Privacy Policy

In this Privacy Policy, we use the term “FC Como Women” (and “we”, “us” and “our”) to refer to FC Como Women Srl. Full details about FC Como Women Srl are provided in the “Legal notice” section below. 

The user's personal data are used by SSD FC COMO WOMEN SRL, which is the data controller, remains in compliance with the principles of personal data protection established by the GDPR Regulation 2016/697.

Introduction

FC Como Women Srl (hereafter referred to as “FC Como Women”, “we”, “us” and “our”), is the data controller for the personal information we process. We recognise that your privacy is important and consequently we are committed to protecting it. This Privacy Policy explains what personal information we process about you when you:

  • purchase our products or services such as tickets, memberships and merchandise;
  • attend events or home matches;
  • use our web site or the Stadium wifi facilities;
  • communicate with us by email, telephone or on social media;
  • subscribe to our direct marketing communications;
  • interact with us as a representative of our suppliers or partners.
Other websites

Our websites and digital platforms may contain links to other websites which are outside our control and are not covered by this Privacy Policy. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy policy, which may differ from ours.

How to contact us about this Privacy Policy

We have a Data Protection Officer (DPO) who you can contact if you have questions about this Privacy Policy or about your personal data in general. Please write to:

Data Protection Officer,

FC Como Women Srl, 

Via Alessandro Volta, 62, 

22100 Como (CO), 

Italy

Alternatively email: dpo@comowomen.it


Personal information we process and what we use it for

FC Como Women will only process your personal information for the purposes outlined in the following sections. If these purposes change over time or we want to use data for a new purpose which we did not originally anticipate, we will only go ahead if the new purpose is closely related to the original purpose. If the new purpose is incompatible with the original purpose, we will seek your specific consent for the new purpose; or if a clear legal provision exists requiring or allowing the new processing in the public interest, we will inform you accordingly.

Visitors to our website

You can access and browse our websites without the need for you to actively provide us with your personal data. However, you will need to register a user account in order to purchase tickets, memberships or coaching courses (see “Registering on our websites” for more information).

When you visit our website, we automatically collect information about your device and about your visit. This helps us to better understand how you use our digital platforms and enables us to design our site to better suit our your needs whilst also creating better, more personalised content which improves your experience for future visits. The information we collect includes:

  • how you have reached our digital platform, the internet protocol (IP) address you have used, and the MAC address of your device
  • your operating system, browser type, versions and plug-ins
  • your journey through our digital platform, including which links you click on and any searches you made, how long you stayed on a page, and other page interaction information
  • photos you share with us
  • videos you have watched and the duration
  • offers you have redeemed
  • what content you like or share
  • which adverts you saw and responded to
  • which pop up or push messages you might have seen and responded to
  • your current subscription status
  • information collected in any forms you complete
  • location based services
  • ticketed access to our venues
  • We may also infer your country of location from the IP address you have used to access our digital platforms.
Cookies

Some of this information is collected by cookies which are small text files that store basic information that a website can use to track on-line traffic flows, recognise repeat site visits and record information about your on-line preferences. They often include an anonymous unique identifier that is sent to your browser from our websites, which is then stored on your computer's hard drive. Cookies do not attach to your system and damage your files but observe user behaviour and compile aggregate data that we then use to improve web services. We also use cookies to measure the effectiveness of advertising.

For further, more detailed information on how we use cookies, please refer to our Cookie Policy.

The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests. The only exception to this is the placement of non-essential cookies on your devices where we rely on article 6(1)(f) of the GDPR which requires us to obtain your consent.

Purchasing our products or services

We need to process your personal data in order to provide you with the products and services you purchase from us. If you have already registered an account, then we will use the information you provided during the registration process to deliver and communicate with you about your purchase. In addition to this, we will need to collect your payment card details in order to process payment

The legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party.

Depending on the service or product you have purchased, we may also need to collect additional information such as:

  • details of any disability or access requirement when you purchase a ticket for an event or service which will take place at the stadium or any of our other locations. This enables us to make reasonable adjustments to make your visit safe and comfortable and compliant with the Equality Act 2010. The legal bases we rely on for this are article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation and article 9(2)(b) as the processing is necessary for the purposes of carrying out our obligations in the field of social security and social protection law.
  • details about any medical conditions you may have when you enrol in one of our coaching courses. We have a duty of care for all participants that enrol in our coaching courses. Processing this information enables us to administer appropriate first aid in the event that participants are injured or taken ill whilst on our premises. The legal bases we rely on are article 6(1)(a) and 9(2)(a) which require us to obtain your explicit consent.
  • details about your vehicle where the product or service you have purchased entitles you to a parking space. The legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party.
  • When you scan your ticket using a mobile device to enter the Stadium, we process this information to keep a record of who is in the Stadium. This is because we are legally required, for health and safety purposes, to know who is on our premises. 
Fraud screening and prevention

Sometimes where there is suspicion of illegal activity such as fraud or ticket touting, we will ask you to provide a copy of an identity document such as a passport. This is usually only necessary for overseas customers and some domestic customers where the value of the purchase exceeds a threshold or where the delivery address is different to the card address.

In addition, we may keep the personal information of individuals suspected of suspicious purchasing and touting activity. This information may be shared with other clubs and local law enforcement agencies as we attempt to protect the public against seriously improper conduct.

We also requested copies of identity documents for ticket holder name changes i.e. maiden to marital surname, to verify the name change and ultimately to prevent tickets being reallocated to different people. 

When we have completed the check process, we delete the copies.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data for our legitimate interests. In this case our legitimate interests are protecting us and our customers against fraud.

Stadium wifi

When you attend the Stadium we provide an open wifi network for your use. We may ask you for any personal information, such as your name or email address, when you connect to the wifi but we have to collect your device’s IP address and MAC address in order to facilitate your connection. We retain these two pieces of information for the duration of a season. At the end of each season we delete all such data from the wifi system. 

We also operate a web filtering system which blocks access to indecent or malicious websites that could pose a security threat to our wifi network. The filtering system will collect information about the websites you visit whilst you are using our wifi network. We retain this information for 1 month in order to assist us with any investigations into the mis-use the wifi network or any security incidents.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

This information is not personally identifiable and we do not combine it with other data you may have provided us through your other interactions with us. Consequently, this data remains.

Direct marketing and market research

When you register your account on our website or sign up to receive communications, we ask you to set your contact preferences for marketing and market research communications from us and our partners. These settings are opted out by default meaning that we and our partners will only send you such communications where you actively opt-in.

We also include the option to opt-in to marketing and market research communications on some of our online forms i.e. competitions and quizzes. Again, we will only ever send you these communications if you opt-in.

For research purposes, when sending communications that individuals have opted in to receive, we may track the open and click through rates. This activity helps us to measure the success of campaigns for those who have provided their consent to receive marketing materials, and for specific Club updates for those individuals who have an existing relationship with the Club and are therefore receiving information as a legitimate interest. This activity can be disabled through opting out at any time.

If you do opt-in and you later change your mind, we provide an unsubscribe link at the bottom of every marketing communication. You can also object to marketing communications by contacting our Data Protection Officer.

The legal basis we rely on to process this data is article 6(1)(a) of the GDPR, which allows us to process personal data with your consent.

Competitions, voting, and quizzes

From time to time we will run competitions, votes and quizzes. When you take part in these activities we may ask you for some basic personal information to enable us to administer the competition, vote or quiz. This will usually consist of your name and email address which we will need in order to contact you if you win. 

As stated in the Direct Marketing section, we will not use this information to send you marketing communications unless you opt-in.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

Making an enquiry or complaint

When you contact us to make an enquiry or complaint, we collect personal information such as your email address so that we can respond to you.

We may monitor or record telephone calls for security purposes and to improve the quality of services that we provide to you.

We record details of all enquiries or complaints on our systems and share them with the areas of the business that are best placed to address them.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests. In this case our legitimate interests are dealing with the enquiry or complaint and any subsequent issues that may arise, and to check on the level of service we provide.

CCTV

We have CCTV systems in our premises, including the football stadium, for the purposes of public and staff safety. CCTV is also installed on the outside of some of our buildings for the purposes of monitoring building security.

In all locations, signs are displayed notifying you that CCTV is in operation and providing details of who to contact for further information.

Images captured by CCTV will not be kept for longer than required and will not be stored.

Body Worn Cameras incorporating audio recording may also used by our Stadium security staff when necessary for operational purposes. The aim of the technology is to:

  • Promote the safety of Fans and Security Staff
  • Reduce the potential number of confrontational situations
  • Reduce potential escalation of incidents
  • Augment opportunities for evidence capture
  • Support the investigation of any recorded incidents
  • If you are involved in an incident you have the right to request images/audio recording of yourself in accordance with the General Data Protection Regulations (GDPR) and Data Protection Act 2018 and be provided with a copy of the images. You can request this by contacting the Data Protection Officer.

We shall only disclose images and audio to authorised bodies who require it for the purposes stated above. Images and audio will not be released to the media or placed on the internet for public viewing.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. In this case our legitimate interests are public and staff safety, crime prevention and detection.

Applying for a job at FC Como Women

When you apply for a job with us, we collect and process a range of personal data in order to assess your suitability for employment. You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

We ask for:

  • personal details including name and contact details
  • details of your qualifications, skills, experience and employment history;
  • information about your current level of remuneration, including benefit entitlements;
  • The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

We will also ask whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process. The legal bases we rely on for this are article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation and article 9(2)(b) as the processing is necessary for the purposes of carrying out our obligations in the field of social security and social protection law.

You will also be asked to provide equal opportunities information including information about your ethnic origin, sexual orientation, health, and religion or belief. This is not mandatory – if you don’t provide it, it won’t affect your application. This is done for the purposes of equal opportunities monitoring only and we won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. The legal bases we rely on are article 6(1)(a) and 9(2)(b) which require your explicit consent.

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts. It these situations the legal basis we rely on is article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation

When we make a job offer we will also seek information from third parties, such as references supplied by former employers and information from employment background check providers. For some roles, we are legally obliged by safeguarding legislation to conduct criminal records checks. This usually applies to roles that involve working with minors. The legal basis we basis we rely on is article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation.

Sharing your information

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

We will not share your data with third parties, unless your application for employment is successful and we make you an offer of employment. The organisation will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.

Keeping your information

If you are unsuccessful after assessment for the role, we will hold your data on file for 6 months after the end of the relevant recruitment process. At this point your data will be deleted unless you have told us that you would like your details retained in our talent pool. If this is the case, then we would proactively contact you should any further suitable vacancies arise.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

Responding to requests to exercise your data subject rights

When you contact us to exercise your data subject rights (see “Your Rights” for more information) we will ask you for some information so that we can confirm your identity and ensure that we action your request against the right account. This will usually be your email address, however if you do not have an email address or cannot remember it, we may ask for other information. We do not store this information – we just use it to confirm your identity.

We maintain a record of all the data subject rights requests that we receive. If you do make a request, this record will capture your name and a differential piece of data such as your email address or contact number. We keep this record to evidence our compliance with data protection legislation and as a record of our activities in case we are challenged.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

Automated Decision-making and profiling

Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without human review.

The only time we conduct any form of automated-decision making based on profiling is when you visit our websites. We use third party software to analyse the way you use our websites in order to provide you with a more personalised experience next time you visit our websites. For example, we may analyse the products you buy from our shop or the types of web pages you look at the most. Next time you visit our website we will then tailor the content we provide you based on those preferences. We might also suggest other products or services you might be interested in.
These activities are fully automated and you can turn them off by disabling our website’s cookies in your web browser. Our Cookie Policy explains how to do this.

We do not conduct any other forms of automated-decision making particularly anything that could have a legal or similarly significant effect on you. If this changes over time, we will seek your explicit consent and update this privacy notice accordingly.

Sharing your information

FC Como Women shares your personal data internally and with selected third-parties in the following circumstances:

Third party service providers

In order to provide our products and services to you or to otherwise fulfil contractual arrangements that we have with you, we may need to appoint data processors to carry out some of the data processing activities on our behalf. These may include, for example, payment processing organisations, delivery organisations, fraud prevention and screening and credit risk management companies, mailing houses and IT system providers. We have contracts in place with our data processors which means that they cannot do anything with your personal information unless we have instructed them. They will not share your personal information with any other organisations and will hold it securely and retain it for the period we instruct.

Commercial Partners

We may also share personal data, such as your name and contact details, with our commercial partners but only where you have explicitly consented to this or requested that we do so. For example, when you enter a competition which is a joint promotion, or you request to receive certain marketing communications. In any case, we will provide you with clear information before we share your personal data.


Other football clubs

Some European countries require their football clubs to keep full records of all away fans attending their matches. Consequently, when you purchase an away match ticket for a European game, we may be required to disclose your personal information to the hosting club. As this activity forms part of us providing you with the product or service you have purchased, the legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party. You can object to us sharing your data with other clubs however it we will not be able to guarantee your entry at the match.

Publicity and media

We may disclose your personal data publicly via the media or social media. For example, when sharing a comment or opinion you have provided or if you win a competition or promotion we may disclose your name online. In such cases, we will clearly notify you of the sharing and you will have the choice not to participate or to otherwise object to such sharing, subject to our other legal obligations.

Legal and other

We may also share your data with third parties:

  • if we are under a legal or regulatory duty to do so
  • if it is necessary to do so to enforce our terms and conditions of sale or other contractual rights
  • to lawfully assist the police or security services with the prevention and detection of crime or terrorist activity
  • where such disclosure is necessary to protect the safety or security of any persons
  • and/or (e) otherwise as permitted under applicable law.

International data transfers

We are based in Italy but sometimes your personal information may be transferred outside of the European Economic Area (EEA). For example, some of our third-party suppliers or commercial partners to which we disclose your personal data may be situated outside of the EEA. Where we do transfer your personal data outside of the EEA, we make sure that we put one of the EU’s approved suitable safeguards in place, for example using approved contractual agreements or by obtaining your explicit consent for the transfer.


Security

Protecting your personal information is very important to us and as such we have put a range of security defences in place in order to ensure it.

This includes:

  • Technical measures such as encryption when we send your data over the internet, anti-virus software, secure user accounts on our systems that restrict access to your personal information, regular data back-ups, and conducting security testing of our systems.
  • Physical security measures that ensure that physical access to your data, whether it is in electronic or hard copy form, is also restricted and controlled.
  • Personnel security measures such as contractual clauses in employment contracts that require our employees to protect the confidentiality of your data, and regular awareness training about data protection and information security.
  • Some of our IT systems are provided by third party suppliers. In these cases the security of your data is a shared responsibility and we have contracts in place which outline each party’s responsibilities for the security of data. 
Keeping your information

We retain your personal information for the minimum reasonable time period to allow us to fulfil the purposes that we collected it for. We will delete or destroy your data after that time except where we need to keep any personal information to comply with our legal obligations, resolve ongoing disputes or defend ourselves against future legal claims, or enforce our agreements.

Occasionally, we may continue to use data without further notice to you. This will only be the case where any such data is anonymised and you cannot be identified as being associated with that data.
Please contact privacy@comowomen.it for further information about our retention periods.

Your Rights

You have certain rights in relation to your personal information. In order to exercise any of the following rights please complete the data subject access request form here or contact the DPO using the details above.

Right of access. You have the right to access the data that we hold on you. If you require access to your information, you should make a subject access request in writing.

Right to rectification. You can request that we update any of your personal information, which is out of date or incorrect. We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

Right to erasure: In some circumstances you can ask for your personal information to be deleted. You should be aware however that this is not an absolute right and there are situations where legally, we will not be able to comply with your request. If we cannot comply with your request, we will clearly explain our reasons.

Right to object. You can object to our processing of your personal information where we do so in our legitimate interests or in the public interests. If you do object, you should provide specific reasons why you are objecting to the processing of your data. You should be aware that this is not an absolute right, and we can continue processing if we can demonstrate compelling legitimate grounds for the processing or if the processing is for the establishment, exercise or defence of legal claims. If we cannot comply with your request, we will clearly explain our reasons.

Right to restrict processing. In some circumstances, you have the right to ask us to restrict the processing of your personal data. This may be because you have issues with the content or accuracy of the information we hold and want us to restrict processing whilst these issues are addressed. Alternatively it could be because you have objected to our processing of your data for the purposes of our legitimate interests, and you want us to restrict processing whilst we considering our response. Where we comply with these requests, we will always inform you before lifting the restriction.

Consent withdrawal. Where you have given clear consent for us to process your personal data for a specific purpose, you have the right to withdraw your consent at any time. Please note that we do not rely on consent for the majority of employee personal information we process.

ID Validation

In order to understand exactly who is in attendance at the Stadium on matchdays we are at times ask the relevant ticket holders over the age of 18 to verify their identification by providing the Club with a copy of a valid passport or driving licence.

The lawful basis the Club has applied for collecting this data under data protection law is GDPR Article 6(1) - legal obligation; we have a common law duty of care to protect the welfare and wellbeing of individuals who attend matches in the Stadium. 

Your personal data will be retained only for the purposes stated in this section of the privacy notice and will be held by the Club for no more than 31 days at which point it will be automatically purged.

Changes to this policy

As FC Como Women changes, this Privacy Policy is expected to change as well. We reserve the right to amend this Privacy Policy at any time, for any reason, without notice to you, other than the posting of the amended Privacy Policy on our websites. We may email periodic reminders of this Privacy Policy and will email relevant data subjects to notify them of any material changes. You should check our website frequently to see the current Privacy Policy that is in effect and any changes that may have been made to it.

More information & Complaints

Should you have any questions regarding this Privacy Policy or if you wish to make a complaint about how we process your personal information, please contact privacy@comowomen.it.