The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and represents a reshaping of the data protection landscape. GDPR helps to protect the personal data of those involved in rugby by requiring better governance and transparency. Organisations holding personal data, including constituent bodies, referee societies and clubs, need to give information to people about what they do with those people’s data, why, and for how long.
Summary of how Burgess Hill RFC and the RFU use your data
• Burgess Hill RFC uses your personal data to manage and administer your membership and your involvement with its teams and club, and to keep in contact with you for these purposes.
• Some data is shared with the RFU, who use your data to regulate, develop and manage the game.
• Data (player names and RFU numbers) are also shared with other clubs for the organisation of matches, tournaments and festivals as required.
• Where we or the RFU rely on your consent, such as any consent we seek for email marketing, you can withdraw this consent at any time.
• Amongst the data we collect from you may be medical (including injury) information. We will hold this where you (or your parent) have given consent, so that we can ensure we are aware of your condition and can that you are supported appropriately.
• Where you work in a particular role within the game, you may be required to undergo a Disclosure & Barring Service check using the RFU’s DBS system. The result of this check will be put into your Game Management Service (GMS) record.
What does this policy cover?
This policy describes how Burgess Hill RFC (also referred to as “the Club”, “we” or “us”) will make use of the data we handle in relation to our members and players, including our use of the Game Management System (“GMS”) provided by the Rugby Football Union (“RFU”). The policy also describes the RFU’s use of data on GMS. It also describes your data protection rights, including a right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
What information do we collect?
We collect and process personal data from you or your parent when you join and when we carry out annual renewals of your membership. This includes:
• your name
• your gender,
• your date of birth,
• your RFU ID (as assigned in GMS)
• your home address, email address and phone number;
• your passport and NI details, where we have to check your eligibility or ability to work for us;
• your type of membership and involvement in particular teams, or any key role you may have been allocated, such as Chair, Safeguarding Lead, Membership Secretary etc.;
• your payment and/or bank account details, where you provide these to pay for membership;
• your marketing preferences, including any consents you have given us;
• your medical conditions or disability, where you provide this to us with your consent (or your parent’s consent) to ensure we are aware of any support we may need to provide to you.
Some information will be generated as part of your involvement with us, in particular data about your performance, involvement in particular matches in match reports and details of any disciplinary issues or incidents you may be involved in on and off the pitch, such as within health and safety records.
What information do we receive from third parties?
Sometimes, we receive information about you from third parties. For example, if you are a child, we may be given information about you by your parents.
We may receive information relating to your existing registrations with other clubs or rugby bodies or disciplinary history from the RFU through GMS. Additionally, for certain role holders or those working with children, we may receive information from the Disclosure and Barring Service and RFU on the status of any DBS check you have been required to take.
How do we use this information, and what is the legal basis for this use?
We process this personal data for the following purposes:
• To fulfil a contract, or take steps linked to a contract: this is relevant where you make a payment for your membership and any merchandise, or enter a competition. This includes:
• taking payments;
• communicating with you;
• providing and arranging the delivery or other provision of products, prizes or services;
• As required by the Club to conduct our business and pursue our legitimate interests, in particular:
• we will use your information to manage and administer your membership and your involvement with its teams and club, and to keep in contact with you for these purposes;
• we will also use data to maintain records of our performances and history, including match reports, score lines and team sheets;
• we may choose to send you promotional materials and offers by post or by phone, or by email where we want to send you offers relating to similar products and services that you have already bought
• we use data of some individuals to invite them to take part in market research;
• Where you give us consent:
• we may send you direct marketing or promotional material by email;
• we may handle medical or disability information you or your parent provides to us, to ensure we support you appropriately;
• on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.
• For purposes which are required by law:
• we maintain records such as health and safety records and accounting records in order to meet specific legal requirements;
• we ensure, where you will work with children, that you have undergone an appropriate DBS check – this is also carried out with your consent.
• where you hold a role at the Club requiring us to check your right to work, we may process information to meet our statutory duties;
• we may respond to requests by government or law enforcement authorities conducting an investigation.
How does the RFU use any of my information?
The RFU provides GMS, but make its own use of the following information:
• your name;
• your gender;
• your date of birth;
• your RFU ID (as assigned in GMS);
• your home address, email address and phone number; and
• your type of membership and involvement in particular teams at the Club, or any key role you may have been allocated, such as Chair, Safeguarding Lead, Membership Secretary etc.
The RFU uses this information as follows:
• As required by the RFU to conduct its business and pursue its legitimate interests, in particular:
• communicating with you or about you where necessary to administer Rugby in England, including responding to any questions you send to the RFU about GMS;
• administering and ensuring the eligibility of players, match officials and others involved in English rugby – this may involve the receipt of limited amounts of sensitive data in relation to disabled players, where they are registered for a disabled league or team, or in relation to anti-doping matters;
• maintaining records of the game as played in England, in particular maintaining details of discipline and misconduct;
• monitoring use of GMS, and using this to help it monitor, improve and protect its content and services and investigate any complaints received from you or from others about GMS;
• maintaining statistics and conducting analysis on the make-up of rugby’s participants;
• ensuring compliance with the current RFU Rules and Regulations including those on the affiliation of clubs, referee societies, constituent bodies and other rugby bodies, and registration of players; and
• communicating with you to ask for your opinion on RFU initiatives.
• For purposes which are required by law:
• The RFU will ensure, where you will work with children and where this is required, that you have undergone an appropriate DBS check – this is also carried out with your consent.
• The RFU may respond to requests by government or law enforcement authorities conducting an investigation.
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below in the “How do I get in touch with you or the RFU?” section.
Who will we share this data with, where and when?
Some limited information may be shared with other stakeholders in rugby, such as other clubs, Constituent Bodies, referee societies, league organisers, so that they can maintain appropriate records and assist us in organising matches and administering the game. Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our or the RFU’s legitimate interests in compliance with applicable laws. Personal data will also be shared with third party service providers, who will process it on our behalf for the purposes identified above. Such third parties include the RFU as the provider of GMS and providers of Pitchero- the club’s website host. Where information is transferred outside the UK and/or EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor's Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request.
What rights do I have?
You have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format. In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing). These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. You have the same rights for data held by the RFU for its own purposes on GMS. To exercise any of these rights, you can get in touch with us– or, as appropriate, the RFU or its data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to the applicable data protection authority where you live, work or where you believe a breach may have occurred. This is the Information Commissioner’s Office in the UK. Much of the information listed above must be provided on a mandatory basis so that we can make the appropriate legal checks and register you as required by RFU Rules and Regulations. We will inform you which information is mandatory when it is collected. Some information is optional, particularly information such as your medical information. If this is not provided, we may not be able to provide you with appropriate assistance, services or support.
How do I get in touch with you or the RFU?
We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, you can get in touch at membership@bhrfc.co.uk or by writing to Burgess Hill Rugby Club, Povey’s Close, Burgess Hill, West Sussex, RH15 9TA .
If you have any concerns about how the RFU process your data, you can get in touch at legal@rfu.com or by writing to The Data Protection Officer, Rugby Football Union, Twickenham Stadium, 200 Whitton Road, Twickenham TW2 7BA.
How long will you retain my data?
We process the majority of your data for as long as you are an active member and for 1 year after this unless you specifically request us to remove your data more quickly.
Where we process personal data for marketing purposes or with your consent, we process the data unless you ask us to stop, when we will only process the data for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future. Where we process personal data in connection with performing a contract or for a competition, we keep the data for 6 years from your last interaction with us. We will retain information held to maintain statutory records in line with appropriate statutory requirements or guidance. The RFU will maintain records of individuals who have registered on GMS, records of DBS checks and the resulting outcomes and other disciplinary matters for such period as is set out in the RFU’s Data Retention Schedule. Records of your involvement in a particular match, on team sheets, on results pages or in match reports may be held indefinitely both by us and the RFU in order to maintain a record of the game.
Policy Date: 22 May 2023
Club Safeguarding officer: safeguarding@bhrfc.co.uk
Club Safeguarding Assistant: safeguardingassistant@bhrfc.co.uk
1. Commitment
1.1 Burgess Hill Rugby Football Club (“the Club”) holds personal data about members of the Club at senior, junior and minis level including all levels of membership ("Members").
1.2 The Club is committed to ensuring that any personal data is dealt with properly and securely however it is collected, recorded and used, whether on paper, computer or recorded on any other material.
1.3 The Club regards the lawful and correct treatment of personal data as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals. To this end, the Club fully endorses and adheres to all applicable data protection and privacy legislation, regulations and guidance ("Data Protection Legislation"). From 25 May 2018 onwards this will be Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR") and the Privacy and Electronic Communications (EC Directive) Regulations and any guidance or codes of practice issued by the European Data Protection Board or Information Commissioner from time to time (all as amended, updated or re-enacted from time to time).
2. Policy
2.1 The aim of this policy is to set out how the Club seeks to protect personal data and ensure that the Club’s governing body (“the Committee”), sub committees and other working parties formed from time to time, volunteers, and where appropriate Members to whom tasks might be delegated are clear about the purpose and principles of data protection and to ensure that they have guidelines and procedures in place which are consistently followed.
3. Definition Of Data Protection
In this policy:
3.1 Data is information which is stored electronically, on a computer, or in certain paper-based filling systems.
3.2 Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with Data Protection Legislation. The Club is the data controller of all personal data used in pursuing its objects in accordance with its rules.
3.3 Data subjects include all living individuals about whom the Club holds personal data. All data subjects have legal rights in relation to their personal information.
3.4 Data users are those entities and individuals described in clause 2.1 above whose work involves processing personal data. Data users must protect the data they handle in accordance with this policy at all times.
3.5 Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in the Club's possession), such as contractors and suppliers, Members and their partners, and members of affiliated organisations. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about the person, their actions and behaviour.
3.6 Processing data means obtaining, recording, holding or doing anything with data, such as organising, using, altering, retrieving, disclosing or deleting it.
3.7 Sensitive personal data means personal data about an individual's race or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health conditions, sexual life, criminal offences or related proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned, although it is unlikely that the Club will collect such data.
4. Compliance
4.1 Anyone processing personal data must comply with Data Protection Legislation. To comply with the law, personal data must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
4.2 The Club will observe the following principles in respect of the processing of personal data:
4.2.1 personal data will be processed fairly and lawfully;
4.2.2 personal data will only be processed for limited purposes and in an appropriate way;
4.2.3 personal data processed for a specific purpose will be adequate, relevant and not excessive for that purpose;
4.2.4 personal data will be accurate and up to date;
4.2.5 personal data will not be held any longer than is necessary;
4.2.6 personal data will be processed in line with data subjects’ rights;
4.2.7 personal data will be kept secure against loss or misuse; and
5. Scope
5.1 Failure to adhere to Data Protection Legislation is unlawful and could result in legal action being taken against the Club or its volunteers with potential substantial fines.
5.2 The principles apply to personal data and the Club’s Members to whom duties are delegated by the Club or any of the Club’s committees who process or use any personal information in the course of their duties will ensure that these principles are followed at all times.
6. Responsiblity
6.1 During the course of their duties with the Club, volunteers (the definition of which embraces all Club Committee members) may be required to deal with information such as the names/addresses/phone-numbers/e-mail addresses of Members, Members' partner's names, suppliers and/or other members of the Club.
6.2 Volunteers may be told or overhear sensitive information while working for the Club. Data Protection Legislation gives specific guidance on how this information should be dealt with. In short, to comply with the law, personal data must be collected and used fairly, stored safely, and not disclosed to any other person unlawfully.
6.3 The Club will regard any unlawful breach of any provision of Data Protection Legislation by any volunteer as a serious matter which could result in disciplinary action. Any volunteer or Member who breaches this policy statement will be subject to the Club’s disciplinary procedure. Any such breach could also lead to criminal prosecution.
7. Fair And Lawful Processing
7.1 Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
7.2 For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in Data Protection Legislation. These include, among other things, the data subject's consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal condition to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met. When processing personal data as data controller in the course of its activities, the Club will ensure those requirements are met.
8. Notifying Data Subjects
8.1 If the Club collects personal data from data subjects, the Club will inform them about:
8.1.1 The purpose or purposes for which the Club intends to process that personal data.
8.1.2 The types of third parties, if any, with which the Club will share or to which the Club will disclose that personal data.
8.1.3 The means, if any, with which data subjects can limit the Club's use and disclosure of their personal data.
8.2 If the Club receives personal data about a data subject from other sources, the Club will provide the data subject with the information as soon as possible thereafter.
8.3 The Club will also inform data subjects whose personal data it processes that it is the data controller with regard to that data and who to contact in this regard.
9. Adequate, Relevant And Non-Excessive Processing
The Club will only collect personal data to the extent that it is required for the specific purpose notified to the data subject.
10. Processing In Line With Data Subjects' Rights
The Club will process all personal data in line with data subjects' rights as set out in further detail in the Club's privacy notices.
11. Security
The Club will take appropriate measures against unlawful or unauthorised processing or personal data, and against the accidental loss of, or damage to, personal data.
12. Dealing With Subject Access Requests
12.1 Data subjects must make a formal request for information it holds about them. This must be made in writing.
12.2 When receiving telephone enquiries, the Club will only disclose personal data it holds on its systems if the following conditions are met:
12.2.1 The Club will check the caller's identity to make sure that information is only given to a person who is entitled to it.
12.2.2 The Club will suggest that the caller put their request in writing if it is not sure about the caller's identity and where their identity cannot be checked.
12.3 The Club Chairman will escalate any request as appropriate for assistance in difficult situations. Staff should not be pressured into disclosing personal information.
13. Procedures
The following procedures have been developed in order to ensure that the Club meets its responsibilities in terms of data protection in respect of all data subjects.
13.1 Internal Data Records
13.1.1 Process- The Club uses personal data for a variety of purposes in order to perform its obligations to Members to comply with legal obligations or otherwise in pursuit of its legitimate social, civic and ceremonial interests. The data is stored and processed for the following purposes:
• Registration
• Reporting on Emergency or Health & Safety issues
• Providing such information to the Rugby Football Union
• Application for membership forms
• The day to day management of tasks and responsibilities
• Social events
This list is not exhaustive and the Club may undertake additional processing in line with the purposes set out above. The Club will update this policy in that case to reflect any notable changes in the purposes for which it processes any personal data.
13.1.2 Access- The contact details of Members (at all levels etc.) will only be made available to appropriate other Members and volunteers. Any other information supplied on application is maintained in secure filing cabinets and is not accessed during the day to day running of the Club.
13.1.3 Contact details of Members and volunteers will not be passed on to anyone outside the Club without their explicit consent unless required by law.
13.1.4 Accuracy- The Club will take reasonable steps to keep personal data up to date and accurate.
13.1.5 Storage- Personal data is kept in the GMS system, the Pitchero system and in limited instances in paper-based systems where required for specific use
13.1.6 Every effort is made to ensure that paper-based data is stored in organised and secure systems.
13.1.7 Use of photographs- Where practicable, the Club will seek consent from individuals and in respect of Mini and Junior Members their legal guardian before displaying photographs in which they appear. Members are asked for photograph consent as part of the GMS joining process and this information is recorded and stored in the GMS system. The Club will remove any photograph if a complaint is received. This policy also applies to photographs published on the Club’s website, or in any other Club printed material.
13.2 External Data Records
13.2.1 Purpose- The Club processes an element of personal data for individuals other than those referred to above (such as names, addresses, and phone numbers). This data is obtained, stored and processed solely to assist the Committee and sub committees in the efficient running of Club’s activities.
13.2.2 Consent- Personal data is collected via e-mail and via other methods such as application forms. During this initial contact, the data subject is given an explanation of how this information will be used as appropriate and will be directed to the applicable privacy policy on the Club's website. In respect of Mini/Junior registration the legal guardian will be asked to tick a box affirming that they have understood.
13.2.3 Personal data will not be passed on to anyone outside the organisation without explicit consent from the data subject unless there is a legal duty of disclosure under other legislation, in which case the Honorary Secretary will discuss and agree disclosure with the Chairman or Club’s designated representative or representatives.
13.2.4 Access - Only the Club’s Committee, the Chairman and if appropriate the Club’s designated representative or representatives (which may constitute a specific subcommittee of the Club) will normally have access to personal data. Such persons are made aware of the data protection policy and their obligation not to disclose personal data to anyone who is not supposed to have it.
13.2.5 Information supplied is maintained in secure filing paper and electronic systems and is only accessed by those individuals involved in the delivery of the service.
13.2.6 Information will not be passed on to anyone outside the organisation without their explicit consent, excluding statutory bodies e.g. the Inland Revenue which require this information and save where required by law.
13.2.7 Individuals will be supplied with a copy of any of their personal data held by the Club if a request is made in accordance with the applicable rules.
13.2.8 Accuracy- The Club will take reasonable steps to keep personal data up to date and accurate.
13.2.9 Storage- Personal data is kept in paper-based systems and on the Club’s database on its password-protected computer system.
13.2.10 Every effort is made to ensure that paper-based data is stored in organised and secure systems.
13.2.11 Use of photographs- Where practicable, the Club will seek consent from individuals and in respect of Mini and Junior Members their legal guardian before displaying photographs in which they appear. Members are asked for photograph consent as part of the GMS joining process and this information is recorded and stored in the GMS system. The Club will remove any photograph if a complaint is received. This policy also applies to photographs published on the Club’s website, or in any other Club printed material
14. Retention Of Data
14.1 No documents will be stored for longer than is necessary. The Club will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.
14.2 All documents containing personal data must be disposed of securely in accordance with the data protection principles.
14.3 Any questions or concerns about the interpretation or operation of this policy statement should in the first instance be discussed between the Chairman or a designated Club representative.
15. Monitoring And Review
15.1 The Club will monitor the effectiveness of this policy regularly considering its suitability, adequacy and effectiveness. As a minimum this policy will be reviewed annually.
Welcome to our website.
If you continue to browse and use this website, you are agreeing to comply with and be bound by the following terms and conditions of use, which together with our privacy policy govern Burgess Hill RFC’s relationship with you in relation to this website. If you disagree with any part of these terms and conditions, please do not use our website. The term Burgess Hill RFC, BHRFC, or 'us' or 'we' refers to Burgess Hill Rugby Football Club, the owner of the website. The term 'you' refers to the user or viewer of our website.
The use of this website is subject to the following terms of use:
• The content of the pages of this website is for your general information and use only. It is subject to change without notice.
• This website uses cookies to monitor browsing preferences.
• Neither we nor any third parties provide any warranty or guarantee as to the accuracy, timeliness, performance, completeness or suitability of the information and materials found or offered on this website for any particular purpose.
• You acknowledge that such information and materials may contain inaccuracies or errors and we expressly exclude liability for any such inaccuracies or errors to the fullest extent permitted by law.
• Your use of any information or materials on this website is entirely at your own risk, for which we shall not be liable. It shall be your own responsibility to ensure that any products, services or information available through this website meet your specific requirements.
• This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.
• All trade marks reproduced in this website which are not the property of, or licensed to, the operator are acknowledged on the website.
• Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.
• The site should not be used in any way that will violate or infringe any laws or regulations or the rights of any person
• The site should be used for any form of discussion, which is unlawful, harassing, libellous, defamatory, abusive, threatening, harmful, vulgar, obscene, profane, sexually oriented or pornographic, racially offensive or which otherwise includes objectionable material
• From time to time this website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website(s). We have no responsibility for the content of the linked website(s).
We will be entitled at our discretion to remove anything which in our opinion does not comply with these terms and conditions in any way. We will not be liable for doing this. However, for the avoidance of doubt, we will not be required to monitor use of or access to the Site generally.
These terms and conditions are governed by and will be construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with these terms and conditions shall be subject to the non-exclusive jurisdiction of the English courts.