Data policy
Redhill FC Data Protection Policy
Privacy policy
1. About this Policy
1.1 Redhill FC are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
1.2 Redhill FC handle personal data about current, former, and on occasion prospective players and their parents or guardians, employees, volunteers, committee members, other Club members, referees, coaches, managers, contractors, third parties, suppliers, and any other individuals that we communicate with.
1.3 In our official capacity with the FA, Surrey FA and Combined Counties League we may process personal data on our behalf and we will process personal data about you. We recognise the need to treat all personal data in an appropriate and lawful manner, in accordance with the EU General Data Protection Regulation 2016/679 (GDPR).
1.4 Correct and lawful treatment of this data will maintain confidence in the Club, and protect the rights of players and any other individuals associated with the Club. This Policy sets out our data protection responsibilities and highlights the obligations of the Club, which means the obligations of our employees, committee, volunteers, members, and any other contractor or legal or natural individual or organisation acting for or on behalf of the Club.
1.5 We are obliged to comply with this policy when processing personal data on behalf of the Club and this policy will help us to understand how to handle personal data.
1.6 The Club Committee will be responsible for ensuring compliance with this Policy. Any questions about this Policy or data protection concerns should be referred to the Data Information Officer at info@redhillfc.co.uk.
1.7 We process employee, volunteer, member, referee, coach, manager, contractor, committee, supplier and third party personal data for administrative and Club management purposes. Our purpose for holding this personal data is to be able to contact relevant individuals on Club business or administer the terms of your employment, and our legal basis for processing your personal data in this way is the contractual relationship we have with you. We will keep this data for 6 months after the end of your official relationship with the Club, unless required otherwise by law and / or regulatory requirements. If you do not provide your personal data for this purpose, you will not be able to carry out your role or the obligations of your contract with the Club.
1.8 All the key definitions under GDPR can be found here.
2. Data protection principles
2.1 Anyone processing personal data must comply with the enforceable principles of data protection. Personal data must be:
2.1.1 processed lawfully, fairly and in a transparent manner;
2.1.2 collected for only specified, explicit and legitimate purposes;
2.1.3 adequate, relevant and limited to what is necessary for the purpose(s) for which it is processed;
2.1.4 accurate and, where necessary, kept up to date;
2.1.5 kept in a form which permits identification of individuals for no longer than is necessary for the purpose(s) for which it is processed;
2.1.6 processed in a manner that ensures its security by appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
2.2 We are responsible for and must be able to demonstrate compliance with the data protection principles listed above.
3. Fair and lawful processing
3.1 This Policy aims to ensure that our data processing is done fairly and without adversely affecting the rights of the individual.
3.2 Lawful processing means data must be processed on one of the legal bases set out in the GDPR. When special category personal data is being processed, additional conditions must be met.
4. Processing for limited purposes
4.1 The Club collects and processes personal data. This is data we receive directly from an individual and data we may receive from other sources.
4.2 We will only process personal data for the purposes of the Club as instructed by the committee, the County FA or The FA, or as specifically permitted by the GDPR. We will let individuals know what those purposes are when we first collect the data or as soon as possible thereafter.
5. Consent
5.1 One of the lawful bases on which we may be processing data is the individual’s consent.
5.2 An individual consents to us processing their personal data if they clearly indicate specific and informed agreement, either by a statement or positive action.
5.3 Individuals must be easily able to withdraw their consent at any time and withdrawal must be promptly honoured. Consents should be refreshed every season.
5.4 Explicit consent is usually required for automated decision-making and for cross-border data transfers, and for processing special category personal data. Where children are involved, the consent must be in writing from a parent/guardian.
5.5 Where consent is our legal basis for processing, we will need to keep records of when and how this consent was captured.
5.6 Our Privacy Notice sets out the lawful bases on which we process data of our players and members.
6. Notifying individuals
6.1 Where we collect personal data directly from individuals, we will inform them about:
6.1.1 the purpose(s) for which we intend to process that personal data;
6.1.2 the legal basis on which we are processing that personal data;
6.1.3 where that legal basis is a legitimate interest, what that legitimate interest is;
6.1.4 where that legal basis is statutory or contractual, any possible consequences of failing to provide that personal data;
6.1.5 the types of third parties, if any, with which we will share that personal data, including any international data transfers;
6.1.6 their rights as data subjects, and how they can limit our use of their personal data;
6.1.7 the period for which data will be stored and how that period is determined;
6.1.8 any automated decision-making processing of that data and whether the data may be used for any further processing, and what that further processing is.
6.2 If we receive personal data about an individual from other sources, we will provide the above information as soon as possible and let them know the source we received their personal data from.
6.3 We will also inform those whose personal data we process that we, the Club, are the data controller in regard to that data, and which individual(s) in the Club are responsible for data protection.
7. Adequate, relevant and non-excessive processing
7.1 We will only collect personal data that is required for the specific purpose notified to the individual.
7.2 You may only process personal data if required to do so in your official capacity with the Club. You cannot process personal data for any reason unrelated to your duties.
7.3 The Club must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised.
8. Accurate data
We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at the start of each season. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
9. Timely processing
We will not keep personal data longer than is necessary for the purpose(s) for which they were collected. We will take all reasonable steps to destroy or delete data which is no longer required, as per our Privacy Notice.
10. Processing in line with data subjects’ rights
10.1 As data subjects, all individuals have the right to:
10.1.1 be informed of what personal data is being processed;
10.1.2 request access to any data held about them by a data controller;
10.1.3 object to processing of their data for direct-marketing purposes (including profiling);
10.1.4 ask to have inaccurate or incomplete data rectified;
10.1.5 be forgotten (deletion or removal of personal data);
10.1.6 restrict processing;
10.1.7 data portability; and
10.1.8 not be subject to a decision which is based on automated processing.
10.2 The Club is aware that not all individuals’ rights are absolute, and any requests regarding the above should be immediately reported to the committee, and if applicable escalated to the Surrey County FA / FA for guidance.
11. Data security
11.1 We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
11.2 We have proportionate procedures and technology to maintain the security of all personal data.
11.3 Personal data will only be transferred to another party to process on our behalf (a data processor) where we have a GDPR-compliant written contract in place with that data processor.
11.4 We will maintain data security by protecting the confidentiality, integrity and availability of the personal data.
11.5 Our security procedures include:
11.5.1 Entry controls. Any stranger seen in entry-controlled areas should be reported.
11.5.2 Secure desks, cabinets and cupboards. Desks and cupboards should be locked if they hold personal data.
11.5.3 Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed.
11.5.4 Equipment. Screens and monitors must not show personal data to passers-by, and should be locked when unattended. Excel spreadsheets will be password protected.
11.5.5 Personal Devices. Anyone accessing or processing the Club’s personal data on their own device must have password-only access or similar lock functions and appropriate anti-virus protection. These devices must have the Club’s personal data removed prior to being replaced or prior to such individual ceasing to work with or support the Club.
12. Disclosure and sharing of personal information
12.1 We share personal data with Surrey County FA, The FA, and applicable leagues using the Whole Game System.
12.2 We may share personal data with third parties or suppliers for the services they provide and instruct them to process our personal data on our behalf as data processors. Where we share data, we will ensure a compliant written contract is in place incorporating minimum data processor terms under GDPR.
12.3 We may share personal data where required to comply with a legal obligation, enforce contracts, or protect the rights, property or safety of the Club, its members, players or others.
13. Transferring personal data outside the EEA
We may transfer personal data outside the European Economic Area (EEA) provided appropriate safeguards apply.
14. Reporting a personal data breach
14.1 In the case of a breach of personal data, we may need to notify the applicable regulatory body and the individual.
14.2 If you know or suspect a personal data breach, inform a committee member immediately and preserve all relevant evidence.
15. Dealing with subject access requests
15.1 Individuals may make a formal request for information we hold about them. Anyone receiving such a request should forward it to the board/committee immediately and escalate where required.
15.2 When receiving telephone enquiries, we will only disclose personal data after confirming the caller’s identity.
16. Accountability
16.1 The Club will implement appropriate technical and organisational measures and must be able to demonstrate GDPR compliance.
16.2 This includes:
16.2.1 providing fair processing notices at all data capture points;
16.2.2 training committee members and volunteers on GDPR and this policy;
16.2.3 reviewing privacy measures implemented by the Club.
17. Changes to this policy
We reserve the right to change this policy at any time. Where appropriate, we will notify you by email.