FIVA Privacy Statement
for the FIVA Registry System
About this FIVA Privacy Statement
This FIVA Privacy Statement of Fédération Internationale des Véhicules Anciens with registered seat at 6, Place de la Concorde, F-75008 Paris, France (hereinafter referred to as “FIVA”, “us“ or “we“) informs about processing of personal data in relation to the online FIVA system used for issuing FIVA Cards for historic vehicles and young-timer vehicles[1] available at https://applications.fiva.org/ (the “System”).
When using the System, FIVA and individual national FIVA bodies (“ANFs”) primarily act as controllers. Therefore, this FIVA Privacy Statements is a specific privacy notice of both FIVA and individual ANFs that needs to be read in conjunction with the general privacy statements of both FIVA (available here) and individual ANFs (typically available on their websites (“General Privacy Statements”). These General Privacy Statements contain information in relation to our typical controller agendas and purposes of processing where we act as individual controllers.
1. Controllers’ contact details and DPO
For general inquiries regarding the System, please use our general contact details. We have appointed an external data protection officer at FIVA. For data subject requests and general privacy inquiries, please use our DPO contact details.
For specific inquiries about your applications or issued FIVA Cards, please contact your ANF’s representatives. See ANFs’ General Privacy Statements for their contact details.
2. Overview of purposes of processing and legal bases
When we collect personal data in the System, we process these data for the following purposes and based on the following legal bases. These are pursued and relied upon jointly by FIVA and ANFs:
Purpose of the processing personal data | Legal basis (Art. 6 (1) GDPR) |
1. Issuing and administering of FIVA Cards | Public interest (letter e) and legal obligation (letter c)[2] |
2. Preserving and promotion of the technical and cultural heritage | Legitimate interest (letter f) and public interest (letter e) |
3. Security of personal data and IT systems | Legitimate interest (letter f) and legal obligation (letter c)[3] |
The three above mentioned purposes are also regard as ours or ANFs’ legitimate interest pursued. Generally, we rely on legitimate interest where we cannot reply on explicit provision of the law, decree or regulation when pursuing such purpose. In case such explicit provision exists, we rely either on public interest or legal obligation, depending on if such provision is formulated as a direct obligation or not.
3. More detailed explanation of purposes and positions
Each purpose of processing is explained in bit more detail below:
Issuing and administration of FIVA Cards
This purpose of processing covers the whole application process of issuing and administration of FIVA Cards which primarily driven and pursued by individual ANFs as data controllers. ANFs decide whether to issue FIVA Cards or not while FIVA is merely a provider of technical solution for this process and if needed can provide guidance or technical help. In addition, some ANFs may use the System for national Cards where FIVA Card serves that purpose. In some situations, FIVA also cooperates with non-ANF organisations when issuing FIVA Cards. In relation to this purpose, FIVA acts as a data processor of each individual ANFs using the System. This purpose includes:
Scope of personal data covers information from the application, information in the electronic and paperback FIVA Card, information recorded or stored by scrutineers and administrators appointed by individual ANF as well as login and technical information about individual account. This purpose also includes administering FIVA Cards after their issuance via the System throughout the validity of the issued FIVA Cards for example when holders’ personal details or any other information in the FIVA Card needs to be updated. This information is primarily stored and processed within the vehicle holders’ database of the System that is primarily administered and managed by ANF.[4] Please note additional information regarding this purpose can be found in General Statements of individual ANFs. We also regard “issuing and administration of FIVA Cards via the System” as the the task carried out in public interest.
Preserving and promotion of the technical and cultural heritage
FIVA is a worldwide non-profit organisation dedicated to the protection, preservation and promotion of historic vehicles that form part of the world-wide technical and cultural heritage. Individual ANFs were established for the same purpose. Therefore, the main purpose of processing personal data via the System is preserving valuable historical information about the vehicles. This purpose is pursued by both FIVA and individual ANFs on the basis that national FIVA bodies pursue the same unifying goal. Therefore, FIVA and individual ANFs act as joint controllers under Article 26 GDPR.
The essence of the joint controllers’ agreement concluded between FIVA and ANFs is as follows:
Each historical vehicle has such historical information attached to it and naturally such information outlives its owners. Therefore, applicants must understand that although their contact details will not be processed forever, historical information about the vehicles is meant for preserving.
This purpose covers not only information in the issued FIVA Cards but also information stored within the System based on application and scrutineering process. This valuable information is meant for future generations. This information is primarily stored and processed within the vehicle database of the System that is administered and managed by FIVA, while ANFs may as joint controllers use such information for the same, substantially similar or compatible purpose, for example for issuing FIVA Cards. This database is primarily focused on preserving history of vehicles and so it may include information about previous owners.
Generally, information about deceased persons is not subject to the GDPR, but EU Members States might provide otherwise. Some member states (such as France) may guarantee rights or protect data of deceased person. Additionally, In France, relatives of deceased persons have certain data subject rights under Article 85 of the French Data Protection Act. Similar regime applies in Italy. Therefore, we monitor developments in this area closely and strive to anonymize personal data about previous owners where legally required or requested. We have to balance the history and the privacy in this respect. FIVA generally accepts that the purpose of preserving and promotion of the technical and cultural heritage legitimises the general interest on preserving previous owner details. However, it ultimately remains for the individual ANFs to determine whether using such data within the “history” section of FIVA Cards is compliant with local data protection laws. Information about important or famous previous owners can be stored in the System while each ANF shall consult their DPO the extent this is permitted. Once the information gets to the System, FIVA reserves right to store and process it for this purpose.
In addition, FIVA is implementing a QR code function integrated with the System. Each FIVA Card issued vehicle can get stickers with QR code that will display information about the vehicle alone to anyone scanning it. Such information is based on vehicle database of the System but does not display direct identifiers of the owner such name, surname, address or contact details. Owners of the vehicles determine if to place such sticker on their vehicle. This will serve to the promotion of historic vehicle with FIVA status and will be practically used by stewards during the FIVA events to identify eligible vehicles. This QR code functionality is also part of the purpose of preserving and promotion of the technical and cultural heritage.
Security of personal data and IT systems
Articles 32 to 34 of GDPR require from each controller and processor to maintain adequate level of security of personal data. Certain layer of personal data within the System is processed for the purpose of ensuring such adequate security. This includes processing data via tools for management of logins, user information, authentication, removal of bugs, detecting harmful content and further development of the System. In this respect, FIVA and individual ANFs act as joint controllers based on the joint controllers’ agreement explained above.
4. Compatible purposes of processing
Once the personal data is collected by virtue of the System, depending on the circumstances of the individual case, FIVA and/or individual ANFs might process the personal data for other compatible purposes described in their respective General Privacy Statement. When doing so, each party acts as individual controller. FIVA’s compatible purposes practically include any purposes explained in FIVA’s General Privacy Statement (if relevant in the individual case) but mainly:
Please see your respective ANF’s General Privacy Statement for their own or compatible purposes. If your ANF do not have any General Privacy Statements, please see FIVA’s General Privacy Statement on the basis that activities of ANFs are FIVA are very much similar and interlinked. FIVA’s General Privacy Statement might use as a global reference to what ANF’s are doing with personal data locally.
5. What personal data we process?
In general, the System is based on two separate databased: (i) vehicle holders’ database; and (ii) vehicle database. Composed of two in most cases, we process standard contact and identification types of personal data such as name, surname, address, phone number, email, date of birth, ID data, VIN number of the vehicle, brand of the vehicle, year of manufacture of the vehicle, any specification of the historic vehicle, photos, and videos from the events.
6. Who are recipients of your personal data?
If you’re an applicant, your information will be shared with the ANF determined based on your residence and FIVA including our staff, employees, officials, and vendors. If you change country of your residence and report this, or if ANF reports this, your ANF will change. The System has two databases that are stored separately: (i) vehicle holders’ database; and (ii) vehicle database. Vehicle holders’ database is only meant for the local law purposes of individual ANFs acting as a controller. Vehicle database serve the global purpose of FIVA and therefore can be used by any ANF or generally future generations. The System is construed in a way that the information from both databases is not easily interlinked, even though FIVA and your local ANF can make such connection. Therefore, we treat any publication from vehicle database very carefully, as shown by the QR code functionality.
The only FIVA’s vendor that has an ongoing technical access to encrypted personal data stored in the System is our provider of cloud and server capacities located in the EU. From the security reasons we do not publish its business name.
FIVA’s vendors that might have “need to know” access to your personal data stored within the System only based on ad hoc situation are:
7. What countries do we transfer your personal data to?
Specifically to the System, we do not undertake any transfer of personal data to vendors or partners outside of the European Union / EEA. Servers of the Systems are securely hosted within the EU and we do not use cloud services from non-EEA countries to support operation of the System. This does not concern the website of www.fiva.org, its domain hosting, tools and cookies placed on the website, which are subject to the General Privacy Statement.
8. How long do we store your personal data?
General retention periods for our purposes are as follows:
Purpose | General retention period |
Issuing and administering of FIVA Cards | Throughout validity of issued FIVA Card and 3 years afterwards. Unfinished applications are stored for 24 months. |
Preserving and promotion of the technical and cultural heritage | Generally, throughout existence of historic vehicle if it concerns information about vehicle. |
Security of personal data and IT systems | During storing of any personal data within the System (depending on the above retention periods) |
9. How we collect your personal data?
In the System, we typically collect most personal data directly from the applicants or ANFs directly. The provision of personal data is voluntary and to the best of our knowledge, is not a legal or contractual obligation. However, such provision might be required under the local law in order to obtain FIVA Card. Therefore, if not provided, FIVA Card cannot be issued. However, please note that provision of such data does not automatically mean FIVA Cards will be issued.
Personal data about scrutineers and administrators in the System are collected from ANFs. Here, the provision of personal data might by required by internal regulations and contractual relationship of such persons to their ANF. System cannot work without scrutineers and admins and so non-provision might result in ANF not being able to issue FIVA Cards.
In some cases, some personal data might be shared in between two or more ANFs. For example, when the vehicle is sold from one country to another. Each ANFs retains information about the current vehicle owner, but FIVA and both ANFs may retain, and process information related to the vehicle itself – a history of which might include personal data of others.
10. What rights do you have?
"If we process your personal data on the basis of consent to the processing of personal data, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You have the right to effectively object to the processing of personal data for direct marketing purposes, including profiling. "You also have the right to object to the processing of your personal data on the basis of the legitimate interests we follow, as explained above. You are also entitled to the processing of personal data on the legal basis of a public interest.” If you exercise your right to object, we will gladly demonstrate to you the way how we evaluated these legitimate interests as overriding the interests, rights, and freedoms of the data subjects. |
The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that they will be accepted by us because in a particular case exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request for an enforcing specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions.
Among others, you have:
You have a right to lodge a complaint related to personal data to the relevant data protection supervisory authority or apply for judicial remedy. Please note that our lead competent data protection authority is the French supervisory authority: Commission Nationale de l'Informatique et des Libertés – CNIL, 3 Place de Fontenoy, TSA 80715 – 75334 Paris, Cedex 07, Tel. +33 1 53 73 22 22, Fax +33 1 53 73 22 00, Website: http://www.cnil.fr/, https://www.cnil.fr/en/contact-cnil. However, since our establishment is in Italy, also Italian Data Protection Authority can be regarded as our supervisory authority: Garante per la protezione dei dati personali, Piazza Venezia, 11, 00187 Roma, Tel. +39 06 69677 1, Fax +39 06 69677 785, Email: segreteria.stanzione@gpdp.it, website: http://www.garanteprivacy.it/.
List of data protection authorities around the EU / EEA can be found here. Please see the data protection authority depending on the country of your ANF.
11. Do we process your personal data via automated means which produces legal effects concerning you?
The System does not automatically screen nor evaluate applications. This is done by scrutineers, admins or generally employees or officials of ANFs. We do not currently conduct processing operations that would lead to the decision which produces legal effects or similarly significantly affects concerning you based solely on automated processing of your personal data in light of Article 22 GDPR.
12. Changes to this FIVA Privacy Statement
We reserve right to update this FIVA Privacy Statement from time to time by posting the most current version and its effective date on our website or within the System. In case we change this privacy policy substantially, we shall bring such changes to your attention by explicit notice, on our websites or by email.
Fédération Internationale des Véhicules Anciens
Torino, 10th July 2024
[1] For the purposes of this FIVA Privacy Statement, reference to historic vehicles includes young-timer vehicles.
[2] In FIVA member states, the local legislation empowers individual ANFs to issue FIVA Cards, issue national cards for historical vehicles or generally to determine the status of historic vehicle. This legislation serves as the basis for processing within the meaning of Article 6 (3) GDPR.
[3] Articles 32 to 34 of the GDPR.
[4] When issuing cards in some countries, even a non-ANFs organisation can be involved to issue FIVA Cards. Please refer to local legislation and applicable terms.