- visit our website (regardless of where you visit it from);
- purchase tickets from us;
- join or renew your Scotland Supports Club membership;
- sign up to receive marketing communications from us; or
- book on any training course or event which we provide.
In this privacy notice, “Data Protection Legislation” means all applicable legislation which relates to the protection of individuals with regards processing personal data, including the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679, and the Privacy and Electronic Communication Regulations 2003.
IMPORTANT INFORMATION AND WHO WE ARE
- Purpose of this privacy notice
THE SCOTTISH FOOTBALL ASSOCIATION LIMITED which has its registered office at Hampden Park, Glasgow G42 9AY with Company Number SC005453 is the controller and responsible for your personal data (referred to as the “Scottish FA", "we", "us" or "our" in this privacy notice).
We have notified the Information Commissioner’s Office that we are a data controller under registration number Z7099905. This means that we are responsible for deciding how we hold and use personal information about you. We are required under Data Protection Legislation to notify you of the information contained in this privacy notice. Our contact details are set out at section 15 below.
INFORMATION THAT WE COLLECT FROM YOU
- What is personal data?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data from which an individual can no longer be identified (anonymous data).
- What personal data do we collect from you?
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
- Identity Data: includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender;
- Contact Data: includes billing address, delivery address, email address and telephone numbers;
- Financial Data: includes bank account and payment card detail;
- Transaction Data: includes details about payments to and from you and other details of products, tickets and services you have purchased from us;
- Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website;
- Profile Data: includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses;
- Competition Entry Data: includes your name, address and email address and any other information you provide when entering a competition;
- Ticket Purchase and Scotland Supporters’ Club Data: includes your supporter account or ticket purchase account details (as applicable), your attendance and non-attendance at matches, your photo image for use on your ID card, whether you have been convicted or are being investigated for any criminal offence, particularly in relation to football related offences, such as football banning orders;
- Usage Data: includes information about how you use our website, products and services and your attendance at matches;
- Equal Opportunity Data: includes information on your gender, sexual orientation, ethnicity, age, religion, and any disability that you may have;
- Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preference;
- CCTV Data: including video images of you from CCTV and body worn cameras which we deploy in and around match venues; and
HOW IS YOUR PERSONAL DATA COLLECTED?
We use different methods to collect data from and about you including through:
- Direct interactions: You may give us your Identity, Contact, Financial Data, Ticket Purchase and Scotland Supporters’ Club data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- purchase tickets or merchandise on our website, or any other products or services (for example, training courses) which we offer;
- fill in any forms on our website;
- create an account on our website, including when you sign up to become a member of the Supporters’ Club or create a ticket purchase account;
- subscribe to our service or publications;
- request marketing to be sent to you;
- register to receive or download information, newsletters or other documentation;
- submit a nomination or vote in respect of any awards;
- sign up to attend any events or courses;
- enter a competition, promotion or survey;
- when you attend or do not attend football matches using the tickets purchased from us; and/or
- give us some feedback.
- Automated technologies or interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see paragraph 8 below for more information.
- CCTV: We maintain an extensive CCTV system throughout Hampden Park and the surrounding areas. This is primarily for reasons of public safety and for the prevention and detection of crime. Footage is always handled in accordance with the Data Protection Legislation, and in particular is only held for a limited period of time before it is automatically deleted (please see paragraph 7 below for more details). Where it is necessary, we may share personal data obtained by our CCTV systems with the police or other relevant organisation for the purposes of investigating crime and/or prosecuting offenders. Please contact us at firstname.lastname@example.org if you would like to know more about how our CCTV systems operate.
- Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below:
- Contact, Financial and Transaction Data from JD Sports where you have purchased any merchandise through our website which has been fulfilled by JD Sports;
- Technical Data from analytics providers; advertising networks; and search information providers.
- Contact, Financial and Transaction Data from providers of technical, payment, ticketing and delivery services;
HOW WE USE YOUR PERSONAL DATA
- What processing grounds do we rely on?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where you have provided us with your consent to send you marketing communications;
- Where we need to perform the contract we are about to enter into or have entered into with you (for example, to provide you with any products and/or services which you have requested);
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (for example, undertaking analysis and research for the purposes of improving our website user experience); and
- Where we need to comply with a legal or regulatory obligation (for example, equal opportunities monitoring).
Please note that we may process your personal information without your knowledge or consent, where this is required or permitted by law. Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email. You have the right to withdraw consent to marketing at any time by contacting us.
We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us by emailing email@example.com if you need details about the specific legal ground we are relying on to process your personal data.
- How do we use your information?
We use your information:
- to enable us to supply you with the goods, services and information which you have requested and/or purchased;
- to analyse the information we collect so that we can administer, support and improve and develop our business and the services we offer;
- to contact you in order to send you details of our goods and services (for example, details of upcoming matches) which may be of interest to you;
- to provide you with access to certain parts of our site;
- for all other purposes consistent with the proper performance of our operations and business;
- to contact you for your views on our products and services;
- to enable us to assess whether or not you are eligible to become a member of the supporter’s club;
- to help us with understanding more about how our website and services are used;
- to ensure the safety of all those attending football matches and for the purposes of preventing crime;
- to monitor operational and safety related incidents;
- for the prevention and detection of crime and fraud, to apprehend and prosecute offenders, and provide evidence to take civil action in the courts;
- to help provide a safer environment for our staff;
- to determine whether you should be awarded with any loyalty points (if you are a member of the Scottish Supporters’ Club);
- to ensure that you are not breaching the terms and conditions of your Scottish Supporter’s Club membership;
- to prevent fraud; and
- for all other purposes consistent with the proper performance of our operations, including promoting equal opportunities.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will explain the legal basis which allows us to do so.
DISCLOSURE OF YOUR INFORMATION
- Disclosure to selected third parties
- Transferring data outside of the EEA
We may need to transfer your information outside of the European Economic Area (EEA) to service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the EEA, such as the USA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
We may also hold your personal information for longer where it is necessary to do so for the management of any active or potential legal proceedings, to resolve or defend claims, and for the purpose of making any necessary remediation payments.
We retain most CCTV footage for a period of 30 days before it is securely destroyed. Where we have saved particular footage related to an incident, legitimate request or claim we retain that footage for as long as is necessary to fulfil the purposes for which it has been retained.
A “cookie” is a piece of software that attaches to the hard drive of your computer and remembers information about the configuration of your computer. You can choose not to accept cookies from our website. We use a number of cookies on our website, including cookies provided by Google Analytics and Facebook.
We use the following categories of cookies on our websites:
- Strictly necessary: These cookies are essential for certain features of our websites to work (for example, when you make payments to us for purchasing goods or services). These cookies do not record identifiable personal information and we do not need your consent to place these cookies on your device. Without these cookies some services you have asked for cannot be provided.
- Performance: These cookies are used to collect anonymous information about how you use our websites. This information is used to help us improve our websites and understand how effective our adverts are. In some cases we use trusted third parties to collect this information for us but they only use the information for the purposes explained.
- Functionality: These cookies are used to provide services or remember settings to enhance your visit for example text size or other preferences. The information these cookies collect is anonymous and does not enable us to track your browsing activity on other websites.
- Targeting and Advertising: These cookies are used by trusted third parties to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. Information contained in these cookies is anonymous and doesn't contain your personal information. To find out more about cookies used for targeting and advertising follow youronlinechoices.com and www.networkadvertising.org or contact us for further information about the trusted third parties we use.
- Managing our cookies: If you would prefer to restrict, block or delete cookies from us and our third party advertisers, or any other website, you can use your browser to do this. Each browser is different, so check the "Help" menu of your particular browser to learn how to change your cookie preferences. If you choose to disable all cookies we cannot guarantee the performance of our websites and some features may not work as expected. Please contact us for details of the specific cookies which we use on our website.
For further information on cookies and how to disable them, please refer to www.allaboutcookies.org.
- Marketing by us
We may use your Identity, Contact, Technical, Usage, Competition Entry Data, Ticket Purchase and Scotland Supporters’ Club data and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us:
- if you have given us your express consent to receive marketing communications, or
- if you have purchased goods, services, tickets or a Scotland Supporters’ Club membership from us and, in each case, you have not opted out of receiving that marketing.
Where you have given us your express consent, we will send marketing communications to you on behalf of our third party sponsors and partners.
- Third party marketing
We will get your express opt-in consent before we share your personal data with any company outside the Scottish FA group of companies for marketing purposes.
We are committed to providing you with information on products and offers which are relevant to you. If you have consented to receiving marketing we will therefore use your email address to promote our adverts to you on Facebook, Google and/or other social media channels. These adverts may appear on your Facebook newsfeed if you have a Facebook account linked to an email address that has been provided to us. If you no longer wish to receive the advertisements detailed above you can unsubscribe at any time by contacting us at firstname.lastname@example.org.
Please note, you may receive adverts from us which are not connected to having provided us with your email address. An example of this may be when Facebook uses the information provided by users in accordance with its privacy and cookies policies to advertise. We cannot accept responsibility for any such advertisements.
- Opting out
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, you may still receive messages from us for non-marketing purpose, for example, service messages providing important announcements regarding a match which you have purchased tickets for
THIRD PARTY WEBSITES
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further policy to you. Please be aware that the transmission of information via the internet is not always completely secure. Although we will do our best to protect your personal data, we cannot guarantee the complete security of your data transmitted to us electronically; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to restrict unauthorised access. All credit/debit card data taken through our website is encrypted in accordance with industry standards, including PCI-DSS.
Under Data Protection Legislation, you are entitled to exercise the following rights over your personal data:
- Right to object: You can object to our processing of your information.
- Access to your personal information: You can request access to a copy of your information that we hold, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge.
- Right to withdraw consent: If you have given us your consent to use your information to send you marketing emails, you can withdraw your consent at any time or by clicking the "unsubscribe" link in any marketing email which you receive.
- Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.
- Erasure: You can ask us to delete your information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
- Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.
- Restriction: You can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.
- Make a complaint: You can make a complaint about how we have used your information to us by contacting us, or to a supervisory authority - for the UK this is the Information Commissioner's Office, at https://ico.org.uk/.
If you would like to exercise any of your rights above, please contact us by email to email@example.com.
CHANGES TO THIS POLICY
YOUR DUTY TO INFORM US
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us
If you have any questions about this privacy notice, including any requests to exercise your legal rights or making a complaint to us about how we have used your personal data, please contact us by emailing firstname.lastname@example.org, or by writing to us at "The Scottish Football Association, Hampden Park, Glasgow, G42 9AY".
Download the UEFA EURO 2020 App