skip navigation

Cape Epic & Wines2Whales Privacy Policy

Cape Epic (Pty) Ltd Event Registration and Participation Privacy Policy

 

Privacy protection is important to us. This Cape Epic (Pty) Ltd Event Registration and Participation Privacy Policy ("Privacy Policy") describes how we process personal information through your registration and participation in our Events.  Extraneous processing of personal information is also dealt with although separate policies may be applicable.

When we use the term "personal information" we mean any data that identifies you or makes you identifiable as a natural person.

When we use the term "Events" we mean the sport events, races and competitions listed in Annex 1. These Events include, without limitation, the FNB Wines2Whales and Absa Cape Epic.

This Privacy Policy applies only to our processing your personal information after registration has been finalised.

We maintain one or more privacy policies for the processing of data related to the use of our website (www.epic-series.com), our marketing activities, and our social networking pages, profiles, and feeds. You can find this policy/these policies in the footer of our website/s. For our merchandising activities, please see the policies on our Cape Epic (Pty) Ltd store website (https://cape-epic.shop/ and https://wines2whales.store). The provisions of this Privacy Policy also apply to Cape Epic (Pty) Ltd volunteer activities, crew, management of sponsors and media accreditation.

It is important to note various definitions under the Processing of Personal Information Act 4 of 2013 (“POPIA”).  These definitions are used throughout this Privacy Policy -

“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person

“Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information

“Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party

“Data Subject” means the person to whom personal information relates


1. Who is the Responsible Party of your Personal Information?
Cape Epic (Pty) Ltd organises the Event for which you have registered. We own and operate our registration database system.

Our third party service providers are regulated using service provider agreements setting out inter alia what information the service provider is able to process in the rendering of their services.

Outside of an Event, typically the party that you contract and/or otherwise deal with is the Responsible Party.


2. What Personal Information do we collect?
In the context of our Events, we collect personal information about you. Please see Annex 2 for a detailed description on the personal information we collect. On a more general level, the personal information we collect can include the following:

  • If you register for an Event: Name, e-mail address, identity/passport number, phone number, address, birth date, place of birth, profile photograph/s, survey information, gender, nationality, profession, preferences or hobbies, team name, information on medical conditions and medications, emergency contact information, relay information, sponsorship information and other information you provide during registration.
  • If, in the course of registration, you subscribe to our newsletter: Name, e-mail address, marketing campaign information such as your reaction to our marketing and your interest in our Events.
  • In the course of preparing the Event and during the Event, we might add other information, such as your registration number and the age group to which you are allocated as well as your timing information, performance and/or placing in the Event.
  • Post Event Loyalty Program: We store collected information in order to inter alia offer rewards, discounts, and benefits upon registration for future Events.


We do not collect or store participant rider credit card information.  Credit card payments are currently facilitated and processed by DPO Paygate and Cybersource.

In respect of volunteers, employees and/or applicants: we process the personal information of volunteers, employees, job applicants and others.  The personal information of these parties (including landowners, charities, media, e-commerce store customers and similar) may be retained for a period following submission depending on our possible or anticipated level of interest in the applicant for future positions or roles. The personal information of employees is processed regularly in the performance of our contractual and other obligations to our employees.  We may retain the personal information of employees following the termination of an employment relationship for legal, tax or other reasons.  Security protocols are applied to the processing of employee personal information.  The aforegoing similarly applies to sponsors and service providers and similarly referenced persons/parties to the extent applicable.


3. How do we collect your personal information?
Personal information you provide to us
: You must provide us with your consent upon accessing the Cape Epic (Pty) Ltd website and when creating an online profile.  Opt-in/opt-out options also become accessible at this point permitting or preventing additional services, enhancements and the like. Most of the personal information we receive is voluntarily provided by our riders in the course of registering for an Event. Similarly, volunteers, service providers and/or sponsors may provide us with personal information, also typically in relation to the rendering of services, fulfilling a role or rendering certain contractual obligations in respect of an Event.

Our registration system is only accessible by an authorised person holding the required level of administrator credentials. We use a tiered permission structure granting limited access and function depending on the credentials of the accessing person.  See paragraph 7 below for more.

Riders are free to choose which information you want to provide to us or whether you want to provide us with personal information at all. However, some information, such as information requested in the registration procedure and information collected during the Event may be necessary for the performance of our contractual obligations in the context of your Event participation. Without providing this personal information, you will not be able to enter into a contract with us by registering for our Events.

Other parties may supply personal information to us voluntarily and/or as part of a contractual obligation (or in the conclusion of a contract) whereafter the information may be processed in the performance of our contractual obligations. 


4. Why and on which legal basis do we collect and use your personal information?
The reasons for using your personal information may differ depending on the purpose of the collection. Please see Annex 2 for a detailed description on the purposes for which we use your personal information (which annex typically applies to our Events). On a more general level, we regularly use your personal information for the following purposes and on the following legal grounds:

  • We use your personal information for the performance of our contractual services or for the preparation of a contract with you. If you register for our Events or if you contact us to register for our Events or you’re involved in our Events in some other way (for example, as a volunteer, service provider or sponsor), we use your personal information to conduct our Events and make your participation in our Events possible. We will use your personal information to organise your participation in the Events, for example by allocating a bicycle/bib number to you and specifying your race category classification. We will send you e-mails with organisational information and communicate with you in case of questions. We may monitor you during an Event and share your medical data with our medical teams to help you in case of a medical emergency. We will refer our rider participants to an appropriate third party service provider as/when required and personal information may also be shared with that third party in so doing.
  • We use your personal information if justified by our legitimate interests. The usage of your personal information may be necessary for our own business interests. For example, we may use some of your personal information to evaluate and review our Events, the demographics of our riders and our overall business performance (such as Event participation, cancellations, Event-related incidents) and improve and individualise your experience and enjoyment of our Events. If necessary, we may also use your personal information to pursue or defend ourselves against legal claims.
  • We use your personal information after obtaining your consent. In some cases, we may ask you to grant us separate consent to use your personal information. Where we ask you for your consent, you are free to deny your consent and the denial will have no negative consequences for you. You are also free to withdraw your consent at any time with effect for the future. If you have granted us consent to use your personal information, we will use it only for the purposes specified in the consent form.

This also includes our e-mail marketing activities. If you sign up to our e-mail newsletter during registration, we will use your personal information for our e-mail newsletters. You may unsubscribe from our e-mail newsletter at any time [unsubscribe from this list]. You may also contact us via e-mail, phone or mail at the address provided at the end of this document to request that we remove you from our e-mail list.  Cape Epic (Pty) Ltd (typically) only contacts its riders via email correspondence.

  • We use your personal information to comply with legal obligations. We are obligated to retain certain personal information because of legal requirements, for example, tax or commercial laws or we may be required by law to provide personal information on request and/or to perform in terms of a contractual obligation to you.

We will only use your personal information for the purposes for which we have collected it.


5. With whom do we share your personal information?
As required in accordance with how we use it, we will share your personal information with third parties. Please see Annex 2 for a detailed description of the third parties and the personal information we might share with them. On a more general level, we share your personal information with the following categories of third parties:

  • Personal information is processed in various ways, for various purposes and by various entities (as more fully set out in this policy).Where personal information is processed outside of South Africa, we ensure that it is processed under the same or similar levels of protection as envisaged under POPIA.See paragraph 8 below for more.
  • Service providers and advisors. Third-party vendors and other service providers that perform services for us, which may include marketing campaign services, providing mailing or e-mail services, medical support, Event surveillance, time keeping, services related to the registration and organisation of our Events, website development services, payment processing, data enhancement services or fraud prevention. If applicable, such service providers will, by appropriate data processing agreements, be bound to process (certain) personal information only on our behalf and under our instructions.
  • Event photographer/s. If you participate in our Event/s and have given us consent to do so, we will disclose your bicycle/bib number, name, e-mail address and phone number to the Event photographer/s, who may contact you with photos from the attended Event.
  • Mediclinic Team.  Mediclinic professional and support personnel performs all medical services in relation to the Cape Epic (Pty) Ltd Events. Riders complete a medical screening questionnaire created by Mediclinic on their secure platform.  We do not have access to sensitive medical information. Information disclosed to Mediclinic includes riders’ medical condition/s, current medications, allergies to medications, medical aid provider and number, blood type, any previous medical attention during an endurance event, mental/physical conditions and emergency contact information.
  • Purchasers and third parties in connection with a business transaction. Personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of our assets or shares, reorganisation, financing, change of control or acquisition of all or a portion of our business, or in the event of an insolvency or similar proceedings.
  • Law enforcement, regulators and other parties for legal reasons. Personal information may be disclosed to third parties as required by law or subpoena or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) to enforce our legal claims or to protect the security or integrity of our services; and/or (c) to exercise or protect the rights, property, or personal safety of Cape Epic (Pty) Ltd and any related entities, our partners, employees, riders, visitors or others.
  • The public. The official rankings and information justifying the ranking (including, for example, riders’ name, gender, nationality, photograph and the like) will be disclosed to the visitors of our Events and on, for example, our websites, social media, mobile applications and the like.
     


6. How long do we keep your personal information?
We will store personal information for as long as necessary to fulfill the purposes for which we collect personal information, in accordance with our legal obligations and legitimate business interests. Afterwards, or at the end of the statutory retention times, the pertinent personal information will be stored on our database to ensure continuous data retrieval, to the benefit of the client, in line with our Loyalty Program. However, extraneous and/or unnecessary information will be deleted as applicable. For example, legislation, tax and/or legal requirements, may require us to retain certain information for up to 10 years.


7. How do we protect your information?
We implement a variety of security measures to maintain the safety of your personal information. However, no system of security can be 100% secure and so we cannot guarantee in all cases the security of the information that we process. In the event we learn that personal information is compromised as a result of a breach of security, we will take steps to investigate and comply with notification obligations and take other steps, in accordance with applicable laws and regulations.

The majority of collected personal information is processed and stored digitally/electronically.  Certain personal information may be collected, processed and/or stored in physical format in certain instances where electronic/digital processing is not possible or practical, for example, in late rider substitutions in our Events.

We typically apply three types of security protocols in the processing of personal information, physical, electronic or procedural, or a combination of such protocols, depending on the format of the information.  Information held in hardcopy (paper or similar) format is secured by means of physical security.  This means that the premises at which the information is held are secured by lock and key, security alarm, armed response or similar.

Where information held in electronic format is processed, depending on the systems used in such processing, we may apply various protocols: Data: Incorporating the use of DLP tools/software adds a layer of protection by restricting the transmission of personal data outside the network.  All workstations and laptops are password protected (strong multicharacter passwords, regularly changed), a firewall is used to prevent unauthorised network access and storage drives are encrypted where necessary and/or possible (firewall on servers and 2FA on MS Office 365/Dropbox). Spam detection for emails using Mimecast and MS Office 365. SOPHOS security is used on our electronic devices. We may also use encryption and pseudonymisation: pseudonymisation, or the processing of personal information so as to anonymise such information, may be used where applicable and may include field level encryption in databases, encryption of entire data stores at rest, as well as encryption for data in use and in transit.

Procedurally, identity and access management controls limit access to personal information for authorised employees. The two key principles applied are separation of duties and least privilege and help ensure that employees have access only to information or systems applicable to their job function. Only those who need access to certain personal information to perform their duties have access. Access is secured by means of identity and password.  In certain instances, users with access may be further restricted to viewing rights only.

Awareness of a possible security compromise will trigger the implementation of various notifications.  As soon as is reasonably possible, upon there being reasonable grounds to suspect a compromise, the Information Officer will advise the Information Regulator (in accordance with the provisions of POPIA) and, where possible, the data subject.  Both will be notified in the manner/s set out in POPIA.  Further instructions from the Regulator in respect of notification will be executed as required.


8. How do we safeguard your personal information when there is an international transfer?
In the event of any international transfer of personal information, the provisions of POPIA would be followed thus ensuring that the receiving party would use the same or similar standards to those set out in POPIA.


9. What rights and choices do you have?
We want you to understand your rights and choices regarding how we may use your personal information.

Individual rights. You have specific rights under applicable privacy law in respect to your personal information that we hold, including a right of access and erasure and a right to prevent certain processing activities.

Under POPIA, you, the data subject, have the following rights in respect to your personal information that we hold:

(a)  to be notified that—

(i)  personal information about him, her or it is being collected as provided for in terms of section 18; or

(ii)  his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;

(b)  to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;

(c)  to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;

(d)  to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);

(e)  to object to the processing of his, her or its personal information—

(i) at any time for purposes of direct marketing in terms of section 11(3)(b); or

(ii) in terms of section 69(3)(c);

(f)  not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);

(g)  not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;

(h)  to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and

(i)  to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99 (of POPIA).

If you wish to exercise one of these rights, please contact us using the contact details below.

For e-mail marketing, we provide the following easily usable option:

  • E-mail settings and preferences. If you no longer want to receive marketing e-mails from us, you may choose to unsubscribe at any time by clicking the link at the bottom of any mailer or by clicking this link [unsubscribe from this list].



10. How to contact us?
If you have any questions or concerns about our Privacy Policy or if you want to exercise your rights, please contact us using the address at the beginning of the Privacy Policy or contact the organiser of the Event, whose contact details you will find in Annex 1. You can also send an e-mail to: privacy@epic-series.com.


11. Information Officer
Cape Epic (Pty) Ltd has appointed Information Officers. Please find the names and contact details of the Information Officers in Annex 1.


12. Online Privacy Policy Updates
We may make changes to our Privacy Policy from time to time. Please review our Privacy Policies regularly as updated Privacy Policies will apply to future Events.


Annex 1 – CAPE EPIC (PTY) LTD Events and Organising Entities

Organising Entity

Information Officer

List of Events

 

Cape Epic (Pty) Ltd 

Michael Flinn

FNB Wines2Whales

Cape Epic (Pty) Ltd

Michael Flinn

Absa Cape Epic

Cape Epic (Pty) Ltd

Michael Flinn

Mountain Ultra Trail by UTMB

(Please note that the list is subject to change from time to time and is not exhaustive)


Annex 2 – Cape Epic (Pty) Ltd Events

Categories of Personal information

Purposes of Use and Legal Basis for Processing (in brackets)

Recipients

Name

Home address

Identity / passport number

Country representing

E-mail address

Phone number

Membership in a national triathlon/endurance sport organisation

  • Event registration, preparation and operation (performance of a contract/preparation of a contract with you).

  • If name and e-mail are provided in group registrations, they are used to send special links to each group member for full online registration (performance of a contract/preparation of a contract with you).

  • Name used for commentating on the Event and in rankings (performance of a contract).

  • Address used for demographic analysis (legitimate interests in analysing demographics for marketing and business development).

  • Create your customer file or add your data to your existing customer file (performance of a contract/legitimate interest to offer customers individualized services).

  • Pass on to Event Photographer (consent).

  • Name and e-mail address is used in marketing e-mails (consent).

Business Support Vendors: Vendors that provide Cape Epic (Pty) Ltd with business support software, including e-mail account applications, spreadsheet and word editors, presentation programs, data storage and management applications, and IT security software. These vendors may, by contract, only process data on behalf of Cape Epic (Pty) Ltd.

Marketing Vendors: Vendors that provide marketing services for Cape Epic (Pty) Ltd – either by marketing software applications or by external marketing management. These vendors may, by contract, only process data on behalf of Cape Epic (Pty) Ltd.

Analytics Vendors: Vendors that provide Cape Epic (Pty) Ltd with applications or software to analyze or enhance personal information. These vendors may, by contract, only process data on behalf of Cape Epic (Pty) Ltd.

Event Photographer

Name is made public in rankings, results and Event registration lists.

Gender

Date of birth

Team registration

  • Event registration (performance of a contract/preparation of a contract with you).

  • Number/Bib allocation and specification of race category classification (performance of a contract).

  • Analysis of customer groups (demographics) (legitimate interests in analysing customers for marketing and business development).

  • Gender used in rankings (performance of a contract).

  • Create your customer file or add your data to your existing customer file (performance of a contract/legitimate interest to offer customers individualised services).

Business Support Vendors

Analytics Vendors

Gender is made public in rankings, results and Event registration lists

Timing Service Provider: Service provider responsible for timing during the Event. Provider also responsible for bib allocation and specification of race category classification.

Bib number

Race category classification

  • Event preparation and operation (performance of a contract).

  • Identify you during a race (performance of a contract).

  • Race category classification used for rankings (performance of a contract).

  • Data passed on to Event Photographer for identification of riders (consent).

  • Create your customer file or add your data to your existing customer file (performance of a contract/legitimate interest in offering customers individualised services).

Business Support Vendors

Event Photographer for allocation of photos

Medical Teams for medical support

Race category classification is made public in rankings, results and/or Event registration lists

Bib/race number is made public in Event registration lists and results

Medical condition

Current medications

Allergies to medications

Medical aid provider and number

Blood type

Any previous medical attention during an endurance event

Mental/physical condition

Emergency contact

  • Contact your emergency contact in case of a severe medical incident (performance of a contract).

  • Create your customer file or add your data to your existing customer file using additional security measures (performance of a contract).

  • Administer medical treatment to riders as required.

 

Emergency contact information is collected and may be used by Cape Epic (Pty) Ltd

Mediclinic collects, processes and stores all rider information.  Personal information is collected directly from the rider by way of Mediclinic’s website.  The personal information is processed with Mediclinic as Operator.  The personal information does not pass to any third party.

 

 

Information on incidences occurring during or in the context of the Event

  • Help you during the Event (performance of a contract).

  • After race used, if needed, for legal issues related to the incident (legitimate interests/exercise of defence of legal claims).

Local Medical Team, hospitals, lawyers, other riders/athletes and others: only to the extent needed for the medical treatment and legal issues resulting from an incident during the Event.

Business Support Vendors

Nationality (optional)

Additional "Tell Us Your Story" ­– Information shared by you during registration (optional)

 

  • Used for commentating on the Event (performance of a contract).

  • Nationality used for ranking (performance of a contract).

  • Nationality used for demographic analysis (legitimate interests in analysing customers for marketing and business development).

  • Create your customer file or add your data to your existing customer file (performance of a contract/legitimate interest to offer customers individualised services).

Nationality and ranking are made public

Business Support Vendors

Race results (race time)

  • Used for commentating on the Event (performance of a contract).

  • Add your data to your existing customer file (performance of a contract/legitimate interest to offer customers individualised services).

Race results are made public (public rankings)

Business Support Vendors

Subscription to e-mail newsletter (optional)

  • Send marketing material (consent).

  • Create your customer file or add your data to your existing customer file (legitimate interest to offer customers individualised services).

Marketing Vendors

Business Support Vendors

Opt-in to be contacted by Event Photographer (optional)

Donation to charity (optional)

Additional purchases (Event photos, engraved medals, Cape Epic (Pty) Ltd merchandise) (optional)

  • Pass on the wish to be contacted to Event Photographer (consent).

  • Pass on donation and related information to charity (legitimate interest in passing on information to relevant party).

  • Provide you with engraved medal or additional merchandise products (performance of a contract).

  • Create your customer file or add your data to your existing customer file (performance of a contract/legitimate interest to offer customers individualised services).

Event Photographer

Charities

Other service providers whose products or services you order

Business Support Vendors

Merchandise Partners providing Cape Epic (Pty) Ltd with products or sending products directly to you. These partners may, by contract, only process data on behalf of Cape Epic (Pty) Ltd.

Occupation (optional)

Employer (optional)

Job title (optional)

Industry

 

  • Analysis (demographics) (legitimate interests in analysing customers for marketing and business development).

  • Contact you or your employer to gain new sponsors for our Events (consent).

  • Create your customer file or add your data to your existing customer file (legitimate interest to offer customers individualised services).

Business Support Vendors

Analytics Vendors

Information on your communication with us (such as asking questions, cancelling a registration)

  • Providing you with support and customer service (depending on the reason for our communication: performance of a contract/preparation of a contract with you or pursuit of our legitimate interest to communicate with interested third parties).

  • Enable cancellation (performance of a contract).

  • Create your customer file or add your data to your existing customer file (performance of a contract/legitimate interest to offer customers individualised services).

Business Support Vendors

 

Information collected in the context of anti-doping testing

  • Anti-doping tests are conducted in compliance with the World Anti-Doping Code. Information collected in this context is only used to test for prohibited substances and, where applicable, impose sanctions on riders/athletes using such drugs (depending on jurisdiction at the venue: legal obligation/task carried out in the public interest/performance of a contract or consent).

All information is uploaded in the Anti-Doping Administration and Management System, in accordance with the rules of the World Anti-Doping Organization. Results are potentially visible to other Anti-Doping Organisations

Name

Gender

Age

Nationality

Race time

Location

Picture

Previous Race History/Results

  • Name, nationality, location during the race, race time used in race tracking app (performance of a contract/ legitimate interest in allowing fans to follow the riders' race).

  • Website development service providers may have access to this information whilst updating Cape Epic (Pty) Ltd’s online social media profiles with additional data.

Tracking App Provider, which may, by contract, only process data on behalf of Cape Epic (Pty) Ltd.

Made public on Cape Epic (Pty) Ltd’s website www.epic-series.com

Business Support Vendors