StartDatenschutzbestimmungen

NEWCASTLE RUGBY LIMITED PRIVACY POLICY – EVENTS, ACTIVITIES AND SERVICES Introduction Newcastle Rugby Limited (company number 03706046) whose registered office is at Kingston Park, Brunton Road, Kenton Bank Foot, Newcastle upon Tyne, NE13 8AF (we) are committed to protecting your personal data and respecting your privacy. We are registered as a controller with the Information Commissioner's Office with data protection register number ZA032224. This policy applies to your use of: • Any of the services, events or activities we organise or provide. • Others This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it. This policy is provided in a layered format so you can click through to the specific areas you're interested in set out below. [IMPORTANT INFORMATION AND WHO WE ARE] [INFORMATION FOR CHILDREN] [THE DATA WE COLLECT ABOUT YOU] [HOW IS YOUR PERSONAL DATA COLLECTED?] [HOW WE USE YOUR PERSONAL DATA] [DISCLOSURES OF YOUR PERSONAL DATA] [INTERNATIONAL TRANSFERS] [DATA SECURITY] [DATA RETENTION] [YOUR LEGAL RIGHTS] [GLOSSARY] [DESCRIPTION OF CATEGORIES OF PERSONAL DATA] Important information and who we are Newcastle Rugby Limited is the controller and is responsible for your personal data (collectively referred to as "Company", "we", "us" or "our" in this policy). Newcastle Rugby Limited works closely with Newcastle Rugby Foundation. When we mention "the Foundation" we are referring to the registered charity Newcastle Rugby Foundation or subsidiaries of it. Newcastle Rugby Limited is the controller responsible for processing personal data in relation to the following services, events and activities, the Services and Events and Activities. Our Services: these include match days, other first team or academy events or events relating to our primary function as a premiership rugby club, sponsorship and branding, hospitality, retail from the club shop or on-site bars and food outlets, Falcons Events services, including but not limited to stadium hire, offsite event catering and bus bar or pizza van hire Our Events and Activities: these include match days for our first team or academy and all other on-site events. This also includes relevant offsite events where Falcons Events are a primary supplier and occasionally events or activities run by Newcastle Rugby Foundation. When we engage other organisations to process your personal information on our behalf, there will always be a contract in place requiring that processor to keep your information secure and only use it for the purpose they have been instructed to. We sometimes share personal data. We have a responsible person who co-ordinates data protection compliance within Newcastle Rugby Limited (the [Data Protection Co-ordinator]). If you have any questions about this privacy policy, please contact them using the details set out below. Contact details Our full details are: • Newcastle Rugby Limited • Name or title of Data Protection Co-ordinator: Angela Alderson • Email address: angela.alderson@newcastle-falcons.co.uk • Postal address: Kingston Park Stadium, Brunton Road, Kenton Bank Foot, Newcastle upon Tyne, NE13 8AF • Telephone number: 0191 214 5588 You have the right to make a complaint about the way we process your personal data at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues but we would appreciate the chance to deal with any complaints or concerns you may have in the first instance. The ICO can be contacted: • By phone: 0303 123 1113 • In writing: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF • Online: www.ico.org.uk/concerns Changes to the privacy policy and your duty to inform us of changes We keep our privacy policy under regular review. This version was last updated on 11th September 2023. It may change and if it does, these changes will be reflected within this policy document. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the Services or when you next take part in one of our Events and Activities. It is important that the personal data we hold about you is accurate and up to date. Please let us know if your personal data changes. Third party links Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services. The data we collect about you We may collect, use, store and transfer different kinds of personal data about you as follows: • Identity Data: first names, last name, username or similar identifier, marital status, title, date of birth, gender, ethnicity • Contact Data: residential address, the rugby or sports club which you are a member of, the organisation or non-sports club you are a member of where relevant i.e. your employer where relevant, your email address and telephone numbers. • Device Data: includes the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting. • Profile Data: includes your username and password, transaction / appointment history, your preferences, feedback and survey responses. • Attendance/Transaction Data: includes details of your use of or attendance at any of our Services or Events and Activities. • Marketing and Communications Data: includes your preferences in receiving marketing from us (about different Services, Events and Activities we are running) and our third parties and your communication preferences. • Safeguarding Data: - this is the data we gather to promote the welfare of children and vulnerable adults to protect them from harm. We will collect and record appropriate safeguarding data to ensure that children and adults at risk of harm participation in our activities do not give rise to safeguarding risks. We understand that given the nature of such data that we must take particular care when processing it. This information is stored within our safeguarding reporting system with only the relevant individuals (the designated safeguarding leads – DSLs – for Newcastle Rugby and Newcastle Rugby Foundation and relevant appointed welfare officers) having access. • Special Category Data: • Health Data: includes any information you provide to us about your health or dietary requirements in order for you to participate in our Events and Activities. • Disability Data: where you participate in one of our events or activities for people with disabilities, or you purchase match day or car parking tickets for our accessible seating or parking bays, or you claim a complementary carer ticket, we will collect data about your disability in order to allow us to facilitate an easier purchasing process in future. How is your personal data collected? We will collect your personal data in the following ways: • Information you give us. This is information (including Identity, Contact, Safeguarding, Special Category and Marketing and Communications) you consent to giving us about you by filling in forms on our Website or through the club, or other organisation which we are organising our Events and Activities or Services with or through. We might also get some of this information by you corresponding with us (for example, by email). It includes information you provide when you take part in any of our Services, or register to participate in an Event or Activity or information you give us while taking part in that Event or Activity. If you contact us, we will keep a record of that correspondence. • Information we receive from other sources including third parties and publicly available sources. We will receive personal data about you from various third parties and public sources as set out below. • Device Data • Safeguarding data from other organisations • Identity and Contact Data from publicly available sources [such as the electoral register based inside the UK]; and How we use your personal data We will only use your personal data when the law allows us to do so. We will only send you direct marketing communications by email or text or social media if we have your consent or based on legitimate interest. You have the right to withdraw that consent or ask us not to contact you again at any time by contacting us. We will get your consent before we share your personal data with any third party, including the Newcastle Rugby Foundation, for marketing purposes. Purposes for which we will use your personal data The table below sets out the main data processing activities we are involved in. From time to time we may need to use personal data for other purposes. Where we do so and it involves you, we will tell you the basis on which we are processing your information. Individual Why we use your data including type of data Type of datai Lawful bases for processing (please see below for more and any Special Category data we record information on legal bases) You purchase match tickets, membership , hospitality, or season passes for Falcons and/or academy games If you purchase tickets, memberships or hospitality for one of our match days, events or activities we organise we will retain information provided at the point of purchase. The information we collect about you will depend on the event or activity you attend but will usually consist of contact data, identity data and attendance data. We will also record your marketing and communications data. All data: Identity Data, Contact Data: Consent/ Legitimate interests All data: Attendance Data: Marketing and communications data: Profile data Consent/ Legitimate interests legal obligation (this relates to our obligations under health and safety laws Additional legal basis for special category data: Health data and Disability data Explicit consent - where additional support is required to facilitate purchase. You purchase from our online shop If you purchase through our online retail store we will retain information provided at the point of purchase. This will usually include, contact data, identity data and purchase history. We will also record your marketing and communications data. All data: Identity Data, Contact Data: Consent/ Legitimate interests All data: Profile data Consent/ Legitimate interests Additional legal basis for special category data: Health data and Disability data Explicit consent - where additional support is required to facilitate purchase. You complete a feedback form or survey and/or enter a competition Where you have completed a feedback form, a survey or entered a competition we will retail contact data, identity data and the qualitative or quantitive feedback you’ve provided, as well as your attendance data where relevant. Where you’ve All data: Identity Data, Contact Data, Consent/ Legitimate interests All data: Attendance Data: Consent/ Legitimate interests entered a competition we will retain your contact and identity data as well as details of the competition you have entered. We will also record your marketing and communications data. All data: Marketing and communications data: [consent/legitimate interests You apply for a job with Newcastle Rugby Ltd Where you apply for a role with Newcastle Rugby Ltd we will retain your application for a reasonable period (up to 1 year). This will include your contact data and identity data, as well as other information within your CV supplied by you, and details of the role you applied for. All data: Identity Data, Contact Data, Consent/ Legitimate interests Additional legal basis for special category data: Health data and Disability data Explicit consent You attend an event catered for, or organised by, Newcastle Rugby Limited or its subsidiary Falcons Events To take part/attend our events either catered for or organised by Newcastle Rugby Ltd or Falcons Events we will collect contact data, identity data, profile data and attendance data. We will also record your marketing and communications data. All data: Identity Data, Contact Data, Consent/ Legitimate interests All Data: Attendance Data Profile data Consent/ Legitimate interests All data: Marketing and Communications Data: Consent/legitimate interests Additional legal basis for special category data: Health data and Disability data Explicit consent , or legitimate activities as a charity. You purchase sponsorship packages or If you purchase through our commercial department we will retain information provided at the All data: Identity Data, Contact Data, Consent/ Legitimate interests advertising through our commercial department point of purchase. This will usually include, contact data, identity data and purchase history. We will also record your marketing and communications data. All data: Attendance Data Profile data Consent/ Legitimate interests Additional legal basis for special category data: Marketing and communications data. Explicit consent , or legitimate interests You take part in our match day activities To take part in one of our Match Day Activities we will gather from you, or your parents or carer certain identity data and contact data. We will also record your attendance data relating to the Match Day Activities in which you take part. If there is any relevant Health or Disability information which we need to know for the activities in which you take part, we may record this. All data: Identity Data, Contact Data, Consent/ Legitimate interests All data: Attendance Data Profile Data Consent/ Legitimate interests/ necessary for a legal obligation (this relates to our obligations under health and safety laws) Additional legal basis for special category data: Health data and Disability data Explicit consent , or legitimate activities You take Services from us such as stadium rental If you take Services from us such as when we are paid by yourself or a business to provide stadium rental we may gather certain limited identity data and attendance data about you. All Data Identity data Consent/legitimate interests All data Profile data Consent/legitimate interests Additional legal basis for special category data Explicit consent , or legitimate activities for example dietary requirements Health data and Disability data An Interested Person (i.e. you are an individual who is interested in our Services, Events or Activities and you may receive updates on the things we do or make enquiries with us If you fill in on-line forms or otherwise contact us about our Services, Events or Activities we may gather contact and identity data from you so we can send you marketing information about our future events and activities All data: Identity and contact data: Marketing and communications data consent Visitor to our website who isn't in one of the categories set out above Not applicable. We won't record any personal data about you unless you fill in a form on our website. WE do use cookies that would allow us to track your activity on our site but the information obtained cannot be attributed to you as an individual. Not applicable We don’t make any routine use of your personal information (such as an online identifier) other than in statistical form, i.e. Google Analytics statistics about the online footfall to our site. Unless you fill in a form on our website, we probably can’t identify you Receipt of email marketing as part of future marketing and marketing automation When we contact you via email marketing we are able to track your individual activity on the email for example if you have opened the email and where you have clicked. This information, along with your contact data, identity data and marketing and communications data will be retained and used in future marketing, both automated and manual. All data: Contact data Identity data Profile data Marketing and communications data Consent Where there has been a Where we receive or witness a safeguarding concern relevant data on All data: Consent/ necessary for a legal obligation (this relates to our safeguardi ng issue or a safety/secu rity concern the incident (including contact data, identify data and safeguarding data) will be recorded in our secure reporting system. Contact data Identity data Safeguarding data Additional legal basis for special category data obligations under health and safety laws) We will only use your personal data for the purposes for which we originally collected it. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis upon which we propose to do so. Our Legitimate Interests We sometimes process personal data on the basis that it is in our legitimate interests to do so. The occasions where we will rely on legitimate interests as our processing condition are set out above. The legitimate interests are as follows: • To operate our activities and events: for health and safety, safeguarding and other reasons, we need to know who is attending our events and to have their identity and contact details and other information about them. We record attendance at out events so we know what activities you have taken part in. This also helps us with planning the content of future events and activities. • Direct marketing and promoting our services; examples include: Keeping you informed of updates about events and activities that we feel may be of interest to you based on your role, attendance at events or selection of “interested areas” in your dealings with us Legal Basis for Processing Personal Data In the above table where we outline the purposes for which we will use your personal data a number of bases are mentioned for processing personal data. The key is below: Consent: your consent to one or more specific purposes Legitimate interests: we’ve identified this is a legitimate interest of ours or a third party; we consider that use of your personal information is necessary to achieve that legitimate interest; and we’ve balanced all that against your interests, rights and freedoms Legal obligation - we’re required by law to do this Explicit consent - your explicit consent to one or more specific purposes Legitimate activities as a charity – we're allowed to process special category data where it is pursuant to the purposes and powers as a charity. Where we do this we must have in place appropriate safeguards such as limiting access to the data to those that need to use it. Disclosures of your personal data We will share your personal data with the third parties set out below for the purposes set out in the table above [Purposes for which we will use your personal data]: • Internal Third Parties as set out in the [Glossary]. • External Third Parties as set out in the [Glossary]. • Specific third parties listed in the table [Purposes for which we will use your personal data] above. • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy. We may need to share your personal information if we are required to do so by law, for example where there has been a safeguarding concern or a security or safety risk. International transfers We do not intend to transfer your data outside the UK. However, if we transfer your personal data out of the UK, we will ensure that we comply with data protection laws and make sure that a similar degree of protection is afforded to it by using at least one of the following safeguards: • The country in question has been deemed to provide an adequate level of protection for personal data; or • Where we use certain service providers, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK. Please contact us if you want further information on international data transfers. Data security All information you provide to us is stored securely by us either on our servers or otherwise within our office systems. Keeping your data safe and secure is of utmost importance to us and we shall put in place appropriate technical and organisational measures to keep your data secure, including when we disclose data to third parties. Where we have given you (or where you have chosen) a password that enables you to access certain parts of Our Sites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. If you believe the security of your account or your password may have been compromised, you should contact us at ticketoffice@newcastlefalcons.co.uk. Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. Only authorised staff of Newcastle Rugby Limited can access data stored on our servers. We have the following security procedures in place to protect your personal data: • Network Firewall • Web Application Firewall • Regular updating of software dependencies to include the latest patches • Data Protection and Security Awareness training for all staff with access to the data • Penetration Testing We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator within the relevant timescales required by data protection laws, when we are legally required to do so. Data retention Data processed by us in relation to the Activities and Services will be retained for 7 years. In some circumstances you can ask us to delete your data: see [Your legal rights] below for further information. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. Our processing condition for the anonymisation is that it is in our legitimate interests (the research / statistics that are generated as a result of the anonymization benefits our business and improves the performance of the App). In the event that we do not hear from you, or receive engagement from you, then we will treat [the account] as expired and your personal data may be deleted. Your legal rights Under certain circumstances you have the following rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights: • [Request access to your personal data]. • [Request correction of your personal data]. • [Request erasure of your personal data]. • [Object to processing of your personal data]. • [Request restriction of processing your personal data]. • [Request transfer or your personal data]. • [Right to withdraw consent]. You also have the right to ask us not to continue to process your personal data for marketing purposes. Where you do this we will retain data regarding your marketing preferences to make sure we don't market to you in the future. You can exercise any of these rights at any time by contacting us at dataprotection@newcastle-falcons.co.uk. Please note that we may not be required to comply with your request. If this is the case, we will notify you. Right of access to your personal data We try to respond to all requests within one (1) calendar month. Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated. We may need to request specific information from you in order to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request. You will normally not have to pay a fee to access your personal data. However, we may charge a reasonable fee if your request is clearly unfounded or excessive (particularly where requests are repetitive). Alternatively, we may refuse to comply with your request in such circumstances. AUTOMATED DECISION-MAKING Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decisionmaking in the following circumstances: • Where we have sent email marketing as part of an automated series of marketing i.e you will receive follow up contact upon taking certain actions • where we have notified you of the decision and given you 21 days to request a reconsideration; • where it is necessary to perform a contract with you and appropriate measures are in place to safeguard your rights; and • in limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you]. Information for children What are we allowed to do with information about you? As part of your membership with our junior fan club – Junior Falcons, we record information about the events and activities which you take part in with us. As part of the events or activities you take part in, we will collect the following types of information about you and other young people who take part in them: • Your registration details including your name, age, date of birth, address, favourite player and guardian contact details • Events, including match days, that you have attended • Competitions you have entered • Engagement with our retail department We will keep this information for the duration of your junior membership with us. After that time we will make it anonymous (so that no-one can tell who the information is actually about) or destroy it. The law in England allows us to use your information because you or your parents or carers have either consented to this use, or we are required to use your information by law, or we have a legitimate interest in using your information. From time to time we will contact about our Services, Events or Activities outside of our junior fan club, including on behalf of the Newcastle Rugby Foundation. You can tell us what to do, or what not to do, with your information (i.e. you have rights!). Among other things, you can: • Ask us to tell you more about who is handling your information, who it is being shared with and what they are doing with it • Ask us to stop using, and delete, the information we have collected about you • For more details about your rights, please have a look at this website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-dataprotection-regulation-gdpr/individual-rights/ If you want to know more about what we do with your personal data, you can find more detailed information in the remainder of this policy including how we use the information about you that we hold. If you decide you no longer want us to use your information or you would like to ask us for more information, please tell your parent/carer/guardian, or let us know directly using the contact details below. The organisation who is in charge of making sure we use your information properly is called Newcastle Rugby Limited. Glossary 1.1. Lawful basis Consent means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us. Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us. Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to. We may rely on the following 1.2. Third parties Internal third parties Falcons Events – as a subsidiary of Newcastle Rugby Limited and where relevant to the fulfilment of services External third parties Service providers acting as processors who provide services as follows: Name Function Location Basis for transfer outside the UK Newcastle Rugby Foundation Certain administrative functions relating to the Services, Events and Activities we provide and are involved with UK N/a Third partner suppliers/partners for example key sponsors, Premiership Rugby (Two Circles), the RFU We occasionally will contact you with information from third parties, however your personal information will not be shared with these parties directly without explicit consent. UK N/A Professional advisers acting as processors, controllers or joint controllers including lawyers, bankers, auditors and insurers based in in the UK who provide consultancy, banking, legal, insurance and accounting services]. HM Revenue and Customs, the Charity Commission, regulators and other authorities acting as processors, controllers or joint controllers] based in the UK who require reporting of processing activities in certain circumstances]. Our third party systems including Ticketmaster and Sports Alliance (Maileon, Dynamics) also retain your data within our customer system. 1.3. Your legal rights You have the right to: • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: o if you want us to establish the data's accuracy; o where our use of the data is unlawful but you do not want us to erase it; o where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or o you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. i Data protection laws require you to have a processing condition (such as consent, or processing required by law) for processing all data. However, if the data is special category data (such as data relating to racial or ethnic origin or health data) we need an additional processing condition which reflects the increased privacy requirement of such data. In this column we list both the general processing condition and the special category processing condition which we rely on • Data processor / NRL link ? Shared HR ?