Privacy statement (CapCup)

Capgemini

Feb 26, 2025

Who is the data controller?
Information we collect and how we collect it
The purposes and the lawful bases
Sharing of the personal data
Transfers to third countries
Data retention
How to exercise your data protection rights
Changes to this privacy statement

1. Who is the data controller?

The data controller for the processing described in this notice is Capgemini Finland Oy.

If you have questions or would like to contact us regarding this Privacy Statement, please contact us by Petra.fyhr@capgemini.com.

2. Information we collect and how we collect it

We may collect, use, store and transfer the following types of your personal data:

Name (first and last name)
Email address
Company (= team you belong to)
Special diet
Clothing size (for companies which have chosen to order player outfits)
Chosen name (for the application)
Player number
Role in the team

The information is collected directly from you via the registration form or in the app. We may also receive or confirm information from or with your employer.

In the section 3 we have explained the purposes for which we process your personal data and the lawful bases we rely on.

3. The purposes and the lawful bases

We will use your personal data only when the law allows us to. In the connection of the processing activities laid down in this privacy statement, we will rely on the following lawful bases:

Your consent cf. GDPR Article 6 (1) (a) or Article 9 (2) (a).
Our legitimate interests, when your interests and fundamental rights do not override those interests cf. GDPR Article 6 (1) (f).

Below, you can find a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. 

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
To manage the tournament information in the application, and especially to identify you and other players in the application and to provide the users of the application with information about the tournament.	– Chosen name – Player number – Role in the team – Company	Consent ^{Please note that without your consent, you will not be able to attend the tournament}
To manage the event, to register you as a player, to communicate with you and provide you with support.	– Name – Email address – Company – Player number – Role in the team	Necessary for our legitimate interest to manage the event, and in more detail to register and identify the players, to communicate with you, to enable you to participate, and to take other measures necessary to organize the event.
To fulfil your wishes regarding your diet in the event and clothing size for the tournament clothing.	– Name – Special diet – Clothing size	Consent ^{Please note that without your consent, we may not be able to fulfil your wishes.}

To the extent that we have referred to our legitimate interest as the legal basis for the processing of personal data specified above, we have conducted a balancing test for those interests to ensure that our interest is not overridden by your interests or fundamental rights and freedoms. Please contact us if you wish to receive more information on the balancing test.

We may disclose your personal data within the Capgemini group where required for the above specified purposes. We base this processing on our legitimate interest to transmit personal data within the Capgemini group for internal administrative purposes, such as for the purposes of using centralized IT systems and alignment of business operations and strategies. Please note that all processing activities carried out by Capgemini, including any cross-border transfers of personal data shall be covered and framed by Capgemini’s Binding Corporate Rules (BCR). Capgemini BCR include both its EU and UK BCR.

Your chosen name, player number, role in the team, and company will be visible on the tournament application to the users of the application.

Additionally, we may disclose personal data to third parties:

when it is necessary for the purposes listed in section 3
when required by law we may disclose your personal data to public authorities such as health authorities, tax authorities, and law enforcement authorities
We may assign your personal data, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.
when we believe in good faith that disclosure is necessary to establish or exercise our legal rights or defend against legal claims, protect your safety or the safety of others, investigate fraud, or respond to a government request.

We share information, including personal information, with our trusted third-party service providers that we use to provide services to us and process your data on our behalf and under our instruction, e.g. hosting of data and maintenance IT-systems, communication, analytics and other services for us. These third-party service providers may have access to or process your personal information for the purpose of providing these services for us. We do not permit our third-party service providers to use the personal information that we share with them for any other purpose than in connection with the services they provide to us. We have entered into data processor agreements with our data processors.

5. Transfers to third countries

We will not transfer your personal data to recipients outside EU or EEA unless we have ensured compliance with GDPR Chapter V.

Some of our third-party service providers are established outside the EEA, including in the US, so their processing of your personal data will involve a transfer of data outside the EEA. However, to ensure that your personal information receive an adequate level of protection we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission have deemed the country to provide an adequate level of protection for personal data; or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in Europe.
If you require further information about on our current data processors established outside the EEA and the safety measures in place to allow for the transfer of personal data, you can request it from us (please see section 1).

6. Data retention

We retain the personal information we collect where we have an ongoing legitimate need to do so. When we have no ongoing legitimate need to process your personal information, we will either delete or anonymize it.

Personal data referred to in section 2 will be retained for the duration of the tournament and for 30 days after it, unless you withdraw you consent earlier. If you withdraw your consent earlier, the personal data in question will be removed within 3 working days from when we receive your request. Please see the consequences of withdrawing your consent in more detail in section 3.
Data may be retained for longer period if we are legally obliged to do so, or if retention is necessary to establish, exercise or defend legal claims.

7. How to exercise your data protection rights

You have certain choices available to you when it comes to your personal information. Below is a summary of those choices, how to exercise them and any limitations.

Under certain circumstances, you have the right to:

Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. Please note that the law prohibits that we delete entries in medical records.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal information to another party (also known as data portability).
Where our processing is solely based on your specific consent you have the right to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

If you wish to exercise any of the data protection rights that are available to you then please send your request to us and we will action your request in accordance with applicable data protection laws. Please see section 1 for the contact information.

You have the right to complain to your local data protection authority if you are unhappy with our data protection practices. In Finland you can lodge a complaint with the Office of the Data Protection Ombudsman at https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman.

8. Changes to this privacy statement

This privacy statement may be updated from time to time to reflect changing legal, regulatory, or operational requirements. We encourage you to periodically consult our website for the latest information on our privacy practices.

If there are any material changes to this privacy statement, and you are a registered customer you will be notified by email prior to the change becoming effective.