This Privacy Policy describes the management methods of the rent.decathlon.it website with reference to the processing of personal data of users who take advantage of the online booking services for sports equipment.
INFORMATION ON THE PROCESSING OF PERSONAL DATA (ART. 13 REG. UE 2016/679 - GDPR)
Edition: June 2026
1 DATA CONTROLLER AND DPO
- Data Controller: Decathlon Italia S.r.l. Unipersonale, with registered office in Viale Valassina, 268 - 20851 Lissone (MB), VAT no. 11005760159. Email for exercising rights: [email protected] - PEC: [email protected].
- Data Protection Officer (DPO): Decathlon Italia has appointed a DPO, who can be contacted directly at the email address: [email protected].
2 ORIGIN AND TYPE OF DATA PROCESSED
The Data Controller processes personal data voluntarily provided during the online booking process and at the rental desk. Data is collected exclusively and directly from the data subject (Art. 13 GDPR):
- Personal and Contact Data: Name, surname, date and place of birth, residential address, email address, and mobile phone number.
- Document Data: Details of the identity document (type, number, expiration date).
- Dimensional Data for Safety: Weight, height, gender, level of practice, and shoe size.
Please note: This information does not constitute data concerning health (ex Art. 9 GDPR), but mere dimensional data collected for the sole and strict purpose of technically adjusting the equipment (e.g., ski bindings) and limiting the risk of injury. - Payment and Anti-Fraud Verification Data: Transactional information. Full credit card data does not transit through nor is it saved on Decathlon's servers (PCI-DSS Tokenization). For strict anti-fraud purposes, the Customer is required to physically present the card used in the store[cite: 18].
- Electronic Signature Data: In order to validly conclude the contract in a native digital format, we acquire the graphic stroke of the signature affixed by the data subject on the tablet in the point of sale (Graphic Electronic Signature). We specify that the system exclusively stores the encoded image of the signature and its logical association with the document, without the continuous collection of behavioral biometric data (speed, pressure, rhythm) falling under Art. 9 GDPR.
- Technical Data and Audit Trail: IP address, timestamp, and system logs necessary to certify the integrity of the signed electronic document.
3 PURPOSES AND LEGAL BASES OF PROCESSING
The processing is carried out exclusively for the following purposes:
| Processing Purpose | Legal Base (GDPR) |
|---|---|
| A. Execution of the Booking: Management of the shopping cart, collection of the down payment, sending service communications, and blocking the equipment. | Art. 6.1.b Execution of a contract or pre-contractual measures. |
| B. Contract Preparation and Safety: Advance preparation of the Contract and technical adjustment of the equipment compliant with the user to prevent injuries[cite: 31, 32]. | Art. 6.1.b Execution of the contract. |
| C. Identification and Electronic Signature: Acquisition of document details and the graphic stroke of the signature at the time of store collection on a tablet for the legally valid and binding signing of the contract. | Art. 6.1.c Compliance with a legal obligation (Written form requirement ex Civil Code and Legislative Decree 82/2005 CAD). |
| D. Asset Protection and Fraud Prevention: Credit risk management, validity control of payment methods via physical verification of the card, actions for damages recovery, litigation management, or reports to the Authorities. | Art. 6.1.f Legitimate interest of the Data Controller to defend their rights and company assets. |
| E. Administrative-Accounting Compliance: Invoicing, bookkeeping, legally compliant digital preservation, and related tax obligations. | Art. 6.1.c Compliance with a legal obligation. |
4 PROCESSING METHODS AND EXCLUSION OF PROFILING
Processing takes place using computer and electronic tools, with logic strictly related to the indicated purposes and, in any case, in such a way as to guarantee the security and confidentiality of the data through encryption (including the signature trace on the tablet) and strict logical access controls.
No fully automated decision-making process is adopted, nor is any profiling activity carried out based on rental data that produces legal effects on the data subject.
5 DATA RECIPIENTS
Data will not be disclosed to the public in any way. For the pursuit of the indicated purposes, data may be communicated to[cite: 47]:
- Employees and collaborators of Decathlon specifically authorized and trained.
- Decathlon Group companies.
- Technological Partners: Cloud providers, payment gateways, and Service Providers for the generation, encryption, and legally compliant Digital Preservation of electronically signed documents, formally appointed as External Data Processors (Art. 28 GDPR).
- Public Bodies: Law Enforcement or Judicial Authorities in the event of reports of a crime (e.g., misappropriation).
6 DATA TRANSFER OUTSIDE THE EU
Personal data is stored on servers located within the European Economic Area (EEA).
Should data be transferred to third countries for technical or disaster recovery reasons, Decathlon guarantees that this will take place in strict compliance with articles 44 et seq. of the GDPR (Adequacy Decisions or Standard Contractual Clauses).
7 DATA RETENTION PERIOD
Data is kept for the time strictly necessary to achieve the purposes for which it was collected:
- Contractual Data (including the Electronic Signature) and Accounting Data: Sent to compliant digital preservation and kept for 10 years from the conclusion of the rental (ordinary Italian prescription term, ex art. 2220 c.c.).
- Canceled Bookings (No-Show): Kept for 12 months from the date scheduled for the rental to manage the collection or refund of the penalty.
- Dimensional Data (Safety): Deleted or anonymized concurrently with the material conclusion of the rental contract, as it is no longer necessary, unless an accident/injury occurs requiring its precautionary retention.
8 RIGHTS OF THE DATA SUBJECT
Pursuant to articles 15-22 of the GDPR, the data subject has the right to ask Decathlon for:
- Access to their personal data;
- Rectification or erasure (right to be forgotten) of the same, without prejudice to the tax and civil law retention obligations of the signed contract;
- Restriction of processing;
- Data portability;
- Objection to processing for reasons related to their particular situation.
Exercise modalities: Rights can be exercised by sending an email to [email protected] or a registered letter with return receipt to the registered office of Decathlon Italia.
The data subject always has the right to lodge a complaint with the Data Protection Authority (Garante per la Protezione dei Dati Personali - www.garanteprivacy.it).