This Personal Data Policy sets out how Sporting 87 (‘we’) use and protect any information that you give us.
We are committed to safeguarding the right to privacy, including the rights of individuals to control the dissemination and use of personal data.
If we ask you to provide information by which you can be identified, then you can be assured that it will only be used in accordance with this statement. We may change this policy from time to time by updating this document. However, we will not use your personal data in any new ways without your consent.
The Controller (‘we’) is Sporting 87 Football Club, registered in England and Wales as charity number 1162311.
Address: Unit 2, 1 Northern Way, Bury St Edmunds, Suffolk. IP32 6NH.
We use the following legislation to inform our policy.
- UK Data Protection Act 1988 (DPA)
- The Privacy and Electronic Communications (EC Directive) Regulations 2003
- EU General Data Protection Regulation 2018 (GDPR)
Basis of lawful processing
We are responsible for the lawful processing of your personal data.
The basis for processing your personal data is for the performance of a contract, for the administration of your registration, and membership to the Football Association (FA). If you are a player member then we, as the organisers, will use your contact data to fulfill our part of the agreement.
Health records are a special category of personal data under GDPR. We process this with your consent for safeguarding, and health and safety purposes.
If you are under sixteen years old, we are required to make reasonable efforts to confirm parental consent to processing. We will hold additional personal data relating to your parent/carer and process your data in a way that meets our safeguarding obligations.
We have a legitimate interest to send you electronic communications and to contact you via telephone to keep you informed of Club and Trust sessions, matches, events and news.
If you’re not willing to provide your personal details for us to process, we will be unable to carry out our contract agreement and so will not register you as a member.
We occasionally send information regarding sections of the Club and Trust that you’re not currently actively involved in so you and/or your family and friends may consider taking up these options. This is deemed to facilitate our ‘holistic’ provision to our ‘footballing community’.
When we consider it wholly appropriate and beneficial we may send marketing emails from third parties to individuals over sixteen years old, but will only do so with your active consent. You may withdraw this at any time. You can be a member without consenting to this.
Personal information we collect and why we collect it
We collect personal information electronically through our website and paper forms for the purpose of managing your registration and membership with Sporting 87 and the FA.
If you are under sixteen years old you must obtain parental consent before providing us with any personal information.
When you register with us as a player or volunteer staff we may collect the following personal information from you.
- Date of birth
- Postal address
- Telephone number (if over sixteen years old)
- Email address (if over sixteen years old)
- Special educational needs
- Medical conditions
- Telephone number
- Email address
- Trade/profession (optional – see Q&A document)
We recognise that under GDPR regulations medical conditions are classed as sensitive data and therefore we take additional steps to maintain security of this information.
We only collect enough personal data through our website to enable us to process and deliver personal kit orders.
Other website actions
We collect contact details in order to respond to requests made via our Contact Us form.
- Email address
See Q&A document
Website visitation tracking
Our website uses Google Analytics (GA) to track user interaction. We use this data to determine the number of people using our website to better understand how they find and use the presented information, and to see how they navigate through the pages.
Although GA records data such as your geographical location, browsing device, internet browser and operating system, none of this information personally identifies you to us. GA also records your computer’s IP address, which could be used to personally identify you, but Google do not grant us access to this information. We consider Google to be a third party data processor (see below).
How we store your personal information
We retain your personal data electronically on our web server, email server and with our cloud storage provider.
Our web server is hosted in a UK data centre with ISO270001 (information security) and ISO90001 (quality management) accreditations. Access to the data centre is restricted to accredited technical staff and visitors only. We use 256-bit SSL/TLS technology to encrypt all data between your browser and our servers. SSL/TLS is the industry standard for encrypting transaction information on the internet.
Our cloud storage provider is ‘Dropbox’, which is accredited with ISO27018 (cloud privacy protection security). We back up our web server data to Dropbox.
We restrict our use of emails and retain them for only as long as is necessary regarding the topic to which they pertain.
We take the following steps to secure electronic data.
- Password protection
- Lock paper documents in cabinets within a secure office and security controlled building
- Only allow relevant and correct level staff to access your data
When, why and how we may share your personal information
Our players play in competitions that are under the jurisdiction of the FA. We are responsible for registering players on the FA’s computer system called the ‘Whole Game System’. This means we share information with the County and National FA, and the FA affiliated competitions that we partake in.
To register a player with the FA we must share the following personal information.
- Date of birth
We cannot delete your personal information from the Whole Game System. You must contact the County FA to request this.
Our coaches and other staff
All our staff are trained and are aware of this policy. We share the personal information of players with only those staff directly involved with them, for the following reasons.
- Informing you of activities and keeping you up-to-date with this information.
- Health and safety, including medical issues
Staff personal information is also subject to this policy.
How long we keep your personal data
We retain personal data for as long as necessary for us to carry out our contract.
Players and staff who leave
We retain your personal data for a maximum of twelve months after you leave, unless there is a legitimate reason for retaining it for a longer period, e.g. an ongoing insurance issue.
On request we will provide all your personal data that we hold on you or on your child. We will do this in a timely manner and without charge, in paper or electronic format (right to portability).
Right to accurate information
We have the responsibility to maintain accurate records. Please contact us to update yours at any time.
Right to erasure (to be forgotten)
We will erase all personal data we hold on you / your child on your request. This may mean that our contract with you is then terminated through us being unable to fulfill our contract.
Right to withdraw consent to processing (where legal basis is consent)
You can withdraw consent to receive third party marketing emails at any time.
We will report any unlawful data breach to all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.