When we refer to the “site” or “our site”, this includes:
Personal data means any information about an individual from which that individual can be identified.
We collect, use, store and transfer some personal data of our participants [and their parents or guardians], and other Club members.
You provide information about yourself when you register with the Club, and by filling in forms at an event or online, or by corresponding with us by phone, e-mail or otherwise.
Where we need to collect personal data to fulfil Club responsibilities and you do not provide that data, we may not be able honour or administer your membership.
Information we may collect:
• Contact and identity data including name, date of birth, postal address, email address, phone number, social media name or handle and Hartlepool United FC membership and season ticket holder status, which may be added to and changed by you over time (Identity Data)
• Payment information such as bank account and credit/debit card details (Payment Data)
• Details of payments made (and received) by you in connection with purchases of tickets, products and services, and the details of those purchases (Transaction Data)
• Disability, access and health requirements that you may have (Health Data)
• Technical data concerning your use of our site and communications you receive from us (Technical Data), which may include the type and version of your web browser or device, time zone setting and location of that web browser or device, browser plug-in types and versions deployed by the web browser or device, parts of the site that you access and your internet protocol (IP) address, as well as information as to how you interact with communications we send to you
• Data we collect to create a profile of you, based on multiple criteria such as your location, demography, age and Technical Data, including data on perceived or inferred interests and lifestyle obtained from third parties (Profile Data)
• Your preferences for the marketing you wish to receive from us and third parties and your communication preferences (Marketing and Communications Data)
Some of your personal data may be shared with us by third parties such as:
o Analytics providers (e.g. Google)
o Advertising services and networks
o Social media services (e.g. Facebook and Twitter)
o Payment Data: payment services providers
o Transaction Data: ticketing services providers
o Identity and Contact Data and Marketing and Communications Data : Pools PlayerHD / POOLS TV
We also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data may be derived from your personal data but is put together in an aggregated and anonymous manner (so that it cannot be associated with any of your Identity and Contact Data or other personal data) and does not constitute personal data for legal purposes. For example, we may anonymise and aggregate your Profile Data or Technical Data with that of others and (a) use it for internal management purposes, (b) share it with current or prospective business partners, and (c) use it to target offers that are made to fans through the site.
Other than Health Data (see above), we do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) except with your explicit consent.
Why we need your personal data
We will only use personal data for any purpose for which it has been specifically provided.
The reason we need participants’ and members’ personal data is to be able to run the football club and arrange matches; to administer memberships, and provide the membership services you are signing up to when you register with the club. Our lawful basis for processing your personal data is that we have a contractual obligation to you as a participant or member to provide the services you are registering for.
How do we use your personal data, and what is our legal basis for doing so?
These are the legal bases we have for holding and processing your personal data:
• Contract: To enter into or perform a contract with you
• Legitimate Interest: For our (or third parties’) legitimate interests, as long as they aren’t overridden by your interests and rights
• Consent: Your consent
• Obligation: To comply with our legal obligations
And here is how we use your personal data, and our relevant legal basis (Our basis) for doing so:
If you register with or make a purchase from us, you provide us with Identity and Contact Data. That Identity and Contact Data may be supplemented over time with other information, such as Transaction Data, Health Data and additional or updated Identity and Contact Data. We use this information to maintain your registration with our site and administer our relationship with you. Our basis: Contract and Legitimate Interest (to remind you of the lapse or impending lapse of your registration, membership or season ticket).
If you purchase a ticket, membership, season ticket, or any other product or service from us, we will use your Identity and Contact Data and Payment Data (and sometimes prior Transaction Data) to process the purchase, deliver it to you, receive payment for it, process any refund that may be owed to you and tell you about other related products and services.
Our basis: Contract and Legitimate Interest (to receive payment of sums owed to us and to advise our customers how to maximise the value of their purchases). [Note that we do not store your complete Payment Data – this is held by payment service providers. We do, however, store the last four digits of your payment card number, which are retained to assist in the resolution of queries concerning payments.]
We will also use Identity and Contact Data, Payment Data and Transaction Data to monitor purchases with the objective of helping to prevent fraud.
Our basis: Legitimate Interest (fraud-prevention).
When dealing with us about your visit to our stadium or another a venue, you may provide Health Data, which is used to help ensure your safety.
Our basis: Contract, Obligation and protection of your vital interests.
From time to time, you may participate in a survey or provide us with feedback or otherwise engage with us in ways that, in combination with other data we hold, may be included in your Profile Data. In using the site, we and our service providers will also collect Technical Data. We use Profile Data and Technical Data to make our products and services, including our site, better and more relevant to you, and to enable us to create content that is more suited to you and send you more relevant communications.
Our basis: Legitimate Interest (making our products and services and their marketing more specific to you).
Where you opt to receive marketing communications from Hartlepool United Football Club, we will use your relevant Marketing and Communications Data to communicate that marketing to you.
Our basis: Consent and Legitimate Interest (marketing our products and services to you).
We retain records of our financial transactions and contracts with you in order to maintain adequate accounting records and meet legal requirements.
Our basis: Obligation.
Our basis: Contract, Obligation and Legitimate Interest (in maintaining a compliant relationship with you).
We will only use your personal data for the above purposes, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. We may process your personal data without your knowledge or consent where this is required or permitted by law.
Whom will we share your personal data with ?
We will share your personal data with various third parties, but always for the uses referred to above. These third parties are businesses that provide services such as:
• Ticketing services
• Payment services
• Mailing and delivery services
• Website hosting
• Messaging and SMS push communications services
• Social media platforms
• Online and offline marketing services
• Research and profiling services
• Official Hartlepool United FC Club Partners
• Football governing bodies and competition organisers – the National League and Football Association.
We may also share your personal data with others where to do so is mandated by applicable law.
Your Marketing and Communications Data will only be shared with a third party for the purpose of them directly marketing to you where you have consented to that marketing.
If we transfer your personal data outside the European Economic Area (EEA) to a country that does not provide a similar level of legal protection to that provided by the United Kingdom’s data protection laws, we put in place legally appropriate safeguards to require the protection of your personal data. You can request details of those safeguards by contacting our INFORMATION OFFICER.
How long will be keep your personal data for?
We keep your personal data for as long as is necessary:
• to address relevant legal, tax or accounting requirements, including potential claims by and against us
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of that data, the purposes for which we process it, whether we can achieve those purposes through other means, as well as legal, taxation and accounting requirements.
You can request more details of how we apply these criteria by contacting the Club. When the need to keep your personal data ends, we either delete or anonymise it.
How do we keep your personal data secure?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Your legal rights
Under the law, you have the right to:
• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of your personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete your personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with a legal or regulatory obligation. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; or (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
• Withdraw consent to the processing of your personal data, or to profiling by means of your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact the Club by email to the address specified below. You will not have to pay a fee to exercise any of your legal rights as specified above. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the relevant personal data (or to exercise any of your other legal rights). This is a security measure we take to help avoid your personal data being disclosed to a person who has no right to receive it.
We may also contact you to ask you for further information in relation to your request to help speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
• Email address: firstname.lastname@example.org and use “Privacy” in the email subject line
• Postal address: GDPR, Hartlepool United FC, Victoria Park, Clarence Road, Hartlepool, TS24 8BZ.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so would request that you contact us in the first instance.
We are a registered data controller in the United Kingdom and our registration number is: Hartlepool United Football Club Company Z5213944. Please see the Information Commissioner’s Office (ICO) website (www.ico.org.uk) ‘Register of Data Controllers’ for further information.