Data protection policy
1. About this Policy
1.1 This Policy is to help the club deal with data protection matters internally. This document is kept with other club / County Football Association / football league policies and a copy is given (or made available) to all members, volunteers and others who come into contact with personal data during the course of their involvement with the club.
1.2 Willow Wanderers FC (Club), (“we”, “our”, “us”)
handles personal data about current, former, and on occasion prospective players
[and their parents or guardians], volunteers, committee members, other Club members,
referees, coaches, managers, contractors, third parties, suppliers, and any
other individuals that we communicate with.
1.3 In your official capacity with the Club, you may process
personal data on our behalf and we will process personal data about you. We
recognise the need to treat all personal data in an appropriate and lawful
manner, in accordance with the EU General Data Protection Regulation 2016/679
(GDPR).
1.4 Correct and lawful treatment of this data will maintain
confidence in the Club and protect the rights of players and any other
individuals associated with the Club. This Policy sets out our data protection
responsibilities and highlights the obligations of the Club, which means the
obligations of our committee, volunteers, members, and any other contractor,
legal representative, individual or organisation acting for or on behalf of the
Club.
1.5 You are obliged to comply with this policy when
processing personal data on behalf of the Club, and this policy will help you
to understand how to handle personal data.
1.6 The Club’s committee will be responsible for ensuring
compliance with this Policy. Any questions about this Policy or data protection
concerns should be referred to the committee.
1.7 We process volunteer, member, referee, coach, manager,
contractor, committee, supplier and third party personal data for
administrative and Club management purposes. Our purpose for holding this
personal data is to be able to contact relevant individuals about Club business
and our legal basis for processing your personal data in this way is the
contractual relationship we have with you. We may keep this data for 60 months
after the end of your official relationship with the Club, unless required
otherwise by law and / or regulatory requirements. If you do not provide your
personal data for this purpose, you will not be able to carry out your role or
the obligations of your contract with the Club.
1.8 All the key definitions under GDPR can be found here.
2. What we need from you
2.1 To assist with our compliance with GDPR we will need you
to comply with the terms of this policy. We have set out the key guidance in
this section but please do read the full policy carefully.
2.2 Please help us to comply with the data protection
principles (set out briefly in section 3 of this policy and in further detail
below):
2.2.1 please ensure that you only process data in accordance
with our transparent processing as set out in our Privacy notice;
2.2.2 please only process personal data for the purposes for
which we have collected it (i.e. if you want to do something different with it
then please speak to the Chairman of the club first);
2.2.3 please do not ask for further information about
players and / or members and / or staff and / or volunteers without first
checking with the Committee;
2.2.4 if you are asked to correct an individual’s personal
data, please make sure that you can identify that individual and, where you
have been able to identify them, make the relevant updates on our records and
systems;
2.2.5 please comply with our retention periods listed in our
Privacy Notice and make sure that if you still have information which falls
outside of those dates, that you delete/destroy it securely;
2.2.6 please treat all personal data as confidential. If it
is stored in electronic format then please consider whether the documents
themselves should be password protected or whether your personal computer is
password protected and whether you can limit the number of people who have
access to the information. Please also consider the security levels of any
cloud storage provider (and see below). If it is stored in hard copy format
then please make sure it is locked away safely and is not kept in a car
overnight or disposed of in a public place;
2.2.7 if you are looking at using a new electronic system
for the storage of information, please talk to the Committee first so that we
can decide whether such a system is appropriately secure and complies with
GDPR;
2.2.8 if you are planning on sharing personal data with
anybody new or with a party outside the FA structure then please speak to the
Committee before doing so who will be able to check that the correct
contractual provisions are in place and that we have a lawful basis to share
the information;
2.2.9 if you receive a subject access request (or you think
somebody is making a subject access request for access to the information we
hold on them) then please tell [insert name] as soon as possible because we
have strict timelines in which to comply (under the GDPR, generally one month
from receipt of the request);
2.2.10 if you think there has been a data breach (for
example you have lost personal data, or a personal device which contains
personal data, or you have been informed that a coach has done so, or you have
sent an email with all recipients in the To or CC field instead of BCC so that
every contact can see the other addresses) then please speak to the
Chairman who will be able to help you to respond.
If you have any questions at any time then please just ask
the Committee. We are here to help.
3. Data protection principles
3.1 Anyone processing personal data must comply with the enforceable principles of data protection. Personal data must be:
3.1.1 processed lawfully, fairly and in a transparent
manner;
3.1.2 collected for only specified, explicit and legitimate
purposes;
3.1.3 adequate, relevant and limited to what is necessary
for the purpose(s) for which it is processed;
3.1.4 accurate and, where necessary, kept up to date;
3.1.5 kept in a form which permits identification of
individuals for no longer than is necessary for the purpose(s) for which it is
processed;
3.1.6 processed in a manner that ensures its security by
appropriate technical and organisational measures to protect against
unauthorised or unlawful processing and against accidental loss, destruction or
damage;
3.2 We are responsible for and must be able to demonstrate
compliance with the data protection principles listed above.
4. Fair and lawful processing
4.1 This Policy aims to ensure that our data processing is done fairly and without adversely affecting the rights of the individual.
4.2 Lawful processing means data must be processed on one of
the legal bases set out in the GDPR. When special category personal data is
being processed, additional conditions must be met.
5. Processing for limited purposes
5.1 The Club collects and processes personal data. This is data we receive directly from an individual and data we may receive from other sources.
5.2 We will only process personal data for the purposes of
the Club as instructed by the committee, the County FA or The FA, or as
specifically permitted by the GDPR. We will let individuals know what those
purposes are when we first collect the data or as soon as possible thereafter.
6. Consent
6.1 One of the lawful bases on which we may be processing data is the individual’s consent.
6.2 An individual consents to us processing their personal
data if they clearly indicate specific and informed agreement, either by a
statement or positive action.
6.3 Individuals must be easily able to withdraw their
consent at any time and withdrawal must be promptly honoured. Consents should
be refreshed every season.
6.4 Explicit consent is usually required for automated
decision-making and for cross-border data transfers, and for processing special
category personal data. Where children are involved, the consent must be given in
writing by a parent or guardian.
6.5 Where consent is our legal basis for processing, we will
need to keep records of when and how this consent was captured.
6.6 Our Privacy Notice sets out the lawful bases on which we
process data of our players and members.
7. Notifying individuals
7.1 Where we collect personal data directly from individuals, we will inform them about:
7.1.1 the purpose(s) for which we intend to process that
personal data;
7.1.2 the legal basis on which we are processing that
personal data;
7.1.3 where that legal basis is a legitimate interest, what
that legitimate interest is;
7.1.4 where that legal basis is statutory or contractual,
any possible consequences of failing to provide that personal data;
7.1.5 the types of third parties, if any, with which we will
share that personal data, including any international data transfers;
7.1.6 their rights as data subjects, and how they can limit
our use of their personal data;
7.1.7 the period for which data will be stored and how that
period is determined;
7.1.8 any automated decision-making processing of that data
and whether the data may be used for any further processing, and what that
further processing is.
7.2 If we receive personal data about an individual from
other sources, we will provide the above information as soon as possible and
let them know the source we received their personal data from.
7.3 We will also inform those whose personal data we process
that we, the Club, are the data controller in regard to that data, and which
individual(s) in the Club are responsible for data protection.
8. Adequate, relevant and non-excessive processing
8.1 We will only collect personal data that is required for the specific purpose notified to the individual.
8.2 You may only process personal data if required to do so
in your official capacity with the Club. You cannot process personal data for
any reason unrelated to your duties.
8.3 The Club must ensure that when personal data is no
longer needed for specified purposes, it is deleted or anonymised.
9. Accurate data
We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at the start of each season. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
10. Timely processing
We will not keep personal data longer than is necessary for the purpose(s) for which they were collected. We will take all reasonable steps to destroy or delete data which is no longer required, as per our Privacy Notice.
11. Processing in line with data subjects’ rights
11.1 Individuals have the right to:
11.1.1 be informed of what personal data is being processed;
11.1.2 request access to any data held about them by a data
controller;
11.1.3 object to processing of their data for
direct-marketing purposes (including profiling);
11.1.4 ask to have inaccurate or incomplete data rectified;
11.1.5 be forgotten (deletion or removal of personal data);
11.1.6 restrict processing;
11.1.7 data portability; and
11.1.8 not be subject to a decision which is based solely on
automated processing.
11.2 The Club is aware that not all individuals’ rights are
absolute, and any requests regarding the above should be immediately reported
to the committee, and if applicable escalated to the County FA for guidance.
12. Data security
12.1 We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
12.2 We have proportionate procedures and technology to
maintain the security of all personal data.
12.3 Personal data will only be transferred to another party
to process on our behalf (a data processor) where we have a GDPR-compliant
written contract in place with that data processor.
12.4 We will maintain data security by protecting the
confidentiality, integrity and availability of the personal data.
12.5 Our security procedures include:
12.5.1 Entry controls. Any stranger seen in entry-controlled
areas should be reported.
12.5.2 Secure desks, cabinets and cupboards. Desks and
cupboards should be locked if they hold personal data.
12.5.3 Methods of disposal. Paper documents should be
shredded. Digital storage devices should be physically destroyed.
12.5.4 Equipment. Screens and monitors must not show
personal data to passers-by, and should be locked when unattended. Excel
spreadsheets will be password protected.
12.5.5 Personal Devices. Anyone accessing or processing the
Club’s personal data on their own device, must have and operate a password only
access or similar lock function, and should have appropriate anti-virus
protection. These devices must have the Club’s personal data removed prior to
being replaced by a new device or prior to such individual ceasing to work with
or support the Club.
13. Disclosure and sharing of personal information
13.1 We share personal data with the County FA and The FA, and with applicable leagues using Whole Game System.
13.2 We may share personal data with third parties or
suppliers for the services they provide, and instruct them to process our
personal data on our behalf as data processors. Where we share data with third
parties, we will ensure we have a compliant written contract in place
incorporating the minimum data processor terms as set out in the GDPR, which
may be in the form of a supplier’s terms of service.
13.3 We may share personal data we hold if we are under a
duty to disclose or share an individual’s personal data in order to comply with
any legal obligation, or in order to enforce or apply any contract with the
individual or other agreements; or to protect our rights, property, or safety
of our employees, players, other individuals associated with the Club or
others.
14. Transferring personal data to a country outside the EEA
We may transfer any personal data we hold to a country outside the European Economic Area (EEA), provided that one of the appropriate safeguards applies.
15. Reporting a personal data breach
15.1 In the case of a breach of personal data, we may need to notify the applicable regulatory body and the individual. Under the GDPR, notification to the supervisory authority is required within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, so speed matters.
15.2 If you know or suspect that a personal data breach has
occurred, inform a member of the committee immediately, who may need to
escalate to the County FA as appropriate. You should preserve all evidence
relating to a potential personal data breach.
16. Dealing with subject access requests
16.2 When receiving telephone enquiries, we will only
disclose personal data if we have checked the caller's identity to make sure
they are entitled to it.
17. Accountability
17.1 The Club must implement appropriate technical and organisational measures to look after personal data, and is responsible for, and must be able to demonstrate compliance with the data protection principles.
17.2 The Club must have adequate resources and controls in
place to ensure and to document GDPR compliance, such as:
17.2.1 providing fair processing notice to individuals at
all points of data capture;
17.2.2 training committee and volunteers on the GDPR, and
this Data Protection Policy; and
17.2.3 reviewing the privacy measures implemented by the
Club.
18. Changes to this policy
We reserve the right to change this policy at any time. Where appropriate, we will notify you by email.