About this FIVA Privacy Statement
This FIVA General Privacy Statement of Fédération Internationale des Véhicules Anciens with registered seat at 6, Place de la Concorde, F-75008 Paris, France (hereinafter referred to as "FIVA", "us" or "we") informs about general processing operations with personal data and cookies in line with Articles 13 and 14 of the GDPR. When processing personal data, FIVA acts as a data controller. FIVA also uses specific privacy statements (such as the FIVA Privacy Statement for the FIVA Cards' system) that need to be read in conjunction with this general privacy statement. In case of conflict, specific privacy statements prevail. Where a specific privacy statement is silent, this general privacy statement might still apply.
1. Controller’s contact details and DPO
For general inquiries, please use our general contact details. We have appointed an external data protection officer at FIVA. For data subject requests and general privacy inquiries, please use our DPO contact details.
General contact details: By post to FIVA, Attn: Secretary General, Villa Rey, Strada Val San Martino Superiore 27/B, 10131 Torino, Italy and by email to: secretary@fiva.org
DPO contact details: By post to FIVA, Attn: Data Protection Officer, Villa Rey, Strada Val San Martino Superiore 27/B, 10131 Torino, Italy and by email to: dpo@fiva.org
2. Purposes of processing and legal bases
FIVA pursues the following purposes of processing relying on these legal bases:
| No. | Purpose of processing personal data | Legal basis (Art. 6 GDPR) |
|---|---|---|
| 1. | Preserving and promotion of the technical and cultural heritage | Legitimate interest (Art. 6 (1) (f) GDPR) |
| 2. | Statutory, administrative and governance purposes | Legal obligation (Art. 6 (1) (c) GDPR), contract performance (Art. 6 (1) (b) GDPR) and legitimate interest (Art. 6 (1) (f) GDPR) |
| 3. | Direct marketing and PR purposes | Legitimate interest (Art. 6 (1) (f) GDPR) and consent where required (Art. 6 (1) (a) GDPR) |
| 4. | Security of personal data and IT systems | Legitimate interest (Art. 6 (1) (f) GDPR) and legal obligation (Art. 6 (1) (c) GDPR) |
| 5. | Establishment, exercise or defence of legal claims (legal agenda) | Legitimate interest (Art. 6 (1) (f) GDPR) and contract performance (Art. 6 (1) (b) GDPR) |
| 6. | Employment and personnel purposes | Legal obligation (Art. 6 (1) (c) GDPR) and contract performance (Art. 6 (1) (b) GDPR) |
| 7. | Tax and accounting purposes | Legal obligation (Art. 6 (1) (c) GDPR) |
| 8. | Archiving purposes | Compatible purposes in the regime of Article 89 GDPR |
| 9. | Statistical purposes | Compatible purposes in the regime of Article 89 GDPR |
Generally, we rely on legitimate interest where we cannot rely on an explicit provision of a law, decree or regulation when pursuing such a purpose. In such a case, the legitimate interests we pursue are identical to the above-mentioned purposes. Where such an explicit provision exists, we rely either on public interest or legal obligation, depending on whether the provision is formulated as a direct obligation or not.
3. Detailed information about the purposes of processing
The above purposes are explained in a bit more detail below:
Preserving and promotion of the technical and cultural heritage
As stems from FIVA’s Statute, FIVA is a non-profit international association of Federations, Clubs and other organisations concerned with the protection, preservation and promotion of mechanically propelled road vehicles and hence concerned with the restoration, use and culture of these vehicles, as part of wider technical and cultural heritage. Therefore, any processing of personal data undertaken in relation to our core non-profit purpose is covered by this purpose. For example, this purpose covers the following activities that we undertake to preserve and promote technical and cultural heritage:
- maintaining our databases of vehicles, maintaining historical records, documents and information;
- organising any events, conferences, FIVA WORLD rallies or other historic vehicle rallies or events;
- promoting historic vehicles and events;
- partnership, co-operation or funding projects such as with UNESCO or projects with individual ANFs;
- monitoring and commenting on legislative proposals that might relate to historic vehicles;
- fundraising;
- cooperation with museums and major collections;
- practically any activities undertaken by FIVA’s bodies, commissions and the President;
- any similar activities that support our unifying purpose.
Statutory, administrative and governance purposes
This covers any processing of personal data regarding our officers, members, representatives in connection with activities that are required for operation of FIVA as a non-profit organisation, as stated in the Statute or internal regulations, in particular:
- election and maintenance of FIVA memberships;
- organising and participating in meetings of FIVA authorities, FIVA assembly meetings and similar;
- election and voting process internally;
- conducting reports about our activities.
Direct marketing and PR purposes
We consider it to be in our legitimate interests to carry out marketing activities to support our commercial activities and raise awareness of our activities, including, for example:
- Sending newsletters and bulletins informing about our non-profit activities;
- Interacting with our online audiences via our websites or social media profiles; you can currently find us on Facebook, Flickr, Instagram, YouTube, Pinterest;
- Publishing blogs, articles or comments;
- Organizing any PR or similar events promoting FIVA and our activities.
Security of personal data and IT systems
Although measures to ensure an appropriate level of personal data security are not primarily directed at the processing of personal data, processing personal data to some necessary extent might be needed in order for these measures to be implemented:
- access rights management;
- security incident management and evaluation of suspicious reports;
- monitoring to prevent breaches of confidentiality, integrity and availability of important data and personal information by unauthorised access to electronic communication networks, spreading of malicious program codes, targeted overloading of servers and damage to assets important to FIVA's IT infrastructure;
- performing software development, enhancement and testing to ensure adequate security, user experience and functionality necessary for the efficient provision of modern services.
Establishment, exercise or defence of legal claims (legal agenda)
We need to enforce, perform and manage contracts and we do that based on our legitimate interests pursuant to Art. 6(1)(f) of the GDPR or based on contract performance pursuant to Art. 6(1)(b) of the GDPR. This includes, for example:
- debt recovery;
- litigation, proceedings and enquiries;
- court, administrative or other legal proceedings;
- providing assistance to public authorities;
- combating fraud related to historical vehicles;
- contractual agenda;
- asset management;
- GDPR requests;
- legal agenda - pre-contractual negotiation.
Employment and personnel purposes
These purposes include both employees as well as FIVA officials who we regard as our internal personnel irrespective of the exact nature of the relationship, whether employment or not. In relation to our personnel, we are obliged to process certain limited data by the employment, commercial, social deductions and insurance regulations, as the case may be. This includes, for example:
- HR recruitment process;
- payroll, social contributions and benefits agenda;
- changes in management positions;
- keeping a list of employees or members of commission;
- concluding, amending and terminating employment contracts, material liability agreements, out-of-work agreements, graduate practice, dual education, acquisition of new job candidates;
- pre-contractual relationships with future or potential employees;
- internal education and organization of activities oriented to personal and career growth and increasing the satisfaction of members; or
- any other employment-related matters.
Tax and accounting purposes
In order to comply with tax, billing and accounting regulations, we must process a certain limited scope of personal data. We do this because we are obliged to do so pursuant to the applicable local tax and accounting regulations in line with Art. 6(1)(c) of the GDPR.
Archiving purposes
General archiving purposes include the processing of personal data necessary in particular for:
- retention of registry of records;
- the retention of records of the received and sent mail;
- decommissioning and disposal of registry records;
- the transmission of archival documents to the state archives;
- disclosure of archive documents in accordance with legal restrictions on personal data under the law;
- issuing of originals of documents and certificates;
- making copies of archive documents.
Statistical purposes
General statistics (legal bases for the original compatible purposes) are the processing of personal data which is necessary in particular for:
- the performance of the necessary processing operations with personal data originally processed for other legitimate purposes resulting in the compilation of pseudonymised or anonymised statistical outputs, reports, analyses, cost comparisons;
- monitoring of important statistical indicators from data;
- the use of necessary cookies and other digital identifiers, which allow the collection and evaluation of basic statistics on the use of our website to improve its performance and availability in case of increased traffic, without the possibility of sharing them with a third party and use for marketing analytics purposes.
4. Who are recipients of your personal data?
We take the confidentiality of your personal data very seriously and have internal policies in place to ensure that your data is only shared with authorized personnel at our institution or a verified third party. Our staff might have access to your personal data on a strictly need-to-know basis in relation to the FIVA Card and your historic vehicle. Personal data of our members, business partners or other natural persons and their historic vehicles are provided to the extent necessary to the following categories of recipients:
- national bodies authorised by FIVA or other properly mandated processors;
- our professional advisors (e.g. attorneys or auditors);
- providers of standard software and cloud services (e.g. Microsoft One Drive or SharePoint);
- providers of technical (IT) support of our institution;
- visitors of our websites and various social media profiles;
- law enforcement officials.
We also use sub-contractors to support us in providing services who might process personal data for us. We ensure that the selection of our sub-contractors and any processing of personal data by them is compliant with the GDPR in terms of technical and organizational security of processing operations. If we use our own recipients to process personal data (internal staff of our institution), your personal data are always processed on the basis of authorizations and instructions that inform our recipients not only about our internal privacy policies but also about their legal responsibility for their violations. If we are requested by the public authorities to provide your personal data, we examine the conditions laid down in the legislation to accept the request and to ensure that if conditions are not met, we do not adhere to the request. If you have a question about our current processors, do not hesitate to contact our DPO for further information.
5. What countries do we transfer your personal data to?
By default, we seek not to transfer your personal data outside the EU and/or European Economic Area where not necessary. However, some of our sub-contractors or the above-mentioned recipients of personal data might be based, or their servers might be located, in the United States of America (U.S.). As such, the U.S. is regarded as a third party not ensuring an adequate level of protection. However, companies certified under the EU-US Privacy Shield mechanism according to the Commission (EU) are regarded as ensuring an adequate level of protection. Any transfer of personal data outside the European Economic Area is done by us only under strict compliance with the GDPR. We ensure the third-party recipients are either certified under the EU-US Privacy Shield, have concluded EU model clauses with us or have equivalent safeguards in place.
6. How long do we store your personal data?
We must not and we do not want to store your personal data for longer than necessary for the given purpose of processing. Due to this legal requirement but also due to technical and financial aspects of data storage, we actively delete data where no longer necessary. Retention periods are either provisioned in respective laws or are set out by us in our internal policies. When processing of your personal data is based on consent and you decide to withdraw your consent, we do not further process your personal data for the specific purpose. However, it does not exclude the possibility that we process your personal data on different legal grounds, especially due to our legal obligations.
General retention periods for our purposes are as follows:
| Purpose of processing | General retention period |
|---|---|
| 1. Preserving and promotion of the technical and cultural heritage | Generally, throughout existence of historic vehicle if it concerns information about vehicle. If not, 3 years from end of project, event or other activity. |
| 2. Statutory, administrative and governance purposes | Generally, from 5-10 years depending on the applicable legislation. |
| 3. Direct marketing and PR purposes | Generally, for a maximum of 2 years. |
| 4. Security of personal data and IT systems | Throughout the storage of personal data and use of the IT systems |
| 5. Establishment, exercise or defence of legal claims (legal agenda) | Generally, 3 years from the moment when the legal dispute is settled or the agreement is terminated. |
| 6. Employment and personnel purposes | For the duration of the employment relationship and the expiry of the statutory retention periods for certain types of documents (usually 10 years after the termination of employment). |
| 7. Tax and accounting purposes | The retention periods are governed by local law and, depending on the type of information or document in which billing personal data might be included, the storage period is 10 years. |
| 8. Archiving purposes | During the storage periods according to the archiving plan or legislation. |
| 9. Statistical purposes | Only as long and only if other purposes of processing are relevant. As soon as the data is not personal, GDPR does not apply, and retention periods are unlimited towards anonymous data. |
The above retention periods only specify the general periods during which personal data are processed for the specific purposes. However, we proceed to erasure or anonymization of personal data before the expiry of these general periods if we consider the personal data to be unnecessary in view of the above-mentioned processing purposes. Conversely, in some specific situations, we may keep your personal data longer than stated above if it is required by law or our legitimate interest. If you are interested in information about a specific retention period for storing your personal data, please do not hesitate to contact our DPO.
7. How do we collect your personal data?
Generally, we collect your personal data directly from you. In this case provision of personal data is voluntary. You can provide your personal data to us by different means, e.g.:
- by registration on our websites (regarding the registration for FIVA Cards);
- communication with you;
- activity on our profiles on social media;
- completing and submitting a contact form with your comments, queries or questions.
However, we may also obtain your personal information from national bodies authorised by FIVA. This is typically the case when you apply for FIVA card through one of our authorised national bodies.
8. What rights do you have?
If we process your personal data on the basis of consent to the processing of personal data, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You have the right to effectively object to the processing of personal data for direct marketing purposes, including profiling.
You also have the right to object to the processing of your personal data on the basis of the legitimate interests we follow, as explained above. You are also entitled to object to the processing of personal data on the legal basis of a public interest. If you exercise your right to object, we will gladly demonstrate to you how we evaluated these legitimate interests as overriding the interests, rights, and freedoms of the data subjects.
The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that they will be accepted by us because in a particular case an exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request to enforce a specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions.
Among others, you have:
- Right to request access to your personal data according to Article 15 of the GDPR. This right includes the right to confirm whether we process personal data about you, the right to access to personal data and the right to obtain a copy of the personal data we process about you if it is technically feasible;
- Right to rectification according to Article 16 of the GDPR, if we process incomplete or inaccurate personal data about you;
- Right to erasure of personal data according to Article 17 of the GDPR;
- Right to restriction of processing according to Article 18 GDPR;
- Right to data portability according to Article 20 GDPR;
- Right to object against the processing including profiling based on legitimate or public interest according to Article 21 (1) of the GDPR;
- Right to object against processing for direct marketing purposes including profiling according to Article 21 (2) of the GDPR;
- Right to not be subject to the automated individual decision making according to Article 22 of the GDPR.
You have a right to lodge a complaint related to personal data to the relevant data protection supervisory authority or apply for judicial remedy. Please note that our lead competent data protection authority is the French supervisory authority: Commission Nationale de l'Informatique et des Libertés – CNIL, 3 Place de Fontenoy, TSA 80715 – 75334 Paris, Cedex 07, Tel. +33 1 53 73 22 22, Fax +33 1 53 73 22 00, Website: http://www.cnil.fr/, https://www.cnil.fr/en/contact-cnil. However, since our establishment is in Italy, the Italian Data Protection Authority can also be regarded as our supervisory authority: Garante per la protezione dei dati personali, Piazza Venezia, 11, 00187 Roma, Tel. +39 06 69677 1, Fax +39 06 69677 785, Email: segreteria.stanzione@gpdp.it, website: http://www.garanteprivacy.it/.
9. Do we process your personal data via automated means which produces legal effects concerning you?
We do not currently conduct processing operations that would lead to a decision which produces legal effects concerning you or similarly significantly affects you based solely on automated processing of your personal data in light of Article 22 GDPR.
10. Cookies and similar tracking technologies
Cookies are small text files that improve website usage, e.g. by allowing us to recognize previous visitors when logging in to a user environment, remembering a user's choice when opening a new window, measuring website traffic, or evaluating usage of the website in order to improve it. Our website uses cookies in particular to measure its traffic. You can always stop storing these files on your device by changing your web browser to a different setting.
| Cookie name | Description of cookie purpose | Provider | Type | Expiry |
|---|---|---|---|---|
| cookieyes-consent | CookieYes sets this cookie to remember users’ consent preferences so that their preferences are respected on their subsequent visits to this site. | Fiva.org | necessary | 1 year |
| pll_language | This cookie is used by Polylang to remember the language selected by the user when they return to the website. | Fiva.org | preference | 1 year |
| pys_session_limit | Used by PixelYourSite to configure the duration of a session, used for WooCommerce and EDD reports. | Fiva.org | Analytical | 1 hour |
| pys_start_session | Used by PixelYourSite to start a session, used for WooCommerce and EDD reports. | Fiva.org | Analytical | session |
| pys_first_visit | Used by PixelYourSite to configure the type of WooCommerce reports the plugin will track. | Fiva.org | Analytical | 7 days |
| pysTrafficSource | It allows the plugin to track the traffic source. | Fiva.org | Analytical | 7 days |
| pys_landing_page | This cookie is set by the PixelYourSite plugin that manages analytical services. | Fiva.org | Analytical | 7 days |
| last_pysTrafficSource | Used by PixelYourSite to track the last traffic source. | Fiva.org | Analytical | 7 days |
| last_pys_landing_page | Used by PixelYourSite to track the last landing page. | Fiva.org | Analytical | 7 days |
| pbid | Used by PixelYourSite, allowing the plugin to assign external_id to users, improving API events performance. | Fiva.org | Analytical | 6 months |
| _ga_* | Contains a unique identifier used by Google Analytics 4 to determine that two distinct hits belong to the same user across browsing sessions. | Fiva.org | Analytical | 1 year |
| _ga | Contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions. | Fiva.org | Analytical | 1 year |
| _fbp | Facebook Pixel advertising first-party cookie. Used by Facebook to track visits across websites to deliver a series of advertisement products such as real time bidding from third party advertisers. | Fiva.org | Marketing | 3 months |
| lastExternalReferrerTime | Detects how the user reached the website by registering their last URL-address. | Fiva.org | | Persistent |
| lastExternalReferrer | Detects how the user reached the website by registering their last URL-address. | Fiva.org | | Persistent |
| __wpdm_client | unclassified | Fiva.org | unclassified | Session |
| | unclassified | Fiva.org | unclassified | |
11. Social networks
Please read the relevant privacy policies to better understand the processing of your personal data by providers of social media platforms. We only have typical admin control over the personal data processed by us via our own social network profile. We assume that by using these social media platforms (e.g. Facebook), you understand that your personal data might be processed for other purposes and that your personal data might be transferred to other third countries and third parties by providers of social media platforms. We are not responsible for the conduct of social network providers.
For more information on the processing of personal data, it is therefore necessary to familiarize yourself with the rules of their processing, published by social network providers, which are easily accessible via the following links:
- Facebook / Instagram cookie policy
- Google / YouTube cookie policy
- Flickr
12. Changes to this FIVA General Privacy Statement
We reserve the right to update this FIVA General Privacy Statement from time to time by posting the most current version and its effective date on our website or within the System. In case we change this privacy policy substantially, we shall bring such changes to your attention by explicit notice, on our websites or by email.
Fédération Internationale des Véhicules Anciens
Torino, 21 July 2024