PRIVACY POLICY

PURSUANT TO (EU) REGULATION 2016/679 ("GDPR") AND TO THE NATIONAL LEGISLATION CONCERNING THE PROTECTION OF PERSONAL DATA IN FORCE

(ver. 20/11/2024)
DEFINITION OF "DATA"


"Data" means:

- Non-sensitive data: personal data processed by AC Milan S.p.A. during Site navigation following user registration, such as name, surname, gender, place/country and date of birth, contact language, e-mail address and password, physical address (domicile and / or residence), information about products/services purchased and any other data (such as tax code and payment information) required for the purchase and issue of tickets and/or season tickets and other data (photograph, residence, address) required in order to issue the Supporter Card (CRN Card); If you are a minor, the data processed will be non-sensitive data of the person who exercises parental responsibility;

 

- Browsing data: information acquired from computer systems and software procedures that is used to ensure routine operation of the Site; this information is not collected in order to be associated with identified data subjects but may, through processing and association with data held by third parties, allow identification of users; this category of data includes IP addresses or domain names of computers used by users who connect to the site, URI addresses (Uniform Resource Identifier) of requested resources, the time of the request, the method utilized to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc..) and other parameters related to the operating system and the IT environment of the user. You can find more information about the processing of such data within the Cookie Policy;


- Data related to “Regulatory Code of the transfer of access tickets to football events”: Data related to breaches of the this "Code" adopted by AC Milan S.p.A.

DATA SOURCE AND CATEGORIES OF DATA COLLECTED c/o THIRD PARTIES
Data are collected from the data subject (and thereby directly made available by you) while navigating the web site and any other web sites in which this Privacy Policy is published, as well as within the scope of services and products provided by them. Data relating to dispositions, on the other hand, may be communicated to AC Milan S.p.A by the competent authorities.
PURPOSES OF PROCESSING
LAWFULNESS OF PROCESSING
DATA RETENTION PERIOD
Data are processed by AC Milan S.p.A. as data controller of the processing for:
1. Website
Website Navigation: navigation data are only used to obtain anonymous statistical information about the use of the web site and to verify correct operation. Navigation data may be used to ascertain responsibility in the event of possible computer crimes against the Website.

Legitimate interest of the Company.
Navigation data are deleted immediately after processing or made anonymous.

Registration in the confidential area of the web site and management of the account MyMilan: non-sensitive data (i.e. name, surname, place and date of birth, gender, e-mail) are used for the creation and the management of the account, necessary to access all areas and services of the Website exclusively for registered users.
Required in order to execute a request by the data subject or fulfil contractual obligations.
For the duration of the contract and thereby until the user closes the account.
2. Stadium

Ticket management - Purchase and issuing tickets: non-sensitive data such as an example name, surname, gender, place / country, address and date of birth and tax code are processed for the issue of the ticket and / or season ticket and the provision of related services, comprehending possible refunds or donations. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.
Fulfilment of contractual obligations.


Fulfilment of a legal obligation to which 
the data controller is subject.

5 years from the end of the sporting season to which the ticket refers.

Ticket Management – Management of the CRN Card: the non-sensitive data required for the CRN Card are processed for the purpose of issuing and activating the provision of services, facilities and privileges connected with it (such as, for example but not limited to, pre-sales, promotions on tickets for AC Milan SpA home matches, dedicated events, discounts on services and products), made available at the discretion of the AC Milan SpA, including the sending of communications (also by electronic means) strictly pertaining to the contractual relationship and the benefits deriving therefrom, as well as the management of specific user requests. In particular, the identification document and your photo image are required for the identification of the buyer in the case of online purchase. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.

Fulfilment of contractual obligations.


Legitimate interest of the Company.


Fulfilment of a legal obligation to which the data controller is subject.

5 years from the end of the last sporting season to which the Card refers for possible administrative checks and/or for the management of a court litigation.


The identity documents collected for identification will be stored until the procedure required for CRN Card is completed.
Ticket management – Issue of passes release: non-sensitive data such as name, surname, place and date of birth, job and company, are required and processed for the issue of the passes for the subjects who must enter the stadium for service reasons. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.
Fulfilment of contractual obligations.
For the duration of the current season.
Authorization requests to Banners and / or choreographies: non-sensitive data are processed review the requests also by forwarding the content of the banner to the competent Authorities for the purposes of the release of the authorization.

Compliance with a legal obligation to which Company is subject.
For the duration of the current season
Application of the Code of Regulation for the transfer of admission ticket to football events: non-sensitive data relating to official measures of those who access the Stadium are treated for verify compliance with the Code of Regulation of the transfer of admission tickets to football events enforced by AC Milan S.p.A. and to prevent entry to those who violate this code. The data of those who are not allowed to enter at the Stadium they are kept in a black-list.

Compliance with a legal obligation to which the Company is subject. 

Data refers to legal provision collected in connection with the Code of Regulations for the transfer of admission titles to football event will be stored for 10 years after collection in order to comply with obligations to assess the possible re-offense.
3. Mondo Milan Museum

Purchase of tickets for access to the Mondo Milan Museum: Personal Data are processed to allow the purchase of tickets for access to the Mondo Milan Museum.

Fulfilment of contractual obligations.

5 years from the time of purchase.
4. E-commerce
Purchase of products or services: non-sensitive data (e.g. name, surname, e-mail address, residence address, telephone) are required in order to execute purchases, ensure shipment of purchased products (and related commercial invoices), notify the user about transactions made, purchase tickets for entry into the Stadium and purchase tickets.
Fulfilment of contractual obligations.

10 years from the date of purchase and/or termination of the contract.
5. Rossoneri Rewards

Participation in the loyalty programme: Personal Data is processed to enable participation in the loyalty programme, to receive communications relating to it, to collect and use points by using discounts and benefits. etc..

Fulfilment of contractual obligations.

Except in the case of litigation - which results in data being retained for the duration of the statutory limitation period - Personal Data is retained for 10 years from the time of purchase. In the event that no purchase is made as part of participation in the loyalty programme, the Personal Data is deleted at the time of unsubscription from the programme.

Invite a friend: each participant in the loyalty programme may indicate any friends, whose e-mail address he/she provides, to share coupons, discounts or other benefits governed by the regulations from time to time.

Fulfilment of contractual obligations.

The e-mail address of the friend identified by the participant is kept for as long as the coupon, discount or other benefit is valid.
6. Waiting lists

Subscribing on the “ticket alert” and “waiting list” services: by clicking on the specific button in the dedicated online forms (e.g., “alert me”, “subscribe and contact me”, “continue”, “updates”, “notify me”, etc.) the user is entitled to request the receipt of e-mail alerts and information (relating, for example, to the opening of the sale of tickets for the selected match/s and/or the opening of the sales phases for the selected campaign/s and/or the opening of the sales phase for the selected campaign/s)- These services may be reserved for MyMilan members only

Fulfilment of pre-contractual/service obligations.

Personal data are processed for as long as necessary to send information about the selected event(s) and/or sales campaign(s) and/or e-commerce products and are consequently deleted within a maximum of 1 week after the event has taken place or the communication has been sent.
7. Participation in initiatives and events

Disclosure of data related to the participation in specific magazines: any non-sensitive data provided and images and/or personal experiences shared if involved in specific magazines dedicated to supporters and their stories may be disclosed, following acceptance of a specific release/waiver, published on Internet web sites including social networks, on press and/or any other media.
Consent of the data subject.
Personal data, images and/or personal experiences shared are stored until consent is withdrawn.

Participation in promotions, competitions and prize contests: Non-sensitive data required will be processed for involvement in the initiative. Any further detailed information on the processing of personal data and the related means carried out on the occasion of each different initiative will be provided in the context of the regulations of that initiative or in dedicated privacy policies.
Fulfilling contractual obligations.

5 years from the termination of the initiative.

Registration for events: non-sensitive data provided also through dedicated forms, will be used for registration requests and for the management of entry lists.
Fulfilling contractual obligations.

The date are cancelled at the end of the relevant event.

Management of the photoboost with photo's printing: the collection of the image is through the use of Totem or by dedicated operators. The sending of the image(s) in digital format is through the user's e-mail address.

Service purposes.

The image is not stored but deleted immediately after printing of the photo unless the data subject requests to receive a copy via email. In this case, the image is stored for 10 days from the collection for sending in digital format.
8. Support and assistance

Call you to support you in the purchasing of products or services: by clicking on the "Let’s go" button, common data (e.g. name, surname, phone number, e-mail) are processed to: (i) let you to send a request of information and to be called through the dedicated form; (ii) call you one time useful by telephone in order to propose products or services provided by the Company.
Consent of the data subject.
For the term needed to call you.

Support to the data subject: non-sensitive data are processed in order to recognize the data subject and thereby provide assistance in response to specific requests of the said party regarding products or services provided by the Company or in order to optimize the use of services and send service notices regarding the user’s profile. Support can be provided through all the different channels made available by the Company (e.g. Help Centre).

Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract in order to fulfil a data subject’s request or to improve user services and meet user expectations.

No more than 10 years from the date of purchase and/or termination of the contract.
9. Carrying out promotional activities and statistical analyses

Direct Marketing sending by the Company using automated contact (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional methods (such as telephone calls with operator and surface mail) promotional and commercial communications and/or newsletter relating to the products/services offered by the Company and its partners (an updated list of which is available on the dedicated page of the website) disseminated to all fans, as well as customer satisfaction surveys, market surveys.

In addition, the e-mail address is processed for sending newsletters on news, initiatives and promotions of the Company after clicking on the “Subscription” button to subscribe to the newsletter, as well as for sending “Cart Recovery” communications in case of failure to complete the e-commerce process.
Consent of the data subject.

Processing is carried out until consent is revoked on the basis of personal data for the last 5 years.

Said data, if not kept for other purposes covered by this policy, are in any case deleted after 5 years or, if earlier, in case of revocation of consent possibly also by means of an unsubscribe request at the link of the bottom of each newsletter.

Soft Spam: sending to the e-mail address provided by you, commercial communications relating to products or services similar to those already purchased. Each sending will allow you to refuse further mailings.

Legitimate interest of the Company.
5 years from the last purchase.

Profiling: sending of customized sales communications promotional actions/offers and services tailored to your needs/preferences, habits, behaviour patterns and interests. To this aim, we will analyse your purchases (including for example tickets and merchandising products), the participation in events and initiatives as well as online navigation (including through the use of databases in the controllership of third parties such as social networks of Meta, LinkedIn, X, etc.).
Consent of the data subject.

Processing is carried out until consent is revoked on the basis of personal data for the last 5 years.

Said data, if not kept for other purposes covered by this policy, are in any case deleted after 5 years or, if earlier, in case of revocation of consent.

Statistical analysis and classification: Data collected may be processed in a manner that is not fully automated for carrying out aggregate statistical analysis, which are not used to support measures or decisions regarding specific individuals (e.g., for marketing, predictive and behavioural models).

Legitimate interest of the Company.

The activity is carried out on the basis of personal data from the last 5 years.
Communication to Fondazione Milan Onlus: communication of non-sensitive data to Fondazione Milan Onlus in order to send institutional communications and information material via e-mail, telephone and/or printed mail related to the activities of Fondazione Milan Onlus.
Consent of the data subject.
Withdrawal of consent.
10. Compliance purposes and prevention of abuse and fraud
Legal obligations: processing of data, including data related to dispositions, in order to fulfil the obligations defined by national and supranational legislations in force (laws, regulations, including sector-related ones).

Execution of legal obligations to which the Company is subject.

Data shall be kept for as long as required by law from time to time.
Defence before the Court and recovery of extrajudicial expenses: all Data may be processed if necessary, ascertain, exercise or defend the rights of the Company before the Court or to recover claims against the data subject.

Legitimate interest of the Company to defend themselves in court against the data subject.
In the event of judicial litigation, for the entire duration of such action until the terms for appeals are attained.

Data processing is carried out electronically by means of collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Once the above storage terms have elapsed, Data will be destroyed or rendered anonymous, in keeping with technical cancellation and backup procedures. Kindly also note that the CRN Card has a microchip containing RFID technology, which allows the card to be read by the access turnstiles at the stadium from a distance varying between 1 and 10 centimetres. No data is stored at the turnstiles, which are only enabled to verify that the codes stored on the card match the costs for the event in question.

DATA CONFERMENT

Conferment of Data for the following purposes refers to:

1. Website

a.    Website Navigation: compulsory and necessary; failure to provide data may make it impossible to browse the Website;

b.    Registration in the reserved area of ​​the website and management of the account MyMilan: optional, but failure to provide it does not allow you to use of services exclusively accessible through the reserved area; non-conferment does not affect free navigation of site pages that do not require registration;

2. Stadium:

c.     Management of tickets – Purchase and issue of tickets and/or season tickets, Management of Supporter Card (CRN card), Issue of Passes and enforcement of the “Regulatory Code of the transfer of access tickets to football events”: compulsory and necessary for issuing tickets and/or season tickets, badges and passes, as well as to meet the contract and allow access to the Stadium; any refusal to provide data or incompleteness may make it impossible for the Company to provide services in their entirety and to comply with legal obligations;

d.    Authorization for Banners and/or Choreographies: compulsory obtain clearance for the display of banners: incomplete compilation of the form will not allow your request of authorization and it will not therefore be possible to display the banner;

3. Mondo Milan Museum:

e.    Purchase of tickets for access to the Mondo Milan Museum: mandatory to ensure the performance of contractual obligations of the Controller towards the data subject;

4. E-commerce:

f.    Purchase of products and management of the order: mandatory to ensure the performance of contractual obligations of the Controller towards the data subject;

5. Rossoneri Rewards:

g.   Participation to the loyalty program and invite a friend: it is mandatory in order to ensure the performance of contractual obligations of the Controller towards the data subject;

6. Waiting lists:

h.    Subscribing on the “ticket alert” and “waiting list” services: optional, but failure to provide it does not allow the data subject to be included in the list and to be contacted in advance of the opening of the sale of ticketing products;

7. Participation in initiatives and events:

i.    Disclosure of data related to participation in specific magazines: optional and non–conferment will not entail any consequences other than the impossibility of taking part in the magazines and, in this context, to share personal images and/or experiences;

j.      Participation in promotions, competitions and prize draws: optional, but failure to provide it does not allow the data subject to take part in promotions, competitions and prize draws;

k.      Registration for events: optional, but failure to provide it does not allow the data subject to request registration for events;

l.    Management of the photoboost with photo's printing: optional, but failure to provide it does not allow the data subject to use the service;

8. Support and assistance:

m.      Call you to support you in the purchasing of products or services and Support to the data subject: is optional, but failure to provide it will make it impossible to receive the requested assistance;

9. Carrying out promotional activities and statistical analyses:

n.  Direct Marketing, Soft Spam and Profiling: optional, but failure to provide it does not allow the data subject to receive promotions, discounts and commercial communications, including those appropriate to your needs/preferences, and to be informed about any marketing initiatives promoted by third party companies;

o.    Statistical analysis and classification: compulsory to pursue the Company legitimate interest in conducting statistical analysis, subject to the exercise of the right to object;

p.    Communication Fondazione Milan Onlus optional, but failure to provide it does not allow the data subject to receive institutional communications and informative material about the activities of Fondazione Milan Onlus;

10. Compliance purposes and prevention of abuse and fraud:

q.    Legal obligations: it is compulsory to allow the data controller to fulfil the obligations defined by applicable regulations and laws (laws, regulations, including by sector) on a national and supranational scale;

r.    Defence before the Court and recovery of extrajudicial expenses compulsory to ensure the legitimate interest of the data controller to defend itself in court and/or recover a claim against the data subject;

RECIPIENTS OF DATA

Data may be transferred to persons acting as processing managers, including particular:

a. Authorities and supervisory and control bodies and, in general, public or private entities having a right to request such data. In particular, for Ticket Management - Supporter Card Management (Cuore Rossonero Card), Enforcement of the “Regulatory Code of the transfer of access tickets to football events” and Authorisation for Banners and/or Choreographies, the Security Operative Unit (G.O.S.), State Police and Police Headquarters;

b. Lawyers, accountants, auditors;

c. Companies managing call centers relevant to the recording of phone calls to monitor the quality of the service. For info relevant to the names of the companies please see below.

d. Other Group Companies for the purposes indicated above.

Data may be processed, on behalf of the data controller, to allow the performance of the activities described above by persons appointed as data processing managers, including, in particular:

a. Companies that offer e-mailing services for marketing purposes;

b. Companies that handle website maintenance;

c. Companies that deal with goods shipment services;

d. Companies that provide support in carrying out market studies;

e. Companies that manage the online store and handle shipping and invoicing of products.

f. Companies that offer the photoboosting service

TRANSFER OF PERSONAL DATA

The Company may transfer Data outside the EU countries. If this happens, pursuant to privacy legislation, the Company evaluates the impact of data transfers and adopts, if applicable, the most appropriate guarantees (for example, adequacy decisions or Standard Contractual Clauses).

AUTHORISED DATA PROCESSING SUBJECTS
Data may be processed by employees of company departments responsible for achieving the foregoing purposes who have been expressly authorized to process such data and have received appropriate operating instructions.
RIGHTS OF THE DATA SUBJECT - COMPLAINTS TO THE CONTROL AUTHORITY

Company can be contacted by e-mail at privacy@acmilan.com, whereby data subjects:

• ask the data controller to confirm the existence or otherwise of data processing concerning them and, if so, to obtain access to such data as well as to information about processing, such as: purposes, the categories of personal data, recipients or categories of recipients to whom data may be communicated, the filing period, the existence of an automated decision-making process and the logic used, as well as the existence of appropriate assurances in the event of data transfer to a non-EU country;

• obtain updating, correction, integration or cancellation of data, as well as processing restrictions;

• oppose entirely or in part: a) for reasons associated with their specific circumstances, the processing of data for the legitimate interests of the Company; b) to the processing of personal data concerning them for the purposes of direct marketing and/or profiled marketing carried out using automated (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional (such as phone calls with operator and traditional mail) contact methods;

• to receive data in a widely used, structured format that can be read by an automatic device, and, if technically feasible, transmit them to another data controller without impediments ("right to data portability");

• withdraw any consent granted at any time.

Data subjects may also exercise the same rights by contacting Customer Care or the Company's Help Centre, as well as, limited to the rights to object to promotional activities and to withdraw consents, by accessing their MyMilan account or by using the appropriate unsubscribe and opt-out functionality made available by the Company in each communication sent.

Data subjects also have the right to send a complaint to the competent Supervisory Authority.


In addition, the Company appointed a Data Protection Officer (DPO), a specialist figure responsible for monitoring the procedures adopted by our Company to protect data. You can contact our DPO by writing to dpo@acmilan.com.

PRIVACY POLICY

PURSUANT TO (EU) REGULATION 2016/679 ("GDPR") AND TO THE NATIONAL LEGISLATION CONCERNING THE PROTECTION OF PERSONAL DATA IN FORCE

(ver. 20/11/2024)
DEFINITION OF "DATA"


"Data" means:

- Non-sensitive data: personal data processed by AC Milan S.p.A. during Site navigation following user registration, such as name, surname, gender, place/country and date of birth, contact language, e-mail address and password, physical address (domicile and / or residence), information about products/services purchased and any other data (such as tax code and payment information) required for the purchase and issue of tickets and/or season tickets and other data (photograph, residence, address) required in order to issue the Supporter Card (CRN Card); If you are a minor, the data processed will be non-sensitive data of the person who exercises parental responsibility;

 

- Browsing data: information acquired from computer systems and software procedures that is used to ensure routine operation of the Site; this information is not collected in order to be associated with identified data subjects but may, through processing and association with data held by third parties, allow identification of users; this category of data includes IP addresses or domain names of computers used by users who connect to the site, URI addresses (Uniform Resource Identifier) of requested resources, the time of the request, the method utilized to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc..) and other parameters related to the operating system and the IT environment of the user. You can find more information about the processing of such data within the Cookie Policy;


- Data related to “Regulatory Code of the transfer of access tickets to football events”: Data related to breaches of the this "Code" adopted by AC Milan S.p.A.

DATA SOURCE AND CATEGORIES OF DATA COLLECTED c/o THIRD PARTIES
Data are collected from the data subject (and thereby directly made available by you) while navigating the web site and any other web sites in which this Privacy Policy is published, as well as within the scope of services and products provided by them. Data relating to dispositions, on the other hand, may be communicated to AC Milan S.p.A by the competent authorities.
Data are processed by AC Milan S.p.A. as data controller of the processing for:
1. Management of activities on the Website
PURPOSES OF PROCESSING
Website Navigation: navigation data are only used to obtain anonymous statistical information about the use of the web site and to verify correct operation. Navigation data may be used to ascertain responsibility in the event of possible computer crimes against the Website.
LAWFULNESS OF PROCESSING

Legitimate interest of the Company.
DATA RETENTION PERIOD
Navigation data are deleted immediately after processing or made anonymous.
PURPOSES OF PROCESSING

Registration in the confidential area of the web site and management of the account MyMilan: non-sensitive data (i.e. name, surname, place and date of birth, gender, e-mail) are used for the creation and the management of the account, necessary to access all areas and services of the Website exclusively for registered users.
LAWFULNESS OF PROCESSING
Required in order to execute a request by the data subject or fulfil contractual obligations.
DATA RETENTION PERIOD
For the duration of the contract and thereby until the user closes the account.
2. Purchase of tickets and/or season tickets and access to the Stadium for matches
PURPOSES OF PROCESSING

Ticket management - Purchase and issuing tickets: non-sensitive data such as an example name, surname, gender, place / country, address and date of birth and tax code are processed for the issue of the ticket and / or season ticket and the provision of related services, comprehending possible refunds or donations. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.
LAWFULNESS OF PROCESSING
Fulfilment of contractual obligations.


Fulfilment of a legal obligation to which 
the data controller is subject.
DATA RETENTION PERIOD

5 years from the end of the sporting season to which the ticket refers.
PURPOSES OF PROCESSING

Ticket Management – Management of the CRN Card: the non-sensitive data required for the CRN Card are processed for the purpose of issuing and activating the provision of services, facilities and privileges connected with it (such as, for example but not limited to, pre-sales, promotions on tickets for AC Milan SpA home matches, dedicated events, discounts on services and products), made available at the discretion of the AC Milan SpA, including the sending of communications (also by electronic means) strictly pertaining to the contractual relationship and the benefits deriving therefrom, as well as the management of specific user requests. In particular, the identification document and your photo image are required for the identification of the buyer in the case of online purchase. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.
LAWFULNESS OF PROCESSING

Fulfilment of contractual obligations.


Legitimate interest of the Company.


Fulfilment of a legal obligation to which the data controller is subject.
DATA RETENTION PERIOD

5 years from the end of the last sporting season to which the Card refers for possible administrative checks and/or for the management of a court litigation.


The identity documents collected for identification will be stored until the procedure required for CRN Card is completed.
PURPOSES OF PROCESSING
Ticket management – Issue of passes release: non-sensitive data such as name, surname, place and date of birth, job and company, are required and processed for the issue of the passes for the subjects who must enter the stadium for service reasons. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.
LAWFULNESS OF PROCESSING
Fulfilment of contractual obligations.
DATA RETENTION PERIOD
For the duration of the current season.
PURPOSES OF PROCESSING
Authorization requests to Banners and / or choreographies: non-sensitive data are processed review the requests also by forwarding the content of the banner to the competent Authorities for the purposes of the release of the authorization.
LAWFULNESS OF PROCESSING

Compliance with a legal obligation to which Company is subject.
DATA RETENTION PERIOD
For the duration of the current season
PURPOSES OF PROCESSING
Application of the Code of Regulation for the transfer of admission ticket to football events: non-sensitive data relating to official measures of those who access the Stadium are treated for verify compliance with the Code of Regulation of the transfer of admission tickets to football events enforced by AC Milan S.p.A. and to prevent entry to those who violate this code. The data of those who are not allowed to enter at the Stadium they are kept in a black-list.
LAWFULNESS OF PROCESSING

Compliance with a legal obligation to which the Company is subject. 
DATA RETENTION PERIOD

Data refers to legal provision collected in connection with the Code of Regulations for the transfer of admission titles to football event will be stored for 10 years after collection in order to comply with obligations to assess the possible re-offense.
3. E-commerce
PURPOSES OF PROCESSING

Purchase of tickets for access to the Mondo Milan Museum: Personal Data are processed to allow the purchase of tickets for access to the Mondo Milan Museum.
LAWFULNESS OF PROCESSING

Fulfilment of contractual obligations.
DATA RETENTION PERIOD

5 years from the time of purchase.
4. E-commerce
PURPOSES OF PROCESSING
Purchase of products or services: non-sensitive data (e.g. name, surname, e-mail address, residence address, telephone) are required in order to execute purchases, ensure shipment of purchased products (and related commercial invoices), notify the user about transactions made, purchase tickets for entry into the Stadium and purchase tickets.
LAWFULNESS OF PROCESSING
Fulfilment of contractual obligations.
DATA RETENTION PERIOD

10 years from the date of purchase and/or termination of the contract.
5. Rossoneri Rewards
PURPOSES OF PROCESSING

Participation in the loyalty programme: Personal Data is processed to enable participation in the loyalty programme, to receive communications relating to it, to collect and use points by using discounts and benefits. etc..
LAWFULNESS OF PROCESSING

Fulfilment of contractual obligations.
DATA RETENTION PERIOD

Except in the case of litigation - which results in data being retained for the duration of the statutory limitation period - Personal Data is retained for 10 years from the time of purchase. In the event that no purchase is made as part of participation in the loyalty programme, the Personal Data is deleted at the time of unsubscription from the programme.
PURPOSES OF PROCESSING

Invite a friend: each participant in the loyalty programme may indicate any friends, whose e-mail address he/she provides, to share coupons, discounts or other benefits governed by the regulations from time to time.
LAWFULNESS OF PROCESSING

Fulfilment of contractual obligations.
DATA RETENTION PERIOD

The e-mail address of the friend identified by the participant is kept for as long as the coupon, discount or other benefit is valid.
6. Waiting lists
PURPOSES OF PROCESSING

Subscribing on the “ticket alert” and “waiting list” services: by clicking on the specific button in the dedicated online forms (e.g., “alert me”, “subscribe and contact me”, “continue”, “updates”, “notify me”, etc.) the user is entitled to request the receipt of e-mail alerts and information (relating, for example, to the opening of the sale of tickets for the selected match/s and/or the opening of the sales phases for the selected campaign/s and/or the opening of the sales phase for the selected campaign/s)- These services may be reserved for MyMilan members only
LAWFULNESS OF PROCESSING

Fulfilment of pre-contractual/service obligations.
DATA RETENTION PERIOD

Personal data are processed for as long as necessary to send information about the selected event(s) and/or sales campaign(s) and/or e-commerce products and are consequently deleted within a maximum of 1 week after the event has taken place or the communication has been sent.
7. Participation in initiatives and events
PURPOSES OF PROCESSING

Disclosure of data related to the participation in specific magazines: any non-sensitive data provided and images and/or personal experiences shared if involved in specific magazines dedicated to supporters and their stories may be disclosed, following acceptance of a specific release/waiver, published on Internet web sites including social networks, on press and/or any other media.
LAWFULNESS OF PROCESSING
Consent of the data subject.
DATA RETENTION PERIOD
Personal data, images and/or personal experiences shared are stored until consent is withdrawn.
PURPOSES OF PROCESSING

Participation in promotions, competitions and prize contests: Non-sensitive data required will be processed for involvement in the initiative. Any further detailed information on the processing of personal data and the related means carried out on the occasion of each different initiative will be provided in the context of the regulations of that initiative or in dedicated privacy policies.
LAWFULNESS OF PROCESSING
Fulfilling contractual obligations.
DATA RETENTION PERIOD

5 years from the termination of the initiative.
PURPOSES OF PROCESSING

Registration for events: non-sensitive data provided also through dedicated forms, will be used for registration requests and for the management of entry lists.
LAWFULNESS OF PROCESSING
Fulfilling contractual obligations.
DATA RETENTION PERIOD

The date are cancelled at the end of the relevant event.
PURPOSES OF PROCESSING

Management of the photoboost with photo's printing: the collection of the image is through the use of Totem or by dedicated operators. The sending of the image(s) in digital format is through the user's e-mail address.

LAWFULNESS OF PROCESSING

Service purposes.
DATA RETENTION PERIOD

The image is not stored but deleted immediately after printing of the photo unless the data subject requests to receive a copy via email. In this case, the image is stored for 10 days from the collection for sending in digital format.
8. Support and assistance
PURPOSES OF PROCESSING

Call you to support you in the purchasing of products or services: by clicking on the "Let’s go" button, common data (e.g. name, surname, phone number, e-mail) are processed to: (i) let you to send a request of information and to be called through the dedicated form; (ii) call you one time useful by telephone in order to propose products or services provided by the Company.
LAWFULNESS OF PROCESSING
Consent of the data subject.
DATA RETENTION PERIOD
For the term needed to call you.
PURPOSES OF PROCESSING

Support to the data subject: non-sensitive data are processed in order to recognize the data subject and thereby provide assistance in response to specific requests of the said party regarding products or services provided by the Company or in order to optimize the use of services and send service notices regarding the user’s profile. Support can be provided through all the different channels made available by the Company (e.g. Help Centre).
LAWFULNESS OF PROCESSING

Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract in order to fulfil a data subject’s request or to improve user services and meet user expectations.
DATA RETENTION PERIOD

No more than 10 years from the date of purchase and/or termination of the contract.
9. Carrying out promotional activities and statistical analyses
PURPOSES OF PROCESSING

Direct Marketing sending by the Company using automated contact (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional methods (such as telephone calls with operator and surface mail) promotional and commercial communications and/or newsletter relating to the products/services offered by the Company and its partners (an updated list of which is available on the dedicated page of the website) disseminated to all fans, as well as customer satisfaction surveys, market surveys.

In addition, the e-mail address is processed for sending newsletters on news, initiatives and promotions of the Company after clicking on the “Subscription” button to subscribe to the newsletter, as well as for sending “Cart Recovery” communications in case of failure to complete the e-commerce process.
LAWFULNESS OF PROCESSING
Consent of the data subject.
DATA RETENTION PERIOD

Processing is carried out until consent is revoked on the basis of personal data for the last 5 years.

Said data, if not kept for other purposes covered by this policy, are in any case deleted after 5 years or, if earlier, in case of revocation of consent possibly also by means of an unsubscribe request at the link of the bottom of each newsletter.
PURPOSES OF PROCESSING

Soft Spam: sending to the e-mail address provided by you, commercial communications relating to products or services similar to those already purchased. Each sending will allow you to refuse further mailings.
LAWFULNESS OF PROCESSING

Legitimate interest of the Company.
DATA RETENTION PERIOD
5 years from the last purchase.
PURPOSES OF PROCESSING

Profiling: sending of customized sales communications promotional actions/offers and services tailored to your needs/preferences, habits, behaviour patterns and interests. To this aim, we will analyse your purchases (including for example tickets and merchandising products), the participation in events and initiatives as well as online navigation (including through the use of databases in the controllership of third parties such as social networks of Meta, LinkedIn, X, etc.).
LAWFULNESS OF PROCESSING
Consent of the data subject.
DATA RETENTION PERIOD

Processing is carried out until consent is revoked on the basis of personal data for the last 5 years.

Said data, if not kept for other purposes covered by this policy, are in any case deleted after 5 years or, if earlier, in case of revocation of consent.
PURPOSES OF PROCESSING

Statistical analysis and classification: Data collected may be processed in a manner that is not fully automated for carrying out aggregate statistical analysis, which are not used to support measures or decisions regarding specific individuals (e.g., for marketing, predictive and behavioural models).
LAWFULNESS OF PROCESSING

Legitimate interest of the Company.
DATA RETENTION PERIOD

The activity is carried out on the basis of personal data from the last 5 years.
PURPOSES OF PROCESSING
Communication to Fondazione Milan Onlus: communication of non-sensitive data to Fondazione Milan Onlus in order to send institutional communications and information material via e-mail, telephone and/or printed mail related to the activities of Fondazione Milan Onlus.
LAWFULNESS OF PROCESSING
Consent of the data subject.
DATA RETENTION PERIOD
Withdrawal of consent.
10. Compliance purposes and prevention of abuse and fraud
PURPOSES OF PROCESSING
Legal obligations: processing of data, including data related to dispositions, in order to fulfil the obligations defined by national and supranational legislations in force (laws, regulations, including sector-related ones).
LAWFULNESS OF PROCESSING

Execution of legal obligations to which the Company is subject.
DATA RETENTION PERIOD

Data shall be kept for as long as required by law from time to time.
PURPOSES OF PROCESSING
Defence before the Court and recovery of extrajudicial expenses: all Data may be processed if necessary, ascertain, exercise or defend the rights of the Company before the Court or to recover claims against the data subject.
LAWFULNESS OF PROCESSING

Legitimate interest of the Company to defend themselves in court against the data subject.
DATA RETENTION PERIOD
In the event of judicial litigation, for the entire duration of such action until the terms for appeals are attained.

Data processing is carried out electronically by means of collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Once the above storage terms have elapsed, Data will be destroyed or rendered anonymous, in keeping with technical cancellation and backup procedures. Kindly also note that the CRN Card has a microchip containing RFID technology, which allows the card to be read by the access turnstiles at the stadium from a distance varying between 1 and 10 centimetres. No data is stored at the turnstiles, which are only enabled to verify that the codes stored on the card match the costs for the event in question.

DATA CONFERMENT

Conferment of Data for the following purposes refers to:

1. Website

a.    Website Navigation: compulsory and necessary; failure to provide data may make it impossible to browse the Website;

b.    Registration in the reserved area of ​​the website and management of the account MyMilan: optional, but failure to provide it does not allow you to use of services exclusively accessible through the reserved area; non-conferment does not affect free navigation of site pages that do not require registration;

2. Stadium:

c.     Management of tickets – Purchase and issue of tickets and/or season tickets, Management of Supporter Card (CRN card), Issue of Passes and enforcement of the “Regulatory Code of the transfer of access tickets to football events”: compulsory and necessary for issuing tickets and/or season tickets, badges and passes, as well as to meet the contract and allow access to the Stadium; any refusal to provide data or incompleteness may make it impossible for the Company to provide services in their entirety and to comply with legal obligations;

d.    Authorization for Banners and/or Choreographies: compulsory obtain clearance for the display of banners: incomplete compilation of the form will not allow your request of authorization and it will not therefore be possible to display the banner;

3. Mondo Milan Museum:

e.    Purchase of tickets for access to the Mondo Milan Museum: mandatory to ensure the performance of contractual obligations of the Controller towards the data subject;

4. E-commerce:

f.    Purchase of products and management of the order: mandatory to ensure the performance of contractual obligations of the Controller towards the data subject;

5. Rossoneri Rewards:

g.   Participation to the loyalty program and invite a friend: it is mandatory in order to ensure the performance of contractual obligations of the Controller towards the data subject;

6. Waiting lists:

h.    Subscribing on the “ticket alert” and “waiting list” services: optional, but failure to provide it does not allow the data subject to be included in the list and to be contacted in advance of the opening of the sale of ticketing products;

7. Participation in initiatives and events:

i.    Disclosure of data related to participation in specific magazines: optional and non–conferment will not entail any consequences other than the impossibility of taking part in the magazines and, in this context, to share personal images and/or experiences;

j.      Participation in promotions, competitions and prize draws: optional, but failure to provide it does not allow the data subject to take part in promotions, competitions and prize draws;

k.      Registration for events: optional, but failure to provide it does not allow the data subject to request registration for events;

l.    Management of the photoboost with photo's printing: optional, but failure to provide it does not allow the data subject to use the service;

8. Support and assistance:

m.      Call you to support you in the purchasing of products or services and Support to the data subject: is optional, but failure to provide it will make it impossible to receive the requested assistance;

9. Carrying out promotional activities and statistical analyses:

n.  Direct Marketing, Soft Spam and Profiling: optional, but failure to provide it does not allow the data subject to receive promotions, discounts and commercial communications, including those appropriate to your needs/preferences, and to be informed about any marketing initiatives promoted by third party companies;

o.    Statistical analysis and classification: compulsory to pursue the Company legitimate interest in conducting statistical analysis, subject to the exercise of the right to object;

p.    Communication Fondazione Milan Onlus optional, but failure to provide it does not allow the data subject to receive institutional communications and informative material about the activities of Fondazione Milan Onlus;

10. Compliance purposes and prevention of abuse and fraud:

q.    Legal obligations: it is compulsory to allow the data controller to fulfil the obligations defined by applicable regulations and laws (laws, regulations, including by sector) on a national and supranational scale;

r.    Defence before the Court and recovery of extrajudicial expenses compulsory to ensure the legitimate interest of the data controller to defend itself in court and/or recover a claim against the data subject;

RECIPIENTS OF DATA

Data may be transferred to persons acting as processing managers, including particular:

a. Authorities and supervisory and control bodies and, in general, public or private entities having a right to request such data. In particular, for Ticket Management - Supporter Card Management (Cuore Rossonero Card), Enforcement of the “Regulatory Code of the transfer of access tickets to football events” and Authorisation for Banners and/or Choreographies, the Security Operative Unit (G.O.S.), State Police and Police Headquarters;

b. Lawyers, accountants, auditors;

c. Companies managing call centers relevant to the recording of phone calls to monitor the quality of the service. For info relevant to the names of the companies please see below.

d. Other Group Companies for the purposes indicated above.

Data may be processed, on behalf of the data controller, to allow the performance of the activities described above by persons appointed as data processing managers, including, in particular:

a. Companies that offer e-mailing services for marketing purposes;

b. Companies that handle website maintenance;

c. Companies that deal with goods shipment services;

d. Companies that provide support in carrying out market studies;

e. Companies that manage the online store and handle shipping and invoicing of products.

f. Companies that offer the photoboosting service

TRANSFER OF PERSONAL DATA

The Company may transfer Data outside the EU countries. If this happens, pursuant to privacy legislation, the Company evaluates the impact of data transfers and adopts, if applicable, the most appropriate guarantees (for example, adequacy decisions or Standard Contractual Clauses).

AUTHORISED DATA PROCESSING SUBJECTS
Data may be processed by employees of company departments responsible for achieving the foregoing purposes who have been expressly authorized to process such data and have received appropriate operating instructions.
RIGHTS OF THE DATA SUBJECT - COMPLAINTS TO THE CONTROL AUTHORITY

Company can be contacted by e-mail at privacy@acmilan.com, whereby data subjects:

• ask the data controller to confirm the existence or otherwise of data processing concerning them and, if so, to obtain access to such data as well as to information about processing, such as: purposes, the categories of personal data, recipients or categories of recipients to whom data may be communicated, the filing period, the existence of an automated decision-making process and the logic used, as well as the existence of appropriate assurances in the event of data transfer to a non-EU country;

• obtain updating, correction, integration or cancellation of data, as well as processing restrictions;

• oppose entirely or in part: a) for reasons associated with their specific circumstances, the processing of data for the legitimate interests of the Company; b) to the processing of personal data concerning them for the purposes of direct marketing and/or profiled marketing carried out using automated (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional (such as phone calls with operator and traditional mail) contact methods;

• to receive data in a widely used, structured format that can be read by an automatic device, and, if technically feasible, transmit them to another data controller without impediments ("right to data portability");

• withdraw any consent granted at any time.

Data subjects may also exercise the same rights by contacting Customer Care or the Company's Help Centre, as well as, limited to the rights to object to promotional activities and to withdraw consents, by accessing their MyMilan account or by using the appropriate unsubscribe and opt-out functionality made available by the Company in each communication sent.

Data subjects also have the right to send a complaint to the competent Supervisory Authority.


In addition, the Company appointed a Data Protection Officer (DPO), a specialist figure responsible for monitoring the procedures adopted by our Company to protect data. You can contact our DPO by writing to dpo@acmilan.com.