What does this policy cover?
This policy describes how The Football Association Limited, Wembley National Stadium Limited, and National Football Centre Limited (collectively referred to as “The FA Group”, “we” or “us”) will make use of your data on The FA Group’s website and during your interaction with The FA Group online and offline, including purchasing tickets for England games, data we may process in connection with the running of competitions, data we may process if you attend our tours or games, data we may handle if you supply or partner with The FA Group or data we use to send you direct marketing.
It also describes your data protection rights, including a right to object to some of the processing which The FA Group carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
Summary of how we use your data
- The FA Group uses your personal data to allow you to use the features in FA content, to administer your online and offline relationships with The FA Group, to manage the safety and security of our venues and events, to comply with The FA Group’s legal obligations and to provide you with FA products, services and other offerings. Some of this information will be provided by you, and others will be generated by The FA Group or provided by third parties.
- Our websites may provide interactive features that engage with social media sites, such as Facebook and Twitter. If you use these features, these sites will send us personal data about you.
- Where we rely on your consent, such as for direct marketing purposes, or to place cookies, you can withdraw this consent at any time.
What information do we collect?
We collect and process personal data about you when you interact with us and our websites, when you purchase goods and services from us, where you visit our venues, when we carry out market research and when you enter our commercial and football competitions. This will typically be provided directly by you, and may include information you provide on registration or in the process of a purchase, such as your name, address, email address, marketing preferences and payment details. The details being provided by you will be made clear in forms you complete or will be provided directly by you in surveys, in purchasing tickets, in entering competitions or in volunteering information in communications or content you provide us.
What information do we generate or receive from third parties?
We may generate or collect information about you ourselves. In an online context, much of this is set out in our Cookies section. In an offline context, we may particularly collect information about you through our CCTV cameras, via telephone calls to and from Club Wembley and The FA Customer Engagement Team, in completing health and safety records or by keeping access records of our sites.
Sometimes, we receive information about you from third parties. For example, if you login to a site or app using Facebook Connect you will be asked if you wish to share information from your Facebook account with us. If you use a “like” or a “share” button for a feature on our sites or apps, then the third party will share information with us. If you participate in activities on non-FA sites or apps – such as participating in a Facebook application – you may allow us to have access to personal data held by Facebook, or other site or app owners. We sometimes will receive relevant information from third party ticketing sites, such as Ticketmaster, to manage your purchases. We also receive information about individuals that the police or other sports stakeholders recommend or require us to ban from our grounds. We may also obtain information about you from third party demographics providers, which we may use to help us better understand our users and send them appropriate offers and information.
If we provide online services to a child where we need parental consent for this, we may ask for a parent’s email address, in order to ask for consent. We may also require confirmation that the parent/guardian is 18 or over.
Where you are participating in an FA event or competition, we may receive information about you from another team member or official responsible for entering you or your team into our competition. This will typically involve basic biographical information, including your contact email address.
How do we use this information, and what is the legal basis for this use?
We process this personal data for the following purposes:
To fulfil a contract, or take steps linked to a contract: this is relevant where you make a purchase from us or enter a competition we run. This includes:
- verifying your identity;
- taking payments;
- communicating with you;
- administer the competition (where relevant); and
- providing customer services and arranging the delivery or other provision of products, prizes or services.
- As required by The FA Group to conduct our business and pursue our legitimate interests, in particular:
- we will use your information to provide products and services you have requested and to respond to any comments or complaints you may send us;
- we monitor use of our venues, websites and online services, and use your information to help us monitor, improve and protect our venues, products, content, services and websites, both online and offline. We record calls made to and from Club Wembley and The FA Customer Engagement Team and use this information for training and monitoring purposes and to provide evidence in relation to any membership disputes or complaints;
- we use information you provide to personalise our website, products or services for you;
- if you provide a credit or debit card as payment, we also use third parties to check the validity of the sort code, account number and card number you submit in order to prevent fraud (see data sharing below);
- we process data you provide when you enter your team into an FA event or competition so that we can administer that competition, communicate with you and ensure eligibility. If this involves sensitive personal data, such as information about disability used to ensure eligibility for a disabled competition, we do this to ensure the integrity of our competition;
- we use CCTV and other security measures to enforce our ticketing conditions, protect the safety of those at our venues, provide evidence in relation to incidents taking place within our venues and to prevent and detect unlawful activity. This latter purpose is our legal basis to the extent that any CCTV footage or other record kept by The FA Group involves holding information about you relating to actual or alleged criminal activity;
- we use information you provide as well as information which we have collected about you to investigate any complaints received from you or from others, about our website and venues or our products or services;
- we will use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation or to other relevant regulators, such as the Gambling Commission or other governing bodies, to law enforcement bodies or to employers where appropriate); and
- we use data of some individuals to invite them to take part in market research.
- Where you give us consent:
- we will send you direct marketing in relation to our relevant products and services, or other products and services provided by us and carefully selected partners and sponsors;
- we place cookies and use similar technologies in accordance with our Cookies Policy (see below) and the information provided to you when those technologies are used; and
- on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.
- For purposes which are required by law:
- where we are required to hold or collect personal data to meet legal requirements on us, such as keeping health and safety records, details of purchases or ensuring banned fans are not given access to our venues;
- where we need parental consent to provide online services to children under 13. However, most of our websites are not designed for children under 13; and
- where in response to requests by government or law enforcement authorities conducting an investigation.
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.
What cookies and/or tracking technologies does The FA Group use?
When you visit one of our websites, we may also collect, process and use information about you and your use of the website, including any forums you visit and how you arrived at our site. Such information may be collected through “traffic data” and may entail the use of “cookies” or other tracking technologies, IP addresses or other numeric codes used to identify your computer. For more information on Cookies please click on the link to our Cookies Policy.
Who will we share this data with, where and when?
We will share your personal data between The FA Group companies (as listed above) as necessary to provide the products and services you have requested, to maintain a single customer view across The FA Group and to fulfil any of the other purposes set out above.
We will share your data with relevant third parties for the purposes set out above, in particular we will share details of fans or participants with other football stakeholders such as the Premier League and English Football League, other footballing governing bodies and the police where this is necessary to enforce stadium or travel bans. We will also share information with relevant third parties, such as employers, law enforcement bodies, governing bodies or the Gambling Commission where this is the appropriate outcome of an investigation which we have carried out or following a request which we have received. We will also share data with third parties holding events at our venues as necessary to ensure that your attendance is appropriately managed and we will share appropriate data with third party ticketing providers as necessary to manage our ticketing processes.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.
Personal data will also be shared with third party service providers, who will process it on behalf of The FA Group for the purposes identified above. Such third parties include providers of website hosting, marketing suppliers, security services, maintenance, call centre operations and identity checking. Some of our suppliers may be separate data controllers, such as market research organisations, and may provide you with their own privacy notice where appropriate.
Where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor’s Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request by contacting us using the details set out below. Where data is transferred outside the EEA due to your purchase of tickets to a game taking place outside the EEA, this data is transferred as necessary to facilitate your travel and fulfil your contract.
What rights do I have?
You have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format.
In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where it would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in both the GDPR and in the Data Protection Act 2018. We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights, you can get in touch with us – or our data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred. This likely to be the Information Commissioner’s Office in the UK.
Data that is mandatory is indicated on relevant forms that you complete. Where provision of data is mandatory, if relevant data is not provided, then we will not be able to fulfil your requests to register, make a purchase or otherwise engage with The FA Group. All other provision of your information is optional.
How do I get in touch with you, or your data protection officer?
If you wish to make a data privacy request, you can do so via our online form, which can be found here. We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, you can get in touch at email@example.com or by writing to: Data Protection Officer, Wembley Stadium, PO Box 1966, London, SW1P 9EQ.
Which FA entity is my data controller, and which affiliates might my data be shared with?
The data controller for your information is as follows:
Wembley National Stadium Limited
Includes processing in relation to ticket sales and your attendance at events at Wembley Stadium, including your attendance on tours, processing in relation to suppliers of Wembley National Stadium Limited and processing of CCTV footage and data handled by our Wembley security teams.
It also includes processing in relation to the following sites:
National Football Centre Limited
Processing that takes place in relation to the National Football Centre at St George’s Park, such as making bookings for experiences, hospitality or tours of St George’s Park, CCTV footage at St George’s Park and data in relation to suppliers to St George’s Park and processing of data collected through http://sgpcrm.thefa.com/
The Football Association Limited
How long will you retain my data?
Where we process data in connection with your registration to use The FA Group sites, we do this for as long as you are an active user of our sites and for 5 seasons after this.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.
Where we process personal data in connection with performing a contract or for a competition, we keep the data for 7 years from your last interaction with us or from when the contract ends.
Where we process CCTV footage, we hold this for a month, unless we have been asked to extract footage, in which case this is held for 10 years from the date it is extracted.
Where we process information from recorded calls, we hold this for six months from the date of the call, unless we extract information from calls to provide evidence in relation to any membership disputes or complaints in which case this is held for 5 years from the date it is extracted.
Where we process personal data to meet legal requirements, we hold this for as long as the law requires.
We hold information relating to visitors to our venues for a month.
Where your data is held on FA Group systems, then at the end of the retention periods set out above, we will not irrevocably delete your information for another 3 months – your data will be held in an inactive form for this time to ensure that any consequential links across our systems remain intact in the event that your data is removed in a particular location.
What other FA Group privacy policies are in place?
For other FA Group privacy policies that may be more relevant to you please visit the below link: