CARDIFF CITY FC COMMUNITY FOUNDATION PRIVACY NOTICE
WHEN DOES THIS NOTICE APPLY?
This privacy notice explains how Cardiff City FC Community Foundation ("The Foundation ") uses personal data that you provide or which The Foundation collects and holds about you when you use its official websites and/or other services. The Foundation is the data controller of this information for the purposes of this notice.
The Foundations Data Protection Officer is Su Osborne who is contactable by email at DPO@cardiffcityfc.org.uk or by writing to:
Cardiff City FC Community Foundation
The Foundation’s websites and services include:
- The Official Cardiff City FC Community Foundation Website at www.cardiffcityfcfoundation.org.uk
- The official Cardiff City FC Community Foundations social media pages on Facebook, Twitter, Instagram, LinkedIn and Vimeo; (together the "Foundation Official Websites").
WHAT TYPES OF PERSONAL DATA DO WE COLLECT AND PROCESS?
Information we hold about you may include any one or more of the following types of data:
Account information: When you register to use, purchase or engage with any of The Foundation's services, the minimum information we will usually ask you to provide is your name, email address, country of residence, telephone number, and year of birth. We may also ask you for additional information depending on the nature of our interaction with you. This may be through the `Contact Us' form on our Website, through application forms for vacancies or from details you provide when you sign up for one of our programmes.
Transactional information: When you purchase services from The Foundation’s official websites, we will keep a record of your transaction, including what you purchased and when, and any information you provide to us to fulfil the transaction. This may include your name, billing information and telephone number. We will not keep payment card information, except for the last four digits of your payment card number which we keep in case there are any payment disputes, or we need to issue a refund. We will ensure that, when handling any information about you relating to a transaction, we comply with the applicable regulations of the Payment Card Industry. When you register to take part in events or fundraise for us, we will keep a record of your name, age, email address, postal address, telephone number and relevant health information to ensure that we can understand and evaluate any risks of you taking part in the activity.
Where you purchase services on behalf of a third party (for example, where you book onto a soccer school or other service provided by The Foundation) we will usually take details of the participants attending the school, course or service, in addition to the transactional information described above. This is in order that we may administer the provision properly and use your details for the other purposes described in this policy.
Information you provide to us in response to a survey: We may occasionally contact you to ask for your feedback on The Foundation’s services or services provided by a third-party affiliate on our behalf so that we can make them better and more relevant.
Information you provide to us in response to a job advertisement, where you contact us about a potential role at The Foundation or where you volunteer with The Foundation: We regularly advertise open positions on the Vacancies page of our website at www.cardiffcityfcfoundation.org.uk/vacancies
Information from other companies: We may use publicly available postal address lists and the edited electoral roll to ensure that the information we hold about you is accurate, or we may use this information, together with general market research information (for example, demographic information), to add to and enhance our database. We may also be provided with information from Cardiff City FC, Cardiff & Vale College, Careers Wales and our partner primary and secondary schools.
Donations and Gift Aid: When you fundraise or donate to The Foundation, we currently collect and process information which can include the following:
- Name, title, gender, and date of birth.
- Contact details including postal address, email address, phone number and links to social media accounts.
- Your occupation and/or workplace.
- Your interests.
- Family and spouse/partner details and your relationships to other supporters.
- Records of donations and Gift Aid status, where applicable (as required by HMRC).
- Records of communications sent to you by the Foundation or received from you.
- Records of your volunteering activity on behalf of the Foundation.
- Information about your wealth.
- Where you have left us a legacy, any information regarding next of kin with which you may have provided us to administer this.
- Links to media articles about you.
- Information on your engagement with Foundation events.
- Information to help us improve the effectiveness of our communications with you including tracking whether the emails we send are opened and which links are clicked within a message, and tracking interactions with our website and/or social media adverts (via cookies).
We sometimes may need to collect sensitive personal information regarding your health or fitness, when relevant, such as for participation in an event where we need this information to ensure we provide safe and appropriate facilities for you.
The Foundation does not store any credit/debit card details and is fully PCI-DSS compliant.
When you are using our secure online donation pages, your donation is processed by a third-party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
Information you provide to us in order to take part in an activity: In order to take part in the Foundation’s activities you may need to provide data such as name, date of birth, address, ethnicity, gender and relevant medical information. We will also collect data on attendance and performance.
In most cases, you are not obliged to provide any personal data to us, but in some cases we may not be able to provide services to you unless you provide certain minimum information. By way of example only, where you intend to make a purchase from The Foundation, we may need to obtain and process certain information about you in order to enter into and perform the contract of sale with you.
THE PURPOSES FOR WHICH WE USE YOUR INFORMATION
The legal basis under which The Foundation will process your personal data is one or more of the following:
- To allow us to enter into and/or perform our contract with you*.
- To enable us to comply with legal obligations**;
- To pursue legitimate interests of our own or those of third parties (provided that your interests and fundamental rights do not override those interests) ***; and/or
- With your consent. For the avoidance of doubt, we will only use your information for marketing purposes (where such consent is necessary) where we have your consent****.
Further details of how we will process your personal information are listed below. We have indicated by asterisks the legal basis on which we are processing or will process your personal information.
Contract performance* / **: The Foundation may use account information and transactional information data, as necessary, to carry out or perform any contract which you may have entered into with us, including contracts for the purchase of courses and any other services, merchandise and other products. We also use this information to communicate with you and handle your enquiries regarding these contracts. If you order The Foundation’s products or services for another person we may ask you for their personal information and we will use this to provide the services you have ordered. Please ensure that you have their permission for us to process this data before providing it to The Foundation.
Legal obligations**: The Foundation retains records of all of its financial transactions with you in order to comply with its legal obligations to maintain adequate accounting records. The Foundation may use (and disclose) the information it holds about you in order to comply with any investigative demand, court order, or a request for cooperation from a law enforcement or other government agency.
Recruitment/engagement***: If you apply for a job, register to be a volunteer or apply for a work experience placement with The Foundation we may use your information for the purposes of recruitment and selection, corresponding with you and for equal opportunities monitoring.
Marketing where it is in our legitimate interest*** We may also market to you with fundraising appeals, news and offers from The Foundation, which we think may be of interest to you, and conduct related surveys, or analytics, where it is in our legitimate interest, and where your consent is not necessary. This can apply to individuals (e.g. analytics) but also to contacting data subjects who work for businesses. For more information about our Legitimate Interests Assessment please contact us as outlined above.
Marketing with your consent (where consent is necessary)****: If you have consented to it (where consent is necessary) The Foundation may contact you electronically or by telephone with fundraising appeals, news and offers from The Foundation and its affiliates.
You have the right to withdraw your consent at any time, by emailing DPO@cardiffcityfc.org.uk.
Building profiles of supporters or potential supporters where it is in our legitimate interest***. The Foundation relies upon donations to fund its work. To enable us to fundraise appropriately and effectively, using our legitimate interests, we will research individuals and organisations to help us identify suitable major donors, corporate partners and charitable trusts. This research helps us to identify individuals or organisations who have the capacity to make substantial donations, who appear to have an interest in supporting our cause and who may be able to help us to raise funds through volunteer support for our appeals, events or partnership opportunities. We appreciate that you expect us to conduct such processing in an efficient and professional manner whilst taking your right to privacy into account. We are careful to ensure information collated is not excessive or intrusive and is sourced reliably and appropriately.
Any research is undertaken using only credible, publicly available information. This may include sources such as Companies House, the Electoral Register, the internet, national and local press and social media sites such as LinkedIn – to help us to understand more about you as an individual and your ability to support the Foundation, including financially. We will only use these where the data has been deliberately made public. We may also use appropriate third-party sources to identify and inform professional approaches to prospective donors, partners and volunteers.
We may on occasion use contractually bound trusted third parties to automate this research and assess the giving capacity of donors and supporters (sometimes known as ‘wealth screening’). Certain information obtained in these ways may, at our discretion, be appended to the individual records we hold on our database. These organisations are required to comply with data protection laws and should they process your information they are only allowed to do so in strict compliance with our instructions and data protection laws and regulations. You will always have the right to opt-out of this processing.
We may also use publicly available sources to carry out due diligence on significant donors in line with the Foundation’s Gift Acceptance Policy and to meet Anti -Money Laundering Regulations.
Other purposes***: The Foundation will analyse the information it holds about you to identify trends and preferences about its customers and to get a more detailed and informed picture of how its customers are using The Foundation's services. We do this to make better strategic decisions about The Foundation and its services so that we can improve the way we market and provide products and services to you and Cardiff City FC supporters generally. The Foundation may also use online usage information about you to administer and improve the function and content of The Foundation’s Official Website, including to ensure that content is presented in the most effective manner for you and your device and browser, to allow you to participate in interactive features when you choose to do so and to keep our online services safe and secure. The Foundation may also use the information it holds about you if required to protect the rights, property, or safety of The Foundation’s, stakeholders/ beneficiaries or others.
The Foundation will not carry out any automated decision-making using the information it holds about you.
Special Categories of Personal Data: We require explicit consent to process Special Categories of Data which is collected voluntarily. This data is collected in accordance with all of our standard Data Protection processes and anonymised immediately where possible. This may include personal data revealing racial or ethnic origin, religious or philosophical beliefs, data concerning your health and/or your states of physical or mental health or personal data concerning your sexual orientation.
The Foundation may collect these special categories of personal data for the purposes of better understanding our supporter/customer/stakeholder fan base, identifying ways to improve communication to all areas of our supporters/customers/stakeholder fan base and maintaining The Foundation’s commitment to equality and diversity as it relates to all those who engage with The Foundation. The table below sets out examples of the categories of personal data and the groups of people which may be relevant to this area.
Category of personal data
Groups of people (in relation to a category of personal data)
Personal data revealing racial or ethnic origin
People of different racial or ethnic origins
Personal data revealing religious or philosophical beliefs
People holding different religious or philosophical beliefs
Data concerning health
People with different states of physical or mental health
Personal data concerning an individual's sexual orientation
People of different sexual orientation
You can opt-out of The Foundation’s processing of your special categories of personal data at any time by either opting out of any communication sent to you or notifying the Data Protection Officer (details below). The Foundation takes the security of this information extremely seriously and all appropriate safeguards are in place to ensure security is effective. We will retain this data in accordance with our Data Retention Policies as outlined in this document.
DISCLOSURE OF YOUR INFORMATION
Affiliates: Information held by The Foundation may be used by affiliates of The Foundation for the purposes set out in this policy, where you have consented to this. Our affiliates include the Cardiff City Football Club. This may include providing them with your personal information so that they can provide you with information about their products and services that may interest you, where you have consented to this.
Sponsors and partners: The Foundation does not share your personal data with our sponsors and partners, but we may: (i) share aggregated/anonymised information which is based on this information with existing and potential sponsors and partners; and (ii) if you have consented to the same, send you information about the products and services of our partners and sponsors in our marketing communications.
The Foundation’s suppliers and sub-contractors: The Foundation may share your information with suppliers and sub-contractors from time to time in order that they can process it on The Foundation's behalf for the purposes set out in this privacy notice. However, where we do so we will put in place suitable measures in order to protect your information. These third parties may include (but may not be limited to): (i) IT service providers (such as hosting providers); (ii) mailing houses or document storage companies; (iii) delivery services; (iv) analytics and search engine providers; (v) credit reference agencies; (vi) payment processing companies; and/or (vii) e-commerce platform providers.
The Foundation’s Funders: The Foundation may share your information with funders who have provided finance to The Foundation in order to deliver services to the local community or to run a particular programme.
Disclosures for legal reasons: The Foundation may also disclose the information it holds about you to those persons that have a reasonable need to know such information, such as Professional Bodies, Government Organisations or if required by law, if it believes in good faith that this is necessary: (i) to establish, exercise or enforce its legal rights, including contractual rights; (ii) to defend itself against a legal claim; (iii) report a crime or prevent a crime (iv) to prevent harm to any individual or any property (including intellectual property, for example, if you misuse images or videos or any other content The Foundation makes available to you); (iv) to satisfy our statutory and/or regulatory obligations relating to safeguarding; or (v) to prevent fraud (for example, payment card fraud) or for credit risk reduction.
Business transfer: If The Foundation sells or buys any business or assets, your personal data may be disclosed to the prospective seller or buyer of such business or assets so that they can carry out due diligence in respect of the sale or purchase, but only if The Foundation has taken reasonable steps to ensure the security and confidentiality of that information. If The Foundation (or substantially all of its assets) is acquired by a third party, personal data held about donors or users of its goods, products or services will be one of the transferred assets.
HOW DO WE KEEP YOUR INFORMATION SECURE?
The Foundation is committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure of personal data, we have put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information we collect. We regularly perform testing of these procedures and have appropriate information recovery and data breach procedures in the event that we encounter any difficulties.
HOW LONG DO WE KEEP YOUR INFORMATION?
The Foundation will retain your personal data for as long as necessary for the purposes it is collected as set out in this policy and for any longer period necessary for it to comply with statutory retention obligations and/or for the purposes of defending or making legal claims. Examples of some of our retention periods are set out below:
The Foundation stores:
- its financial transactions with you for at least seven years in order to comply with its obligations to maintain adequate accounting records.
- its contracts with you for six years after the end of your Foundation interaction so that it has appropriate evidence in place if there is a claim for breach of contract made within the statutory limitation periods.
- job applications and CVs will be deleted after 90 days in case other suitable opportunities arise.
- your account information until you close or delete your account/profile (at which point we would also delete any information from other companies or market research which we have appended to your account/profile).
- any market research we have undertaken (and which is not appended to your user account) for at least 3 years. Note that we will retain aggregated market research information (by which you cannot be identified) on an ongoing basis for internal purposes; and save as set out above, the information you post online and/or online usage information for 3 years if it is on The Foundation’s Official Websites.
If any information falls into more than one category then the longer storage period will apply.
You have several rights under applicable data protection laws (unless an exemption applies), which we have summarised below. These rights can be exercised by contacting The Foundation using the details given below in this policy.
You have the right to:
- ask us not to process your personal data for direct marketing purposes.
- request access to personal information held about you and a copy of it.
- obtain, without undue delay, the rectification of inaccurate or incomplete personal data.
- obtain, without undue delay, erasure of your personal data in certain circumstances, for example if The Foundation's processing of your personal data is no longer necessary for the purpose for which we collected it.
- restrict the processing of your personal data in certain circumstances rather than having it erased.
- object to the processing of personal data in certain circumstances.
- receive personal data, which you have provided to The Foundation, in a structured, commonly used and machine-readable format and transmit that personal data to another data controller or have The Foundation do so on your behalf where technically feasible.
- be informed about any use of your personal data to make automated decisions about you, and to obtain meaningful information about the logic involved, as well as the significance and the envisaged consequences of this processing; and
- lodge a complaint about the way in which your personal data is being used to a supervisory authority.
- withdraw consent for the processing of your personal data at any time, wherever consent is the lawful basis
PARENTAL CONSENT / SUPERVISION
One of the Foundation's primary aims is to engage with participants and young persons in the community. We are keen to ensure that when we interact with participants and young person’s we do so responsibly. We would therefore ask that parents and guardians supervise their participants when they are online and that participants under 18 do not submit personal information or content to The Foundation, make purchases of The Foundation's products or services, or take part in The Foundation’s events, without the consent of their parent or guardian. The Foundation reserves the right to take reasonable measures in order to verify the existence and/or validity of parental consent.
Where we do need to hold personal information of under 18’s for the performance of the contract being undertaken, we will always do so with specific parental consent. More information about this can be found by contacting us on the details above.
HOW CAN YOU CONTACT US?
If you would like to contact The Foundation about this notice or any of the legal rights outlined in it, you can contact the DPO in the first instance by email at DPO@cardiffcityfc.org.uk or write to:
Cardiff City FC Community Foundation
Capital Retail Park
In either case, your correspondence should be marked for the attention of the Data Protection Officer.
If you are unhappy with the way in which your personal data has been processed you may contact us in the first instance by email at firstname.lastname@example.org and if not satisfied you can contact the Information Commissioner's Office. Further information can be found at the Information Commissioner's Office website here https://ico.org.uk/your-data-matters/
Fundraising is a key part of the Foundations work, and we are committed to working in a transparent, ethical, responsible and honest way. To reflect this commitment, we are a member of the Fundraising Regulator and committed to the Regulator’s Code of Practice. However, should you have a complaint about any of our fundraising activity, please email email@example.com .
CHANGES TO OUR PRIVACY NOTICE