South Shields Westoe RFC
Summary of how we and the RFU use your data
• South Shields Westoe RFC uses your personal data to manage and administer your membership and your involvement with its teams and club, and to keep in contact with you for these purposes.
• Some data is shared with the RFU, who use your data to regulate, develop and manage the game.
• Where we or the RFU rely on your consent, such as any consent we seek for email marketing, you can withdraw this consent at any time.
• Amongst the data we collect from you may be medical (including injury) information. We will hold this where you (or your parent) have given consent so that we can ensure we are aware of your condition and can that you are supported appropriately.
• Where you work in a particular role within the game, you may be required to undergo a Disclosure & Barring Service check using the RFU’s eDBS system. The result of this check will be input into your Game Management Service (GMS) record.
What does this policy cover?
This policy describes how South Shields Westoe RFC (also referred to as “the Club”, “we” or “us”) will make use of the data we handle in relation to our members and players, including our use of the Game Management System (“GMS”) provided by the Rugby Football Union (“RFU”). The policy also describes the RFU’s use of data on GMS.
It also describes your data protection rights, including a right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
What information do we collect?
We collect and process personal data from you or your parent when you join and when we carry out annual renewals of your membership. This includes:
• your name
• your gender,
• your date of birth,
• your RFU ID (as assigned in GMS)
• your home address, email address and phone number;
• your passport and NI details, where we have to check your eligibility or ability to work for us, if applicable.
• your type of membership and involvement in particular teams, or any key role you may have been allocated, such as Chair, Safeguarding Lead, Membership Secretary etc.;
• your payment and/or bank account details, where you provide these to pay for membership;
• your marketing preferences, including any consents you have given us;
• your medical conditions or disability, where you provide this to us with your consent (or your parent’s consent) to ensure we are aware of any support we may need to provide to you.
Some information will be generated as part of your involvement with us, in particular data about your performance, involvement in particular matches in match reports and details of any disciplinary issues or incidents you may be involved in on and off the pitch, such as within health and safety records.
What information do we receive from third parties?
Sometimes, we receive information about you from third parties. For example, if you are a child, we may be given information about you by your parents.
We may receive information relating to your existing registrations with other clubs or rugby bodies or disciplinary history from the RFU through GMS. Additionally, for certain role holders or those working with children, we may receive information from the Disclosure and Barring Service and RFU on the status of any DBS check you have been required to take.
How do we use this information, and what is the legal basis for this use?
We process this personal data for the following purposes:
• To fulfil a contract, or take steps linked to a contract: this is relevant where you make a payment for your membership and any merchandise, or enter a competition. This includes:
o taking payments;
o communicating with you;
o providing and arranging the delivery or other provision of products, prizes or services;
• As required by the Club to conduct our business and pursue our legitimate interests, in particular:
o we will use your information to manage and administer your membership and your involvement with its teams and club, and to keep in contact with you for these purposes;
o we will also use data to maintain records of our performances and history, including match reports, score lines and team sheets;
o SS&W Ltd use CCTV cameras to maintain the security of our premises, and may use this video to investigate incidents at the Club or its premises;
o we may choose to send you promotional materials and offers by post or by phone, or by email where we want to send you offers relating to similar products and services that you have already bought;
o we use data of some individuals to invite them to take part in market research;
• Where you give us consent:
o we will send you direct marketing or promotional material by email;
o we may handle medical or disability information you or your parent provides to us, to ensure we support you appropriately;
o on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.
• For purposes which are required by law:
o we maintain records such as health and safety records and accounting records in order to meet specific legal requirements;
o we ensure, where you will work with children, that you have undergone an appropriate DBS check – this is also carried out with your consent.
o where you hold a role at the Club requiring us to check your right to work, we may process information to meet our statutory duties;
o we may respond to requests by government or law enforcement authorities conducting an investigation.
How does the RFU use any of my information?
The RFU provides GMS, but make its own use of the following information:
• your name;
• your gender;
• your date of birth;
• your RFU ID (as assigned in GMS);
• your home address, email address and phone number; and
• your type of membership and involvement in particular teams at the Club, or any key role you may have been allocated, such as Chair, Safeguarding Lead, Membership Secretary etc.
The RFU uses this information as follows:
• As required by the RFU to conduct its business and pursue its legitimate interests, in particular:
o communicating with you or about you were necessary to administer Rugby in England, including responding to any questions you send to the RFU about GMS;
o administering and ensuring the eligibility of players, match officials and others involved in English rugby – this may involve the receipt of limited amounts of sensitive data in relation to disabled players, where they are registered for a disabled league or team, or in relation to anti-doping matters;
o maintaining records of the game as played in England, in particular maintaining details of discipline and misconduct;
o monitoring use of GMS, and using this to help it monitor, improve and protect its content and services and investigate any complaints received from you or from others about GMS;
o maintaining statistics and conducting analysis on the make-up of rugby’s participants;
o ensuring compliance with the current RFU Rules and Regulations including those on the affiliation of clubs, referee societies, constituent bodies and other rugby bodies, and registration of players; and
o communicating with you to ask for your opinion on RFU initiatives.
• For purposes which are required by law:
o The RFU will ensure, where you will work with children and where this is required, that you have undergone an appropriate DBS check – this is also carried out with your consent.
o The RFU may respond to requests by government or law enforcement authorities conducting an investigation.
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below in the “How do I get in touch with you or the RFU?” section.
Who will we share this data with, where and when?
In addition to sharing data with the RFU, we will share you data with: [Durham County Officials and our club sponsors]. Some limited information may be shared with other stakeholders in rugby, such as other clubs, Constituent Bodies, referee societies, league organisers, so that they can maintain appropriate records and assist us in organising matches and administering the game.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our or the RFU’s legitimate interests in compliance with applicable laws.
Personal data will also be shared with third party service providers, who will process it on our behalf for the purposes identified above. Such third parties include the RFU as the provider of GMS
Where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor's Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request.
What rights do I have?
You have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and toobtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format.
In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping.
You have the same rights for data held by the RFU for its own purposes on GMS.
To exercise any of these rights, you can get in touch with us– or, as appropriate, the RFU or its data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to the Information Commissioner’s Office.
Much of the information listed above must be provided on a mandatory basis so that we can make the appropriate legal checks and register you as required by RFU Rules and Regulations. We will inform you which information is mandatory when it is collected. Some information is optional, particularly information such as your medical information. If this is not provided, we may not be able to provide you with appropriate assistance, services or support.
How do I get in touch with you or the RFU?
We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data or would like to opt out of direct marketing, you can get in touch at email@example.com or by writing to The Data Officer, South Shields Westoe RFC, Dean Road, South Shields.
If you have any concerns about how the RFU process your data, you can get in touch at firstname.lastname@example.org or by writing to The Data Protection Officer, Rugby Football Union, Twickenham Stadium, 200 Whitton Road, Twickenham TW2 7BA.
How long will you retain my data?
We process the majority of your data for as long as you are an active member and for  years after this.
Where we process personal data for marketing purposes or with your consent, we process the data for  unless you ask us to stop, when we will only process the data for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.
Where we process personal data in connection with performing a contract or for a competition, we keep the data for 6 years from your last interaction with us.
We will retain information held to maintain statutory records in line with appropriate statutory requirements or guidance.
The RFU will maintain records of individuals who have registered on GMS, records of DBS checks and the resulting outcomes and other disciplinary matters for such period as is set out in the RFU’s privacy notice to be set out on www.englandrugby.com.
Records of your involvement in a particular match, on team sheets, on results pages or in match reports may be held indefinitely both by us and the RFU in order to maintain a record of the game.
Up dated on 25/05/2018
South Shields Westoe RFC
This policy sets out South Shields Westoe RFC’s (the club) commitment to protecting
personal data and how that commitment is implemented with regards to the collection
and use of personal data.
The club will collect and hold necessary data on:
- members of the club;
- parents of junior players and supporters who submit personal data;
- sponsors and business partners;
- referees and other officials.
The club is committed to:
- ensuring that it complies with the eight data protection principles, as listed
- meeting its legal obligations as laid down by the Data Protection Act 1998,
although as a ‘not-for-profit’ organisation, it is not required to register with the
Information Commissioner’s Office (ICO);
- ensuring that data is collected and used fairly and lawfully
- processing personal data only in order to meet its operational needs or to fulfill
its legal requirements
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data
- ensuring that data subjects' rights can be appropriately exercised
- providing adequate security measures to protect personal data
- ensuring that a nominated officer is responsible for data protection compliance
and provides a point of contact for all data protection issues
- ensuring that all club officers are made aware of good practice in data
- providing adequate training for all staff responsible for personal data
- ensuring that everyone handling personal data knows where to find further
- ensuring that queries about data protection, internal and external to the
organisation, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the club
Data protection principles
Personal data shall be processed fairly and lawfully
- data is only collected with the consent of the data subject (or in the case of
junior members with the consent of parents);
- data on players and coaches will be passed to the RFU and to Durham County
RFU for competition and other appropriate purposes;
Personal data shall be obtained for one or more specified and lawful purposes, and
shall not be further processed in any manner incompatible with that purpose or
Personal data shall be adequate, relevant and not excessive in relation to the
purpose or purposes for which they are processed
this data may include:
- ethnicity and disability data which may be used to identify and keep under
review equality of opportunity at the Club and within the game, and
(anonymously) for statistical and reporting purposes;
- Injuries data which may be used to identify and keep under review equality
of opportunity at the Club and within the game, and (anonymously) for
statistical and reporting purposes;
- criminal records data - the RFU is registered with the Criminal Records
Bureau (CRB) to assist it in ensuring that those who take up appointments
do not pose a risk to the children in its care and as such RFU may process
criminal records data disclosed by the CRB, which will be processed in
accordance with the CRB’s Code of Practice.
Personal data shall be accurate and, where necessary, kept up to date
- all data will be factual, accurate and subject to regular updating.
Personal data processed for any purpose or purposes shall not be kept for longer
than is necessary for that purpose or those purposes
- data which is no longer relevant will, after a reasonable period, be destroyed.
Personal data shall be processed in accordance with the rights of data subjects
under the Data Protection Act 1998.
Appropriate technical and organisational measures shall be taken against
unauthorised and unlawful processing of personal data and against accidental loss
or destruction of, or damage to, personal data
- all paper records will be kept secure and physical access will be restricted to
officials of the club and to the data subject;
- all electronically held data will be kept secure and officials of the club who
work either at home or using mobile devices to are required by the club to
ensure that data is secure with adequate firewalls, virus protection etc in place
and that laptops and other mobile devices are kept physically secure.
Personal data shall not be transferred to a country or territory outside the
European Economic Area unless that country or territory ensures an adequate
level of protection for the rights and freedoms of data subjects in relation to the
processing of personal data
Data Subject Access Requests
The data subject may request access to records held by the club on him/her.Such
information will be provided within 40 days of the request. The club may charge
of fee of £10 for the disclosure. Data will only be disclosed if:
- a living individual can be identified from the data;
- the data relates to the identifiable living individual, whether in personal or
family life, business or profession;
- that data is obviously about a particular individual;
- the data linked to the individual provides particular information about that
- the data is used to inform or influence actions or decisions affecting an
- the data has biographical significance in relation to the individual;
- the data focuses or concentrates on the individual as its central theme rather
than some other person; or
- the data impacts or has the potential to impact on an individual whether in a
person, family, business or professional capacity.
Data will not be disclosed in such a way as would identify a third party.
The following statement will be attached to all club communication which requires
personal detail to be entered
DATA PROTECTION ACT
The information that is required in this document may be stored on a computer and, if
so, it is subject to the Data Protection Act 1984. The Act requires that all the
information is strictly confidential and may only be accessed by those with the legal
right to see it. The information will not be given to anyone else without your written
You have the right to examine the information that is stored on a computer at any
reasonable time. You have a right to correct any information that you feel is wrong or
misleading. Please contact the Club Secretary or Club Registration Officer if you wish
to examine the information stored about you or your child
Further reference may be made to