Privacy & Policy
EVENT: UNTOLD FESTIVAL
CO-ORGANIZERS: UNTOLD SRL, UNTOLD PRODUCTION S.R.L
LOCATION: Cluj–Napoca city, Cluj county, Romania
DATE OF EVENT: 8-11 August 2024
1. Introduction
1.1 The confidentiality of personal data is one of the main concerns within the Organizing companies. As such, we want to ensure the highest standards of confidentiality and transparency regarding the personal data we process in our current business.
1.2 Since carrying out our activity requires processing a range of personal data, particularly in relation to the specifics of our object of activity, we want to offer assurances that the processing will take place in compliance with the principles underlying the processing of personal data. This privacy policy is intended to help you understand what data we collect, why we collect it and what we do with it.
2. Information on joint controllership
2.1 The two organising entities of the UNTOLD 2024 Festival Edition are UNTOLD PRODUCTION SRL, established in Cluj-Napoca, Eremia Grigorescu, nr. 122A, registered with the Trade Register under no. J12/5129/2021, VAT number: 45114420 and UNTOLD SRL, established in Cluj-Napoca, Eremia Grigorescu, nr. 122A, registered with the Trade Register under no. J12/3105/2015, VAT number: RO35113711 (hereinafter collectively referred to as "Joint Controllers" or "us"). UNTOLD PRODUCTION SRL and UNTOLD SRL act as joint controllers, based on a written agreement between them by which they established the purposes and means of processing of personal data collected through the www.untold.com website (the "website"), the UNTOLD App, the online and on-site check-in system, and the means of video monitoring and photo and video image capture within the Festival by persons authorised by UNTOLD.
2.2 The joint controllers are required to manage safely and solely for specified purposes, the personal data that the users of the website are providing.
2.3. In collecting the data and information, we act as joint controllers since both entities operate within the same group of companies.
2.4. The essence of the processing of personal data by the parties is the Agreement of joint controllers concluded in accordance with Article 26 GDPR by which the parties have transparently established the responsibilities of each regarding the fulfilment of obligations, in particular respecting the provisions of Articles 13 and 14.
2.5. The joint controllers process personal data according to the obligations resulting from the Agreement concluded between them, but also from the obligations imposed by the specific legal provisions. The purpose of the data processing by us is to organise the UNTOLD event at the highest level, both companies being co-organizers and contributing through their object of activity to its realization.
2.6. UNTOLD SRL will continue to manage, as before, the activities of personal data processing in connection with organizing and conducting the festival. UNTOLD PRODUCTION SRL contributes to the determination of the purposes of some processing of the data, given that some of the processing activities will be covered by commercial contracts concluded by UNTOLD PRODUCTION SRL (e.g. ticket sales). The type of personal data subject to processing, the purpose, the retention period and the legal basis for the processing remain unchanged. Also, people who do not participate in the 2024 Edition are not affected in any way by these changes.
2.7. Main attributions of the Joint Controllers:
• UNTOLD SRL will have the following main role: owning and managing the existing database, managing the www.untold.com page, the UNTOLD application and online platforms, organizing marketing campaigns, ensuring communication with the consumer.
• UNTOLD PRODUCTION SRL will have the following main role: ticket sales, marketing and advertising activities to promote the festival and / or the products and services of the UNTOLD 2024 festival edition.
2.8. We shall ensure that information on the processing of personal data is made available to data subjects in accordance with Articles 12-14 GDPR.
2.9. All applicable principles, policies and practices regarding UNTOLD SRL apply to UNTOLD PRODUCTION SRL and vice versa.
2.10. We will comply with all legal requirements regarding confidentiality in the processing of personal data, including the obligation to carry out risk assessments and to conclude data processing agreements with our suppliers who process personal data.
2.11. We confirm that, in accordance with Article 32 of the GDPR, we have taken appropriate technical, physical and organizational security measures to protect personal data against unauthorized or illegal access, alteration, deletion, damage, loss or inaccessibility.
2.12. We will respect the principles of personal data processing as they are mentioned in art. 5 of the GDPR, respectively within the processing activities. We will process the personal data, which are the subject of this contract:
(a) lawfully, fairly and transparently to the data subject;
(b) for specified, explicit and legitimate purposes and not in a manner incompatible with the purposes stated at the time of collection of personal data;
(c) ensuring their adequacy and relevance, and limiting processing to what is necessary in relation to the purposes for which they are processed;
(d) ensuring that personal data which are inaccurate are deleted or rectified without delay;
(e) storing personal data in a form which permits identification of data subjects for a period not exceeding the period necessary for the purposes for which the data are processed;
(f) processing personal data in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organisational measures.
3. What kind of data is processed, the purpose of processing and the storage period for and the legal basis for processing for each category of data?
3.1.1. For the purpose of creating and accessing an account on the www.untold.com website, in the Untold application and/or on external Untold platforms (In-town, Entertix, Extasy).
- What data do we process? The phone number and the set of cryptographic hash values (generated by applying the PBKDF2 key derivation function) related to the password set by the user so that he can log into his account.
- Storage period: We will store this data for as long as you have an account on the Untold website/app. We specify that to the extent that there is no request for anonymization of these data on [email protected], they will be anonymized within 5 years at most from the last use of the account.
- Legal basis for processing: Art. 6 (1) letter b) - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.1.2. For the purpose of purchasing an Untold product or service.
- What data do we process? Name, surname, e-mail, phone, country, town, address.
- Storage period: Until the end of the general prescription period of 3 years from the completion of the edition in which the ticket was bought or the edition about which the respective problem was reported.
- Legal basis for processing: Art. 6 (1) letter b) - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.1.3. For the purpose of returning purchased products or solving a problem addressed to us.
- What data do we process? Name, surname, e-mail, telephone number, IBAN and name of the account holder, as well as other information provided by e-mail or on other platforms to describe the problem.
- Storage period: Until the end of the general prescription period of 3 years from the completion of the edition in which the ticket was bought or the edition about which the respective problem was reported.
- Legal basis for processing: Art. 6 (1) letter b) - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.1.4. During the CHECK-IN process:
3.1.4.1 In order to ensure access to the perimeter of the festival and to provide the services to which the participant is entitled based on the ticket, to inform about the aspects related to the organisation and conduct of the event or any other offers and announcements related to the purchased product, to prevent fraud and abusive use, and to check the validity of the ticket or subscription.
- What data do we process? Name, surname, e-mail, phone number, profile photo (except for minors under 18) and ticket / wristband number for access to the festival.
- Storage period: The profile picture will be deleted within 20 days after the end of the Festival. The other data will be anonymized within 3 years from the last edition in which the person concerned participated in the Festival, if this was not previously requested.
- Legal basis for processing: Art. 6 (1) letter b) - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.1.4.2. For internal purposes only, to carry out reports and surveys, organise access areas, create campaigns and dedicated activities, to respond to a request from public authorities, or for complaints.
- What data do we process? Sex, country, city, county, date of birth.
- Storage period: These data are kept in the Organizer's archive without being associated with a natural person following the irreversible anonymization of personal data.
- Legal basis for processing: Art. 6 (1) letter f) - the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.1.5. For marketing purposes:
3.1.5.1. For commercial purposes promoting Untold products and services.
- What data do we process? Name, surname, email address, phone number.
- Storage period: Data will be anonymized upon withdrawal of consent or within 4 years at most if the data subject no longer reacts to any commercial message.
- Legal basis for processing: Art. 6 (1) letter f) - the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.1.5.2. For the purpose of subscribing to the Untold Newsletter with the consent of the data subject.
- What data do we process? Email address.
- Storage period: Until unsubscribe or withdrawal of consent.
- Legal basis for processing: Art. 6 (1) (a) the data subject has given his consent for the processing of his personal data for one or more specific purposes.
3.1.5.3. In order to carry out surveys to improve the quality of the services we offer, telephone calls may be recorded with the consent of the person concerned.
- What data do we process? Voice of the subject.
- Storage period: Recorded calls will be deleted within 30 days from the time of recording.
- Legal basis for processing: Art. 6 (1) (a) the data subject has given his consent for the processing of his personal data for one or more specific purposes.
3.1.6. In the REGISTER CAMPAIGN:
3.1.6.1. For the purpose of registering in the Register Campaign where the persons concerned register in a community where they receive recurring information about the latest promotions, campaigns, announcements, sales of tickets at a promotional price at the Untold Festival editions.
- What data do we process? Name, surname, email address, phone number.
- Storage period: Data will be anonymized upon withdrawal of consent or at most within 4 years from the last edition in which the person registered for the campaign. If the persons concerned bought a Ticket in this campaign, their personal data will be processed from this step forward in order to be able to ensure the purchased services and access to the Festival.
- Legal basis for processing: Art. 6 (1) letter b - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.1.6.2. For internal purposes only for making reports and surveys, organizing artistic moments, creating the concept of the annual event, creating campaigns and dedicated activities.
- What data do we process? Sex, country, county, date of birth.
- Storage period: These data are kept in the Organizer's archive without being associated with a natural person following the irreversible anonymization of personal data.
- Legal basis for processing: Art. 6 (1) letter f) - the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.1.7. In order to ensure the security of goods, premises and people, video monitoring means are used in the perimeter of the festival.
- What data do we process? Image of visitors from the event.
- Storage period: 20 days. Some data may be retained for a longer period if the retention is necessary for the investigation of fraud, for the defense of the rights in court of any of the Parties or in situations where it is necessary to comply with the requests made by the competent authorities.
- Legal basis for processing: Art. 6 (1) letter f) - the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.1.8. To take photographs and videos during the event, subsequently used for journalistic, informational, commercial, marketing and promotion purposes of the event, Untold products and services or adjacent products and services, in its own name by Untold or by any partner or sponsor of the Untold Festival, as well as for the purpose of making NFT (Non-fungible token) and trading them on the relevant market.
- What data do we process? Image of visitors from the event.
- Storage period: Until the deletion request from the data subject or no more than 15 years from the time of completion of the edition in which they were made.
- Legal basis for processing: Art. 6 (1) letter f) - the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.1.9. For the purpose of organising promotional campaigns and contests, as well as to ensure the sending of prizes.
- What data do we process? Name, surname, e-mail, social media profile (if applicable), information included in comments in campaigns organised by the Organizer or in partnership with other partners.
- Storage period: Until the expiry of the general limitation period of 3 years from the end of the campaign or contest.
- Legal basis for processing: Art. 6 (1) letter f) - the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.2 In addition to the aforementioned purposes, we process the personal data collected for the following purposes:
- For the fulfilment of legal obligations, as a result of the services provided (e.g. accounting, fiscal, audit, etc.), these are always compatible with the main purposes, for which the data was collected.
- To the extent that the data subject has given their consent for the processing of their personal data for one or more specific purposes.
- For any other purpose auxiliary to the above, or for any other purpose for which we have been provided with personal data, in compliance with the relevant legislation.
- To protect our legitimate interests, overriding the interests or rights and fundamental freedoms of the data subject, taking into account their reasonable expectations based on the relationship with the operator:
- To conduct market research and analysis that helps improve and customize our products and services.
- For direct marketing purposes, to send communications of general interest or messages asking you to rate the quality of our services/products
- For the management of the company's activity, the creation of internal reports that are used in the organization of the access and wristband pick-up areas of future editions, to organize dedicated campaigns and activities
- To prevent or detect misuse of our intellectual property, fraud or other crimes.
- To ensure security within the event, to resolve complaints related to fraud, criminal or contravention complaints, complaints related to the sale of tickets, cases where the Organizer needs to identify a person with the ticket series, to identify if that person entered the perimeter of the festival and at what time, or to defend the company's rights in court.
3.3 In the situations in which we will use your data for purposes other than those mentioned in this Policy, we undertake to obtain your consent, unless we have a legal obligation or have a different legal basis for processing the data.
3.4 The Joint Controllers do not create individual profiles for those who participate at the Untold Festival.
4. How are we collecting your personal data?
4.1 We collect your personal data either directly from you, for example, when you create an account on our website/app, email us at [email protected] to request an offer/information from us, give your consent for the communication of commercial messages, purchase a product, etc., or indirectly, for example, when you transmit this information on the platforms of other collaborators of our company, in the process of purchasing the ticket/subscription.
4.2 We collect your personal data automatically: when you use our services on the Untold website or application, we collect information through cookies and by logging your activity. For more information on the use of cookies, please consult Art. 6 of this Policy.
4.3. If you choose to provide us with the personal data of other people, such as when you purchase tickets on behalf of others, you assume responsibility for the way in which you obtained this data and for having a legal basis for processing it; we cannot be held responsible for violating the rights of the respective persons.
5. How are we storing the personal data?
5.1 For storing the personal data you're providing as a user of our website / App, a cloud service provided by Amazon Web Services EMEA S.A.R.L. is used.
5.2 Also, the data collected in the context of on-site check-in is stored by our partner, Festipay Zrt., on their servers in the European Union.
6. COOKIES
6.1 The website contains cookies (very small files sent to users' computers or other access devices).
6.2 There are two types:
6.2.1 Cookies based on their lifespan:
a) Session cookies
These are stored temporarily in the web browser's cookie folder to keep them until the user leaves the respective site or closes the browser window (for example, when logging in/logging out from an email or social media account).
b) Persistent cookies
These are stored on a computer's hard drive or device (and generally depend on the cookie's default lifespan). Persistent cookies also include those placed by a different website than the one the user is visiting at the moment, known as "third-party cookies," which can be used anonymously to store a user's interests to display the most relevant advertising to users.
6.2.2 Cookies based on their role:
a) Strictly necessary cookies
These types of cookies are required for web pages to function correctly. Strictly necessary cookies allow you to navigate the site and use its features. Without these cookies, certain features, such as automatic redirection to the least congested server or saving your wish list, cannot be provided.
b) Functional cookies
Functional cookies record information about the choices users make and allow website operators to customize the site according to user requirements. For example, cookies can be used to save preferences regarding categories/segments.
c) Performance and analytics cookies
These types of cookies allow website operators to monitor visits and sources of traffic, how users interact with the site or specific sections of the site.
The information provided by analytics cookies helps operators understand how visitors use websites and then use this information to improve how the content provided to users is presented.
d) Advertising cookies
These cookies can provide the ability to track users' online activities and create profiles for users, which can be used later for marketing purposes. For example, cookies can be used to identify products and services approved by a user, and this information is later used to send appropriate advertising messages to that user.
6.3. Accessing the site implies users' consent to the placement of these types of cookies on their device and their access on the next site visit.
6.4. In general, data about internet browsing activity is collected and analyzed anonymously. If this analysis reveals a specific interest, a cookie (a small text file used by most websites to store certain information useful for improving the browsing experience) is placed on the user's computer, and this cookie determines the type of advertising the user will receive, known as interest-based advertising.
6.5. You can see all the cookies used by our website in the Cookies Notice at the bottom of the page. You can withdraw your consent to the use of cookies at any time by changing the options in the appropriate cookie settings available. Blocking necessary cookies in your browser may also affect proper functioning. Disabling other types of cookies (other than necessary) may also affect your experience using the site.
6.6. The site may use or implement third-party social modules. In general, your interaction with such a module allows third parties to collect certain information about you, including your IP address, information from the page header, and information from your browser. The site has implemented the following buttons for social networks:
-> Facebook https://www.facebook.com/privacy
-> Instagram https://help.instagram.com/519522125107875
-> WhatsApp https://www.whatsapp.com/security
6.7. The site uses Google Analytics, a web analysis service provided by Google Inc., headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States ("Google"). With your consent, Google will analyze how you use our site on our behalf. For this purpose, we use, among other things, the cookies detailed in the table above. The information Google collects about how you use the site (e.g., the URL you provide, our web pages you visit, your browser type, language settings, operating system, screen resolution) will be sent to a Google server in the United States.
7. To whom are we disclosing your personal data?
7.1 In order to fulfill the processing purposes, the Operators disclose your personal data to partners, to third parties or entities that support the Operators in carrying out their activities, or to central/local public authorities, as in the following examples:
1. To our service providers and contractual partners, for example: providers of marketing (including surveys) and advertising services; our partner in charge of providing access to the Untold Festival premises; the IT service provider; courier services, payment services, banking services, ticket sales, etc. These data will be provided to the extent necessary and only under a confidentiality commitment from the contractual partners, guaranteeing that these data are kept safe and that their processing is done in accordance with the legislation in force;
2. To the accountants, auditors, lawyers, insurers or other such external advisers of the Operator. These data will be provided to the extent necessary and only under a confidentiality commitment from the contractual partners, guaranteeing that these data are kept safe and that their processing is done in accordance with the legislation in force;
3. Authorities, institutions and public bodies, if there is a legal request from them or to the extent there is a legal obligation from us;
4. The operator will be able to disclose this data whenever the law requires it, or in the situation where this step is necessary to allow the exercise of the rights provided by the law and/or to be able to take legal action against any illegal activity;
5. Your personal data may be transferred to third countries, based on the contractual relationships we have with our partners (both affiliates and other entities in the European Union) in order to produce statistics and other types of reports. To the extent that data is processed outside the European Union, we will ensure by contractual or other measures that such data enjoys an adequate level of protection there, comparable to that which it would enjoy in the European Union, in accordance with European regulations.
8. How long do we store your personal information?
8.1 As a matter of principle, we will process your personal data only to the extent necessary to achieve the processing purposes mentioned above. For more details about our data retention policy for certain specific processing, please review the information from Art.3.
9. Your rights related to personal data processing:
9.1. When the processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal. You can therefore change or remove consent at any time, and we will act immediately accordingly, unless there is a legal reason or legitimate interest not to do so.
9.2. If we process your data based on our or third parties' legitimate interest, you can object to that processing for reasons related to your particular situation. In some cases, our legitimate interest or that of third parties may outweigh yours and we will not be able to accommodate your request to object to processing.
9.3. As a data subject, you benefit from a series of specific rights guaranteed by the General Data Protection Regulation no. 679/2016 (GDPR) and the legislation in force in Romania regarding the protection of personal data:
9.3.1. The right to information
The persons concerned whose personal data are processed within our specific activities have the right to receive from us information about the processing operations carried out in our capacity as data operator.
9.3.2 Right of access
You have the right to obtain from us a confirmation of whether or not we are processing personal data concerning you.
If we confirm that we have your personal data, you have the right to access it and obtain a series of relevant additional information.
9.3.3. The right to rectification
You have the possibility to obtain from the data operator, the rectification of inaccurate data concerning you or the completion of personal data that are incompletely recorded in our internal records.
9.3.4. The right to data erasure (“the right to be forgotten”)
You have the right to request that we delete the personal data that we process about you. We must comply with this request if:
a) personal data are no longer necessary to fulfill the purposes for which they were collected;
b) you oppose the processing for reasons related to your particular situation;
c) personal data were processed illegally;
d) personal data must be deleted to comply with a legal obligation that rests with us, except for the case where the data is necessary:
• for exercising the right to free expression and information;
• to comply with a legal obligation we have;
• for archiving purposes in the public interest, scientific or for historical studies or for statistical purposes;
• for ascertaining, exercising or defending a right in court.
9.3.5. The right to restriction of processing
You can ask us to restrict the processing of your personal data when:
• you contest the accuracy of the personal data that we process, during the period that we check the accuracy of the data;
• data processing is illegal, but instead of requesting the deletion of personal data, you want to restrict their processing;
• the personal data are no longer necessary for us to achieve the purpose for which they were processed, but you request that data from us for ascertaining, exercising or defending a right in court;
• you objected to the processing and request restriction while we check whether our legitimate interest for the processing prevails.
9.3.6. The right to data portability
You have the right to obtain your data from us in a structured, commonly used and machine-readable format.
9.3.7. The right to opposition
At any time, the data subject has the right to object, for reasons related to the particular situation in which he is, to the processing. The operator no longer processes personal data, unless the operator demonstrates that it has legitimate and compelling reasons that justify the processing and that prevail over the interests, rights and freedoms of the data subject or that the purpose is to ascertain, exercise or defend a right in court.
You can object at any time to the processing of your personal data for direct marketing purposes, whatever your reason.
9.3.8. The right not to be the subject of a decision based exclusively on automatic processing, including the creation of profiles
This right is applicable if the automated individual decision-making process produces legal effects that concern or affect you to a significant extent.
9.3.9. The right to file a complaint
If you have a complaint about the way we process your personal data, please contact us in order to solve your problem using the following contact details:
● Email: [email protected]
● Address: str. G-ral Eremia Grigorescu, no. 122 A, Cluj-Napoca, Jud. Cluj.
You can also contact the National Supervisory Authority for the Processing of Personal Data through their website www.dataprotection.ro.
Please keep in mind the following aspects of interest, related to the method of analysis and response to the request for the exercise of rights:
We will make every effort to respond to your request within 30 days. This period can be extended due to reasons related to the specific legal right invoked or the complexity of your request with a maximum additional period of two months. In any case, if the legal response deadline is extended, we will inform you about the new deadline and the reasons that led to this extension.
10. Information security
10.1 We are working hard to protect our website, App and users, as well as all personal data collected in accordance with this Policy, from any unauthorized access or from the modification, unauthorized disclosure or destruction of the information we hold.
10.2. The Joint Controllers guarantee that they have implemented technical and organizational measures appropriate to the processing activities they perform, in order to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access to, transmission, storage or processing in any other illegal ways.
10.3. In this regard:
- The Joint Controllers certify that they meet the minimum requirements for the security of personal data, the data being processed in a way that provides protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures;
- For the data collected through the website and the App, in order to ensure access to the festival, we use a cloud service provided by Amazon Web Services EMEA SARL. Therefore, the security settings provided by Amazon are used. Access to data is restricted through a whitelist of security groups, which means that data can only be accessed from certain pre-defined IP addresses. Access is based on username and password, and within the organizing entities access to the database is allowed to a limited number of persons.
- The used data storage systems have implemented back-up mechanisms to ensure the redundancy of the stored data.
- We are regularly reviewing the practices for collecting, storing and processing information, including physical information, as well as security measures, to prevent unauthorized access to the systems.
- We are restricting the access of our employees and contractors to your personal information, and the contractual relations with these persons are subject to strict rules regarding contractual confidentiality obligations, including under the sanction of termination of contracts.
11. When does this Privacy Policy apply?
11.1. Our privacy policy applies to all services offered by our company and excludes services that have separate privacy policies and do not contain the provisions of this privacy policy.
12. Amendments
12.1 We will post any privacy policy changes on our page, which will take effect within one day and, if the changes are material, we will provide more prominent notice (including, for certain services, email notification of privacy policy changes).
12.2. We will also keep previous versions of this Privacy Policy on file for your review at any time.
The most recent update of this policy was made on the 11th of September, 2023.