Chinnor Rugby Club – Personal Information Privacy Statement
New data security regulations are coming into force in May 2018 that affect personal data held about you by any organisation or business that you may become associated with. As a Club, we too need to make sure that you are aware of how these changes affect both you and the Club with respect to the data we hold about you and what we do with it.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and is not intended to override them.
What is Personal Data
Personal Data is any data that can contribute to identifying you as a unique individual. For example, your National Insurance number uniquely identifies you on its own, whereas your name may not – there may be others with the same name – but would do with additional pieces of data, eg your address.
The new regulations say that if we keep and process personal data about you, then we must do it in a way that protects your privacy. We can only keep data about you if we have a good legal reason for doing so. We also have to make sure that your data is kept safely and cannot be accessed by people not authorised to access it. Finally we have to make sure that we only keep data for as long as there is a valid reason to do so - when that valid reason goes away eg leaving the Club, then we must delete the data we hold.
You also have increased rights under the new law over the data we hold about you. You have the right to know what data we hold and to see it if you wish; to have it corrected if it is wrong, or even have it deleted if you wish – although there may be things that we can no longer do for you as a result eg 10% discount at the bar – see the section ‘Your Rights’ below.
Data Controller Contact Details
In the context of the law the Club is the Data Controller for information it holds on Members and Employees, with the exception of additional data required by the RFU.
Chinnor Rugby Football Club
Telephone - 01844 213735
What Information do we collect and where do we keep it?
We collect information to enable us to run the membership of the Club, so we record:
- Identity Data, including first name, last name, username or similar identifier, title, date of birth and gender etc.
- Contact Data, including address, email address and telephone numbers etc.
- Financial and Transaction Data, including payment details and other information about the membership and services you get as a Club member.
We include club sponsors as club members.
NOTE: it is the Club’s responsibility to make as sure as it reasonably can that Pitchero is complying with the new laws and to check regularly that it continues to do so.
We hold information on staff that allows us to manage their employment with us, including identity and contact data, as well as recording sickness, annual leave, salary, and tax information etc. This information is kept on the Sage Accounting package that we use to run the Club’s finances. Some of it is also held by Rectory Homes, as we use their payroll service to pay salaries. You can ask to see or correct the information held by asking the Club General Manager. Both Sage and Rectory Homes will be governed by the same law on personal data privacy.
Players, Coaches, Physios
We are bound by contract with the RFU to collect and store information concerning players, coaches, physio staff and also concerning any children and minors we have as Club members (see Children and Minors below). The latter is used for safeguarding purposes. This information is loaded by the Club onto the GMS System operated by the RFU. It is then managed and processed as required by the RFU.
Children and Minors
We are bound by contract with the RFU to collect and store information concerning any children and minors we have as Club members. This is used for safeguarding purposes. This information is loaded by the Club onto the GMS System operated by the RFU. It is then managed and processed as required by the RFU.
We also sometimes wish to post pictures and videos of matches involving our Mini and Midi Youth sections onto our own website operated by Pitchero and also social media. In such cases we will only use pictures that involve children and minors who have either given their consent if they are between the ages of 14 and 18 and/or have had consent given by their legal parent or guardian if under 14.
Other Repositories of Personal Data
We may hold subsets of information on local personal computers for the purpose of administering local activities such as O2 Touch Rugby and the 300 Club. The activity administrator/organiser will maintain that data, extracting it from Pitchero or Chip/Cobra as appropriate, or will collect it directly from participants. They are required by Club rules to declare that they are keeping information, what information they are keeping and to delete it from their computers when finished with it. You have the right not to have your personal data held and processed this way and should contact the relevant administrator/organiser directly.
The Club maintains a full list of all the data types we hold (including data held by specific administrators/organisers), where it is held, what it is used for and for how long it is retained. The information is contained in a spreadsheet on the Club’s Cloud Store and is freely available to anyone in the Club, by contacting The General Manager – there is no actual personal data held on this spreadsheet.
How do we collect Personal Information
We use different methods to collect data from and about you including through:
- Direct interactions, such as you filling in forms on the Website or corresponding with us by post, phone, email or otherwise.
- Third parties or publicly available sources.
How we use your personal information
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where it is necessary for our legitimate interests (or those of a third party) in running the Club, where your interests and fundamental rights do not override the Club’s interests.
- Where we need to comply with a legal or regulatory obligation, eg passing data to the RFU or complying with tax and other employment requirements.
Generally we do not rely on your consent as a legal basis for processing your personal data, except where children and minors are involved.
You have the right to opt out from receiving any email communications from the Club such as newsletters or other contacts concerning Club activities. To do so, contact the Club General Manager.
We will not sell, rent or lease the data we capture to third parties, but we may disclose it in the circumstances set out below in “Disclosure to third parties”.
We have set out in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate and how long we will retain the personal data. That table is available in spreadsheet form by requesting it from the General Manager, either electronically or on paper.
Protection of Personal Information
We take precautions — including administrative, technical, and physical measures — to safeguard your personal information against loss, theft, and misuse, as well as against unauthorised access, disclosure, alteration, and destruction.
Although we will do our best to protect your personal information, we cannot guarantee the security of your data transmitted to the Website by virtue of the unsecure nature of the internet and any transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to try to prevent unauthorised access.
Disclosure to third parties
We may share your personal information with ruling sports bodies or with our third-party service providers. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may also disclose your personal information if we are under a duty to disclose or share your personal data in order to comply with any legal obligation. This includes exchanging information with other organisations for the purposes of fraud protection and credit risk reduction.
You have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure and we will give you specific legal reasons if this is the case.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact the Club General Manager.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Issued by the Chinnor Rugby Club Board of Management
Dated 1st May 2018
Chinnor RFC Volunteer GDPR Compliance 1st Draft 23/04/18