Data Protection Policy

Approval Record: Data Protection Policy

Reviewed by: CEO, April 18, 2024

Approved by: Management Committee, April 18,

Contents

Introduction

Purpose

Roles and Responsibilities

Data Protection Principles

Purpose Limitation

Data Minimisation and/or Privacy by Design

Accuracy

Storage Limitation

Confidentiality, Integrity and Availability

Reporting a Data Breach

Data Subject’s Rights and Requests

Accountability

Training

Direct Marketing

Sharing Personal Data

Compliance

Reporting

Policy Review

Disclaimer

Introduction

Sligo Rovers F.C. (SRFC) holds personal data about our members, SRFC Personnel (i.e. all employees, workers, contractors, agency workers, consultants, directors, officers and volunteers), and other individuals for a variety of club-related purposes.

Personal data is:

“Any information concerning or relating to a living person who is either identified or identifiable (such a person is referred to as a “Data Subject”).” In simple SRFC terms this would include member addresses, season ticket holder addresses or football camp registration information.

Please see our Data Protection General Privacy Notice for more specific examples of the types of personal data we collect and the purposes for which we collect them. Our Personal Data Register also contains related information on the types of personal data we control and process, and why.

The General Data Protection Regulation (GDPR) and the Data Protection Act (as amended) are the applicable law and regulation that govern our handling of personal data, and the Data Protection Commission (DPC) is the data protection regulator that enforces these rules.

Purpose

The purpose of this policy is to outline to SRFC Personnel the data protection rules that apply to us and to ensure that we endeavour to protect the personal data for which we are responsible in accordance with the applicable law and regulation stated.

The policy should be read in conjunction with all documents, law and regulation stated and any other related policies and procedures that may be in place in SRFC at any particular time.

In particular, SRFC Personnel are instructed to refer to the DPC website and the links contained in this document and footnotes for further useful help and guidance.

Please speak to the SRFC Data Protection Officer (DPO) and/or CEO/Management Committee if anything is not clear in this policy or if any clarifications or assistance is required.

Roles and Responsibilities

Officers of the Management Committee

Ultimate responsibility for compliance with this policy rests with the Officers of the Management Committee. They are responsible for ensuring that this policy is adhered to by all SRFC Personnel. The Officers will ensure that the DPO has the appropriate time and resources to devote to this role and has experience to address issues promptly and appropriately.

Legal, Risk and Compliance Committee

Delegated authority from the Officers rests with this Committee with respect to Legal, Risk and Compliance which includes Data Protection. The Officers and this Committee will act in accordance with the appropriate Terms of Reference and ensure that the Officers’ governance responsibilities with respect to data protection are fulfilled.

Chief Executive Officer

The CEO, in conjunction with the DPO, is responsible for following the direction of the Officers and the Legal, Risk and Compliance (LRC) Committee as set out above.

Data Protection Officer

The DPO is responsible for overseeing this policy and, as applicable, developing related policies and privacy guidelines.

Data Protection Principles

In order to be able to demonstrate accountability to our stakeholders, we are responsible for, and must be able to demonstrate compliance with all data protection principles under GDPR. These are summarised below and further guidance on same can be found at: https://www.dataprotection.ie/sites/default/files/uploads/2019-07/190710%20Data%20Protection%20Basics.pdf

Lawfulness, Fairness and Transparency

Personal data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject, whether that be our members, Personnel or any other person whose personal data we may control and process (collectively referred to as Data Subjects). A key tool whereby we achieve this transparency is the publication of data protection information in the privacy notices referred to at the outset of this policy.

We achieve lawfulness and fairness by ensuring that any personal data we control and process is handled for a specific purpose and only where we are legally permitted to do so under GDPR. GDPR states that we are only allowed to control and process personal data where we have a legal justification for doing so, which includes where:

· the data subject has given their consent;

· the processing is necessary for the performance of a contract with the data subject;

· we are required to meet our legal or compliance obligations;

· the data subject’s vital interests are to be protected; and

· we are pursuing legitimate interests, and those interests are not overridden by the interests or fundamental rights and freedoms of the data subject.

Our privacy notices refer to these justifications so that data subjects are aware of why, and on what basis, we are controlling and processing their personal data.

More information on the lawful bases for controlling and processing personal data can be found here:

Purpose Limitation

Personal data is only collected for specified, explicit and legitimate purposes and is not to be processed in a manner incompatible with those purposes.

We will not use personal data for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the data subject of the new purposes and they have consented where necessary.

Data Minimisation and/or Privacy by Design

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

SRFC Personnel will only process personal data when performing their duties requires it. SRFC Personnel cannot access or process personal data for any reason unrelated to their duties.

SRFC Personnel will only collect personal data that is required for their duties and must not collect excessive data. SRFC Personnel should ensure that any personal data collected by them is adequate and relevant for the intended purposes.

SRFC Personnel must ensure that when personal data is no longer needed for its specified purpose, it is deleted or anonymised safely, in liaison with the DPO.

Accuracy

Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

We will always endeavour to ensure that the personal data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. SRFC Personnel must check the accuracy of any personal data at the point of collection and/or input. SRFC Personnel must take all reasonable steps to delete or amend inaccurate or out-of-date personal data.

Storage Limitation

Personal data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

We will take all reasonable steps to destroy or erase from our systems all personal data that we no longer require. This includes requiring third parties to delete such data where applicable. Please refer to our Records Management and Retention Policy as appropriate.

Confidentiality, Integrity and Availability

Personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we control or maintain on behalf of others and identified risks and with the following in mind:

We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows (think CIA):

· Confidentiality (C) means that only people who have a need to know and are authorised to use the personal data can access it;

· Integrity (I) means that personal data is accurate and suitable for the purpose for which it is processed; and

· Availability (A) means that authorised users are able to access the personal data when they need it for authorised purposes.

SRFC Personnel must comply with all of our Data Protection and relevant policies with these requirements in mind. Please refer to these policies for full and further information.

The data protection principles outlined above carry through into all applicable data protection legal and regulatory requirements. Some of the requirements applicable to our business are expanded on in further detail under the headings below.

Reporting a Data Breach

We are sometimes required to report a data breach to the DPC and/or the data subject. A data breach can include a breach of any one of the three CIA properties (confidentiality, integrity or availability) defined in the section above.

Please refer to the following for the DPC’s full guidance on what constitutes a data breach and the action we need to take:

https://www.dataprotection.ie/index.php/en/dpc-guidance/breach-notification-practical-guide

If SRFC Personnel know or suspect that a data breach has occurred, they must report it immediately to the DPO (or, in the DPO’s absence, to the Management Team) and consult the DPO on the correct steps to take.

Data Subject’s Rights and Requests

To ensure we are accountable to data subjects and so that data protection law can be enforced, data subjects have a number of rights which we need to be aware of so that we comply with our obligations. For example, data subjects can:

· withdraw their consent at any time where processing is based on consent;

· receive certain information about our processing activities;

· request access to their personal data that we hold;

· prevent our use of their personal data for direct marketing purposes;

· ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;

· restrict processing in specific circumstances;

· challenge processing which has been justified on the basis of our legitimate interests or in the public interest;

· object to decisions based solely on automated processing, including profiling (ADM);

· be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;

· make a complaint to the supervisory authority; and

· in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.

Accountability

SRFC will implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. SRFC is responsible for, and must be able to demonstrate, compliance with the data protection principles.

SRFC will ensure that adequate resources and controls are in place to comply with and document GDPR compliance including where appropriate:

· appointing a suitably qualified DPO;

· implementing privacy by design and data minimisation when processing personal data, and completing Data Protection Impact Assessments (DPIAs) where processing presents a high risk to the rights and freedoms of data subjects;

· integrating data protection into internal documents including this policy, related policies and privacy notices; and

· training SRFC Personnel on the GDPR, this policy, related policies and privacy notices.

Training

All SRFC Personnel will receive data protection training. New joiners will receive training as part of their induction process.

Completion of training is compulsory.

If SRFC Personnel feel that further training on any aspect of the relevant law or this policy or related policies is required, please contact the DPO directly.

Direct Marketing

Broadly speaking, we must only market to data subjects if they have given us their clear consent to do so in writing. Please see the following link for full information on what makes consent valid and on the marketing rules that apply: https://www.dataprotection.ie/en/dpc-guidance

Sharing Personal Data

The main rule is that we must keep personal data secure and only share it with the person to whom the personal data relates.

Fundamental to all of this is for SRFC Personnel to take extreme care when handling personal data and to triple-check that the person receiving the personal data is the correct recipient. This covers all communication channels, including without limitation email, post, telephone, internet and in person. Please refer to operational procedures for the correct steps to take to ensure that the correct recipient and the personal data to be shared are identified, verified and checked accordingly.

Cookies

Another aspect of data protection which merits inclusion in this policy is the law relating to cookies (a cookie is a small text file that may be stored on a website user’s computer or mobile device and that contains data related to the user’s visit to a website). This is because cookies can intrude on website users’ privacy, and SRFC (as a website operator) must obtain the website user’s consent before any cookies deriving from our website are placed on the user’s device (except for necessary cookies). For the full DPC guidance on this see: https://www.dataprotection.ie/en/dpc-guidance/guidance-cookies-and-other-tracking-technologies

SRFC complies with these requirements practically as follows:

Visitors to our website have the option to consent, or not, to the use of particular cookie categories on the website (i.e. preferences, statistics and marketing cookies). Our website explains to users what cookies are – see: and users’ consent (or refusal) to these cookies is obtained and managed by the Cookie Bot third-party software tool present on our website – see:. This tool contains further cookie information and guidance for users and complies with applicable legal and regulatory requirements.

In order to access our website and avail of basic functionality, users must accept necessary cookies. This is consistent with applicable law and regulation for this type of cookie and is justified on the basis that the website would not work if consent to these cookies were optional for website visitors.

Compliance

The Management Committee Officers take compliance with this policy very seriously. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under SRFC’s procedures, which may result in dismissal.

Reporting

Issues arising under this policy will be reported to the Board when required and in accordance with normal reporting channels.

Policy Review

This policy shall be reviewed on a risk-based approach to ensure that it meets the current requirements of SRFC and is in compliance with applicable legislation and regulation.

Disclaimer

This policy is intended to be used by all SRFC Personnel. In drafting this policy, our expectation is to adhere to the intention of the legislation; in doing so, the policy is tailored to our current model, based on the nature, scale and complexity of our operations and the corresponding resources available to fulfil the requirements of the legislation within our capacity.