Privacy policy

• ATHLETIC CLUB
• Postal address: Alameda de Mazarredo 23, 48009 Bilbao
• E-mail: [email protected]
• Phone number: (+34) 94 424 08 77

2.1. Obtained from the data subject.

If you are a member, supporter, or assignee of another member’s membership card, or user of our website, you have provided data yourself, either off-line or on-line, when applying for membership or registration, or any of our products or services (tickets, products from our on-line shop, visiting the museum or the stadium, etc.), or contacting us for information.

By providing us with your data, you warrant that you are entitled to do so, and that the information is accurate, up to date, and does not infringe any contractual restrictions or third party rights. You are responsible for keeping your data accurate and up-to-date, and ATHLETIC CLUB accepts no responsibility if you do not do so. You undertake not to impersonate other users by using their registration data for the different services and/or contents of the website.

2.2. Obtained automatically when visiting our website:

We collect information through cookies and other tracking and web analytics technologies when you visit our website.  That means that data are sent from your browser to our servers to optimise our services and improve your user experience. Such data may be collected and stored automatically by us or by third parties on our behalf.  Please check out our cookie policy.

• Internet retargeting technology:

Our website does NOT use internet retargeting technology, but we do use such technologies on Google, social networks, etc. We believe that showing personalised advertising, based on your interests, is more interesting for our partners/supporters than advertising that does not have a personal connection.

To do this, we work with companies that use tracking technologies to display ads from us on the internet. Retargeting technologies may collect information about your visits to our website or mobile applications and your interaction with our communications, including advertising. They analyse their cookies to show you advertising based on your browsing behaviour, both on our website and on other third-party sites. We do not store any personal data about you using this technology, as it is stored in your own browser.

• Localisation services:

In relation to this, we use location-based services to help you find the nearest Athletic shop through mobile applications such as Google Maps and Bing Maps.  To facilitate this process, we load an image into the application, and save the map image and route data on our server. If you use these mobile apps, they can receive information about your actual location (such as GPS signals sent by a mobile device) or information that can be used to approximate your location. Generally, you can enable or disable your location services in your device or browser settings. For more information about Google Maps and Bing Maps please see their privacy policies.

2.3. Obtained from someone other than the data subject.

It is possible that your data have not been provided to us directly by you, but by a third party to whom you have previously provided such data. For example: Someone who decides to associate you, the president of a supporters’ club who provides details about its members, clubs or entities or organisations with which we reach agreements to develop social, cultural or sporting projects, etc. In such cases, the types of data we may process are mainly identification data and, in some cases, data on personal characteristics, or data on social circumstances.

With respect to the data of other people, you must respect their privacy, taking particular care when passing on or publishing their personal data. Only the data subject may authorise the processing of their personal data.  In addition to infringing the legislation on data protection, the publication of third party data without their consent may also infringe legislation relating to the right to honour, right to privacy or the right to self-image of third parties.

It is the responsibility of those who provide data of third parties: a) to have their prior and express consent to use them, and b) to inform them of how we will process their data. By accepting this privacy policy, whoever provides third party data expressly warrants that they have the authorisation to provide such data, exonerating us from any liability in the event of any claim by the data subject.

The types of data we process may include:

• Obtained from the data subject: identification data (name and surname, ID card number, VIP username and password, membership code, image, etc.), contact data (phone number, postal address, e-mail address, invoice or delivery address); commercial and financial data (information about the products ordered, customer history, and data needed to pay fees by direct debit (bank account). We do not keep information on online transactions, as this information is only managed by the entity that owns the payment gateway.
• Obtained automatically when visiting our website: IP address of the user, the date and time of the visit, the URL of the site from which the user came, the pages visited on our website, information about the browser used (browser type and version, operating system, etc.). Also, online profile data (information about preferences and interests, browsing or purchasing habits, the commercial transactions that have taken place or information you requested), in order to send you personalised information or exclusive campaigns, etc.
• Passed on by a third party: identification data; data on personal characteristics; data on social circumstances.

Special categories of data:
We do not process special categories of data on this website.

Data relating to minors:
If you are under the age of 14 and would like to provide us with your data so that you can use our web services, request our services or products, or take part in any of the activities we offer, you can register on the ATHLETIC CLUB websites and apps only with the permission and consent of your parents. Ask them to help you fill in the forms where we ask for your personal details.

Parents of children under the age of 14 must prevent minors in their care from accessing the web pages and apps and/or providing personal data without their supervision, and the Club accepts no responsibility in this regard.

If we find that a child under the age of 14 has registered without authorisation, we may ask their parents or guardians to send the appropriate documents proving that they have given their permission. If not, the user or registration will be deregistered as soon as possible.

If parents, guardians or legal representatives of minors detect unauthorised data processing, they may submit their complaints or queries to [email protected].

We may process the data you provide us together with all the data generated during the course of our relationship with you for different purposes, under different legal grounds:

• Purpose 1: If you are a member or supporter of the Club, a member of a supporters’ club, an assignee of another member’s membership card: to stay in contact and for communication reasons, to manage the contractual relationship and the rights and obligations of members, and/or registration or participation in activities or events, as well as for access control and compliance with the regulations on the prevention of violence in sports venues. Legal grounds: fulfilment of the legal or contractual relationship that links us to you.
• Purpose 2: If you purchase any of our products or tickets: to manage the contractual and/or commercial relationship, including after-sales and warranty services. Legal grounds: compliance with the legal or contractual relationship that links us to you and/or compliance with a regulation that affects us: fiscal, tax, consumers and users, prevention of violence in sports venues, etc.
• The provision of the requested data is obligatory as they are essential for executing and/or maintaining the contractual or pre-contractual relationship and complying with the legal obligations resulting from it; if you do not provide such data, we will not be able to provide the service deriving from said relationship.
• Purpose 3: If you are a user of our website, or a sender or recipient of an e-mail: to manage your online requests and to stay in contact and keep in touch with you. Legal grounds: legitimate interest
• Purpose 4: To carry out opinion and/or satisfaction surveys and raffles and promotions for our members and supporters, participants in activities and/or events … Legal grounds: legitimate interest
• Purpose 5: To share your data with the Athletic Foundation, in accordance with General Data Protection Regulation 48, when it is necessary to provide a service that requires the communication of data between both entities. Legal grounds: legitimate interest
• Purpose 6: If you attend or take part in activities, events, competitions or sporting, social or cultural projects that we may promote or organise: to manage the registration and/or participation in these activities, and to stay in contact and keep in touch with you. For competitions, including the publication of the winner’s identification and image data, only in connection with the competition in question. Legal grounds: Consent of the data subject.
• Purpose 7: Image capture and dissemination: we also inform you that photographs or videos may be taken at activities or events organised by the Club or the Foundation, in order to provide information and publicise the activity, and to document it as part of the audiovisual memory of the Club/Foundation. Legal grounds: Legitimate interest (in the case of images in the ground, at matches, as they are public events, or open to the public, constitute graphic information about them, and the images of people are merely ancillary to the event itself). Consent of the data subject, in other cases.

Said contents may be published on the internet (on this website, on our social media profiles, etc.), on paper (reports, brochures, programmes, magazines, advertising and information posters and other printed material, etc.), as well as on the Club’s own premises.

If you do not want your image to be captured or disseminated, please let us know if possible at the time the image is captured or by sending an e-mail to [email protected], so that we can respond to your request as a matter of priority.

• Purpose 8: To send you information about our activities, products and/or services similar to those you requested by means of electronic communications. If we already have a prior contractual relationship, the legal grounds will be our legitimate interest. Otherwise, we will only send you these types of communications if you authorise us to do so by ticking the option that we expressly include on the corresponding forms, or if you authorise us to do so in the preferences centre. The legal grounds in the latter case is the consent of the data subject. The electronic communications we send you will include an option to stop receiving such communications.
• Purpose 9: To draw up a commercial profile based on the information you provide us and the information obtained from your browsing. This helps us to get to know you better and to tailor the information we send you to your preferences. To do so, we will use certain criteria (such as, your customer history, your browsing behaviour, participation, and your interactions on our website [visits, specific clicks on the site or its ads, downloads, etc.], your requests for information, your newsletter subscriptions, etc.), to provide you with personalised information, based on your profile. Legal grounds: legitimate interest.

We may make automated decisions based on that profile. However, the only consequence for you resulting from these automated decisions will be to send you personalised information, so we understand that this does not have a significant impact on your rights (as it has no legal effect on them). Nor does it affect you significantly in a similar way, or have a discriminatory effect, which is why these profiles are based on our legitimate interest.

• Any comments you make on ATHLETIC CLUB’s social media profiles may be published on our website, along with any photographs included in those comments.

• When the legal grounds are based on consent, you may withdraw this consent at any time by sending us an e-mail to that effect to[email protected]. This withdrawal does not affect the processing of your data for the rest of the purposes described above.
• If the processing of your data is based on our legitimate interest, we consider this to be proportionate and to have a minimal impact on your privacy, but your interests, rights or freedoms will always prevail over our legitimate interest, so if you do not want us to process your data for these purposes, please send us an e-mail to [email protected] and we will act accordingly.
• Specific information regarding legitimate interest as a legal basis for sending information about our activities, products and/or services similar to those requested to members, supporters and online purchasers on our website by means of electronic communications:
  – This legitimate interest is foreseeable for the data subject as a member, supporter or customer.
  – The impact of the processing on data subjects is very limited.
  – We have a procedure for sending commercial communications in order to comply with data protection regulations.
  – We have analysed the weighting of this legitimate interest, which can be requested by the data subject, who can always express their opposition to the sending of these communications. Therefore, we consider that sending commercial communications is proportionate and has a minimal impact on privacy, but your interests, rights or freedoms will always prevail over our legitimate interest, so if you do not want us to process your data for these purposes, please send us an e-mail in this regard to [email protected] and we will act accordingly.

• Specific information on legitimate interest as a legal basis for capturing images. – This legitimate interest is foreseeable for the data subject since at events/activities the participant can reasonably expect us to capture/disseminate images that are merely incidental to the event/activity to graphically document it.- We have a procedure for capturing and disseminating images to comply with data protection regulations and minimise the data to be processed.- We have analysed the weighting of this legitimate interest, which can be requested by the data subject, who can always express their opposition to the capture/dissemination of their image. Therefore, we consider that the capture of images at these activities or events is proportionate and has a minimal impact on privacy, but your interests, rights or freedoms will always prevail over our legitimate interest, so if you do not want us to process your data for these purposes, please let us know at the event/activity itself or send us an e-mail in this regard to [email protected] and we will evaluate your request.

We will keep the personal data you provide us with for the duration of the contractual, pre-contractual or commercial relationship and, once these are terminated, for as long as the data subject does not request their deletion. Even if deletion is requested, we may keep them for as long as necessary, and limit their processing, solely for the following purposes:

• To comply with the legal/contractual obligations to which we are subject,
• and/or during the statutory periods of limitation of any liability on our part,
• and/or the exercise or defence of claims deriving from the relationship maintained with the data subject.

In coordination with the above criteria, the deletion of personal data either in computerised records or on paper may be carried out, at the organisation’s discretion, depending on logistical and/or storage space requirements that make it advisable to delete information or documentation.

The data you provide us may be disclosed to third parties to fulfil purposes directly related to the legitimate functions of the transferor and transferee, such as:

1. Banking institutions for managing collections and payments.
2. Entities or bodies to which there is a legal obligation to disclose data: for example,
   1. the Tax Administration, for compliance with fiscal and tax obligations;
   2. Third parties who impose the anti-violence regulations and the Professional Football League for security, access control and compliance with anti-violence regulations in sports venues: for example, the opposing team when our supporters travel to their ground, UEFA and FIFA, security forces and bodies, etc.

3. If you are a participant in one of our competitions, the details of the winners will be passed on to the companies responsible for providing the prize and, where appropriate, we may pass on details of the participants to the jury, although we will endeavour to send them pseudonymised.
4. Transport companies: responsible for the logistics of shipping and delivering our services and products.
5. We will pass data between the Club and the Athletic Foundation, when necessary, in order to manage the benefits or rights to which the member or supporter is entitled.
6. The Professional Football League, as owner of the membership management programme.
7. Third party collaborators and sponsors: to carry out commercial actions on their behalf, provided that you have given your consent via the form established for this purpose. However, you can withdraw your consent by sending an e-mail to [email protected]

ATHLETIC CLUB will ensure that personal data is always processed and located in the European Economic Area. However, in certain circumstances, we may make international transfers of data, for example, where it is necessary to enter into or execute a contract, in the interest of the data subject, between ATHLETIC CLUB and another natural or legal person; or where it is necessary to execute a contract between the data subject and ATHLETIC CLUB, for example when using service providers located outside the European Union, who may have access to personal data to provide ancillary services to our business (hosting, housing, SaaS, remote backups, IT support or maintenance services, e-mail managers, sending e-mails and e-mail marketing, file transfer, etc.) or to execute pre-contractual measures taken at the request of the data subject.

These entities may be different and vary over time, but we will endeavour to choose entities from countries with a level of protection equivalent to the European level of data protection, or which have the appropriate guarantees to achieve this level, or on the basis of one of the exceptions provided for in the GDPR.

• Use of Whatsapp instant messaging

In the event that we provide you with an instant messaging app to facilitate communication with you, please use it responsibly, read the privacy policy of the app and configure it according to your preferences before sending information with personal data by such means.

Although these types of instant messaging apps can be useful in certain circumstances, we would like to remind you that the information you post on the internet is accessible to many known and unknown people, so there is a risk to your privacy and the privacy of others.

We recommend that you do not provide personal, private and/or intimate information or information that you want to keep confidential, as there are more secure ways to do so.  We cannot be held responsible for the functioning and availability of the service as it is not provided by us but by third parties.

• Use of social networks

• Users have the opportunity to join the Club’s pages or groups on different social networks. Please note that unless the Club requests your data directly (e.g. to answer enquiries in a private environment), your data will belong to the relevant social network. Therefore, users are advised to carefully read the terms and conditions of use and privacy policies of the relevant social network, and to ensure that they set their preferences regarding the processing of their data.
• Social network features incorporated into our website

Our services may include certain social network features and widgets, such as the “Facebook Connect” connection button, the “Like” button, the “Share” button and other common interactive social media mini-programs.  We shall not be held responsible for the proper functioning of these.

The provision of certain registration data (or their use if you are already registered as a member or supporter and mark the corresponding option on the registration form, or data from your Facebook profile if you use the Facebook Connect option to register) shall be compulsory in some cases: for example, to access certain services or content, such as online shopping, online supporter, contact, VIP area, access to view or download audiovisual content … as these data are essential requirements for processing for the purposes described further above in this section. Failure to provide the information will mean that we cannot carry out the services requested.

• Rules for using social networks:

Please note that if you decide to take part, publish or share content through our official page on a social network, such content will be public, and it will be your sole responsibility to ensure that such content complies with legal regulations.

You can prevent your personal data associated with this participation from appearing by configuring your privacy settings, or by pseudonymising your data (e.g. by using a nickname or alias).

We would like to remind you that, with regard to other people’s data, you must respect their privacy and take special care when communicating or publishing their personal data. Only the data subject may authorise the processing of their personal data.

The user may only publish personal data, photographs and information or other content that belongs to them or for which they are authorised by a third party on this website or on our official social media page. If you publish data of third parties, it is your responsibility to have their prior and express consent to use and publish them. In addition to infringing the legislation on data protection, the publication of third party data without their consent may also infringe legislation relating to the right to honour, right to privacy or the right to self-image of third parties.

In any case, we may remove any content published by a user from this website and from our social media pages when we detect that the user has violated current legislation and the provisions of this privacy policy.

Social networks are not hosted directly on our services. Your interaction with these social networks is governed by their policies, not ours. Read the privacy policies of these social networks for more detailed information about the process of collecting and transferring your personal data, your rights and your privacy settings.

• Data we collect through social networks

We collect data through these applications, in particular through functional and analytical cookies to enable them to function properly.  These cookies may collect information about your IP address, or your browsing.

In addition, if you log in to one of these social networks during a visit to one of our websites or mobile applications, the social network may add that information to your profile and that information will be transferred to the social network. If you do not want this data transfer to take place, please log out of the social network before entering our websites or mobile apps, as we have no influence over this data collection and transfer via social plug-ins.

• Showing other third party sites on our website

Likewise, we can offer third-party content or services through our website (using framing techniques), preserving the appearance of our website, and displaying the appearance of the third party providing the service within it. Please note that the information you provide will be supplied to those third parties, not to us, and therefore the policies of those third parties will apply, not ours.

Where applicable, you may exercise your rights of access, rectification, deletion, limitation and opposition to your data being processed, and other rights, at the postal or e-mail address stated at the beginning of this privacy policy, in both cases by means of a written and signed request, attaching a copy of your ID card or passport or other valid document that identifies you. If you wish to modify your data, you must notify us at the same address, with the Club disclaiming all liability if you fail to do so.

• Right of access: You can ask us what personal data we are processing and even ask us for a copy of them.
• Right of rectification: You can ask us to rectify inaccurate personal data or to complete those which are incomplete, including by means of an additional statement.
• Right of erasure (right to be forgotten): You can request us to delete your personal data when: they are not necessary for the purposes for which they were collected, you withdraw your consent, they have been unlawfully processed or to comply with a legal obligation.
• Right to limitation of processing: You can request us to limit the processing of your personal data, in which case we will only retain them for asserting or defending claims.
• Right of opposition: You can object to the processing of your data if such treatment is based on the legitimate interest of the person responsible for the processing or it is for advertising purposes.

Once we have received any of the above requests, we will respond to you within the legally established time frames. You may make a complaint to the Spanish Data Protection Agency. If you would like more information about the rights that you may exercise and to request the forms required to exercise your rights, you can visit the website of the Spanish Data Protection Agency at www.aepd.es