Many activities the GFA carries out are subject to dedicated privacy policies. For the avoidance of doubt, these will be provided on appropriate sites or forms you visit and/or complete.
Summary of GFA’s use of your data
The GFA uses your personal data to
allow you to use the features in GFA content;
to administer your online and offline relationships with the GFA;
to manage the safety and security of our venues and events;
to comply with the GFA’s legal obligations; and
to provide you with the GFA products, services and other offerings.
Please note that some of this information will be provided by you, and others will be generated by the GFA or provided by third parties.
Our websites may provide interactive features that engage with social media sites, platforms and/or outlets. If you use these social media features, these sites will send us personal data about you.
Where we rely on your consent, such as for direct marketing purposes, or to place cookies, you can withdraw this consent at any time.
What information do we collect?
The GFA collect and process personal data about you when you interact with us and our websites, when you purchase goods and services from us, where you visit our venues, when we carry out market research and when you enter our commercial and football competitions.
This will typically be provided directly by you, and may include information you provide on registration or in the process of a purchase, such as your name, address, email address, marketing preferences and payment details. The details provided by you will be made clear in forms you complete or will be provided directly by you in surveys, in purchasing tickets, in entering competitions or in volunteering information in communications or content you provide us.
What information do we generate or receive from third parties?
We may generate or collect information about you. In an online context, much of this is set out in our Cookies. In an offline context, we may particularly collect information about you through our CCTV cameras, in completing health and safety records or by keeping access records of our sites.
At times, we may receive information about you from third parties. For example, if you log in to a site or application using ‘Facebook Connect’ you will be asked if you wish to share information from your Facebook account with us. If you use a ‘like’ or a ‘share’ button for a features on our sites or applications, then the third party will share information with us.
Additionally, if you participate in activities on non-GFA sites or applications, such as participating in a Facebook application, you may allow us to have access to personal data held by Facebook, or other site or application owners.
At times, we will receive relevant information from third party ticketing sites, to manage your purchases. We also receive information about individual that the police or other sports stakeholders recommend or require us to ban from our grounds. We may also obtain information about you from third part demographic providers, which we may use to help better understand our uses and send them appropriate offers and information.
If we provide online services to a child where we need parental consent for this, we may ask for a parent’s email address, in order to ask for consent.
Where you are participating in a GFA event or competition, we may receive information about you from other GFA Personnel, team member or official responsible for entering you or your team into our Competition. This will typically involve basic biographical information, including your contact email address.
How do we use this information, and when is the legal basis for this use?
We process this personal data for the following purposes:
to fulfil a contract, take steps linked to a contract (which is relevant where you make a purchase from us or enter a competition we run, and which includes:
verifying your identity;
communication with you;
administer a Competition (where relevant); and
providing customer services and arranging the delivery or other provision of products, prizes or services);
as required by the GFA to conduct our business and pursue our legitimate interests, in particular:
we will use your information to provide products and services you have requested and to respond to any comments or complaints you may send us;
we monitor use of our venues, websites and online services, and use our information to help us monitor, improve and protect our venues, product, content, services and websites, both online and offline;
we use information you provide to personalise our website, products or services for you;
if you provide a credit or debit card as payment, we also use third parties to check the validity of the sort code, account number and card number you submit in order to prevent fraud (see data sharing below);
we process data you provide when you enter your team into a GFA event or Competition that we can administer that Competition, communicate with you and ensure eligibility. If this involves sensitive personal data, such as information about disability used to ensure eligibility for a disabled Competition, we do this to ensure the integrity of our Competition;
we use CCTV and other security measures to enforce our ticketing conditions, protect the safety of those at our venue, provide evidence in relation to incidents taking place within our venues and to prevent and detect unlawful activity. This latter purposes is our legal basis to the extent that any CCTV footage or other record kept by the GFA involves holding information about you relating to actual or alleged criminal activity;
we use information you provide as well as information which we have collected about you to investigate any complaints received from you or from others, about our website and venues or our products or services;
we will use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and
we use data of some individuals to invite them to take part in market research;
where you give us consent:
we will send you direct marking in relation to our relevant products and services, or other products and services provided by us and carefully selected partners and sponsors;
we place cookies and use similar technologies in accordance with our policy on cookies (per the below) and the information provided to you when those technologies are used; and
on other occasions where we ask you for consent, we will use the data for the purposes which we explain at that time;
for purposes which are required by law:
where we are required to hold or collect personal data to meet legal requirements on such, such as keeping health and safety records, details of purchases or ensuring banned fans are not given access to our venues;
where we need parental consent to provide online services to children under 13. However, most of our websites are not designed for children under 13; and
where in response to requests by government or law enforcement authorities conducting an investigation.
Withdrawing consent or otherwise objecting to direct marketing
Whenever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above.
In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests.
You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting use using the details set out below.
What cooking and/or tracking technologies does the GFA use?
When you visit one of our websites, we may also collect, process and use information about you and your use of the website, including any forums you visit and how you arrived at our site. Such information may be collected through “traffic data” and may entail the use of “cookies” or other tracking technologies, IP addresses or other numeric codes used to identify your computer and/or device.
By accessing GFA applications from Apple IOS and Android devices, you consent to cookies being stored to your device (and other tracking technologies being used to read data from your device) for the following purposes:
keeping you logged in;
ensuring that an appropriate version of content is presented; and
analytics and advertising.
Many of these cookies and technologies are essential to the operation of the application. It is not currently possible to opt out or remove these cookies (or prevent use of these technologies) from the device without deleting the application.
Who will we share this data with, where and when?
We will share you data with relevant third parties for the purposes set out above, in particular we will share details of fans or participants with other football stakeholders, other footballing governing bodies and the police where this is necessary to enforce stadium or travel bans. We will also share data with third parties holding events at our venues as necessary to ensure that your attendance is appropriately managed and we will share appropriate data with third party ticketing providers as necessary to manage our ticketing processes.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.
Personal data with also be shared with third party service providers, who will process it on behalf of the GFA for the purposes identified above. Such third parties include providers of website hosting, security services, maintenance, call centre operations and identity checking. Some of our suppliers may be separate data controllers, such as market research organisations, and may provide you with their own privacy notice where appropriate.
Where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor’s Processing Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request by contacting us using the details set out below.
Where data is transferred outside the EEA due to your purchase of tickets to a game taking place outside the EEA, this data is transferred as necessary to facilitate your travel and fulfil your contract.
What rights do I have?
You have the right to ask for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured machine-readable format.
In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirements, or where we are using the data for direct marketing).
These rights may be limited, for example if fulfilling your request would reveal personal data about person, where it would infringe the rights of a third party (including our rights), or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in both the GDPR and in the Data Protection Act 2004. We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights, you can get in touch with us – or our data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred. In Gibraltar, this is likely to be the Gibraltar Regulatory Authority.
Data that is mandatory is indicated on relevant forms that you complete. Where provision of data is mandatory, if relevant data is not provided, then we will not be able to fulfil your requests, make a purchase or otherwise engage with the GFA. All other provision of your information is optional.
How do I get in touch with you, or your data protection officer?
We hope that we can satisfy queries you may have above the way we process your data. If you have any concerns about how we process your data, or would like to opt out of direct marketing, you can contact us on firstname.lastname@example.org or by writing to: Gibraltar Football Association, 01b World Trade Center, Gibraltar GX11 1AA.
How long will you retain my data?
Where we process data in connection with your registration to use the GFA, we do this for as long as you are an active user of our sites and for five seasons after this.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in the future.
You will have the opportunity to unsubscribe from emails, SMS, newsletters and other promotional communications, promotion of events, products and services of the Event Promoter at any time. For more information contact us on email@example.com
Where we process personal data in connection with performing a contract or for a Competition, we keep the data for seven years from your last interaction with us or from when the contract ends.
Where we process CCTV footage, we hold this for a month, unless we have been asked to extract footage, in which case this is held for ten years from the data it is extracted.
Where we process personal data to meet legal requirements, we hold this for as long as the law requires.
We hold information relating to visitors to our venues for a month.
Where your data is held on GFA system, then at the end of the retention periods set out above, we will not irrevocably delete your information for another three months. Your data will be held in an inactive form for this time to ensure that any consequential link across our systems remain intact in the event that your data is removed in a particular location.