THE SCOTTISH FA PRIVACY NOTICE AND USE OF YOUR PERSONAL INFORMATION THROUGH COMMUNITY PARTNERSHIP PROGRAMMES

1. INTRODUCTION

The Scottish Football Association (Scottish FA) respects your privacy and is committed to protecting your personal data, being transparent about how it handles your personal information, ensuring the security of your personal information and to meeting its data protection obligations. This Privacy Notice will inform you about how we look after your personal data, your privacy rights, and how the law protects it. The Scottish FA collects and processes personal information, or personal data, relating to its participants to manage our relationship. This personal information may be held by the Scottish FA on paper or in electronic format.

In this Privacy Notice, “Data Protection Legislation” means all applicable legislation which relates to the protection of individuals with regards processing personal data, including the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679, and the Privacy and Electronic Communication Regulations 2003.

This privacy notice applies to all Community Development Partner Programme Participants. It is non-contractual and does not form part of any existing agreements

2. IMPORTANT INFORMATION AND WHO WE ARE

a) Purpose of this privacy notice

The purpose of this privacy notice is to make you aware of how and why we will collect and use your personal information both during your participation in community programmes with the

Scottish FA. We are required under data protection law to notify you of the information contained in this privacy notice.

It is important that you read this privacy policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.

b) Controller

THE SCOTTISH FOOTBALL ASSOCIATION LIMITED which has its registered office at Hampden Park, Glasgow G42 9AY with Company Number SC005453 is the controller and responsible for your personal data. When we talk about “we,” “our,” or “us” in this Notice, we are referring to The Scottish FA. Please address any correspondence for the attention of the Data Protection Officer or e-mail [email protected].

We have notified the Information Commissioner’s Office that we are a data controller under registration number Z7099905. This means that we are responsible for deciding how we hold and use personal information about you.

We are required under Data Protection Legislation to notify you of the information contained in this privacy notice. Our contact details are set out at section 14 below.

c) Data Collection Principles

We will comply with Data Protection Legislation. This says that the personal data we hold about you must be:

1. Used lawfully, fairly and in a transparent way;

2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;

3. Relevant to the purposes we have told you about and limited only to those purposes.

4. Accurate and kept up to date;

5. Kept only as long as necessary for the purposes we have told you about; and

6. Kept securely

3. HOW WE COLLECT INFORMATION ABOUT YOU

We obtain your personal data in different ways:

• Directly from you for example when you fill out participation or registration forms;

• We may collect information about you from other sources for example Club Secretaries and Coaches participating in programmes and

• From Community Partners who are conducting or participating the programmes.

4. INFORMATION WE COLLECT AND HOLD ABOUT YOU

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data from which an individual can no longer be identified (anonymous data).

We may collect, store, and use the following categories of personal data about you:

a. Coaches

- Forename - Surname - Email address - Contact number - PVG number b. Participants

- Forename - Surname - Date of birth - Gender

5. HOW WE USE YOUR PERSONAL DATA

The Scottish FA needs to keep and process information about you for the purposes of your participation in the Community Programmes. The information we hold and process will be used for our management, administration and statistical analysis. We will keep and use it to enable us to track distinct participation and we will then use these numbers to pass the relevant statistics to the Scottish Government and UEFA, your personal data will not be shared. We will use your data lawfully and appropriately during your involvement with our Partners and for a period of time after the event. We will only use your personal data when the law allows us to.

This includes using information to enable us:

• to manage our relationship with you effectively, lawfully and appropriately for your participation in Community Development events;

• to perform the contract which we have entered into with you and our Partners;

• to comply with any legal or regulatory requirements,

• to pursue the legitimate interests of the Scottish FA and your interests and fundamental rights do not override those interests; and

• to protect our legal position in the event of legal proceedings.

If you do not provide the data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision.

6. OUR LEGAL GROUNDS For PROCESSING YOUR DATA

Our legal grounds for the processing of your personal information are:

• your consent, where you have agreed to us using personal information; or

• the processing is necessary for the performance of a contract with us to which you are party or in order to take steps at your request prior to entering into a contract with us; or

• the processing is necessary for compliance with a legal obligation to which we are subject; or

• the processing is necessary for the purposes of our legitimate interests or those of a third party, such as financial interests, operational and administrative interests, ensuring security, health and safety, maintaining our relationship with you, optimising and understanding the use of our site, research and statistical analysis.

7. YOUR RIGHTS UNDER THE DATA PROTECTION LEGISLATION

As the participant you have various rights in respect of the personal data we hold about you. If you wish to exercise any of these rights, or for more information about the rights, please contact us by emailing [email protected].

• Access to personal data: The participant can request access to a copy of the personal data that we hold about them, along with information about why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge.

• Right to object: You can object to our processing of the participant's personal data where we are relying on a legitimate interest (or the legitimate interests of a third party) to process the personal data and there is something about their particular situation which makes the participant want to object to processing on these grounds.

• Consent: In the majority of circumstances, we won't need consent to use the participant's personal data as we will be using it only to fulfil our obligations. There are limited circumstances where we may ask for the participant's consent to process their information. Where the participant have given consent, they can withdraw it at any time.

• Rectification: The participant can ask us to change or complete any inaccurate or incomplete personal data held about them.

• Erasure: The participant can ask us to delete their personal data where it is no longer necessary for us to use it, or where we have no lawful basis for keeping it. Where we are required by law to keep certain information, we will be unable to delete such information.

• Portability: The participant can ask us to provide them or a third party with some of the personal data that we hold about them in a structured, commonly used, electronic form, so it can be easily transferred to a third party.

• Restriction: The participant can ask us to restrict the personal data we use about them where they have asked for it to be erased or where they have objected to our use of it.

• No automated-decision making: Everyone has a right to challenge a decision made by automated decision-making, which takes place when an electronic system uses personal data to make a decision without human intervention. The Scottish FA does use any automated decision making as part of its School of Football

If you would like to exercise any of your rights above, please contact us by email to [email protected]. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.

If you believe that we have not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues, at https://ico.org.uk/.

8. INTERNATIONAL TRANSFERS

Your data will not be transferred outside of the EEA.

9. DATA RETENTION

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

We may also hold your personal information for longer where it is necessary to do so for the management of any active or potential legal proceedings, to resolve or defend claims, and for the purpose of making any necessary remediation payments.

10. SECURITY

The data is held securely in the Scottish FA Live system where we limit access to your personal information to those employees who have a business need to know in order to perform their job, duties and responsibilities.

The Scottish FA has put in place measures to protect the security of your personal information. We have internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way.

The Scottish FA also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.

11. MARKETING

We will not send any direct marketing emails to any of the participants without consent and shall only send "service" emails where required for the purposes of providing important information about the events and such emails that are necessary for the purposes of fulfilling our contract with the participant, or where it is in our legitimate interests to send such "service" emails.

Where you consent to receive direct marketing emails from us we use that information to tell you about the information you’ve asked us to tell you about. We don't share email lists with other organisations and businesses.

We use a third party provider, MailChimp, to deliver our newsletters and marketing emails. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter and marketing mails. For more information, please see MailChimp’s privacy notice.

You can unsubscribe to general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails or by emailing our data protection officer at [email protected]

12. DISCLOSURE OF YOUR INFORMATION

The information you provide to us will be treated as confidential. However, we may disclose your information to other third parties where required by law or where it is necessary to administer our relationship with you.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

For this purpose statistical data will be shared with the Scottish Government and UEFA, no personal data will be shared. We may share Club contact data with the relevant partners for our programmes where necessary or where we have a legitimate interest in doing so.

13. CHANGES TO OUR PRIVACY NOTICE

We keep this document under regular review. When revised, we will place an updated version on our intranet and our external website. Regularly reviewing these pages ensures you are always aware of what personal information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

14. CONTACT US

If you have any questions about this fair processing notice, including any requests to exercise your legal rights or making a complaint to us about how we have used your personal data, please contact us by:

Email at [email protected], or

Writing to us at

Data Protection Officer, The Scottish Football Association, Hampden Park, Glasgow, G42 9AY.

APPENDIX TO PRIVACY NOTICE