What does this notice cover?
This notice describes how Brighton and Hove Albion Football Club Limited (also referred to as "The Club ", "we" or "us") will make use of your data on our websites and during your interaction with the Club online and offline, including purchasing tickets for our games, using our applications, buying items in our online shop, data we may process if you attend our games, data we may handle if you supply or partner with the Club or data we use to send you direct marketing.
It also describes your data protection rights, including a right to object to some of the processing which the Club carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
Summary of how we use your data
The Club uses your personal data to allow you to use the features in Club content, to administer your online and offline relationships with the Club, to manage the safety and security of our venues and events, to comply with the Club's legal obligations and to provide you with Club products, services and other offerings. Some of this information will be provided by you, and others will be generated by the Club or provided by third parties.
Our websites may provide interactive features that engage with social media sites, such as Facebook and Twitter. If you use these features, these sites will send us personal data about you.
We place our own cookies on other sites, and we use information obtained from these cookies and other tracking technologies to personalise content and advertising and to make our content function better.
Where we rely on your consent, such as for direct marketing purposes, or to place cookies, you can withdraw this consent at any time.
What information do we collect?
We collect and process personal data about you when you interact with us and our websites, and when you purchase goods and services from us. This will typically be provided directly by you, and may include information you provide on registration or in the process of your purchase, such as your name, address, email address, marketing preferences and payment details. The details being provided by you will be made clear in forms you complete or will be provided directly by you in surveys, in purchasing tickets or in volunteering information in communications or content you provide us.
What information do we generate or receive from third parties?
We may generate or collect information about you ourselves. In an online context, much of this is set out in our Cookies section. In an offline context, we may particularly collect information about you through our CCTV cameras, in completing health and safety records or by keeping access records of our sites.
Sometimes we receive information about you from other third parties. For example, if you login to a site or app using Facebook Connect you will be asked if you wish to share information from your Facebook account with us. If you use a "like", "follow" or a "share" button for a feature on our sites or apps, then the third party will share information with us. If you participate in activities on other sites or apps, such as participating in a Facebook application, you may allow us to have access to personal data held by Facebook, or other site or app owners. We also receive information about individuals that the police or other sports stakeholders recommend or require us to ban from our ground. We may also obtain information about you from third-party demographics providers, which we may use to help us better understand our users and send them appropriate offers and information.
If we provide online services to a child where we need parental consent for this, we may ask for a parent's email address in order to ask for consent.
How do we use this information, and what is the legal basis for this use?
We process this personal data for the following purposes:
- To fulfil a contract, or take steps linked to a contract. This is relevant where you make a purchase from us or enter a competition we run. This includes:
- verifying your identity;
- taking payments;
- communicating with you; and
- providing customer services and arranging the delivery or other provision of products, prizes or services.
- As required by the Club to conduct our business and pursue our legitimate interests, in particular:
- use social media tools to send you direct marketing messages, or to identify relevant groups and audiences to help target our other marketing activities;
- we will use your information to provide products and services you have requested, and respond to any comments or complaints you may send us;
- we monitor use of our venues, websites and online services, and use your information to help us analyse, monitor, improve and protect our venues, products, content, services and websites, both online and offline. This may include the use of information you provide, and information we receive from demographics providers;
- we use information you provide to personalise our website, products or services for you;
- if you provide a credit or debit card as payment, we also use third parties to check the validity of the sort code, account number and card number you submit in order to prevent fraud (see data sharing below);
- we use CCTV and other security measures to enforce our ticketing conditions, protect the safety of those at our venues, provide evidence in relation to incidents taking place within our venues and to prevent and detect unlawful activity. This latter purpose is our legal basis to the extent that any CCTV footage or other record kept by the Club involves holding information about you relating to actual or alleged criminal activity;
- we use information you provide and that has been collected about you to investigate any complaints received from you or from others about our website and venues or our products or services;
- we send some marketing based on our legitimate interests, where this relates only to similar products and services to those you have bought or considered previously and where we have given you an opportunity to opt out, or where we send you any postal marketing;
- we will use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and
- we use data of some individuals to invite them to take part in market research.
- Where you give us consent:
- we will send you direct marketing in relation to our relevant products and services or other products and services provided by us and carefully selected partners and sponsors;
- we place cookies and use similar technologies in accordance with our Cookies Policy (see below) and the information provided to you when those technologies are used; and
- on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.
- For purposes which are required by law:
- where we are required to hold or collect personal data to meet legal requirements on us, such as keeping health and safety records, details of purchases or ensuring banned fans are not given access to our venues;
- where we need parental consent to provide online services to children under 16. However, most of our websites and marketing are not designed for children under 16; and
- where in response to requests by government or law enforcement authorities conducting an investigation.
Relying on our legitimate interests
We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests, which we have described above. You can obtain information on any of our balancing tests by contacting us using the details set out later in this notice.
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt out of direct marketing or profiling we carry out for direct marketing at any time. You can do this by following the instructions in the communication where this is an electronic message or by contacting us using the details set out below.
What cookies and/or tracking technologies does the Club use?
When you visit one of our websites, we may also collect, process and use information about you and your use of the website, including any forums you visit and how you arrived at our site. Such information may be collected through "traffic data" and may entail the use of "cookies" or other tracking technologies, IP addresses or other numeric codes used to identify your computer.
Who will we share this data with, where and when?
We will share your data with relevant third parties for the purposes set out above. In particular we will share details of fans or participants with other football stakeholders such as the FA, Premier League and EFL, and the police where this is necessary to enforce stadium bans.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.
Personal data will also be shared with third-party service providers, who will process it on behalf of the Club for the purposes identified above. Such third parties include providers of website hosting, security services, maintenance, call centre operations and identity checking.
Where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor's Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request. Where data is transferred outside the EEA due to your purchase of tickets to a game taking place outside the EEA, this data is transferred as necessary to facilitate your travel and fulfil your contract.
What rights do I have?
You have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format.
In addition, you can object to the processing of your personal data in some circumstances (in particular where we don’t have to process the data to meet a contractual or other legal requirement or where we are using the data for direct marketing).
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information that we are required by law to keep or have compelling legitimate interests in keeping.
To exercise any of these rights, you can get in touch with us – or our data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred. This is likely to be the Information Commissioner’s Office in the UK.
Data that is mandatory is indicated on relevant forms that you complete. Where provision of data is mandatory, if relevant data is not provided, then we will not be able to fulfil your requests to register, make a purchase or otherwise engage with the Club. All other provision of your information is optional.
How do I get in touch with you?
We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, or would like to opt out of direct marketing, you can get in touch at firstname.lastname@example.org or by writing to Data Protection, The American Express Community Stadium, Village Way, Falmer BN7 5SH. You can also use the preference centre in MyAlbion account if you sign in to make changes to your marketing preferences, or from the link at the bottom of Club emails sent to you.
How long will you retain my data?
We process registration data for as long as you are an active user and for 6 years after this. We will also, where you have consented to marketing, continue to send you marketing whilst you are an active user. An active user is a fan that has opened an email from us or bought something from us within the last 3 seasons. We will also remove you from our marketing lists where you have not engaged in the previous 3 seasons.
If you choose to opt out of marketing, we will remove you from our lists but keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.
Where we process personal data in connection with performing a contract or for a competition, we keep the data for 6 years from your last interaction with us.
We keep information relating to our suppliers and partners for at least 6 years following the contract, although we may hold it longer where required by law, such as for accounting purposes.
Where we process CCTV footage, we hold this for a month.
Where we process personal data to meet legal requirements, we hold this for as long as the law requires – for example, we hold health and safety accident records for 7 years.
Effective Date: This Privacy Notice was updated 17 May 2018 and is effective as of that date.