossibility of taking part in the magazines and, in this context, to share personal images and/or experiences;

g. Participation in promotions, competitions and prize draws: compulsory, non–conferment will not entail any consequences other than the impossibility of taking part in promotions, competitions and prize draws;

h. Legal obligations: it is compulsory to allow the data controller to fulfil the obligations defined by applicable regulations and laws (laws, regulations, including by sector) on a national and supranational scale;

i. Statistical analysis: compulsory to pursue the Company legitimate interest in conducting statistical analysis, subject to the exercise of the right to object;

j. Defence before the Court and recovery of extrajudicial expenses compulsory to ensure the legitimate interest of the data controller to defend itself in court and/or recover a claim against the data subject;

k. Call me: is optional and non-conferment will not allow you to send request of information and to be contacted in order to grant you support in the purchasing of product or services through the dedicated form provided;

l. Direct Marketing, Profiled Marketing, Third Party Marketing optional and non-conferment will not entail any consequence other than not being able to receive promotions, discounts and commercial communications, including those appropriate to your needs/preferences, and to be informed about any marketing initiatives promoted by third party companies;

m. Communication Fondazione Milan Onlus optional and non-conferment will not entail any consequence other than not being able to receive institutional communications and informative material about the activities of Fondazione Milan Onlus;

n. Use of Meta Business Tools for targeted advertising: is optional and non-conferment will not result in any consequences except the impossibility to receive targeted advertising based on interactions with websites visited. 

 RECIPIENTS OF DATA

Data may be transferred to persons acting as processing managers, including particular:

a. Authorities and supervisory and control bodies and, in general, public or private entities having a right to request such data. In particular, for Ticket Management - Supporter Card Management (Cuore Rossonero Card), Enforcement of the “Regulatory Code of the transfer of access tickets to football events” and Authorisation for Banners and/or Choreographies, the Security Operative Unit (G.O.S.), State Police and Police Headquarters;

b. Lawyers, accountants, auditors;

c. Companies managing call centers relevant to the recording of phone calls to monitor the quality of the service. For info relevant to the names of the companies please see below.

d. Other Group Companies for the purposes indicated above.


Data may be processed, on behalf of the data controller, to allow the performance of the activities described above by persons appointed as data processing managers, including, in particular:

a. Companies that offer e-mailing services for marketing purposes;

b. Companies that handle website maintenance;

c. Companies that deal with goods shipment services;

d. Companies that provide support in carrying out market studies;

e. Companies that manage the online store and handle shipping and invoicing of products.

 AUTHORISED DATA PROCESSING SUBJECTS
Data may be processed by employees of company departments responsible for achieving the foregoing purposes who have been expressly authorized to process such data and have received appropriate operating instructions.
 TRANSFER OF PERSONAL DATA

Data will not be disclosed and will not be transferred to non-EU countries. Should this occur, in order to ensure a suitable level of Personal Data protection, the transfer will only be made on the basis of EU decisions relevant to the suitability of the protection or the enforcement, by the Company of the Standard Contractual Clauses required by the European Commission.

 RIGHTS OF THE DATA SUBJECT - COMPLAINTS TO THE CONTROL AUTHORITY

Company can be contacted by e-mail at privacy@acmilan.com, whereby data subjects:

• ask the data controller to confirm the existence or otherwise of data processing concerning them and, if so, to obtain access to such data as well as to information about processing, such as: purposes, the categories of personal data, recipients or categories of recipients to whom data may be communicated, the filing period, the existence of an automated decision-making process and the logic used, as well as the existence of appropriate assurances in the event of data transfer to a non-EU country;

• obtain updating, correction, integration or cancellation of data, as well as processing restrictions;

• oppose entirely or in part: a) for reasons associated with their specific circumstances, the processing of data for the legitimate interests of the Company; b) to the processing of personal data concerning them for the purposes of direct marketing and/or profiled marketing carried out using automated (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional (such as phone calls with operator and traditional mail) contact methods;

• to receive data in a widely used, structured format that can be read by an automatic device, and, if technically feasible, transmit them to another data controller without impediments ("right to data portability");

• withdraw any consent granted at any time. Data subjects also have the right to send a complaint to the competent Supervisory Authority.


In addition, the Company have appointed a Data Protection Officer (DPO), a specialist figure responsible for monitoring the procedures adopted by our Company to protect data. You can contact our DPO by writing to dpo@acmilan.com.

Data are processed by AC Milan S.p.A. as data controller of the processing for:
 PURPOSES OF PROCESSING
Ticket management - Purchase and issuing tickets: non-sensitive data such as an example name, surname, gender, place / country and date of birth and tax code are processed for the issue of the ticket and / or season ticket and the provision of related services, comprehending possible refunds or donations. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.

 LAWFULNESS OF PROCESSING
Fulfilment of contractual obligations.


Fulfilment of a legal obligation to which 
the data controller is subject.


 DATA RETENTION PERIOD
5 years from the date of purchase of 
the ticket.
 PURPOSES OF PROCESSING

Ticket Management – Management of the CRN Card: the non-sensitive data required for the Carta Cuore Rossonero are processed for the purpose of issuing and activating the provision of services, facilities and privileges connected with it (such as, for example but not limited to, pre-sales, promotions on tickets for AC Milan SpA home matches, dedicated events, discounts on services and products), made available at the discretion of the AC Milan SpA, including the sending of communications (also by electronic means) strictly pertaining to the contractual relationship and the benefits deriving therefrom, as well as the management of specific user requests. In particular, the identification document and your photo image are required for the identification of the buyer in the case of online purchase. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.



 LAWFULNESS OF PROCESSING

Fulfilment of contractual obligations.


Legitimate interest of the Company.


Fulfilment of a legal obligation to which the data controller is subject.



 DATA RETENTION PERIOD

10 years from the end of the sporting season to which the Card refers for possible administrative checks and/or for the management of a court litigation.


The identity documents collected for identification will be stored until the procedure required for CRN Card is completed.

 PURPOSES OF PROCESSING
Ticket management – Issue of passes release: non-sensitive data such as name, surname, place and date of birth, job and company, are required and processed for the issue of the passes for the subjects who must enter the stadium for service reasons. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.

 LAWFULNESS OF PROCESSING
Fulfilment of contractual obligations.

 DATA RETENTION PERIOD
For the duration of the current season.
 PURPOSES OF PROCESSING
Application of the Code of Regulation for the transfer of admission ticket to football events: non-sensitive data relating to official measures of those who access the Stadium are treated for verify compliance with the Code of Regulation of the transfer of admission tickets to football events enforced by AC Milan S.p.A. and to prevent entry to those who violate this code. The data of those who are not allowed to enter at the Stadium they are kept in a black-list.

 LAWFULNESS OF PROCESSING

Compliance with a legal obligation to which the Company is subject. 



 DATA RETENTION PERIOD

Data refers to legal provision collected in connection with the Code of Regulations for the transfer of admission titles to football event will be stored for 10 years after collection in order to comply with obligations to assess the possible re-offense.

 PURPOSES OF PROCESSING
Authorization requests to Banners and / or choreographies: non-sensitive data are processed review the requests also by forwarding the content of the banner to the competent Authorities for the purposes of the release of the authorization.

 LAWFULNESS OF PROCESSING

Compliance with a legal obligation to which Company is subject.



 DATA RETENTION PERIOD
For the duration of the current season
 PURPOSES OF PROCESSING
Website Navigation: navigation data are only used to obtain anonymous statistical information about the use of the web site and to verify correct operation. Navigation data may be used to ascertain responsibility in the event of possible computer crimes against the Website.

 LAWFULNESS OF PROCESSING

Legitimate interest of the Company.



 DATA RETENTION PERIOD
Navigation data are deleted immediately after processing or made anonymous.
 PURPOSES OF PROCESSING
Registration in the confidential area of the web site and management of the account: non-sensitive data (i.e. name, surname, place and date of birth, gender, e-mail) are used for the creation and the management of the account, necessary to access all areas and services of the Website exclusively for registered users.

 LAWFULNESS OF PROCESSING
Required in order to execute a request by the data subject or fulfil contractual obligations.

 DATA RETENTION PERIOD
For the duration of the contract and thereby until the user closes the account.
 PURPOSES OF PROCESSING
Support to the data subject: non-sensitive data are processed in order to recognize the data subject and thereby provide assistance in response to specific requests of the said party regarding products or services provided by the Company or in order to optimize the use of services and send service notices regarding the user’s profile.

 LAWFULNESS OF PROCESSING

Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract in order to fulfil a data subject’s request or to improve user services and meet user expectations.



 DATA RETENTION PERIOD

10 years from the date of purchase and/or termination of the contract.

 PURPOSES OF PROCESSING
Receipt of communications on sales: by clicking on the “Sign me up” button, your Data will be processed to the subscription and management of a list and to send communications relating to the sale of ticketing products.

 LAWFULNESS OF PROCESSING
Execution of pre-contractual/Service obligations.

 DATA RETENTION PERIOD
Until the end of the phase dedicated to the relevant sales campaign.
 PURPOSES OF PROCESSING

Call you to support you in the purchasing of products or services: by clicking on the "Let’s go" button, common data (e.g. name, surname, phone number, e-mail) are processed to: (i) let you to send a request of information and to be called through the dedicated form; (ii) call you one time useful by telephone in order to propose products or services provided by the Company.



 LAWFULNESS OF PROCESSING
Consent of the data subject.

 DATA RETENTION PERIOD
For the term needed to call you.
 PURPOSES OF PROCESSING
Purchase of products or services: non-sensitive data (e.g. name, surname, e-mail address, residence address, telephone) are required in order to execute purchases, ensure shipment of purchased products (and related commercial invoices), notify the user about transactions made, purchase tickets for entry into the Stadium and purchase tickets.

 LAWFULNESS OF PROCESSING
Fulfilment of contractual obligations.

 DATA RETENTION PERIOD

10 years from the date of purchase and/or termination of the contract.

 PURPOSES OF PROCESSING

Disclosure of data related to the participation in specific magazines: any non-sensitive data provided and images and/or personal experiences shared if involved in specific magazines dedicated to supporters and their stories may be disclosed, following acceptance of a specific release/waiver, published on Internet web sites including social networks, on press and/or any other media.



 LAWFULNESS OF PROCESSING
Consent of the data subject.

 DATA RETENTION PERIOD
Personal data, images and/or personal experiences shared are stored until consent is withdrawn.
 PURPOSES OF PROCESSING
Participation in promotions, competitions and prize contests: Non-sensitive data such as name, surname and e-mail of the natural or legal person and data required by specific regulations will be processed for involvement in the initiative. For each event a privacy notice is provided to data subjects.

 LAWFULNESS OF PROCESSING
Fulfilling contractual obligations.

 DATA RETENTION PERIOD

5 years from the termination of the initiative.

 PURPOSES OF PROCESSING

Registration for events: non-sensitive data provided also through dedicated forms, will be used for registration requests and for the management of entry lists.



 LAWFULNESS OF PROCESSING
Fulfilling contractual obligations.

 DATA RETENTION PERIOD

The date are cancelled at the end of the relevant event.

 PURPOSES OF PROCESSING

Direct Marketing sending by the Company using automated contact (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional methods (such as telephone calls with operator and surface mail) promotional and commercial communications and/or newsletter relating to the products/services offered by the Company and its partners disseminated to all fans, as well as customer satisfaction surveys, market surveys.

Furthermore, the e-mail address is processed to send newsletters, by clicking on the “Subscribe me” button, on news, initiatives and promotions of the Data Controllers.



 LAWFULNESS OF PROCESSING
Consent of the data subject.

 DATA RETENTION PERIOD

Withdrawal of consent. Data are stored for 5 years from collection and in any case, until consent is revoked, carried out by means of an unsubscribe request at the link of the bottom of each newsletter.

 PURPOSES OF PROCESSING

Soft Spam: sending to the e-mail address provided by you, commercial communications relating to products or services similar to those already purchased. Each sending will allow you to refuse further mailings.



 LAWFULNESS OF PROCESSING

Legitimate interest of the Company.



 DATA RETENTION PERIOD
5 years from the last purchase.
 PURPOSES OF PROCESSING

Profiling: sending of customized sales communications promotional actions/offers and services tailored to your needs/preferences, habits, behaviour patterns and interests. To this aim, we will analyse your purchases (including for example tickets and merchandising products), the participation in events and initiatives as well as online navigation.



 LAWFULNESS OF PROCESSING
Consent of the data subject.

 DATA RETENTION PERIOD
Withdrawal of consent. Data are stored for 5 years from collection.
 PURPOSES OF PROCESSING
Communication to Fondazione Milan Onlus: communication of non-sensitive data to Fondazione Milan Onlus in order to send institutional communications and information material via e-mail, telephone and/or printed mail related to the activities of Fondazione Milan Onlus.

 LAWFULNESS OF PROCESSING
Consent of the data subject.

 DATA RETENTION PERIOD
Withdrawal of consent.
 PURPOSES OF PROCESSING
Legal obligations: processing of data, including data related to dispositions, in order to fulfil the obligations defined by national and supranational legislations in force (laws, regulations, including sector-related ones).

 LAWFULNESS OF PROCESSING

Execution of legal obligations to which the Company is subject.



 DATA RETENTION PERIOD

10 years from collection.

 PURPOSES OF PROCESSING
Statistical analysis: Data collected may be processed for analysis in a manner that is not fully automated, resulting in analysis that does not involve personal data, but only aggregate data, which are not used to support measures or decisions regarding individuals (e.g., for marketing, predictive and behavioral models).

 LAWFULNESS OF PROCESSING

Legitimate interest of the Company.



 DATA RETENTION PERIOD

5 years from collection.

 PURPOSES OF PROCESSING
Defence before the Court and recovery of extrajudicial expenses: all Data may be processed if necessary, ascertain, exercise or defend the rights of the Company before the Court or to recover claims against the data subject.

 LAWFULNESS OF PROCESSING

Legitimate interest of the Company to defend themselves in court against the data subject.



 DATA RETENTION PERIOD
In the event of judicial litigation, for the entire duration of such action until the terms for appeals are attained.
 PURPOSES OF PROCESSING

Use of Meta Business Tools for Targeted Advertising: navigation data are processed by the Company and Meta Platforms Ireland Limited to promote targeted advertising based on measuring the level of interaction between the websites visited based on the data subject's preferences and targeted advertising within the social network through Meta Business Tools (i.e. only, Cookies, plug-ins and Pixels). Further information on how Meta Platforms Ireland Limited processes the Data, including the lawfulness of processing of processing and means of granting the data subject's rights, may be found in Meta Platforms Ireland Limited's Data Policy at https://www.facebook.com/about/privacy.



 LAWFULNESS OF PROCESSING
Consent of data subject.

 DATA RETENTION PERIOD

Data are stored for term provided by each Meta Business Tool implemented. Please you may find 

more information to Data Policy available at the following link https://www.facebook.com/about

/privacy.

Data processing is carried out electronically by means of collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Once the above storage terms have elapsed, Data will be destroyed or rendered anonymous, in keeping with technical cancellation and backup procedures. Kindly also note that the CRN Card has a microchip containing RFID technology, which allows the card to be read by the access turnstiles at the stadium from a distance varying between 1 and 10 centimetres. No data is stored at the turnstiles, which are only enabled to verify that the codes stored on the card match the costs for the event in question.

 DATA CONFERMENT

Conferment of Data for the following purposes:

a. Website Navigation: compulsory and necessary; failure to provide data may make it impossible to browse the Website;

b. Registration in the reserved area of the website and management of the account: compulsory for registration with the site and use of services exclusively accessible through the reserved area; non-conferment does not affect free navigation of site pages that do not require registration;

c. Online purchase of products and services, assistance for data subject: compulsory to ensure fulfilment of contractual obligations of the data controller as regards the data subject (such as shipment of goods purchased through the online store, release/mailing of the Cuore Rossonero Card);

d. Management of tickets – Purchase and issue of tickets and/or season tickets, Management of Supporter Card (CRN card), Issue of Passes and enforcement of the “Regulatory Code of the transfer of access tickets to football events”: compulsory and necessary for issuing tickets and/or season tickets, badges and passes, as well as to meet the contract and allow access to the Stadium; any refusal to provide data or incompleteness may make it impossible for the Company to provide services in their entirety and to comply with legal obligations;

e. Authorization for Banners and/or Choreographies: compulsory obtain clearance for the display of banners: incomplete compilation of the form will not allow your request of authorization and it will not therefore be possible to display the banner;

f. Disclosure of data related to participation in specific magazines: optional and non–conferment will not entail any consequences other than the impossibility of taking part in the magazines and, in this context, to share personal images and/or experiences;

g. Participation in promotions, competitions and prize draws: compulsory, non–conferment will not entail any consequences other than the impossibility of taking part in promotions, competitions and prize draws;

h. Legal obligations: it is compulsory to allow the data controller to fulfil the obligations defined by applicable regulations and laws (laws, regulations, including by sector) on a national and supranational scale;

i. Statistical analysis: compulsory to pursue the Company legitimate interest in conducting statistical analysis, subject to the exercise of the right to object;

j. Defence before the Court and recovery of extrajudicial expenses compulsory to ensure the legitimate interest of the data controller to defend itself in court and/or recover a claim against the data subject;

k. Call me: is optional and non-conferment will not allow you to send request of information and to be contacted in order to grant you support in the purchasing of product or services through the dedicated form provided;

l. Direct Marketing, Profiled Marketing, Third Party Marketing optional and non-conferment will not entail any consequence other than not being able to receive promotions, discounts and commercial communications, including those appropriate to your needs/preferences, and to be informed about any marketing initiatives promoted by third party companies;

m. Communication Fondazione Milan Onlus optional and non-conferment will not entail any consequence other than not being able to receive institutional communications and informative material about the activities of Fondazione Milan Onlus;

n. Use of Meta Business Tools for targeted advertising: is optional and non-conferment will not result in any consequences except the impossibility to receive targeted advertising based on interactions with websites visited. 

 RECIPIENTS OF DATA

Data may be transferred to persons acting as processing managers, including particular:

a. Authorities and supervisory and control bodies and, in general, public or private entities having a right to request such data. In particular, for Ticket Management - Supporter Card Management (Cuore Rossonero Card), Enforcement of the “Regulatory Code of the transfer of access tickets to football events” and Authorisation for Banners and/or Choreographies, the Security Operative Unit (G.O.S.), State Police and Police Headquarters;

b. Lawyers, accountants, auditors;

c. Companies managing call centers relevant to the recording of phone calls to monitor the quality of the service. For info relevant to the names of the companies please see below.

d. Other Group Companies for the purposes indicated above.


Data may be processed, on behalf of the data controller, to allow the performance of the activities described above by persons appointed as data processing managers, including, in particular:

a. Companies that offer e-mailing services for marketing purposes;

b. Companies that handle website maintenance;

c. Companies that deal with goods shipment services;

d. Companies that provide support in carrying out market studies;

e. Companies that manage the online store and handle shipping and invoicing of products.

 AUTHORISED DATA PROCESSING SUBJECTS
Data may be processed by employees of company departments responsible for achieving the foregoing purposes who have been expressly authorized to process such data and have received appropriate operating instructions.
 TRANSFER OF PERSONAL DATA

Data will not be disclosed and will not be transferred to non-EU countries. Should this occur, in order to ensure a suitable level of Personal Data protection, the transfer will only be made on the basis of EU decisions relevant to the suitability of the protection or the enforcement, by the Company of the Standard Contractual Clauses required by the European Commission.

 RIGHTS OF THE DATA SUBJECT - COMPLAINTS TO THE CONTROL AUTHORITY

Company can be contacted by e-mail at privacy@acmilan.com, whereby data subjects:

• ask the data controller to confirm the existence or otherwise of data processing concerning them and, if so, to obtain access to such data as well as to information about processing, such as: purposes, the categories of personal data, recipients or categories of recipients to whom data may be communicated, the filing period, the existence of an automated decision-making process and the logic used, as well as the existence of appropriate assurances in the event of data transfer to a non-EU country;

• obtain updating, correction, integration or cancellation of data, as well as processing restrictions;

• oppose entirely or in part: a) for reasons associated with their specific circumstances, the processing of data for the legitimate interests of the Company; b) to the processing of personal data concerning them for the purposes of direct marketing and/or profiled marketing carried out using automated (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional (such as phone calls with operator and traditional mail) contact methods;

• to receive data in a widely used, structured format that can be read by an automatic device, and, if technically feasible, transmit them to another data controller without impediments ("right to data portability");

• withdraw any consent granted at any time. Data subjects also have the right to send a complaint to the competent Supervisory Authority.


In addition, the Company have appointed a Data Protection Officer (DPO), a specialist figure responsible for monitoring the procedures adopted by our Company to protect data. You can contact our DPO by writing to dpo@acmilan.com.