Ticket Management – Management of the CRN Card: the non-sensitive data required for the Carta Cuore Rossonero are processed for the purpose of issuing and activating the provision of services, facilities and privileges connected with it (such as, for example but not limited to, pre-sales, promotions on tickets for AC Milan SpA home matches, dedicated events, discounts on services and products), made available at the discretion of the AC Milan SpA, including the sending of communications (also by electronic means) strictly pertaining to the contractual relationship and the benefits deriving therefrom, as well as the management of specific user requests. In particular, the identification document and your photo image are required for the identification of the buyer in the case of online purchase. The non-sensitive data are disseminated to the central system of Police Headquarters in order to verify the existence of offenses and crimes that could inhibit access to the Stadium pursuant to the Italian Ministerial Decree 15 August 2009.

Fulfilment of contractual obligations.

Legitimate interest of the Company.

Fulfilment of a legal obligation to which the data controller is subject.

10 years from the end of the sporting season to which the Card refers for possible administrative checks and/or for the management of a court litigation.

The identity documents collected for identification will be stored until the procedure required for CRN Card is completed.

Compliance with a legal obligation to which the Company is subject. 

Data refers to legal provision collected in connection with the Code of Regulations for the transfer of admission titles to football event will be stored for 10 years after collection in order to comply with obligations to assess the possible re-offense.

Compliance with a legal obligation to which Company is subject.

Legitimate interest of the Company.

Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract in order to fulfil a data subject’s request or to improve user services and meet user expectations.

10 years from the date of purchase and/or termination of the contract.

Call you to support you in the purchasing of products or services: by clicking on the "Let’s go" button, common data (e.g. name, surname, phone number, e-mail) are processed to: (i) let you to send a request of information and to be called through the dedicated form; (ii) call you one time useful by telephone in order to propose products or services provided by the Company.

10 years from the date of purchase and/or termination of the contract.

Disclosure of data related to the participation in specific magazines: any non-sensitive data provided and images and/or personal experiences shared if involved in specific magazines dedicated to supporters and their stories may be disclosed, following acceptance of a specific release/waiver, published on Internet web sites including social networks, on press and/or any other media.

5 years from the termination of the initiative.

Registration for events: non-sensitive data provided also through dedicated forms, will be used for registration requests and for the management of entry lists.

The date are cancelled at the end of the relevant event.

Direct Marketing sending by the Company using automated contact (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional methods (such as telephone calls with operator and surface mail) promotional and commercial communications and/or newsletter relating to the products/services offered by the Company and its partners disseminated to all fans, as well as customer satisfaction surveys, market surveys.

Furthermore, the e-mail address is processed to send newsletters, by clicking on the “Subscribe me” button, on news, initiatives and promotions of the Data Controllers.

Withdrawal of consent. Data are stored for 5 years from collection and in any case, until consent is revoked, carried out by means of an unsubscribe request at the link of the bottom of each newsletter.

Soft Spam: sending to the e-mail address provided by you, commercial communications relating to products or services similar to those already purchased. Each sending will allow you to refuse further mailings.

Legitimate interest of the Company.

Profiling: sending of customized sales communications promotional actions/offers and services tailored to your needs/preferences, habits, behaviour patterns and interests. To this aim, we will analyse your purchases (including for example tickets and merchandising products), the participation in events and initiatives as well as online navigation.

Execution of legal obligations to which the Company is subject.

10 years from collection.

Legitimate interest of the Company.

5 years from collection.

Legitimate interest of the Company to defend themselves in court against the data subject.

Use of Meta Business Tools for Targeted Advertising: navigation data are processed by the Company and Meta Platforms Ireland Limited to promote targeted advertising based on measuring the level of interaction between the websites visited based on the data subject's preferences and targeted advertising within the social network through Meta Business Tools (i.e. only, Cookies, plug-ins and Pixels). Further information on how Meta Platforms Ireland Limited processes the Data, including the lawfulness of processing of processing and means of granting the data subject's rights, may be found in Meta Platforms Ireland Limited's Data Policy at https://www.facebook.com/about/privacy.

Data are stored for term provided by each Meta Business Tool implemented. Please you may find 

more information to Data Policy available at the following link https://www.facebook.com/about

/privacy.

Data processing is carried out electronically by means of collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Once the above storage terms have elapsed, Data will be destroyed or rendered anonymous, in keeping with technical cancellation and backup procedures. Kindly also note that the CRN Card has a microchip containing RFID technology, which allows the card to be read by the access turnstiles at the stadium from a distance varying between 1 and 10 centimetres. No data is stored at the turnstiles, which are only enabled to verify that the codes stored on the card match the costs for the event in question.

Conferment of Data for the following purposes:

a. Website Navigation: compulsory and necessary; failure to provide data may make it impossible to browse the Website;

b. Registration in the reserved area of the website and management of the account: compulsory for registration with the site and use of services exclusively accessible through the reserved area; non-conferment does not affect free navigation of site pages that do not require registration;

c. Online purchase of products and services, assistance for data subject: compulsory to ensure fulfilment of contractual obligations of the data controller as regards the data subject (such as shipment of goods purchased through the online store, release/mailing of the Cuore Rossonero Card);

d. Management of tickets – Purchase and issue of tickets and/or season tickets, Management of Supporter Card (CRN card), Issue of Passes and enforcement of the “Regulatory Code of the transfer of access tickets to football events”: compulsory and necessary for issuing tickets and/or season tickets, badges and passes, as well as to meet the contract and allow access to the Stadium; any refusal to provide data or incompleteness may make it impossible for the Company to provide services in their entirety and to comply with legal obligations;

e. Authorization for Banners and/or Choreographies: compulsory obtain clearance for the display of banners: incomplete compilation of the form will not allow your request of authorization and it will not therefore be possible to display the banner;

f. Disclosure of data related to participation in specific magazines: optional and non–conferment will not entail any consequences other than the impossibility of taking part in the magazines and, in this context, to share personal images and/or experiences;

g. Participation in promotions, competitions and prize draws: compulsory, non–conferment will not entail any consequences other than the impossibility of taking part in promotions, competitions and prize draws;

h. Legal obligations: it is compulsory to allow the data controller to fulfil the obligations defined by applicable regulations and laws (laws, regulations, including by sector) on a national and supranational scale;

i. Statistical analysis: compulsory to pursue the Company legitimate interest in conducting statistical analysis, subject to the exercise of the right to object;

j. Defence before the Court and recovery of extrajudicial expenses compulsory to ensure the legitimate interest of the data controller to defend itself in court and/or recover a claim against the data subject;

k. Call me: is optional and non-conferment will not allow you to send request of information and to be contacted in order to grant you support in the purchasing of product or services through the dedicated form provided;

l. Direct Marketing, Profiled Marketing, Third Party Marketing optional and non-conferment will not entail any consequence other than not being able to receive promotions, discounts and commercial communications, including those appropriate to your needs/preferences, and to be informed about any marketing initiatives promoted by third party companies;

m. Communication Fondazione Milan Onlus optional and non-conferment will not entail any consequence other than not being able to receive institutional communications and informative material about the activities of Fondazione Milan Onlus;

n. Use of Meta Business Tools for targeted advertising: is optional and non-conferment will not result in any consequences except the impossibility to receive targeted advertising based on interactions with websites visited. 

Data may be transferred to persons acting as processing managers, including particular:

a. Authorities and supervisory and control bodies and, in general, public or private entities having a right to request such data. In particular, for Ticket Management - Supporter Card Management (Cuore Rossonero Card), Enforcement of the “Regulatory Code of the transfer of access tickets to football events” and Authorisation for Banners and/or Choreographies, the Security Operative Unit (G.O.S.), State Police and Police Headquarters;

b. Lawyers, accountants, auditors;

c. Companies managing call centers relevant to the recording of phone calls to monitor the quality of the service. For info relevant to the names of the companies please see below.

d. Other Group Companies for the purposes indicated above.

Data may be processed, on behalf of the data controller, to allow the performance of the activities described above by persons appointed as data processing managers, including, in particular:

a. Companies that offer e-mailing services for marketing purposes;

b. Companies that handle website maintenance;

c. Companies that deal with goods shipment services;

d. Companies that provide support in carrying out market studies;

e. Companies that manage the online store and handle shipping and invoicing of products.

Data will not be disclosed and will not be transferred to non-EU countries. Should this occur, in order to ensure a suitable level of Personal Data protection, the transfer will only be made on the basis of EU decisions relevant to the suitability of the protection or the enforcement, by the Company of the Standard Contractual Clauses required by the European Commission.

Company can be contacted by e-mail at privacy@acmilan.com, whereby data subjects:

• ask the data controller to confirm the existence or otherwise of data processing concerning them and, if so, to obtain access to such data as well as to information about processing, such as: purposes, the categories of personal data, recipients or categories of recipients to whom data may be communicated, the filing period, the existence of an automated decision-making process and the logic used, as well as the existence of appropriate assurances in the event of data transfer to a non-EU country;

• obtain updating, correction, integration or cancellation of data, as well as processing restrictions;

• oppose entirely or in part: a) for reasons associated with their specific circumstances, the processing of data for the legitimate interests of the Company; b) to the processing of personal data concerning them for the purposes of direct marketing and/or profiled marketing carried out using automated (such as text messages, e-mails, social networks, instant messaging apps, push notifications) and conventional (such as phone calls with operator and traditional mail) contact methods;

• to receive data in a widely used, structured format that can be read by an automatic device, and, if technically feasible, transmit them to another data controller without impediments ("right to data portability");

• withdraw any consent granted at any time. Data subjects also have the right to send a complaint to the competent Supervisory Authority.

In addition, the Company have appointed a Data Protection Officer (DPO), a specialist figure responsible for monitoring the procedures adopted by our Company to protect data. You can contact our DPO by writing to dpo@acmilan.com.