The EFL is committed to protecting the privacy and security of your personal data. ‘Personal data’ is essentially information from which an individual person can be identified.
This privacy notice (“Notice”) describes how we collect and use personal information about you in a range of circumstances. You should read this Notice together with any other privacy information which may be provided on the specific occasions when personal data about you is collected by the EFL. This Notice supplements any other notices and is not intended to override them.
The Notice is set out in sections so you can click through to the specific areas you want to know. The detail is in each section, along with a quick read summary where relevant:
In brief… the EFL is the organiser of various football competitions in the United Kingdom, and has 72 member clubs. For further details about the EFL and its group companies, click here. Details of our Data Protection Officer can be found below.
The EFL organises and administers the Sky Bet EFL, Carabao Cup and Checkatrade Trophy along with certain other competitions and events from time to time. Click here for company information about the EFL and other companies in the EFL group. References to “we”, “us” and “our” in this Notice are all references to the EFL.
Where personal data is collected for the purposes set out in this Notice, the EFL will usually be a ‘data controller’ under data protection law applicable in the EU (“Data Protection Law”). That means we decide the purposes and manner in which your data is used – as set out in this Notice. Sometimes however, we may only be using your personal information as directed by other organisations in which case that organisation will tell you why and how your data is used.
Contact details for the EFL’s Data Protection Officer can be found in the “Who can you contact for further details?” section below.
This Notice does not apply where another privacy notice or policy of ours applies to your specific circumstances. This may include, for example, in the circumstances set out in this section.
Job Applicants & Staff
This Notice does NOT apply where you are applying for work with us, in which case the Candidate Privacy Notice will apply. A separate Staff Privacy Notice will apply, if you are successful.
Players & Regulated Persons
In brief…information which identifies you, contact information, financial or transactional information, data which builds a profile about you, and/or information about your communications with us. We use safeguards for any collection of children’s data.
We may collect, use, store and transfer different kinds of personal data about you. For the purpose of this Notice we have grouped these together as follows:
Special Categories of Personal Data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We generally limit our collection of this information – see below for further information.
If you fail to provide personal data
Receipt of services, products, opportunities or fulfilment of other obligations we may owe to you might require you to provide specific types of information. Where you fail to provide that information, we may not be able to enter or perform the relevant contract or specific obligation we have, or allow you to engage in the opportunity.
We understand that children and young people, including those under 13 years of age (“minors”), may interact with us. Minors may need their parent or guardian’s permission to use or access certain facilities, opportunities or receive certain information from us. Minors may also be asked to confirm they have that permission, and we reserve the right to verify parental or guardian consent, where required.
We try not to make a minor's participation in activities with us contingent on the minor disclosing any more personal information than is reasonably necessary in order to do so. We do not actively market to minors or use (or pass to any third party) personal information on persons known to be minors for any commercial purposes, without proper consent.
Other age restrictions may apply to certain products, services or opportunities we make available from time to time.
In brief… through direct interactions with you or your organisation, shared platforms and databases, others in the football industry, and relevant third parties and publicly available sources. Some data passes through our contractors systems before coming to us.
We use different methods to collect data about you, including through:
We may also supplement the information collected with other information that we obtain from our dealings with you or which we receive from other organisations such as our group companies.
In brief… To deliver or receive services, products or opportunities to or from you or your organisation; run our events and competitions; take or make payments; make relevant publications or announcements; manage and improve our operations; communicate with you; protect and enforce our legal rights or those of others; marketing (only where you have agreed for electronic direct marketing); administer, analyse and improve our operations. We process special categories of data only where the law allows.
Several legal grounds apply to our use of your data, depending on which of the above purposes we use it for. These may include where: we need to perform any contract with you; we need to comply with legal requirements; you consent; or where necessary for our legitimate interests, but balanced against your rights.
We use information about you for the following purposes:
We take our obligations to safeguard vulnerable people seriously, including youth players and other children. We do this by collecting/accessing and analysing records of incidents and allegations of abuse, exploitation or inappropriate conduct, and preventative measures by reference to the law and our rules and regulations. We may collect and process personal data (including from public sources) without your knowledge where this is required and/ or permitted by law.
We also operate CCTV at our office premises for security purposes (see below).
Processing for these purposes will usually be necessary (i) for our legitimate interests in running our business and systems in a secure manner, protecting rights and property (including intellectual property), and preventing or tackling illegal activity or (ii) to comply with a legal obligation.
We only do this through email, sms, automated phone calls or online direct messaging (such as using any direct private message facility i.e. social media messaging) where you have agreed, so this is on the basis of your consent. You can change your mind or adjust your preferences any time afterwards either in your personal profile page (also known as a ‘preference centre’) which is accessible from all of our emails, or emailing us at email@example.com. We will also stop sending these in direct response to any other express communication from you asking to do so.
We may use tools to measure the effectiveness of our communications, including whether you open, delete, or access links contained in the communications, and the browser, app or general device type used.
We may also process your personal data for other reasons, in compliance with the above rules, where this is required or permitted by law. Where we reasonably consider that we need to process your personal data for another reason that is compatible with the original purpose set out in this Notice we will do so. If that is ever the case and you wish to get an explanation as to how processing for any new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so. In some circumstances, this may require your consent.
In the occasional circumstances where we require special categories of personal data or that relating to criminal convictions, this will only be in accordance with Data Protection Law and therefore usually if:
We may also collect special categories of personal data to be held in an anonymised form detached from your other data so does not reveal your identity. For example, if we carry our equal opportunities or similar inclusion based surveys from time to time.
In relation to any CCTV at our premises, visitors are made aware of this by appropriate signage. Cameras are located in communal areas only where necessary for the above security purposes and not in any area which would have a disproportionate intrusion on your privacy. Footage is subject to restricted access and personnel controls, stored on our secure systems and deleted at regular intervals in accordance with standard industry practice.
In brief… usually in the European Economic Area (EEA) or US but always in a manner that ensures proper security. We will only keep the minimum amount of information for as long as we need it for the purpose(s) in this Notice.
We are committed to protecting the security of your personal data, which we generally hold in secure data centres in the European Economic Area (EEA) or process through US based organisations.
In relation to personal data sent to the US, we usually check whether the Privacy Shield applies – that ensures a similar level of protection to personal data shared within the EEA. See https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en, for further details.
Some organisations to which we may disclose your personal information may be situated outside of the EEA. Whenever we transfer your personal data out of the EEA, we take reasonable steps to ensure that your information is still properly protected. This may include safeguards such as checking the relevant countries have been deemed to provide an adequate level of protection for personal data by the European Commission, or using contractual provisions to ensure your information is properly protected (certain contracts are approved by the European Commission).
We will keep the personal data you have provided only for as long as we reasonably require to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means. This is in addition to any applicable legal requirements. Details of specific retention periods for different aspects of your personal data are available on request by contacting us at firstname.lastname@example.org.
For legal reasons we may have to keep basic information about our customers and suppliers (including Contact, Identity, Financial and Transaction Data) for up to seven years after they cease being customers – this is particularly for any relationship subject to payments or contract (if any).
We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
We have put in place appropriate operational, technical and security measures to reduce the risk of your personal data from being accidentally lost, used or accessed in an unauthorised way. This includes use of encryption where relevant in our and our third party service providers systems. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
If we have given you a password to access certain facilities we make available, you must keep the password safe and make sure you use secure devices, apparatus and software.
In brief… other companies in the EFL group; new owners of our business; selected contractors who help us fulfil our operations (including logistics, communications and event services; payment processing, hosting and other technical providers); affiliates in the football industry; commercial partners and sponsors of the EFL; legal bodies and vetting or compliance database operators.
We may disclose your information to third parties as follows:
We do not allow our third-party service providers to use your personal data for their own purposes unless they have legal grounds to do so;
We may have to share your personal data with the parties above for the purposes set out in this Notice. In some circumstances, there may be other lawful reasons for the third party to use your data in accordance with any privacy notice they make available to you.
We may also provide Aggregated Data to third parties. Certain details such as your name, organisation or image may be made available in relevant publications or announcements we lawfully make.
In brief… Access or object to use of your data; have your data corrected, erased, transferred or used only in a restricted way; complain to us or the Information Commissioner; withdraw consent to use of your data. Some rights are only available in limited circumstances.
Under the Data Protection Laws you may have the following rights in relation to your personal data in certain circumstances:
All requests set out in this section or other queries relating to this Notice should be addressed to the EFL, see the “Who can you contact for further details?” section below for contact details. Please note we may not always be able to comply with your request due to our legitimate interests or other legal reasons. If applicable, these will be notified to you in response to a relevant request.
You will not usually have to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive (or we may refuse to comply with your request in these circumstances).
For security reasons, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). We may also ask you for further information in relation to your request.
If you have any concerns about how we use your data you also have the right to raise this with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (https://ico.org.uk). However we will always try to help with any concerns so ask that you contact us in the first instance.
In brief… Yes we like to ensure you are up to date about our use of your personal data. If we update this Notice we will notify you, unless the changes are minor.
We may need to update this Notice, and minor changes will be posted on this page so you should check back from time to time. Significant changes will be notified to you.
This Notice was last updated on 11 May 2018.