For the purpose of the Data Protection Act 1998 (Act) / EU General Data Protection Regulation 2016 (GDPR), the data controller is The Federation of Sports and Play Associations Limited, whose registered offices are at Federation House, First Floor, Unit 64, Sixth Street, Stoneleigh Park, Kenilworth, Warwickshire, England, CV8 2LG company registration no. GB 00216719, tel. +44 2476 414999.
The Federation of Sports and Play Associations Limited acts as data controller for its own activities and those of the following associations:
- Association of Play Industries (API)
- Association of Professional Sales Agents (APSA)
- British Golf Industry Association (BGIA)
- Sporting Goods Industry Association (SGIA)
- Sports and Physical Education Association (SPE)
Please read the following information carefully to understand our views and practices regarding the processing and handling of your personal data.
What is Personal Data?
Under the GDPR personal data is defined as:
Any information relating to an identified or identifiable natural person, ‘data subject’. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Who do we collect information from?
- Our Members
- Visitors to our web pages
- Visitors and contributors to our Blog page
- Newsletter subscribers
- Subscribers to our professional services
- Subscribers to news and promotions
- Visitors and contributors on our social media pages:
- Individuals requesting information
- We process personal data to help engage with customers and individuals across a variety of media. We collect additional data through questionnaires, subscriptions, requests, responses, applications, transactions and any other action that requires an individual to provide us with the personal information necessary for us to administer a service or respond to a request.
What kind of information do we collect?
- We collect information that you provide by filling in forms on our web pages. This includes information provided at the time of registering, subscribing to our services, using our services and responding to requests. We may also ask you for information when you report any problems with our services.
- We keep a record of correspondence if you contact us for information, make a request or file a complaint.
- We may also ask you to complete surveys that we use for research purposes.
- We keep the details of any applications and transactions you carry out through our web pages.
- We keep details of your visits to our web pages, but not limited to, traffic data, location data, download data and resources data.
- Any information incidental to that listed above.
In addition to the above, we process information on behalf of our customers (Controllers) about End Users, including:
- Information that you have submitted to us directly.
- Information collected by technology such as Google Analytics and other technology such as cookies placed on web pages. Please see ‘Device Information, cookies and 3rd party technology’ for more information. ‘
- Information acquired from information suppliers (Inc. data centres, call centres and research agencies) or where information about you is publicly available on the Internet.
Device information, cookies and 3rd party technology
We may collect information about your computer or other device, including where available your IP address, operating system and browser type, for system administration purposes. This is statistical data about your browsing actions and patterns, and does not identify you as an individual. This information is reviewed periodically and deleted when appropriate.
We may obtain information about your general Internet usage by using technology such as “cookies”, which store information on the hard drive of your computer or other device. This type of technology helps us to improve our web page performance and to deliver a better and more personalised service for the general public (public users) and our customers.
Cookies enable us to:
- Understand visitor numbers.
- Store information about a Public User’s preferences, and so allow us to customise our site according to a Public User’s interests and offer them products or services that we believe reflect or compliment these interests.
- Speed up web page performance and your searches.
- Recognise you when you return to our site.
- To find out more about cookies, including how to control and disable them, please visit http://www.allaboutcookies.org
- You may disable the use of some technologies such as cookies by activating settings on your browser, which allows you to refuse the setting of technologies such as cookies. If you ‘refuse all cookies’ you may be unable to access certain features on our web pages. If you do not disable these settings on your browser then you will be taken to have consented to the use of these technologies.
- We use Google Analytics and other monitoring software on our web pages. These types of technologies also allow the proprietor of the technology e.g. Google to access your information, we have no control over how your information is processed by third parties such as Google. Please read the Privacy Policies (see links below) of these providers to understand how they may use your information.
3rd party services we use on our web pages that may set cookies, include:
- Google Analytics – https://www.google.com/policies/privacy/
- Tawk.to – https://www.tawk.to/privacy-policy/
- Hotjar – https://www.hotjar.com/privacy
Transfer of data outside of the European Economic Area (EEA)
How do we protect your personal data?
Our data processing partners are accredited with ISO/IEC 27001:2013 Information Security Management System; this governs key aspects of our Data and Management Security compliance under the GDPR.
The core tenants of our ISO/IEC 27001:2013 Information Security Management System include:
- Encryption of data
- Confidentiality, Integrity and Availability
- Risk assessment
- Business continuity
- Testing and assessments
Information that you provide to us is stored on secure servers and is accessible only by you or the authorised user(s) of our services, where appointed by ourselves.
- We take measures to pseudonymise and encrypt your personal data.
- We ensure the ongoing confidentiality, integrity, availability and resilience of our processing systems and services.
- We ensure that we can restore availability and access to your personal data in a timely manner in the event of a physical or technical incident.
- We implement processes for regularly testing, assessing and evaluating the effectiveness of our technical and organisational measures, to ensuring the security of processing. Please note that the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data transmitted to our site; any transmission is at your own risk. Once we have received your information whether collected by us or on its own, we will use strict procedures and security features in order to reduce the risk of unauthorised access, loss or misuse.
How do we use the information we hold about you?
- To ensure that content on our web pages is presented in the most effective manner for you and for the device through which you access our content and services.
- To provide you with information, products or services that you request from us, or which we feel may interest you, where you have consented to be contacted for such purposes.
- To provide you with information, products or services that we feel may interest you, reasonably and with minimal impact on your privacy, and where there is a compelling justification for our processing your data without your explicit consent.
- To carry out our obligations arising from any contracts entered into between you and us.
- To allow you to participate in the interactive features of our services, when you choose to do so.
- We use your information to send you marketing communications, communicate with you about products and services and let you know about changes to our policies and terms. We also use your information to respond to you when you contact us.
- We use your information to generate personal profile reports about you, which we use to help tailor our content and our interactions with you and match content and communications to your specific habits, preferences and interests.
- If you are an existing customer or an authorised user of an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about products and services similar to those that were the subject of a previous sale or service to you.
- We do not disclose personal information about individuals to advertisers or sell your information to any other organisation for marketing purposes.
- We use the information we hold on you to help verify accounts and activity, and to promote safety and security on and off our Services, such as by investigating suspicious activity or violations of our terms or policies. We work hard to protect your data using qualified and trusted suppliers, who may adopt automated systems and advanced technology such as encryption and machine learning to protect your information.
When may we disclose your personal information to 3rd parties?
- If we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If the Federation of Sports and Play Associations Limited or substantially all of its assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions and other agreements; or to protect the rights, property, or safety of the Federation of Sports and Play Associations Limited, our customers, or others.
Links to other web pages
Our web pages may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check the relevant policies before you submit any personal data through these websites.
How can you manage or delete information we hold on you? Your 8 individual rights of control
The General Data Protection Regulation (GDPR) empowers individuals and gives you control over your personal data.
1. How can you access your information? (Right of access)
You have the right to access the information we hold about you, including personal data and supplementary information. This provision allows you to become aware of, and verify, the lawfulness of the data we are processing.
You can find out if we hold any personal information about you by making a data subject access request.
If we do hold information about you we will:
- Confirm that your personal data is being processed.
- Give you a description of the information we hold.
- Tell you why we are holding it.
- Tell you whom else it has been disclosed to.
- Let you have a copy of your personal data.
2. How can you update or change your information? (Right to rectification)
Upon receiving a ‘right to rectification’ request we will:
- Let you know if we have disclosed the relevant personal data to third parties, and (where possible) inform these third parties of the rectification.
- Inform you about the third parties to whom your data has been disclosed.
- Respond to your request within one month.
- Send you an explanation informing you of your right to complain to the supervisory authority and to a judicial remedy in the event we are not taking action in response to your request for rectification.
3. How are we using your data? (Right to be informed)
We do not make a charge for this information.
4. How can you delete your data? (Right to erasure ‘to be forgotten’)
The right to erasure does not provide an absolute ‘right to be forgotten’. You have the right to have us erase your personal data and to prevent further processing under specific circumstances:
- Where your personal data is no longer required in relation to the purpose for which it was originally collected and processed.
- When you withdraw your consent to processing.
- When you object to the processing and there is no overriding legitimate Interest for us continuing the processing.
- When your personal data has to be erased in order for us to comply with a legal obligation.
- When your personal data is processed in relation to the offer of information services to a child.
The Federation of Sports and Play Associations Limited deletes or anonymises your information upon request, subject to the exceptions described below:
- If there is an unresolved issue relating to your account, such as an outstanding invoice.
- If it is necessary to retain certain information for our legitimate business interests, such as fraud prevention.
- If we are required to retain information by applicable law; and/or in aggregated and/or anonymised form.
We will retain enough information ‘breadcrumb data’ to allow us to demonstrate to a supervisory body (if required to do so) that we received and acted upon your request to erasure.
5. How can you restrict the processing of your data? (Right to restrict processing)
You have the right to ‘block’ or suppress the processing of your personal data. When you restrict the processing of personal data, we will not process it further but we will retain just enough information to ensure that your restriction is respected in future.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data.
6. How can you transfer your data? (Right for data portability)
- The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
- It allows you to move, copy or transfer your personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- It enables you to take advantage of applications and services which can use this data to find you a better deal, or to help you understand your spending habits.
- Your right to data portability applies when:
- You have provided your personal data to a company, brand or organisation ‘controller’.
- The processing of your data is based on your ‘consent’ or for the performance of a contract.
- The processing is carried out by automated means.
When applicable a copy of your data will be supplied in either .xls or .csv format.
7. How can you object about the use of your personal data? (Right to object)
You have the right to object to our use of your personal data, including:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).
- Direct marketing (including profiling).
- Processing for purposes of scientific/historical research and statistics.
8. What are your rights relating to Profiling & Decision Making?
The General Data Protection Regulation (GDPR) makes provisions on:
- Automated individual decision-making (making a decision solely by automated means without any human involvement).
- Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
- The GDPR applies to all automated individual decision-making and profiling.
- The GDPR has additional rules to protect you if we are carrying out solely automated decision-making that has legal or similarly significant effects on you.
We will only carry out this type of decision-making where the decision is:
- Necessary for the entry into or performance of a contract.
- Authorised by Union or Member state law applicable to us or to our customers (controllers).
- Based on your explicit consent.
We identify whether any of our processing falls under this principle and if so we will:
- Provide you with information about the nature of the processing.
- Provide you with simple ways to request human intervention or challenge our decision.
- Carry out regular checks to make sure that our systems are working as intended.
How long do we keep your information? (Data Retention)
The ‘data retention’ principle requires that we retain personal data for no longer than is necessary for the purpose we obtained it for.
The data protection regulation does not set out any specific minimum or maximum periods for retaining your personal data, however the personal data that Rethink Media processes for any purpose or purposes is not kept for longer than is necessary for that purpose or those purposes. The Federation of Sports and Play Associations Limited will:
- Continue to review the length of time we keep your personal data.
- Consider the purpose or purposes we hold your personal data for in deciding whether (and for how long) to retain it.
- Securely delete your personal data that is no longer needed for its original purpose or purposes.
- Update, archive or securely delete your personal data if it goes out of date.
We will notify you before we make changes to this policy and give you the opportunity to review and comment on the revised policy before continuing to use our Services.
If you wish to make a formal request or complaint concerning your personal data, you can email our data protection officer at [email protected] or by writing to: The Data Protection Officer, The Federation of Sports and Play Associations Limited, Federation House, First Floor, Unit 64, Sixth Street, Stoneleigh Park, Kenilworth, Warwickshire, England, CV8 2LG.
- ‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘Restriction of Processing’ means the marking of stored personal data with the aim of limiting their its processing in the future.
- ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- ‘Processor’ means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.
- ‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- ‘Third Party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.