PRIVACY POLICY – HEAD Watersports GmbH
HEAD Watersports GmbH offers you a wide range of products and services related to diving and swimming. These products and services are offered online at divessi.com and via the MySSI app for mobile use (collectively referred to as "MySSI").
Chapters 1 through 8 below, including the Appendix ("General Provisions"), explain how we collect and use your personal data when you use MySSI. The Appendix in Chapter 9 ("California Provisions" and together with the General Provisions, the "Privacy Policy") contains additional provisions in accordance with the California Consumer Privacy Act ("CCPA"), which apply only to persons residing in California. The California Provisions supplement the General Provisions; however, in the event of any conflict between the General Provisions and the California Provisions, the California Provisions shall prevail solely with respect to California residents.
Where necessary, we will update this Privacy Policy with regard to the development of MySSI and in accordance with changes in legislation and case law. We therefore review and revise this Privacy Policy as needed and recommend that you review it regularly in order to familiarize yourself with the latest version.
MySSI is provided by HEAD Watersports GmbH ("SSI", "we", "us") as the controller within the meaning of Art. 4 (7) of the General Data Protection Regulation ("GDPR"). You may contact us at:
Address: Johann-Höllfritsch-Straße 6 – 90530 Wendelstein – Germany – Email: privacy@diveSSI.com
Telephone: +49-9129-909938-0
You may contact our Data Protection Officer at:
Address: HEAD Watersports GmbH c/o Datenschutz – Johann-Höllfritsch-Straße 6 – 90530 Wendelstein – Germany
Please note that, together with the authorized SSI Training Centers, we jointly determine the purposes and means of processing in relation to the delivery of training, the provision of educational content, and the issuance of certifications, including the delivery of certifications to students, as well as the management of certifications and students' personal data within MySSI. You may obtain a copy or summary of the joint controllers' agreement, as required, by contacting SSI at privacy@diveSSI.com.
Where we engage external service providers that process personal data on our behalf and in accordance with our instructions, this is carried out on the basis of Art. 28 GDPR within the framework of a data processing agreement (see Section 4 for details). This applies in particular to technical, organizational, and operational support services in connection with the operation, further development, support, hosting, tracking, consent management, marketing, and communication of MySSI.
The GDPR and national data protection laws protect the fundamental rights and freedoms of individuals and their right to the protection of personal data. Pursuant to Art. 4 (1) GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, etc. Therefore, addresses, telephone numbers, email addresses, user IDs, credit card numbers, social media account identifiers, usernames, IP addresses, GPS data, etc. are considered personal data.
We collect certain personal data from users of MySSI ("Users" or "you") during the use of MySSI, as explained in detail below.
Please note that you are not legally required to provide us with your personal data. However, if you do not provide us with certain personal data, we may not be able to offer you all services available within MySSI.
If you use MySSI purely for informational purposes without otherwise interacting with us, we only collect the personal data that your browser transmits to us. In order to display MySSI, we collect the following personal data, which is technically necessary for us to provide MySSI to you:
- IP address,
- Date and time of the request,
- Time zone difference from Greenwich Mean Time (GMT),
- Content of the request (specific page),
- Access status/HTTP status code,
- Amount of data transferred in each case,
- Website from which the request originates,
- Browser used,
- Operating system and its interface,
- Language and version of the browser software.
If you contact us by email or via the contact form, we process the personal data you provide in this context (e.g., name, email address, inquiry, etc.) in order to respond to your message.
In the event that follow-up questions arise, your personal data may be forwarded to the responsible department or person (e.g., IT department, legal department, logistics, etc.). Processing takes place for the performance of a contract or in order to take steps at your request prior to entering into a contract (Art. 6 (1) (b) GDPR), to comply with legal obligations (Art. 6 (1) (c) GDPR), or on the basis of our legitimate interests (Art. 6 (1) (f) GDPR).
Where we engage external service providers to process contact inquiries and support us in CRM, communication, support, or marketing processes, they process your data exclusively on our behalf and on the basis of a data processing agreement pursuant to Art. 28 GDPR.
SSI provides users with training programs — also referred to as SSI digital learning products — on MySSI. We process the following information from participants in SSI training programs:
- First name, last name,
- Street, PO box/house number,
- Postal code, city,
- State, country,
- Email address,
- Telephone numbers,
- Date of birth,
- Salutation, gender,
- Personal photo,
- Language,
- SSI Master ID,
- Course type, course progress,
- Certification data (number, date, instructors, number of dives at the time of certification, year diving began),
- SSI Authorized Training Center affiliation,
- Current geolocation data when using various MySSI app features,
- Health data,
- Insurance data from diving-specific policies (if required),
- SSI membership number (for Professionals),
- Quality assurance data (for Professionals).
SSI may transmit the above-mentioned data to its members — SSI DiveCenters or Resorts ("SSI Authorized Training Centers") and SSI Professionals or Instructors ("Instructors") — via MySSI for training and certification purposes. Likewise, external companies may have access to the data in order to manage and improve the digital workflows of SSI digital learning products.
Where external companies process personal data exclusively on our behalf, this is carried out on the basis of data processing agreements pursuant to Art. 28 GDPR. If external companies pursue their own purposes, we will provide separate information in this Privacy Policy.
The legal basis for processing this data is the performance of a contract (Art. 6 (1) (b) GDPR), your consent (Art. 6 (1) (a) GDPR), or legitimate interests (Art. 6 (1) (f) GDPR).
MySSI Login
The personal data listed under Section 2.1 above is processed when you register for MySSI or when an authorized SSI Training Center or Instructor registers you in order to create a user profile.
Once your data has been entered into MySSI, you will receive an automatically generated email from SSI containing your username and password to activate your MySSI account. Activation of your account is mandatory for every SSI certification and secures your access to learning content as well as your personal profile information (e.g., learning progress, certifications obtained, education level, etc.). The personal account also contains information regarding the status of your training and certification at all times.
The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).
In order to identify you and verify whether you possess all necessary certifications required for diving, we may share your personal data, as described above, with other authorized SSI Training Centers and potentially their affiliated Instructors if you have given your consent and activated this option in your privacy settings within your MySSI account, as explained in detail under Section 2.4.
The legal basis for sharing your data with other authorized SSI Training Centers is your consent (Art. 6 (1) (a) GDPR).
Use of the Digital Learning Platform
Within the scope of training and for certification purposes, learning progress, completed performance requirements, examination results, etc. are recorded and stored. The SSI Authorized Training Center selected by you and all affiliated Instructors of the SSI Authorized Training Center, SSI, and the external service providers required for service delivery have access to this data.
The legal basis for sharing your data with other authorized SSI Training Centers is your consent (Art. 6 (1) (a) GDPR).
As part of SSI quality management, participants/users receive questionnaires regarding their training program by email as well as additional information/documents, e.g., regarding course progress, certification data, etc. In addition, they receive correspondence concerning quality assurance and further educational offers via the platform. The described processing is based on our legitimate interest (Art. 6 (1) (f) GDPR).
Within the digital learning system, users may provide additional personal information on individual pages of the training programs, create personal notes, and ask questions relating to specific content, which they may share with their SSI Authorized Training Center or Instructors upon request. The processing is based on legitimate interests (Art. 6 (1) (f) GDPR).
MySSI also enables the user to upload certain documents necessary for training and certification, which may also be viewed by other authorized parties, such as SSI, SSI Authorized Training Centers, or Instructors. The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR).
Use of Digital Certification and Documentation Features
MySSI also enables users to upload certain documents required for training and certification, such as proof of First Aid, CPR, oxygen administration in diving emergencies, and a physician-signed medical certificate, which may also be viewed by other authorized parties such as SSI, authorized SSI Training Centers, or Instructors based on the personal settings within the privacy feature.
The described processing is necessary for the performance of a contract (Art. 6 (1) (b) GDPR), except for the processing of your medical information. In this case, the legal basis for processing is your explicit consent (Art. 9 (2) (a) GDPR).
Use of the Digital DiveLog Function with GPS Data Transmission
When using the DiveLog function (digital logbook) with the location-sharing function activated by the user on the user's smartphone and/or tablet, and for the purpose of identifying available dive sites and logging dives for you, we process the following when using DiveLog:
- Your GPS or location data, provided you have activated the location transmission feature on your smartphone and/or tablet.
The legal basis for the described processing activity is your consent (Art. 6 (1) (a) GDPR).
By activating the sharing functions of the personal profile as a dive buddy, geolocation data of the dive site, maximum depth and time, as well as the first and last name of the diver who shared the data, and logged dive data may be shared with the dive buddy via QR code scan between personal mobile devices.
The described processing is based on your consent (Art. 6 (1) (a) GDPR).
Use of the Equipment Feature
If you use the MySSI equipment feature, you may register your equipment in your profile on MySSI and receive automatic reminders for necessary equipment servicing.
You may upload the following information to MySSI:
- Personal equipment and related data such as brand, model, description, serial number, purchase date, dealer/store, etc.,
- Certain equipment-related documents such as proof of service and maintenance, warranty certificates, copies of purchase invoices, etc.
The legal basis for this processing activity is legitimate interest (Art. 6 (1) (f) GDPR).
Use of the SSI Authorized Training Center Locator and SSI Event Calendar Features with GPS Data Transmission
GPS information regarding a user's location (if activated by the user) is used to provide the user with requested information, such as the Training Center Locator. The SSI Event Calendar accesses GPS data in order to identify the nearest authorized SSI Training Center or nearest event. The described processing is based on your consent (Art. 6 (1) (a) GDPR).
Tailored Marketing Communication from SSI or Third Parties and Product Improvement
SSI collects your postal code, city, state, country, date of birth, course type, course progress, affiliation with an authorized SSI Training Center, your current geolocation data, and the data listed above in Section 2.3 in order to determine your interests and provide you with tailored advertising materials via newsletters, within the app, or on your personal dashboard, as well as special offers based on your interests (profiling). The legal basis for processing is your consent (Art. 6 (1) (a) GDPR and Art. 5 para. 3 ePrivacy Directive). In addition, SSI collects functional data relating to MySSI in order to improve MySSI and SSI's products and services. The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) GDPR).
Where you have consented to this, we may also use cookie, device, event, and usage data, as well as information regarding visits to specific pages, content, and conversion events, in order to measure the effectiveness of our marketing activities, create audiences, expand existing audiences (Custom Audiences, Similar Audiences/Lookalikes), and personalize advertisements on Google and Meta platforms. In particular, shortened or hashed contact information, online identifiers, cookie IDs, device identifiers, IP addresses, browser and device information, and interaction data may be processed and transmitted to the respective providers. The legal basis for the use of the following services is your consent (Art. 6 (1) (a) GDPR and Art. 5 para. 3 ePrivacy Directive). You may revoke or adjust your consent at any time with future effect via our consent management tool.
Google Ads / Google Enhanced Conversions / Google Remarketing
Where you have consented, we use these services provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) in order to measure conversions, analyze the effectiveness of our advertising, create remarketing audiences, and display interest-based advertising to you within Google services and the Google advertising network. In this context, personal data and online identifiers may be transmitted to Google. Where hashed customer data is used for Enhanced Conversions, this takes place exclusively on the basis of your consent. Further information regarding the type, scope, and functioning of the processing can be found in the cookie settings and in the information provided by the respective provider.
Google Analytics 4 / Google Tag Manager / Data Studio
Where you have consented, we use additional services of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics 4 is used to analyze user behavior on our website and enables us to understand how users interact with our content (e.g., page views, clicks, duration of stay, technical information regarding end devices). The IP address is processed only in shortened form.
Google Tag Manager is used to technically manage and trigger tracking and analysis tools. The Tag Manager itself does not process personal data, but may integrate other services that process personal data.
We use Google Looker Data Studio to evaluate and visualize data. Aggregated data from various sources (e.g., Google Analytics) is processed for this purpose. Google Looker Data Studio does not independently collect data.
Processing takes place exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR in conjunction with Art. 5 para. 3 ePrivacy Directive.
Google may also transfer data to third countries, particularly the United States. Such transfers take place on the basis of the EU-US Data Privacy Framework or appropriate safeguards.
Meta Ads / Dataset ID / Conversions API / Custom Audiences
Where you have consented, we use these services of Meta ([insert Meta contact details]) in order to track the use of MySSI and our websites, measure conversion events, create audiences for advertising campaigns, generate similar audiences, and display personalized advertising to you on Facebook, Instagram, and connected Meta services. In this context, Meta Pixel, similar tracking technologies, or server-side interfaces such as the Conversions API may be used. In particular, online identifiers, device information, usage data, event data, IP addresses, and, where applicable, hashed contact data may be processed and transmitted to Meta. Where joint controllership exists with Meta for certain processing activities, particularly for the collection and transmission of event data for advertising and measurement purposes, we fulfill our related information obligations within this Privacy Policy; the essential content of the corresponding agreement may be provided upon request.
The use of Google Ads, Meta Ads, and related tracking, remarketing, and conversion measurement procedures takes place exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR in conjunction with Art. 5 para. 3 ePrivacy Directive or the respective applicable national regulations governing the storage of and access to information on your device. You may revoke or adjust your consent at any time with future effect via our consent management tool.
Pinterest Tag – SCUBAGO ONLY
Where you have consented, we use the Pinterest Tag (Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) in order to track user behavior after interaction with our Pinterest content and optimize our marketing activities.
In particular, information regarding visited pages, interactions, and technical device information may be processed and transmitted to Pinterest.
Processing takes place exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR.
LinkedIn Insight Tag (STILL UNDER CLARIFICATION REGARDING START OF USE)
Where you have consented, we use the LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland).
The Insight Tag enables us to measure conversion events, analyze the use of our website, and create audiences for marketing purposes.
In particular, information regarding your use of our website, device information, and online identifiers may be transmitted to LinkedIn.
Processing takes place exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR.
Microsoft Clarity
Where you have consented, we use Microsoft Clarity (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA) in order to analyze user behavior on our website and improve usability.
Clarity enables us, in particular, to evaluate click behavior, scrolling movements, and general interactions with the website. In this context, so-called session replays may also be created, through which user interactions can be reviewed in anonymized form.
The collected data is processed in pseudonymized form and is not used to personally identify individual users.
Processing takes place exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR.
A transfer of data to the United States cannot be ruled out and takes place on the basis of appropriate safeguards.
Flockler
We use Flockler to integrate social media content (e.g., feeds) on our website.
When loading such content, it may be technically necessary for data (e.g., IP address, technical browser information) to be transmitted to third parties in order to correctly display the content.
Where personal data is processed in this context, this takes place exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR.
Emarsys (Marketing Automation and CRM)
Where you have consented, we use Emarsys (SAP Emarsys eMarketing Systems GmbH, Märzstraße 1, 1150 Vienna, Austria) for the implementation and optimization of our marketing activities and the management of customer relationships.
Emarsys enables us, in particular, to send and personalize email communications (e.g., newsletters), segment user groups, and analyze user interactions with our content (e.g., open rates, click behavior, and website usage).
In this context, personal data such as email address, usage data, device information, and interaction data may be processed and — where technically necessary — combined with additional data from our systems in order to provide personalized content and offers.
Processing takes place exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR where it concerns marketing and tracking purposes. Where Emarsys is additionally used for the dispatch of transactional messages or for the performance of contracts, processing takes place on the basis of Art. 6 (1) (b) GDPR.
Where data is processed outside the EU/EEA, this takes place on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR.
Further information regarding the type, scope, and functioning of processing by the individual providers for the respective purposes can be found in the cookie settings and in the information provided by the respective provider.
Newsletter
If you subscribe to the newsletter and confirm the subscription through the email received as part of the double opt-in procedure, we process your first name, email address, IP address, country, and language, as well as optionally selected interests relating to newsletter content. The newsletter is sent for the purpose of sending (i) personalized marketing and product information regarding goods and services from the HEAD Group sports portfolio, (ii) personalized advertising information and news corresponding to your categories of interest and/or based on your website usage (e.g., frequent viewing of products within your selected categories of interest and geolocation), (iii) satisfaction surveys regarding services, products, and consulting of the HEAD Group and needs analyses, (iv) competitions, vouchers, discount campaigns, and sweepstakes, and (v) electronic greeting cards by email.
A general newsletter sign-up is possible independently of registration for a MySSI account. In the context of such a general newsletter sign-up, we process the data you provide in the registration form, particularly your email address and optionally your first name, country, language, and interests, in order to send you general and — where requested by you — personalized information regarding products, services, promotions, events, and news of the HEAD Group and SSI. Registration in this case also takes place using the double opt-in procedure.
If we collect your email address in connection with the sale of a product or service, we may also use your email address for direct marketing relating to similar products or services (via our newsletter), provided you have not opted out of this communication in advance. You have the right to unsubscribe at any time, and we will provide an unsubscribe option in all such communications, e.g., via an unsubscribe link. The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) GDPR and Art. 13 (2) ePrivacy Directive). (Does not apply to customers from Australia.)
Based on your IP address and with the help of our "Browser Region Manager," we can determine the region in which you are located when using MySSI. This information is stored in order to redirect you to the regional subpage and subscribe you to the newsletter applicable to your country of residence. We do not determine your exact location. You may manually change your assigned country before subscribing to our newsletter by using the country drop-down menu on our website or after you have already subscribed by updating your settings (instead of selecting the country/language via the Browser Region Manager).
Based on your IP address and your usage behavior on MySSI, personalized advertising information and messages are sent (profiling). Based on your IP address and with the help of our "Browser Region Manager," we can send you regional offers where you have consented to this. In doing so, we also analyze the frequency of clicks solely for the categories of interest selected by you "[Diving, Open Water Dive, …]" and, for example, in the event of frequent use of the "[Diving]" section, send you information from this category of interest via email based on the consent declaration described above. The analysis is carried out on the basis of the following evaluation methods and sequence of preferences: the data relating to your usage behavior on MySSI is anonymized and compared with empirical values for similar data sets in our database. On this basis, we calculate probabilities for potential future contacts and purchases with us. This enables us to provide corresponding offers and send information that, according to our experience, was of interest to customers with similar behavior. In this process, we may also create anonymized and pseudonymized user profiles.
When registering for the newsletter, we also store your IP address and the date and time of registration. This data is stored solely as evidence in the event that a third party misuses an email address and subscribes to the newsletter without the knowledge of the rightful owner. The personal data collected during newsletter registration is not shared with third parties for marketing purposes.
Where we use external service providers for the dispatch, management, segmentation, analysis, or success measurement of newsletters, this takes place within the scope of processing on our behalf on the basis of a data processing agreement pursuant to Art. 28 GDPR, insofar as such service providers process the data exclusively in accordance with our instructions.
The legal basis for this processing activity is your consent (Art. 6 (1) (a) GDPR).
You may revoke your consent to receiving newsletters at any time with future effect and without stating reasons (for example, via an unsubscribe link at the end of each newsletter or by email to privacy@diveSSI.com).
Consent Management / CookieFirst
For the collection, management, and documentation of your consent regarding the use of cookies, similar technologies, and third-party services requiring consent, we use a consent management tool. In this context, your consent decision, the time of the decision, consent ID, language settings, information about the browser, device, and domain, as well as, where applicable, your shortened IP address, are processed in order to document granted or revoked consents and technically implement them. Processing takes place for compliance with our legal obligations (Art. 6 (1) (c) GDPR) as well as on the basis of our legitimate interests in legally compliant, user-friendly, and traceable consent management (Art. 6 (1) (f) GDPR).
Where we use the service provider CookieFirst or a functionally comparable provider for this purpose, processing by such provider takes place as a processor on the basis of a data processing agreement pursuant to Art. 28 GDPR.
Registered users of MySSI may select the confidentiality level of most of their information within their profile settings by specifying visibility settings such as "Everyone" (visible to all), "Dive Buddy" (visible to accepted dive buddies), or "Private" (visible only to the user). The default setting of MySSI for new users is always "Private," meaning that the new user must actively permit higher visibility levels. If the profile is set to "Private," only statistical data regarding the respective usage will be processed in order to identify trends, usage patterns, frequency of use, and regional activities.
Subject to your consent and for the purposes described below, we make your personal data available, namely first name, last name, street, PO box, postal code, city, state, country, email address, telephone numbers (optional), date of birth, personal photo, language, gender, SSI Master ID, course type, course progress, certification data (number, date, instructor, number of dives at the time of certification, year diving began), center affiliation, and other personal data that you voluntarily provide through MySSI, e.g., insurance data relating to diving insurance policies (if applicable), to other SSI Service Centers (an overview of all SSI Service Centers can be found here: https://my.divessi.com/ssi) worldwide and also to authorized SSI Training Centers when you join them or conduct business with them (an overview of all authorized SSI Training Centers can be found here: https://my.divessi.com/divecenter). This helps them identify you, verify you, confirm the status of your training and certifications, and provide you with corresponding training or services based on your personal status or training progress relating to your diving activities and/or certifications.
Please note that not all recipients (SSI Authorized Training Centers) have implemented an adequate level of data protection. The transfer of your data is subject to your voluntarily granted consent. Please also note that authorized SSI Training Centers may access your data only upon your request and by providing your name and date of birth.
The legal basis for the described processing is your consent (Art. 6 (1) (a) GDPR).
SSI does not process personal data of persons under the age of 18 participating in SSI training programs unless a parent or legal guardian has consented to the registration. Should SSI discover that data relating to a person under the age of 18 is being processed, SSI will delete such data.
If you purchase a digital kit in our webshop (www.divessi.com), we process your name, billing and shipping address, email address, telephone number, the order number associated with the ordered items, and information regarding the goods purchased by you for the purpose of contract fulfillment (Art. 6 (1) (b) GDPR).
If you wish to order other products, such as hardware, we process your name, billing and shipping address, email address, and telephone number and transmit this data to HEAD Watersports SpA (Salita Bonsen 4, 16035 Rapallo (GE), Italy), from whom you purchase the selected products and who processes your purchase. The legal basis for this processing is legitimate interest (Art. 6 (1) (f) GDPR).
SSI may disclose your personal data to external service providers or contractors. Where third parties process data on behalf of SSI, SSI enters into data processing agreements with them to ensure that user/student information is used in accordance with the SSI Privacy Policy.
SSI transfers data to the following recipients:
- SSI Service Centers (an overview of all SSI Service Centers can be found here: https://my.divessi.com/ssi)
- SSI Training Centers (an overview of all authorized SSI Training Centers can be found here: https://my.divessi.com/divecenter)
- IT service providers and/or providers of data hosting services;
- Providers of software solutions that also support us in delivering our services (including providers of marketing tools, marketing agencies, communication service providers, and call centers);
- Mola Business Solutions as a provider of technical, operational, marketing-related, and/or administrative support services; where Mola Business Solutions processes personal data exclusively on our behalf, this takes place on the basis of a data processing agreement pursuant to Art. 28 GDPR;
- Providers of consent management, tracking, analytics, newsletter, and advertising technologies insofar as these are used for the provision, control, measurement, and optimization of our digital services and marketing activities;
- Google companies in connection with Google Ads, remarketing, conversion measurement, Enhanced Conversions, and comparable advertising and analytics services where you have consented to their use;
- Meta companies in connection with Meta Ads, Meta Pixel, Conversions API, Custom Audiences, similar audiences, and comparable advertising and analytics services where you have consented to their use;
- Companies of the HEAD Group;
- Head Watersports SpA (Salita Bonsen 4, 16035 Rapallo (GE), Italy)
- LiveAboard.com BV (Keizersgracht 307-2, 1016 ED Amsterdam, The Netherlands)
- Third parties that fulfill our obligations in relation to services provided to you (e.g., parcel delivery providers for the shipment of your certification or purchased products, payment service providers, and banks for payment processing);
- Other third parties (e.g., auditors, insurance companies, legal representatives, insurance providers, etc.);
- Authorities and other public entities where required by law (e.g., tax authorities, etc.).
Where recipients process personal data as processors on our behalf, we contractually restrict processing to our instructions. Where recipients process data for their own purposes, this takes place only on the basis of a legal authorization, your consent, or another legal basis described in this Privacy Policy.
We may also transfer your personal data to companies and other contractual partners outside the EU/EEA in order to verify your SSI training status and certifications, provide our services, operate MySSI, process your order, maintain our IT systems and software, etc. However, such transfer does not alter our obligation to protect your personal data in accordance with this Privacy Policy. Where your personal data is transferred outside the EU/EEA, we ensure an adequate level of protection by transferring it to countries that provide an adequate level of protection based on a decision of the European Commission, or by entering into a transfer agreement incorporating the European Commission's Standard Contractual Clauses between us and the legal entity outside the EU/EEA receiving the data. In other cases, data transfers may take place on the basis of Art. 49 (1) GDPR. You may obtain a copy of the relevant safeguards by sending an email to privacy@divessi.com.
Where we use services from Google or Meta or other providers located in third countries outside the EU/EEA, personal data may also be transferred to third countries, particularly the United States, in this context. Such transfers take place only in compliance with legal requirements, particularly on the basis of an adequacy decision, appropriate safeguards such as Standard Contractual Clauses, or — where required — your explicit consent.
MySSI operates in encrypted HTTPS format. In addition, we implement appropriate technical and organizational security measures in order to protect your personal data against accidental or unauthorized deletion or alteration, as well as against loss, theft, unauthorized access, disclosure, reproduction, use, modification, or access. We and our employees are also bound by data secrecy and confidentiality obligations. Likewise, service providers and agents who require access to your personal data in order to fulfill their professional duties are subject to the same obligations to maintain data secrecy and confidentiality.
As a general rule, we store your personal data only as long as we need it to fulfill the purposes described above. We store the personal data processed through MySSI as long as required to fulfill our contractual obligations, as indicated in the respective sections above. Where processing depends on your consent, we store such data until you revoke your consent. In addition, we store your data in accordance with legal requirements (e.g., retention obligations in connection with accounting) and for as long as claims may be asserted against us. SSI stores your data for as long as your MySSI account remains active, and SSI stores your data for the duration of the contractual relationship you maintain with us. Laws may require SSI to retain certain data for specified periods. In other cases, SSI may retain data for a reasonable period after termination of the relationship with you in order to protect itself against legal claims or to manage its business.
If a registered user does not activate their MySSI account and does not obtain certification within 12 months after registration, the account and user data will automatically be deleted from MySSI.
Where data is processed in connection with consents, cookie settings, advertising measures, newsletter registrations, double opt-in records, or data processing and compliance documentation, we store such data only for as long as necessary for the respective purposes, documentation obligations, and statutory retention periods.
Your Rights
You have the following rights regarding your personal data processed by us:
- You have the right to access your personal data and obtain a copy of the personal data processed by us, Art. 15 GDPR;
- If your personal data processed by us is inaccurate or no longer up to date, you have the right to rectification, Art. 16 GDPR;
- You have the right to request deletion of your data ("right to be forgotten"), Art. 17 GDPR;
- You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and you have the right to have us transfer your data to another controller, Art. 20 GDPR;
- You have the right to request restriction of processing where the relevant requirements are met, Art. 18 GDPR;
- You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, Art. 22 GDPR.
Your Right to Object, Art. 21 GDPR
Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such advertising purposes; this also applies to profiling insofar as it is related to such direct marketing. If we process your data for legitimate purposes, you also have the right to object to such processing at any time on grounds relating to your particular situation.
In order for us to process your request regarding your rights listed above and ensure that personal data is not disclosed to unauthorized third parties, please submit the request with clear identification of your person and a brief description of the scope of the exercise of your data subject rights listed above.
Your Right to Lodge a Complaint
You also have the right to lodge a complaint with the competent supervisory authority, in particular with the supervisory authority of the Member State in which you have your habitual residence or place of work, if you believe that the processing of personal data relating to you violates applicable data protection laws.
Your Right to Withdraw Consent
If you have given us your consent for a specific processing activity, you may withdraw it at any time by sending an email to privacy@divessi.com. Withdrawal of your consent does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.
You may additionally adjust or withdraw consents granted for cookies, tracking, Google Ads, Meta Ads, remarketing, conversion measurement, and comparable marketing technologies at any time with future effect via our consent management tool.
If you have any questions regarding the processing of your personal data, you may contact us or our Data Protection Officer by email at privacy@diveSSI.com or by letter at: HEAD Watersports GmbH c/o Privacy – Johann-Höllfritsch-Straße 6 – 90530 Wendelstein – Germany.
9.1 Categories of Personal Information We Collect, Where We Collect It From, Why We Collect It, and With Whom We Share It
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household ("personal information").
We use the personal information we collect for our business purposes or for other purposes listed in this Privacy Policy. These purposes may include:
- Auditing related to current interaction with the consumer and concurrent transactions, including but not limited to counting ad impressions for unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such activity.
- Debugging to identify and repair errors that impair intended functionality.
- Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including but not limited to contextual customization of ads shown as part of the same interaction.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify, improve, enhance, or maintain the quality or safety of our products or services.
To help you better understand our privacy practices, the following table shows for the preceding twelve (12) months which categories of personal information we collected, the categories of sources from which we collected personal information, our business or commercial purposes for collecting the information, and the categories of third parties with whom we shared personal information.
Category of Personal Information
- Identifiers such as name, email, address, PTR number, and PPR number.
- Categories of personal information described in Cal. Civ. Code § 1798.80(e), such as name, email, address, credit card number or other payment information, and telephone number.
- Characteristics of protected classifications under California or federal law, such as age and gender.
- Commercial information such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Internet or other electronic network activity information, such as browsing history, search history, and information regarding a consumer's interaction with a website, application, or internet advertisement.
Sources
- Consumer.
- Third-party service providers.
- Affiliated companies.
- Third-party organizations for amateur and professional athletes.
- Third-party organizers of tournaments or other events.
Purposes
- To offer products or services at events we sponsor.
- To accept and fulfill product purchases.
- To provide newsletters or other mailings.
- To fulfill our contractual obligations toward you.
- To conduct market research and product development.
- To market our products and services to you.
Third Parties with Whom Information Is Shared
- Service providers.
- Affiliated companies.
- Third parties upon whom we rely in business, financial, or legal matters, such as financial institutions, debt collection agencies, insurance companies, creditor protection agencies, and legal advisors.
- Third parties that assist us in marketing or advertising our products and services.
Additionally, the processing of personal information of California consumers may also serve advertising, measurement, remarketing, and audience-building purposes in connection with Google Ads and Meta Ads, where permitted under applicable law or where corresponding consent has been granted. In particular, identifiers, internet or other electronic network activity information, and commercial information may be affected.
During the preceding twelve (12) months, we disclosed the following categories of personal information of California consumers for a business purpose:
- Identifiers
- Categories of personal information described in Cal. Civ. Code § 1798.80(e)
- Characteristics of protected classifications under California or federal law
- Commercial information
- Internet or other electronic network activity information
Some browsers include "do not track" features that allow you to tell a website that you do not want to be tracked. These features are not all uniform. We currently do not respond to such signals. Instead, we collect, use, and share information as described in this Privacy Policy regardless of a "do not track" setting.
You have the right to request that we provide you with the following information:
9.4.1
The personal information we have collected, used, or disclosed about you.
9.4.2
The categories of personal information we have collected about you.
9.4.3
The categories of sources from which we collected the personal information.
9.4.4
Our business or commercial purpose for collecting personal information.
9.4.5
The categories of third parties with whom we share personal information.
9.4.6
The specific personal information we have collected about you.
You have the right to request that we delete the personal information we have collected about you.
We do not sell your personal information and will not sell it. Therefore, we do not offer an opt-out from the sale of personal information.
Your privacy rights are important. If you exercise your privacy rights under California law, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through discounts or other benefits or imposing penalties.
- Provide you with a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
If you are a California resident and would like to submit a request regarding your California rights, you may contact us at: privacy@divessi.com. If you already have an account with us, you must submit your request through that account, but you are not required to create an account with us in order to submit a request.
If you submit a request to delete personal information, you must separately confirm this request. After we receive your request, we will send you a separate notice with instructions on how to confirm your deletion request.
We can only respond to your request if it is verifiable. This means that we are required to take reasonable steps to verify your identity.
If you maintain a password-protected account with us, we will verify your identity through our existing authentication procedures for that account, but you will be required to re-authenticate before we disclose or delete the information related to your request.
If you do not yet have an account with us, we will verify your identity by matching the following information provided in your request with the information we already maintain about you: name, address, telephone number.
Where necessary to verify your identity, we may request additional information from you that will assist us in doing so. Depending on the nature of the request, we may also require a signed declaration under penalty of perjury. We will use such additional information solely for the verification process and not for any other purpose. If we are unable to verify your request, we will not disclose any personal information.
We do not charge fees for processing or responding to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.
If you wish to submit a request to know or delete through an authorized agent, we require the following before processing the request:
- A notarized copy of your written authorization permitting the agent to submit the request, and
- Verification of your identity directly with us, as described above.
Consumers may submit the above-listed information to privacy@divessi.com. Authorized agents may also send the notarized copy of the written authorization to privacy@divessi.com.
If your authorized agent possesses a valid power of attorney pursuant to Sections 4000 through 4465 of the California Probate Code, we may require proof of such power of attorney instead of the information above.
We may deny a request from an agent if the agent does not provide proof that you authorized them to act on your behalf.
From time to time, we may update this Privacy Policy. When we do so, we will post it on our website and indicate the effective date of the update. If there are material changes to this Privacy Policy, we will post a prominent notice on our website and provide other legally required information.
Link to the list of SSI Service Centers – https://my.divessi.com/ssi
Link to the list of authorized SSI Training Centers – https://www.divessi.com/dealer-locator
Link to the diveSSI Website Privacy Policy – https://www.divessi.com/info/privacy-policy
Link to the MySSI System Privacy Policy – http://my.divessi.com/myssi_privacy
Link to the document describing the core content of the applicable joint controller agreement – https://my.divessi.com/ssi_dc_joint_controller_agreement