Data Protection Policy


1. Policy Statement 1

2. About this Policy 1

3. Definition of Data Protection Terms 2

4. Data Protection Principles (GDPR) 3

5. Fair, Lawful and Transparent Processing 4

6. Processing for Limited Purposes 4

7. Notifying Data Subjects 5

8. Collection for Specified, Explicit and Legitimate Purposes


9. Adequate, Relevant and Non-Excessive Processing 6

10. Accurate Data 6

11. Storage Limitation 6

12. Data Security 6

13. Transferring Personal Data to a Country Outside the EEA


14. Disclosure and Sharing of Personal Information 8

15. Dealing with Subject Access Requests 8

16. Changes to this Policy 9

APPENDIX 1: Data Processing Activities 10

APPENDIX 2: Conditions for Processing Personal Data 11

APPENDIX 3: Conditions for Processing Special Categories of Personal Data


APPENDIX 4: Rights of Data Subjects 13

APPENDIX 5: European Economic Areas & the US 14


1.1 Everyone has rights with regard to the way in which their personal data is

handled. During the course of our activities we will collect, store and process

personal data about our staff, customers, suppliers and other third parties,

and we recognise that the correct and lawful treatment of this data will

maintain confidence in the organisation and will provide for successful

business operations.

1.2 Data users are obliged to comply with this policy when processing personal

data on our behalf. Any breach of this policy may result in disciplinary action.

1.3 This policy has been drafted in line with the General Data Protection



2.1 The types of personal data that Swansea City AFC may be required to handle

include information about employees, current, past and prospective suppliers

and customers and others that we communicate with. The personal data,

which may be held on paper or on a computer or other media, is subject to

certain legal safeguards specified in the General Data Protection Regulations

(“the GDPR”) (and whilst still in force and until repeal and replacement the

Data Protection Act 1998 (“the Act”)) and other associated regulations.

2.2 This policy and any other documents referred to in it sets out the basis on

which we will process any personal data we collect from data subjects, or that

is provided to us by data subjects or other sources.

2.3 This policy does not form part of any employee's contract of employment and

may be amended at any time.

2.4 This policy sets out rules on data protection and the legal conditions that must

be satisfied when we obtain, handle, process, transfer and store personal


2.5 Responsibilities:

(a) The Chairman, Huw Jenkins, has ultimate responsibility for ensuring

that Swansea City AFC meets its legal obligations in respect of data

protection. However, the Chief Finance Officer, Gareth Davies,

oversees data protection day to day.

(b) The Data Protection Officer, Rebeca Storer, is responsible for:


(i) Reviewing all data protection policies and procedures

(ii) Keeping the board and senior management updated with all

data protection responsibilities, risks and issues.

(iii) Arranging data protection training and guidance

(iv) Handling any data protection questions and queries

(v) Dealing with subject access requests and data breach


(vi) Ensuring all company processing operations are sufficiently

secure and compliant with all legislation

(vii) Ensuring accuracy and integrity of data

(c) Staff are responsible for ensuring that they handle data as set out in

this policy and the Data Security Policy, reading guidance notes

distributed to them and ensuring they understand the requirements

therein and that they make themselves fully accountable for their



3.1 Data is information which is stored electronically, on a computer, or in certain

paper-based filing systems.

3.2 Data subjects for the purpose of this policy include all living individuals about

whom we hold personal data. A data subject need not be a UK national or

resident. All data subjects have legal rights in relation to their personal


3.3 Personal data means any information relating to an identified or identifiable

natural person ('data subject'); an identifiable natural person is one who can

be identified, directly or indirectly, in particular by reference to an identifier

such as a name, an identification number, location data, an online identifier or

to one or more factors specific to the physical, physiological, biometric,

genetic, mental, economic, cultural or social identity of that natural person;

3.4 Data controllers are the people who or organisations which determine the

purposes for which, and the manner in which, any personal data is

processed. They are responsible for establishing practices and policies in line

with the GDPR. We are the data controller of all personal data used in our

business for our own commercial purposes.


3.5 Data users are those of our employees whose work involves processing

personal data. Data users must protect the data they handle in accordance

with this data protection policy and any applicable data security procedures at

all times.

3.6 Data processors include any person or organisation that is not a data user

that processes personal data on our behalf and on our instructions.

Employees of data controllers are excluded from this definition but it could

include suppliers which handle personal data on Swansea City AFC’s behalf.

3.7 Processing is any activity that involves use of the data. It includes obtaining,

recording or holding the data, or carrying out any operation or set of

operations on the data including organising, amending, retrieving, using,

disclosing, erasing or destroying it. Processing also includes transferring

personal data to third parties.

3.8 Special Categories of Personal Data includes information about a person's

racial or ethnic origin, political opinions, religious or similar beliefs, trade union

membership, physical or mental health or condition or sexual life, or about the

commission of, or proceedings for, any offence committed or alleged to have

been committed by that person, the disposal of such proceedings or the

sentence of any court in such proceedings. Special Categories of Personal

Data can only be processed under strict conditions, including a condition

requiring the express permission of the person concerned.


Article 5 of the GDPR requires that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to


(b) collected for specified, explicit and legitimate purposes and not further

processed in a manner that is incompatible with those purposes; further

processing for archiving purposes in the public interest, scientific or historical

research purposes or statistical purposes shall not be considered to be

incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary in relation to the

purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; every reasonable step

must be taken to ensure that personal data that is inaccurate, having regard

to the purposes for which they are processed, are erased or rectified without


(e) kept in a form which permits identification of data subjects for no longer

than is necessary for the purposes for which the personal data is processed;

personal data may be stored for longer periods insofar as the personal data


will be processed solely for archiving purposes in the public interest, scientific

or historical research purposes or statistical purposes subject to

implementation of the appropriate technical and organisational measures

required by the GDPR in order to safeguard the rights and freedoms of


(f) processed in a manner that ensures appropriate security of the personal

data, including protection against unauthorised or unlawful processing and

against accidental loss, destruction or damage, using appropriate technical

or organisational measures.


5.1 The GDPR is not intended to prevent the processing of personal data, but to

ensure that it is done fairly and without adversely affecting the rights of the

data subject.

5.2 For personal data to be processed lawfully, they must be processed on the

basis of one of the legal grounds set out in the GDPR. These include, among

other things, the data subject's consent to the processing, or that the

processing is necessary for the performance of a contract with the data

subject, for the compliance with a legal obligation to which the data controller

is subject, or for the legitimate interest of the data controller or the party to

whom the data is disclosed. When a special category of personal data is

being processed, additional conditions must be met. When processing

personal data as data controllers in the course of our business, we will ensure

that those requirements are met.

5.3 To ensure fair and transparent processing of personal data we, as the data

controller, shall provide the data subject with the following information:

(a) The period of time that the data will be stored;

(b) The right to rectification, erasure, restriction, objection;

(c) The right to data portability;

(d) The right to withdraw consent at any time;

(e) The right to lodge a complaint with a supervisory authority;

(f) The consequences of the data subject failure to provide data;

(g) The existence of automated decision-making and the anticipated

consequences for the data subject.


6.1 In the course of our business, we collect and process the personal data set

out in Appendix 1. This data will include data we receive directly from a data


subject (for example, by completing forms or by corresponding with us by

mail, phone, email or otherwise) and data we receive from other sources

(including, for example, business partners, sub-contractors in technical,

payment and delivery services, credit reference agencies and others).

6.2 We will only process personal data for the specific purposes set out in

Appendix 1 or for any other purposes specifically permitted by the GDPR. We

will notify those purposes to the data subject when we first collect the data or

as soon as possible thereafter.


7.1 If we collect personal data directly from data subjects, we will inform them


(a) The purpose or purposes for which we intend to process that

personal data.

(b) The types of third parties, if any, with which we will share or to which

we will disclose that personal data.

(c) The means, if any, with which data subjects can limit our use and

disclosure of their personal data.

7.2 Where personal data has not been obtained directly from the data subject, we

shall advise the data subject of the following:

(a) The identity and contact details of the controller and their


(b) The contact details of the Data Protection Officer;

(c) The purposes, as well as the legal basis of the processing;

(d) The categories of personal data concerned;

(e) The recipients of the personal data, where applicable;

(f) The fact that the controller intends to transfer personal data to a third

country and the existence of adequacy conditions.

7.3 We will also inform data subjects whose personal data we process that we

are the data controller with regard to that data, and who the Data Protection

Officer is.


Any personal data collected will be collected for a specified, explicit and

legitimate purpose and not further processed in a manner that is incompatible

with those purposes.


Further processing for archiving purposes in the public interest, scientific or

historical research purposes or statistical purposes shall not be considered to

be incompatible with the initial purposes.


We will only collect personal data to the extent that it is required for the

specific purpose notified to the data subject.


We will ensure that personal data we hold is accurate and kept up to date.

We will take every reasonable step to ensure that personal data that is

inaccurate, having regard to the purposes for which they are processed, are

erased or rectified without delay.


11.1 We shall keep personal data in a form which permits identification of data

subjects for no longer than is necessary for the purposes for which the

personal data is processed.

11.2 Personal data may be stored for longer periods insofar as the personal data

will be processed solely for archiving purposes in the public interest, scientific

or historical research purposes or statistical purposes subject to

implementation of the appropriate technical and organisational measures.


12.1 We will take appropriate security measures against unlawful or unauthorised

processing of personal data, and against the accidental loss of, or damage to,

personal data.

12.2 We will put in place procedures and technologies to maintain the security of

all personal data from the point of collection to the point of destruction.

Personal data will only be transferred to a data processor if he agrees to

comply with those procedures and policies, or if he puts in place adequate

measures himself.

12.3 We will maintain data security by protecting the confidentiality, integrity and

availability of the personal data, defined as follows:

(a) Confidentiality means that only people who are authorised to use

the data can access it.


(b) Integrity means that personal data should be accurate and suitable

for the purpose for which it is processed.

(c) Availability means that authorised users should be able to access

the data if they need it for authorised purposes.

12.4 Security procedures include:

(a) Entry controls. Any stranger seen in entry-controlled areas should

be reported.

(b) Secure lockable desks and cupboards. Desks and cupboards

should be kept locked if they hold confidential information of any

kind. (Personal information is always considered confidential.)

(c) Methods of disposal. Paper documents should be shredded. Digital

storage devices should be physically destroyed when they are no

longer required.

(d) Equipment. Data users must ensure that individual monitors do not

show confidential information to passers-by and that they log off from

their PC when it is left unattended.


13.1 Some companies we engage with to improve the services we provide will be

based outside of the European Economic Area (“EEA”). Should this be the

case, the transfer of personal data outside the EEA will become necessary,

provided that one of the following conditions applies:

(a) The country to which the personal data are transferred ensures an

adequate level of protection for the data subjects' rights and


(b) The data subject has given their consent.

(c) The transfer is necessary for one of the reasons set out in the

GDPR, including the performance of a contract between us and the

data subject, or to protect the vital interests of the data subject.

(d) The transfer is legally required on important public interest grounds

or for the establishment, exercise or defence of legal claims.

(e) The transfer is authorised by the relevant data protection authority

where we have adduced adequate safeguards with respect to the

protection of the data subjects' privacy, their fundamental rights and

freedoms, and the exercise of their rights.

13.2 In the event of clause 13.1 being activated, personal data we hold will also be

processed by staff operating outside the EEA who work for us or for one of

our suppliers. That staff may be engaged in, among other things, the


fulfilment of contracts with the data subject, the processing of payment details

and the provision of support services.


14.1 We share personal data we hold with any member of our group, which means

our subsidiaries, our ultimate holding company and its subsidiaries, as

defined in section 1159 of the UK Companies Act 2006.

14.2 We may also disclose personal data we hold to third parties:

(a) In the event that we sell or buy any business or assets, in which case

we may disclose personal data we hold to the prospective seller or

buyer of such business or assets.

(b) If we or substantially all of our assets are acquired by a third party, in

which case personal data we hold will be one of the transferred


14.3 If we are under a duty to disclose or share a data subject's personal data in

order to comply with any legal obligation, or in order to enforce or apply any

contract with the data subject or other agreements; or to protect our rights,

property, or safety of our employees, customers, or others. This includes

exchanging information with other companies and organisations for the

purposes of fraud protection and credit risk reduction.


15.1 Data subjects must make a formal request for information we hold about

them. This must be made in writing. Employees who receive a written request

should forward it to the Data Protection Officer immediately.

15.2 When receiving telephone enquiries, we will not disclose personal data until

the identity of the data subject has been verified. Verification will involve:

(a) The data subject will be required to complete the relevant Subject

Access Request form, and;

(b) Provided Identity Documents e.g. passport, driving licence etc.

15.3 Our employees will refer a request to the Data Protection Officer for

assistance in difficult situations. Employees should not be bullied into

disclosing personal information.



We reserve the right to change this policy at any time. Where appropriate, we

will notify data subjects of those changes by mail or email.



Type of


Type of data


Purpose of which data is held and





personal data



Communicating with Employee and right to work

checks. Communicating with customers.

6 years


relating to



Recruitment, administering and managing

employment where it is or may be affected by

health. This includes obtaining, holding and

using records of absence and sickness, medical

and occupational health reports and certificates,

making adjustments to your working

arrangements, making decisions on your

capacity for work and continuing employment,

providing insurance benefits.

6 years (or

in the case

of a player,

as long as

they are


with the



relating to

gender, race

and ethnic


Employee /

Customer /



Ethnic monitoring, ensuring equal opportunity

(such data is held anonymously). Information

may also be apparent on photographs and

CCTV which is operated for security reasons.







relating to


offences and




Recruitment and managing employment in the

light of any criminal offence or alleged offence,

making decisions on continuing employment e.g.

DBS checks

3 years



personal data

Employee /

interviewee /


Original purpose for obtaining data e.g. CVs

6 months



by the Club



Employee For salary payment purposes

If employed

by the

Club, for



and until








For security and health and safety reasons.

30 days

unless for



Credit Card


Customers For hospitality bookings






Marketing purposes – opt-in option

Unsubscribe option

3 years



Article 6 of the General Data Protection Regulations

Article 6 of the GDPR requires personal data to be processed fairly and lawfully, and,

not to be processed unless one of the conditions (below) is met.

6(1)(a) Consent of the data subject

6(1)(b) Processing is necessary for the performance of a contract with the

data subject or to take steps to enter into a contract

6(1)(c) Processing is necessary for compliance with a legal obligation

6(1)(d) Processing is necessary to protect the vital interests of a data subject

or another person

6(1)(e) Processing is necessary for the performance of a task carried out in

the public interest or in the exercise of official authority vested in the


6(1)(f) Necessary for the purposes of legitimate interests pursued by the

controller or a third party, except where such interests are overridden

by the interests, rights or freedoms of the data subject.

In practice this means that organisations must:

a) Have legitimate grounds for collecting and using personal data

b) Not use the data in ways that have unjustified adverse effects on the


c) Be transparent about how it is intended to use the data by providing

appropriate privacy notices when collecting personal data

d) Handle personal data only in ways they would reasonably expect

e) Make sure no unlawful activities are carried out with the data



Article 9 of the General Data Protection Regulations

Article 9 of the GDPR sets out the legal bases available for processing special

categories of personal data:

9(2)(a) Explicit consent of the data subject, unless reliance on consent is

prohibited by EU or Member State law

9(2)(b) Processing is necessary for carrying out obligations under employment,

social security or social protection law, or a collective agreement

9(2)(c) Processing is necessary to protect the vital interests of a data subject or

another individual where the data subject is physically or legally incapable

of giving consent

9(2)(d) Processing carried out by a not-for-profit body with a political,

philosophical, religious or trade union aim provided the processing relates

only to members or former members (or those who have regular contact

with it in connection with those purposes) and provided there is no

disclosure to a third party without consent

9(2)(e) Processing relates to personal data manifestly made public by the data


9(2)(f) Processing is necessary for the establishment, exercise or defence of

legal claims or where courts are acting in their judicial capacity

9(2)(g) Processing is necessary for reasons of substantial public interest on the

basis of Union or Member State law which is proportionate to the aim

pursued and which contains appropriate safeguards

9(2)(h) Processing is necessary for the purposes of preventative or occupational

medicine, for assessing the working capacity of the employee, medical

diagnosis, the provision of health or social care or treatment or

management of health or social care systems and services on the basis of

Union or Member State law or a contract with a health professional

9(2)(i) Processing is necessary for reasons of public interest in the area of public

health, such as protecting against serious cross-border threats to health

or ensuring high standards of healthcare and of medicinal products or

medical devices

9(2)(j) Processing is necessary for archiving purposes in the public interest, or

scientific and historical research purposes or statistical purposes in

accordance with Article 89(1)



Articles 12 – 22 of the General Data Protection Regulations give rights to individuals

in respect of the personal data that organisations hold about them. These include:

 The right to be informed

 The right to access

 The right to rectification

 The right to erasure

 The right to restrict processing

 The right to data portability

 The right to object

 Rights in relation to automated decision making and profiling

The right of subject access is a wide-ranging and unless a relevant exemption

applies an individual is entitled to see their personal data contained in all locations,


 Appraisal records

 Minutes of meetings

 Emails stored on any systems in the workplace

 References received from third parties

 Disciplinary records

 Sickness records

 Performance review notes

 Interview notes

Individuals are only entitled to see their own personal data and are not entitled to

receive any information which relates to anyone else.

For Data Subject requests (apart from amendments to personal data and Subject

Access Requests) made in person, over the phone or via email the following form will

need to be completed. Identification will be requested. The request will be allocated a

number which the individual will be provided with for future reference. Once the

request has been processed, only the lower section of this form will be retained.

All requests will be monitored and fulfilled by the Data Protection Officer and

processed within 48 hours.

For those who use the unsubscribe option on an email received from the Club, the

request will be processed within 24 hours.



There are no restrictions on the transfer of personal data to EEA countries.

These are currently:

Austria Greece Norway

Belgium Hungary Poland

Bulgaria Iceland Portugal

Croatia Ireland Romania

Croatia Italy Slovakia

Czech Republic Latvia Slovenia

Denmark Liechtenstein Spain

Estonia Lithuania Sweden

Finland Luxembourg

France Malta

Germany Netherlands

The European Commission has decided certain countries have an adequate level of

protection for personal data. Currently, the following countries are considered as having

adequate protection

Andorra Guernsey New Zealand

Argentina Isle of Man Switzerland

Canada Israel Uruguay

Faroe Islands Jersey

Personal data sent to the United States of America under the ‘Privacy Shield’ is considered by

the European Commission to be adequately protected.

When a US company is certified under the Privacy Shield, they agree to follow the 7

principles of data handling:

1. Notice

2. Choice

3. Accountability for Onward Transfer

4. Security

5. Data Integrity and Purpose Limitation

6. Access

7. Recourse, Enforcement and Liability