Croydon Football Club – Privacy Statement (GDPR)
Croydon Football Club understands and respects the privacy of our supporters, players and other persons involved with activities associated with the club. The club understands the importance of protecting personal data and how it is used.
Croydon Football Club will only collect, store, and use personal data in ways described within this document, and in a way consistent with our obligations and your rights under the law. The policy is advised by
The Board acts as ultimate data controller and is responsible for deciding how to process any personal data but may delegate access and usage of the data to carefully selected persons on behalf of the club, within defined parameters.
The General Data Protection Regulation (GDPR) requires Croydon Football Club to make public its approach to ensuring the privacy of individuals’ data. For the purpose of this Privacy Statement, the term “Club” or “CFC” is used to mean Croydon Football Club.
CFC will only process personal data for the purposes of the Club as instructed by the board, the County FA or The FA, or as specifically permitted under GDPR.
The individuals whose data may be processed include (but are not limited to) current, former, and on occasion prospective players (and their parents or guardians); employees; volunteers; club members; referees; managers; coaches; sponsors; donors; contractors; board/committee members; partners; and suppliers, as well as other third-party personal data. This will purely be for administrative and Club management/developmental purposes.
The type of data may include (but is not exclusive to): Name; Date of birth; Gender; Address; Billing Address; Email address; Telephone number; Mobile Number; Business-name; Job title; Profession; Guest Details; Child Name; Child School & Year; Child Medical Conditions; Personal preferences and interests; basic corporate information
This policy has been based on key definitions under GDPR found here and general advice/policies offered by the FA.
The General Data Protection Regulation (GDPR) allows the use of Legitimate Interest Assessment (LIA) as a means of obtaining the consent of individuals whose data is held, in cases where the individual might reasonably expect such data to be held and where there is minimal impact on the individual’s privacy. The Club will use LIA as a means of consent wherever appropriate and will seek opt-in consent where the above conditions do not apply.
An individual is deemed to have provided consent to CFC processing their personal data, if they clearly indicate specific and informed agreement, either by a statement or positive action, in terms of the provision of that data.
3) Individual’s Rights Under GDPR
The Club, in complying with the principles of GDPR, will ensure that data is processed lawfully, fairly and in a transparent manner:
- data, in respect of an individual, is held only when there is a lawful basis for doing so. A lawful basis will include, but may not be limited to, a legal obligation, a contract, a specified purpose, or the protection of an individual’s vital interest.
- data collected will be adequate, relevant and limited to what is necessary for the purposes for which it is processed. It will be maintained as accurately as possible and updated where necessary/practicable.
- access to data will be limited to specific data owners and stored in secure locations (on password-protected devices/locked sites) or formats (password-protected files) to ensure appropriate security.
- data will not be retained for any longer than is necessary, based on the reasons for which it was first collected.
- Individuals will be advised of the purposes of data collection when said data is initially requested, or as soon as possible thereafter.
- every individual whose data is held by the Club may request a copy of the data held for that individual, with a clear explanation of the lawful basis for it being held. CFC will respond within one month of the request and promptly rectify such data, if requested. Such requests should be made by email to firstname.lastname@example.org or in writing to the Club
- every individual also has the right to request that their data be erased. The Club may refuse to erase data where there is a legal reason for it being held and, in other circumstances, will advise of any disadvantage that might accrue to the individual by the erasure, before acting on the request. Such requests should be made by email to email@example.com or in writing
- CFC will advise of the right to object should data be used for Direct Marketing and shall immediately cease the processing of data for such purposes if requested
- automated decision making or profiling will not be utilised in the processing of data held by CFC
- The Club will not share data with any third-party organizations, except in some limited but highly unexpected circumstances, where CFC may be legally required to share certain personal data. This could be in the unlikely event CFC are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority, or the police.
4) Policy Amendments
CFC keeps this Privacy Statement under regular review and will post updates to the Club website promptly, where appropriate and as mandated by the Board.