In accordance with Regulation (EU) 2016/679 (“GDPR”), this Privacy Policy explains how OGR-CRT S.C.P.A. processes the personal data of users, website visitors, customers and suppliers. This Privacy Policy also applies to processing activities carried out for marketing purposes following the collection of personal data through offline channels, including during events.
In certain cases, personal data is processed directly by third parties (for example, in connection with registration for events organised by external organisers). In such cases, please refer to their privacy policies.
The Data Controller is OGR-CRT S.C.P.A. (hereinafter also referred to as the “Controller”), with registered office at Via XX Settembre 31, Turin (Italy). The Data Controller has appointed a Data Protection Officer (“DPO”), who may be contacted at: privacy@ogrtorino.it.
All personal data is processed in accordance with applicable EU and Italian legislation, including laws, regulations and provisions issued by competent authorities.
Below is an overview of the processing activities, grouped by area.
Website services
The Data Controller processes the personal data of users of the ogrtorino.it website in the following ways:
Communications and Contacts
The Controller processes personal data for communication, information and marketing purposes as follows:
.
Events
Personal data may be processed by the Controller in connection with the organisation and hosting of events, as follows:
OGR KEY Membership Programme
OGR Torino operates the “OGR KEY” Membership Programme, designed to encourage engagement and provide access to dedicated services and benefits.
Additional processing purposes
2.1 Cookies and Website navigation
The ogrtorino.it website uses technical cookies, which are necessary for the operation of the Website and cannot be disabled, as well as analytics and profiling cookies, which require the Data Subject’s consent. For detailed information on the types of cookies used, the third parties involved and the applicable retention periods, please refer to the Cookie Policy available in the Website footer.
.
2.2 Social Media
Where third-party tools (such as plugins, widgets or tracking pixels) are used to install cookies on the Data Subject’s device, responsibility for providing information and obtaining consent for such cookies lies with the relevant third-party providers. Please refer to the privacy and cookie policies of: Meta (Facebook/Instagram) and LinkedIn.
Personal data is processed using electronic tools in accordance with the confidentiality and security principles set out in the GDPR. Appropriate technical and organisational measures are adopted to prevent unauthorised access, loss or unlawful use.
Provision of personal data required to access the services described above is mandatory to the extent that, without such data, it would not be possible to provide the services requested. This means that Data Subjects are free not to provide their data, although this may prevent the proper provision of some services. Unless otherwise expressly stated, processing of such data does not require a Data Subject’s consent and is strictly necessary to fulfil a request made by that Data Subject. Where processing is based on consent, Data Subjects may withdraw their consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal of consent.
Personal data may only be accessed by persons authorised by the Controller in accordance with Article 29 GDPR. In addition, personal data may be accessed by entities acting either as independent Data Controllers (for example, public authorities) or as Data Processors under Article 28 GDPR (for example, service providers supporting the Controller in the administration of the Website, as well as professionals and consultants appointed by the Controller). To obtain an updated list of the entities that may have access to personal data, requests should be sent by email to: privacy@ogrtorino.it.
The Controller ensures that personal data is not disclosed in ways inconsistent with the purposes described above. Personal data processed by the Controller may also be transferred to third countries or servers located outside the European Economic Area (EEA). Where transfers outside the EEA are necessary, the Controller ensures that such transfers take place only where an adequacy decision has been adopted by the European Commission or where other appropriate safeguards required under applicable data protection legislation are in place, including through the adoption of standard contractual clauses.
The exercise of the rights set out in this section is not subject to any formal requirements and is entirely free of charge, except where requests are manifestly unfounded or excessive, as provided for under Article 12(5) GDPR.
In connection with the processing activities described in this Privacy Policy and in accordance with the GDPR, Data Subjects may exercise the following rights:
As a Data Subject, you also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or with the supervisory authority of the EU Member State in which you habitually reside or work, or where the alleged infringement occurred, in relation to any processing activity you consider non-compliant. Requests concerning the exercise of the rights referred to above should be sent directly to the Controller by email at: privacy@ogrtorino.it.
In accordance with Article 14 GDPR, in some cases personal data – including photographs – may be received from partners involved in events and initiatives held at OGR Torino. In such cases, the partner concerned is responsible for ensuring that an appropriate legal basis for the transfer is in place. OGR Torino carries out sample checks and displays appropriate notices on site. However, anyone wishing to object to such processing may do so by sending an email to: privacy@ogrtorino.it.
In certain cases, personal data is processed directly by third parties (for example, in connection with registration for events organised by external organisers). In such cases, please refer to their privacy policies.
- Data Controller and Data Protection Officer (DPO)
The Data Controller is OGR-CRT S.C.P.A. (hereinafter also referred to as the “Controller”), with registered office at Via XX Settembre 31, Turin (Italy). The Data Controller has appointed a Data Protection Officer (“DPO”), who may be contacted at: privacy@ogrtorino.it.
- Purposes of processing, Legal basis and Retention periods
All personal data is processed in accordance with applicable EU and Italian legislation, including laws, regulations and provisions issued by competent authorities.
Below is an overview of the processing activities, grouped by area.
Website services
The Data Controller processes the personal data of users of the ogrtorino.it website in the following ways:
| Purpose | Legal basis | Retention period |
| a) Reserved area / Account registration | Performance of a contract or implementation of pre-contractual measures (Art. 6(1)(b) GDPR) | 5 years from the last login |
| b) Contact forms | Performance of a contract or implementation of pre-contractual measures (Art. 6(1)(b) GDPR) | 2 years from the request |
| c) Registration forms for events and initiatives | Performance of a contract or implementation of pre-contractual measures (Art. 6(1)(b) GDPR) | 2 years from the request |
- a) Reserved area / Account registration: personal data is processed for users’ account registration and administration, as a personal account is required to access the services available through the Controller’s digital platform. Personal data is processed to identify users, enable secure authentication and support the functionalities of the reserved area, including any personal preferences and settings. Users may also register through their Apple or Google accounts. Where this option is selected, personal data is not collected directly by OGR-CRT S.C.P.A. but is made available by the relevant providers at the Data Subject’s explicit request. In this context, Apple and Google act as independent Data Controllers, as they are responsible for the authentication process. For further information on the operation of social login features, please refer to Apple’s and Google’s privacy policies.
- b) Contact forms: personal data is processed to respond to requests for information, support or clarification submitted through the contact channels made available by the Controller on the Website. Processing is strictly limited to handling the specific request received.
- c) Registration forms for events and initiatives: personal data submitted through registration forms is processed to handle users’ participation in events and initiatives organised by the Controller, including the communication of organisational information, access control and any activities connected with the event.
Communications and Contacts
The Controller processes personal data for communication, information and marketing purposes as follows:
| Purpose | Legal basis | Retention period |
| a) Marketing communications | Consent of the Data Subject (Art. 6(1)(a) GDPR) | 2 years from consent |
| b) Press mailing list and Media accreditation | Legitimate interest of the Controller (Art. 6(1)(f) GDPR) | 2 years from the last contact |
| c) Soft spam communications | Legitimate interest of the Controller (Art. 6(1)(f) GDPR) and/or consent of the Data Subject (Art. 6(1)(a) GDPR) | 2 years from the last qualifying contact |
- a) Marketing communications: personal data is processed to send informational, promotional and commercial communications about the Controller’s activities, upon obtaining the Data Subject’s consent.
- b) Press mailing list and Media accreditation: personal data is processed to maintain relationships with media professionals and press representatives, including press accreditation activities and the distribution of press releases, informational materials and institutional updates.
- c) Soft spam communications: the Controller may use the Data Subject’s email contact details to send commercial communications concerning services or products similar to those previously used or requested by the Data Subject, in accordance with Article 130(4) of Legislative Decree no. 196/2003 (“Italian Privacy Code”) and applicable legislation. Data Subjects may object to such processing at any time, free of charge and through simple procedures.
.
Events
Personal data may be processed by the Controller in connection with the organisation and hosting of events, as follows:
| Purpose | Legal basis | Retention period |
| a) Ticketing of paid OGR events | Performance of a contract or implementation of pre-contractual pre-contractual measures (Art. 6(1)(b) GDPR) | 10 years from commencement of processing |
| b) Booking of free OGR events | Performance of a contract or implementation of pre-contractual measures (Art. 6(1)(b) GDPR) | 10 years from commencement of processing |
| c) Images taken during events | Consent of the Data Subject (Art. 6(1)(a) GDPR) | Please refer to the description below |
| d) Special categories of personal data (e.g. allergies) connected with events and initiatives | Consent of the Data Subject (Art. 9(2)(a) GDPR) | For the duration of the event and any related activities |
| e) Security and participation in OGR-CRT events | Legitimate interest (Art. 6(1)(f) GDPR) and compliance with a legal obligation (Art. 6(1)(c) GDPR) | 48 hours from the end of the event |
| f) Contacting event participants for feedback surveys | Legitimate interest (Art. 6(1)(f) GDPR) | 2 years from the request |
- Ticketing of paid OGR events: personal data is processed to enable the purchase of tickets for events organised by the Controller, including the handling of transactions, the issuing of admission tickets and any organisational communications connected with the event. The 10-year retention period is required to comply with applicable accounting and tax obligations arising from financial transactions.
- Booking of free OGR events: personal data is processed to handle bookings for free events organised by the Controller, including the registration of participants, the sending of organisational communications and event access control. Even in this case, the retention period takes into account any applicable record-keeping obligations.
- Images taken during events: personal data is processed to document events organised by the Controller, including through the collection of photographs and audiovisual content for communication and promotional purposes across OGR Torino’s institutional channels, including its website, social media channels and press materials. For events organised directly by the Controller, such content is collected with the consent of the Data Subject. In accordance with Article 14 GDPR, where OGR Torino receives from partners or third-party event organisers photographs or videos to be published on its channels, such publication takes place on the basis of the organiser’s declaration that the necessary legal basis for processing is in place. Anyone wishing to object to the publication of content concerning them may submit a written request to: privacy@ogrtorino.it.
- Special categories of personal data (e.g. allergies and other specific needs): any special categories of personal data – such as information concerning food allergies, intolerances or other specific health-related needs – are processed exclusively to ensure the Data Subject’s safe and appropriate participation in events and initiatives. Although providing such data is optional, it may be necessary to accommodate the specific needs declared by the Data Subject.
- Security and participation in OGR-CRT events: personal data is processed for security purposes, access control and event organisation activities, as well as to comply with applicable legal and regulatory obligations. Such processing is necessary to ensure the proper and safe conduct of activities and the protection of individuals and premises. Data collected for these purposes is retained for no longer than 48 hours following the end of the event, unless otherwise required by law.
- Contacting event participants for feedback surveys: personal data is processed on the basis of the Controller’s legitimate interest in improving the services provided and assessing the quality of organised events, including those held at OGR. Survey responses are collected and analysed anonymously and do not allow the identification of respondents.
OGR KEY Membership Programme
OGR Torino operates the “OGR KEY” Membership Programme, designed to encourage engagement and provide access to dedicated services and benefits.
| Purpose | Legal basis | Retention period |
| a) Administration of the OGR KEY Membership Programme | Performance of a contract (Art. 6(1)(b) GDPR) | 2 years from the access |
| b) Sending of personalised communications (profiling) | Consent of the Data Subject (Art. 6(1)(a) GDPR) | 2 years from consent |
| c) Payment processing activities | Fulfilment of a request made by the Data Subject (Art. 6(1)(b) GDPR) | 10 years from commencement of processing |
- a) Administration of the OGR KEY Membership Programme: users may access a personal area on the Website, through which they may purchase the membership option best suited to their needs. The Programme provides access to exclusive services, sections and benefits offered by OGR Torino and selected partners. Processing activities include contact details, personal identification data and information about the Programme. Participation in the Programme is entirely voluntary. For the implementation of certain initiatives and the provision of benefits under the Terms and Conditions, OGR Torino may work with selected partners, to whom only the personal data strictly necessary for such purposes is disclosed. The Membership Programme has a duration of one year; membership holders’ personal data is deleted 2 years after the last access to the Programme.
- b) Sending of personalised communications (profiling): profiling activities are limited to analysing information such as declared interests, age and occupation for the purpose of personalising communications. Where consent for profiling is not provided, users will continue to receive general communications sent to all users, as well as communications about their selected areas of interest, with no profiling activities being carried out.
- c) Payment processing activities: personal data is processed to enable payments for tickets, products or services offered by the Data Controller. Processing is limited to the information strictly necessary to complete the transaction. Payments are processed through external payment providers, including Satispay and PayPal, which act as independent Data Controllers and independently process the data required to complete payment transactions in accordance with applicable legislation. For further information, please refer to the privacy policies of: Satispay and PayPal.
Additional processing purposes
| Purpose | Legal basis | Retention period |
| a) Invoicing and accounting | Legal obligation (Art. 6(1)(c) GDPR) | 10 years from commencement of processing |
| b) Compliance with obligations imposed by law, regulations, EU legislation or orders issued by competent authorities | Legal obligation (Art. 6(1)(c) GDPR) | 10 years from commencement of processing |
| c) Internal whistleblowing reporting channel | Please refer to the relevant privacy policy | Please refer to the relevant privacy policy |
| d) Customer and supplier administration | Performance of a contract and/or compliance with a legal obligation (Art. 6(1)(b) and (c) GDPR) | 10 years from termination of the relationship |
- Invoicing and accounting: personal data is processed to issue invoices and credit notes, as well as to handle related accounting documentation, in compliance with applicable tax and administrative obligations. Processing is limited exclusively to the data required to fulfil such obligations and ensure the proper maintenance of accounting records.
- Compliance with legal obligations: personal data is processed to comply with obligations imposed under applicable legislation, including tax, accounting and administrative obligations, as well as to respond to requests or orders issued by judicial authorities or other competent public authorities.
- Whistleblowing: processing activities connected with the handling of internal whistleblowing reports are governed by a dedicated privacy policy, available at: https://ogrtorino.whistlelink.com/
- Customers and suppliers: personal data of customers and suppliers (whether individuals or representatives of legal entities) is processed for the administration of contractual and pre-contractual relationships, the performance of contractual obligations, and compliance with applicable tax, accounting and administrative obligations.
2.1 Cookies and Website navigation
The ogrtorino.it website uses technical cookies, which are necessary for the operation of the Website and cannot be disabled, as well as analytics and profiling cookies, which require the Data Subject’s consent. For detailed information on the types of cookies used, the third parties involved and the applicable retention periods, please refer to the Cookie Policy available in the Website footer.
.
2.2 Social Media
Where third-party tools (such as plugins, widgets or tracking pixels) are used to install cookies on the Data Subject’s device, responsibility for providing information and obtaining consent for such cookies lies with the relevant third-party providers. Please refer to the privacy and cookie policies of: Meta (Facebook/Instagram) and LinkedIn.
- Processing methods and provision of data
Personal data is processed using electronic tools in accordance with the confidentiality and security principles set out in the GDPR. Appropriate technical and organisational measures are adopted to prevent unauthorised access, loss or unlawful use.
Provision of personal data required to access the services described above is mandatory to the extent that, without such data, it would not be possible to provide the services requested. This means that Data Subjects are free not to provide their data, although this may prevent the proper provision of some services. Unless otherwise expressly stated, processing of such data does not require a Data Subject’s consent and is strictly necessary to fulfil a request made by that Data Subject. Where processing is based on consent, Data Subjects may withdraw their consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal of consent.
- Disclosure of data to third parties and data transfers
Personal data may only be accessed by persons authorised by the Controller in accordance with Article 29 GDPR. In addition, personal data may be accessed by entities acting either as independent Data Controllers (for example, public authorities) or as Data Processors under Article 28 GDPR (for example, service providers supporting the Controller in the administration of the Website, as well as professionals and consultants appointed by the Controller). To obtain an updated list of the entities that may have access to personal data, requests should be sent by email to: privacy@ogrtorino.it.
The Controller ensures that personal data is not disclosed in ways inconsistent with the purposes described above. Personal data processed by the Controller may also be transferred to third countries or servers located outside the European Economic Area (EEA). Where transfers outside the EEA are necessary, the Controller ensures that such transfers take place only where an adequacy decision has been adopted by the European Commission or where other appropriate safeguards required under applicable data protection legislation are in place, including through the adoption of standard contractual clauses.
- Your rights
The exercise of the rights set out in this section is not subject to any formal requirements and is entirely free of charge, except where requests are manifestly unfounded or excessive, as provided for under Article 12(5) GDPR.
In connection with the processing activities described in this Privacy Policy and in accordance with the GDPR, Data Subjects may exercise the following rights:
- right of access to their personal data and to the information referred to in Article 15 GDPR
- right to rectification of inaccurate personal data and completion of incomplete data
- right to erasure of personal data, except where such data must be retained by OGR-CRT S.C.P.A. in accordance with legal obligations or where overriding legitimate grounds for processing apply
- right to restriction of processing in the cases provided for under Article 18 GDPR
- right to object to the processing of personal data, without prejudice to cases where processing is necessary for the establishment of a contractual relationship
- right to withdraw consent (where given) in relation to non-mandatory processing activities, without affecting the lawfulness of processing carried out prior to withdrawal of consent
As a Data Subject, you also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or with the supervisory authority of the EU Member State in which you habitually reside or work, or where the alleged infringement occurred, in relation to any processing activity you consider non-compliant. Requests concerning the exercise of the rights referred to above should be sent directly to the Controller by email at: privacy@ogrtorino.it.
In accordance with Article 14 GDPR, in some cases personal data – including photographs – may be received from partners involved in events and initiatives held at OGR Torino. In such cases, the partner concerned is responsible for ensuring that an appropriate legal basis for the transfer is in place. OGR Torino carries out sample checks and displays appropriate notices on site. However, anyone wishing to object to such processing may do so by sending an email to: privacy@ogrtorino.it.