Privacy protection is important to us. This Cape Epic (Pty) Ltd Event Registration and Participation Privacy Policy ("Privacy Policy") describes how we process personal information through your registration and participation in our Events. Extraneous processing of personal information is also dealt with although separate policies may be applicable.
When we use the term "personal information" we mean any data that identifies you or makes you identifiable as a natural person.
When we use the term "Events" we mean the sport events, races and competitions listed in Annex 1. These Events include, without limitation, the FNB Wines2Whales and Absa Cape Epic.
This Privacy Policy applies only to our processing your personal information after registration has been finalised.
We maintain one or more privacy policies for the processing of data related to the use of our website (www.epic-series.com), our marketing activities, and our social networking pages, profiles, and feeds. You can find this policy/these policies in the footer of our website/s. For our merchandising activities, please see the policies on our Cape Epic (Pty) Ltd store website (https://cape-epic.shop/ and https://wines2whales.store). The provisions of this Privacy Policy also apply to Cape Epic (Pty) Ltd volunteer activities, crew, management of sponsors and media accreditation.
It is important to note various definitions under the Processing of Personal Information Act 4 of 2013 (“POPIA”). These definitions are used throughout this Privacy Policy -
“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person
“Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information
“Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party
“Data Subject” means the person to whom personal information relates
1. Who is the Responsible Party of your Personal Information?
Cape Epic (Pty) Ltd organises the Event for which you have registered. We own and operate our registration database system.
Our third party service providers are regulated using service provider agreements setting out inter alia what information the service provider is able to process in the rendering of their services.
Outside of an Event, typically the party that you contract and/or otherwise deal with is the Responsible Party.
2. What Personal Information do we collect?
In the context of our Events, we collect personal information about you. Please see Annex 2 for a detailed description on the personal information we collect. On a more general level, the personal information we collect can include the following:
We do not collect or store participant rider credit card information. Credit card payments are currently facilitated and processed by DPO Paygate and Cybersource.
In respect of volunteers, employees and/or applicants: we process the personal information of volunteers, employees, job applicants and others. The personal information of these parties (including landowners, charities, media, e-commerce store customers and similar) may be retained for a period following submission depending on our possible or anticipated level of interest in the applicant for future positions or roles. The personal information of employees is processed regularly in the performance of our contractual and other obligations to our employees. We may retain the personal information of employees following the termination of an employment relationship for legal, tax or other reasons. Security protocols are applied to the processing of employee personal information. The aforegoing similarly applies to sponsors and service providers and similarly referenced persons/parties to the extent applicable.
3. How do we collect your personal information?
Personal information you provide to us: You must provide us with your consent upon accessing the Cape Epic (Pty) Ltd website and when creating an online profile. Opt-in/opt-out options also become accessible at this point permitting or preventing additional services, enhancements and the like. Most of the personal information we receive is voluntarily provided by our riders in the course of registering for an Event. Similarly, volunteers, service providers and/or sponsors may provide us with personal information, also typically in relation to the rendering of services, fulfilling a role or rendering certain contractual obligations in respect of an Event.
Our registration system is only accessible by an authorised person holding the required level of administrator credentials. We use a tiered permission structure granting limited access and function depending on the credentials of the accessing person. See paragraph 7 below for more.
Riders are free to choose which information you want to provide to us or whether you want to provide us with personal information at all. However, some information, such as information requested in the registration procedure and information collected during the Event may be necessary for the performance of our contractual obligations in the context of your Event participation. Without providing this personal information, you will not be able to enter into a contract with us by registering for our Events.
Other parties may supply personal information to us voluntarily and/or as part of a contractual obligation (or in the conclusion of a contract) whereafter the information may be processed in the performance of our contractual obligations.
4. Why and on which legal basis do we collect and use your personal information?
The reasons for using your personal information may differ depending on the purpose of the collection. Please see Annex 2 for a detailed description on the purposes for which we use your personal information (which annex typically applies to our Events). On a more general level, we regularly use your personal information for the following purposes and on the following legal grounds:
This also includes our e-mail marketing activities. If you sign up to our e-mail newsletter during registration, we will use your personal information for our e-mail newsletters. You may unsubscribe from our e-mail newsletter at any time [unsubscribe from this list]. You may also contact us via e-mail, phone or mail at the address provided at the end of this document to request that we remove you from our e-mail list. Cape Epic (Pty) Ltd (typically) only contacts its riders via email correspondence.
We will only use your personal information for the purposes for which we have collected it.
5. With whom do we share your personal information?
As required in accordance with how we use it, we will share your personal information with third parties. Please see Annex 2 for a detailed description of the third parties and the personal information we might share with them. On a more general level, we share your personal information with the following categories of third parties:
6. How long do we keep your personal information?
We will store personal information for as long as necessary to fulfill the purposes for which we collect personal information, in accordance with our legal obligations and legitimate business interests. Afterwards, or at the end of the statutory retention times, the pertinent personal information will be stored on our database to ensure continuous data retrieval, to the benefit of the client, in line with our Loyalty Program. However, extraneous and/or unnecessary information will be deleted as applicable. For example, legislation, tax and/or legal requirements, may require us to retain certain information for up to 10 years.
7. How do we protect your information?
We implement a variety of security measures to maintain the safety of your personal information. However, no system of security can be 100% secure and so we cannot guarantee in all cases the security of the information that we process. In the event we learn that personal information is compromised as a result of a breach of security, we will take steps to investigate and comply with notification obligations and take other steps, in accordance with applicable laws and regulations.
The majority of collected personal information is processed and stored digitally/electronically. Certain personal information may be collected, processed and/or stored in physical format in certain instances where electronic/digital processing is not possible or practical, for example, in late rider substitutions in our Events.
We typically apply three types of security protocols in the processing of personal information, physical, electronic or procedural, or a combination of such protocols, depending on the format of the information. Information held in hardcopy (paper or similar) format is secured by means of physical security. This means that the premises at which the information is held are secured by lock and key, security alarm, armed response or similar.
Where information held in electronic format is processed, depending on the systems used in such processing, we may apply various protocols: Data: Incorporating the use of DLP tools/software adds a layer of protection by restricting the transmission of personal data outside the network. All workstations and laptops are password protected (strong multicharacter passwords, regularly changed), a firewall is used to prevent unauthorised network access and storage drives are encrypted where necessary and/or possible (firewall on servers and 2FA on MS Office 365/Dropbox). Spam detection for emails using Mimecast and MS Office 365. SOPHOS security is used on our electronic devices. We may also use encryption and pseudonymisation: pseudonymisation, or the processing of personal information so as to anonymise such information, may be used where applicable and may include field level encryption in databases, encryption of entire data stores at rest, as well as encryption for data in use and in transit.
Procedurally, identity and access management controls limit access to personal information for authorised employees. The two key principles applied are separation of duties and least privilege and help ensure that employees have access only to information or systems applicable to their job function. Only those who need access to certain personal information to perform their duties have access. Access is secured by means of identity and password. In certain instances, users with access may be further restricted to viewing rights only.
Awareness of a possible security compromise will trigger the implementation of various notifications. As soon as is reasonably possible, upon there being reasonable grounds to suspect a compromise, the Information Officer will advise the Information Regulator (in accordance with the provisions of POPIA) and, where possible, the data subject. Both will be notified in the manner/s set out in POPIA. Further instructions from the Regulator in respect of notification will be executed as required.
8. How do we safeguard your personal information when there is an international transfer?
In the event of any international transfer of personal information, the provisions of POPIA would be followed thus ensuring that the receiving party would use the same or similar standards to those set out in POPIA.
9. What rights and choices do you have?
We want you to understand your rights and choices regarding how we may use your personal information.
Individual rights. You have specific rights under applicable privacy law in respect to your personal information that we hold, including a right of access and erasure and a right to prevent certain processing activities.
Under POPIA, you, the data subject, have the following rights in respect to your personal information that we hold:
(a) to be notified that—
(i) personal information about him, her or it is being collected as provided for in terms of section 18; or
(ii) his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
(b) to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;
(c) to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
(d) to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
(e) to object to the processing of his, her or its personal information—
(i) at any time for purposes of direct marketing in terms of section 11(3)(b); or
(ii) in terms of section 69(3)(c);
(f) not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
(g) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
(h) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
(i) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99 (of POPIA).
If you wish to exercise one of these rights, please contact us using the contact details below.
For e-mail marketing, we provide the following easily usable option:
10. How to contact us?
If you have any questions or concerns about our Privacy Policy or if you want to exercise your rights, please contact us using the address at the beginning of the Privacy Policy or contact the organiser of the Event, whose contact details you will find in Annex 1. You can also send an e-mail to: privacy@epic-series.com.
11. Information Officer
Cape Epic (Pty) Ltd has appointed Information Officers. Please find the names and contact details of the Information Officers in Annex 1.
12. Online Privacy Policy Updates
We may make changes to our Privacy Policy from time to time. Please review our Privacy Policies regularly as updated Privacy Policies will apply to future Events.
Organising Entity |
Information Officer |
List of Events
|
Cape Epic (Pty) Ltd |
Michael Flinn |
FNB Wines2Whales |
Cape Epic (Pty) Ltd |
Michael Flinn |
Absa Cape Epic |
Cape Epic (Pty) Ltd |
Michael Flinn |
Mountain Ultra Trail by UTMB |
(Please note that the list is subject to change from time to time and is not exhaustive)
Categories of Personal information |
Purposes of Use and Legal Basis for Processing (in brackets) |
Recipients |
Name Home address Identity / passport number Country representing E-mail address Phone number Membership in a national triathlon/endurance sport organisation |
|
Business Support Vendors: Vendors that provide Cape Epic (Pty) Ltd with business support software, including e-mail account applications, spreadsheet and word editors, presentation programs, data storage and management applications, and IT security software. These vendors may, by contract, only process data on behalf of Cape Epic (Pty) Ltd. Marketing Vendors: Vendors that provide marketing services for Cape Epic (Pty) Ltd – either by marketing software applications or by external marketing management. These vendors may, by contract, only process data on behalf of Cape Epic (Pty) Ltd. Analytics Vendors: Vendors that provide Cape Epic (Pty) Ltd with applications or software to analyze or enhance personal information. These vendors may, by contract, only process data on behalf of Cape Epic (Pty) Ltd. Event Photographer Name is made public in rankings, results and Event registration lists. |
Gender Date of birth Team registration |
|
Business Support Vendors Analytics Vendors Gender is made public in rankings, results and Event registration lists Timing Service Provider: Service provider responsible for timing during the Event. Provider also responsible for bib allocation and specification of race category classification. |
Bib number Race category classification |
|
Business Support Vendors Event Photographer for allocation of photos Medical Teams for medical support Race category classification is made public in rankings, results and/or Event registration lists Bib/race number is made public in Event registration lists and results |
Medical condition Current medications Allergies to medications Medical aid provider and number Blood type Any previous medical attention during an endurance event Mental/physical condition Emergency contact |
|
Emergency contact information is collected and may be used by Cape Epic (Pty) Ltd Mediclinic collects, processes and stores all rider information. Personal information is collected directly from the rider by way of Mediclinic’s website. The personal information is processed with Mediclinic as Operator. The personal information does not pass to any third party.
|
Information on incidences occurring during or in the context of the Event |
|
Local Medical Team, hospitals, lawyers, other riders/athletes and others: only to the extent needed for the medical treatment and legal issues resulting from an incident during the Event. Business Support Vendors |
Nationality (optional) Additional "Tell Us Your Story" – Information shared by you during registration (optional)
|
|
Nationality and ranking are made public Business Support Vendors |
Race results (race time) |
|
Race results are made public (public rankings) Business Support Vendors |
Subscription to e-mail newsletter (optional) |
|
Marketing Vendors Business Support Vendors |
Opt-in to be contacted by Event Photographer (optional) Donation to charity (optional) Additional purchases (Event photos, engraved medals, Cape Epic (Pty) Ltd merchandise) (optional) |
|
Event Photographer Charities Other service providers whose products or services you order Business Support Vendors Merchandise Partners providing Cape Epic (Pty) Ltd with products or sending products directly to you. These partners may, by contract, only process data on behalf of Cape Epic (Pty) Ltd. |
Occupation (optional) Employer (optional) Job title (optional) Industry
|
|
Business Support Vendors Analytics Vendors |
Information on your communication with us (such as asking questions, cancelling a registration) |
|
Business Support Vendors
|
Information collected in the context of anti-doping testing |
|
All information is uploaded in the Anti-Doping Administration and Management System, in accordance with the rules of the World Anti-Doping Organization. Results are potentially visible to other Anti-Doping Organisations |
Name Gender Age Nationality Race time Location Picture Previous Race History/Results |
|
Tracking App Provider, which may, by contract, only process data on behalf of Cape Epic (Pty) Ltd. Made public on Cape Epic (Pty) Ltd’s website www.epic-series.com Business Support Vendors |