News
Store
Tickets

Privacy Policy

PRIVACY NOTICE
(Articles 13 and 14 of Regulation (EU) 2016/679 – “GDPR” and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018)

Version: 05/11/2025
Data Controller: PALERMO FOOTBALL CLUB S.P.A. (VAT No. 06804260823 – Tax Code 06804260823)
Registered Office: Viale del Fante, 11, 90146 Palermo (“Palermo FC” or the “Controller”).
Contacts: info@palermofc.comCertified Email (PEC): PALERMOCALCIO@PEC.IT
DPO: DPO.PALERMOCALCIO@PEC.IT

This notice explains how we collect, use, share and protect the personal data of users and fans of Palermo FC (“we”, “our”) through our websites, mobile applications, digital platforms, online store, events, sports facilities, and commercial activities.
For information on the management of cookies, please refer to our www.palermofc.com/en/cookie-policy.

 

INDEX

  1. Who is the Data Controller
  2. What Personal Data Are
  3. Data We Collect
  4. Purposes and Legal Bases for Processing
  5. Special Categories of Data
  6. Profiling and Automated Decisions
  7. Marketing Communications and Preferences
  8. Data Sharing and Disclosure
  9. International Data Transfers
  10. Data Security
  11. Data Retention
  12. Data Subject Rights
  13. Minors
  14. Contacts and Complaints
  15. Updates
  16. Simplified Notice for Young Users

 

  1. Who is the Data Controller

The Data Controller is Palermo Football Club S.p.A., located at Viale del Fante, 11, 90146 Palermo.
Email: info@palermofc.com
PEC: PALERMOCALCIO@PEC.IT
Data Protection Officer (DPO): DPO.PALERMOCALCIO@PEC.IT

 

  1. What Personal Data Are

Under Article 4(1) GDPR, “personal data” means any information relating to an identified or identifiable natural person (e.g., name, contact details, IP address, location, images, online behavior, payment data, preferences, habits).

 

  1. Data We Collect

We collect data directly, automatically, at events, or from third parties.

  1. a) Data provided directly by the user
    Contact details (name, surname, address, email, phone, date of birth, country of birth/residence);
    Account data (registration to Palermo FC sites/apps, memberships, fan clubs, loyalty programs, contests);
    Payment and shipping details (for online or phone purchases);
    Preferences, interests, feedback, participation in surveys and contests;
    Images or avatars voluntarily uploaded (e.g., profile photos, contests, fan zones).
  2. b) Data collected during visits or use of digital services
    Technical data (IP address, browser type, language, OS, device ID, plug-ins, time zone);
    Usage data (referral URLs, visited pages, session time, clicks, interactions, errors, scroll, searches, app logins);
    Cookies and similar technologies (for analytics and personalized advertising – see Cookie Policy).
  3. c) Data collected at events, stadiums, and facilities
    CCTV and video surveillance for security and public order;
    Photos and videos of participants, fans, and visitors, used for commercial, promotional, or media purposes (series, documentaries, social media, streaming, etc.) under Stadium Regulations and ticket terms.
  4. d) Data from third parties
    Commercial partners (official retailers, sponsors, ticketing providers, merchandising operators);
    Group companies and marketing agencies.

 

  1. Purposes and Legal Bases for Processing

Processing is carried out in compliance with Articles 6, 9, 10, 28, 32, and 44–49 GDPR and applicable Italian laws.

Purpose Legal Basis Description
Registration and service provision Art. 6(1)(b) GDPR – Contract performance To create and manage accounts, subscriptions, loyalty cards, fan IDs, ticketing, e-commerce, events, contests, and both online and offline services. Includes service communications and request management.
Marketing communications Art. 6(1)(a) GDPR – Explicit consent To send newsletters, promotions, offers, pre-sales, surveys, and commercial communications about Palermo FC, group companies, and partners via email, SMS, phone, push notifications, or social media.
Profiling/Segmentation Art. 6(1)(a) + Art. 22 GDPR Automated analysis of preferences, behaviors, and interactions to deliver personalized content, targeted promotions, and enhance user experience.
Processing of special data (e.g., disability) Art. 9(2)(a) GDPR – Explicit consent Collection and use of data on disability or health only to ensure accessibility, personalized services, or support during events.
Marketing automation tools Arts. 28 + 32 GDPR Use of secure automation and analytics platforms (CRM/DMP) managed by qualified providers for personalized and traceable communications.
Security, video surveillance, and public order Art. 6(1)(c) + 6(1)(e) GDPR CCTV management, access control, event monitoring, and prevention of unlawful acts under public security regulations.
Media production and content sharing Art. 6(1)(f) GDPR – Legitimate interest Use of photos/videos from matches or events for editorial, promotional, and institutional communication.
Analytics and service improvement Art. 6(1)(f) GDPR – Legitimate interest Aggregated and anonymized analysis of usage data to enhance websites, apps, services, and communication strategies.
  1. Special Categories of Data

Processed only when strictly necessary under Article 9 GDPR, with explicit consent or other legitimate basis.
Any data on criminal convictions or offences (Art. 10 GDPR) are processed only under adequate safeguards for security or public order reasons.

 

  1. Profiling and Automated Decisions

We may use profiling and data analytics tools (CRM, DMP, social media platforms) to analyze preferences, behaviors, purchases, and interactions to:

  • Offer personalized content and experiences;
  • Improve fan engagement;
  • Measure marketing effectiveness;
  • Prevent fraud or abnormal activity.
    Decisions are not fully automated and do not produce legal effects on the user. You can always request human intervention, explanations, or object to profiling.

 

  1. Marketing Communications and Preferences

With your consent (Art. 6(1)(a) GDPR), we may send you communications about events, offers, merchandise, and partnerships.
You can modify or withdraw your consent anytime through:

 

  1. Data Sharing and Disclosure

This section covers external processors and independent controllers. To clarify, service providers acting on behalf of Palermo FC operate as responsabili del trattamento (Data Processors) under written agreements in accordance with Article 28 GDPR, ensuring confidentiality and compliance with data protection requirements. Your data may be shared with:

  • Group and affiliated companies;
  • Service providers (hosting, IT, logistics, shipping, CRM, analytics, marketing automation, ticketing, payments, security, customer care);
  • Official partners and sponsors;
  • Sports authorities and regulators (FIGC, Lega Serie B, Police, etc.);
  • Co-producers and broadcasters (documentaries, films, social media, streaming);
  • Legal or tax advisors and competent authorities for compliance or disputes.
    All third parties act as processors (Art. 28 GDPR) or independent controllers under appropriate safeguards.

 

  1. International Data Transfers

Some partners or providers may be located outside the European Economic Area (EEA).
In such cases, Palermo FC:

  • Transfers data only to countries with an adequacy decision (e.g., UK, USA for Data Privacy Framework participants); or
  • Applies Standard Contractual Clauses (SCCs) approved by the European Commission and additional security measures.

 

  1. Data Security

Under Article 32 GDPR, we apply appropriate technical and organizational measures (encryption, access control, firewalls, backups, TLS/SSL, logging, staff training) to protect personal data.

 

  1. Data Retention

Data are kept only as long as necessary for their purposes:

Data Type Retention Period
Accounts and registrations Until deletion or inactivity >36 months
Contracts/purchases 5 years (civil) / 10 years (tax)
CCTV data 7–30 days (unless under investigation)
Marketing Until withdrawal, max 36 months from last interaction
Profiling 25 months
Events/contests 5 years
Security/public order Up to 10 years if required by law or authorities

After expiration, data are deleted, anonymized, or securely archived.

 

  1. Data Subject Rights

Under Articles 15–22 GDPR, you have the right to:

  • Access your data (Art. 15);
  • Rectify or delete data (Arts. 16–17);
  • Restrict processing (Art. 18);
  • Object to processing (Art. 21);
  • Data portability (Art. 20);
  • Not be subject to automated decisions (Art. 22);
  • Withdraw consent (Art. 7.3).
    Requests may be sent to:
    Email: info@palermofc.com
    PEC: PALERMOCALCIO@PEC.IT
    DPO: DPO.PALERMOCALCIO@PEC.IT
    You may also file a complaint with the Italian Data Protection Authority: “http://www.garanteprivacy.it”

 

  1. Minors

This notice is addressed to users aged 14 and over.
For minors under 14, consent-based processing is allowed only with parental authorization. Palermo FC may request proof of age or parental consent when required.

 

  1. Contacts and Complaints

Controller: Palermo Football Club S.p.A.
DPO: DPO.PALERMOCALCIO@PEC.IT
Complaints:https://www.garanteprivacy.it

 

  1. Updates

This policy may be periodically updated. Significant changes will be communicated via banner or email.
Last update: 05/11/2025

 

  1. Simplified Notice for Young Users

When you use Palermo FC’s website, app, or attend our events, we only collect the information we need (like your name or email).
We keep it safe and don’t store it longer than necessary.
If you are 14 or older, you can choose to receive news and offers.
If you are under 14, we need your parents’ permission.
You can always write to us to see or delete your data: info@palermofc.com