2 About Us
3 Management Responsibility
4 Information we collect and what we do with it
5 Data Relating to Children
6 Fair and Lawful Processing
7 Personal Information and the Internet
8 Data Accuracy and Updates
9 Data Enrichment
10 Electronic Marketing
11 Data Retention
12 Information Rights
13 Access to Data
16 Information Disclosures
17 Information Sharing
18 Transfers of Information outside Europe
19 Information Security Arrangements
20 Data Processing Equipment and Media
21 Destroying Data, Media, and Equipment
23 Training and Awareness
24 Information Risk Management
25 Audit and Management Reporting
27 How to Contact Us
1.5 We can be contacted by using the contact details at section 27.
2.1 We operate Everton Football Club, arrange football matches, manage the stadium facilities; operate a range of supporter services, including ticketing and marketing, and are responsible for operating a range of core services that enable us and other members of the wider Everton Football Club group of companies to run efficiently.
2.2 We recognise our responsibilities as a provider of services which involve the processing of personal information and we take great care to protect the personal information that we process. We operate and maintain a comprehensive information governance management system comprising several policies and procedures, a record keeping system, document management system, internal audits and periodic external audits.
2.3 We are registered as a data controller in the United Kingdom and our registration number is Z5476849. Refer to the Information Commissioner’s Office (ICO) website www.ico.org.uk ‘Register of Data Controllers’ for further information.
3.1 The Chief Executive Officer has overall responsibility for our privacy and data protection compliance. The Head of ICT is responsible for the application of our privacy and data protection arrangements. The Club’s Governance Committee is chaired by the Finance Director and is responsible for monitoring the privacy and data protection (’PDP’) record keeping system; ensuring our day-to-day work practices conform to the high standards we expect; and for reporting through the Head of ICT to the Chief Executive Officer the standards maintained regarding our information governance.
4.1 We collect a wide variety of personal information from a wide range of sources in order to run our business activities. We maintain a register of data collection activities and perform periodic reviews of our data collection activities and processes in order to test that they conform to our expectations. We aim to only collect information that is necessary for us to perform our business operations efficiently and effectively. We periodically review our data collection arrangements.
4.2 We aim to provide any person whose information we are collecting with sufficient information so that they know who is collecting their information and what we intend to do with it. If this information is not obvious from the data capture mechanism, we may choose to provide this information in the form of a Privacy Statement or Fair Processing Notice on or linked to a data capture form.
4.3 Below are listed some of the data sources we use, the nature of the data we collect and the reasons why we collect and process it.
4.4 Customer Data. In order to provide the services that we are engaged to provide by our customers (such as selling tickets to football matches) we collect, store and use personal information disclosed to us via the Club’s websites, telephone conversations, shops and premises. The data that we collect for these purposes includes names and addresses, dates of birth, contact information such as phone numbers and email addresses and financial information such as credit/debit card information. Where appropriate we also collect details of any disability or health needs you may have to help ensure your safety. We use this information primarily to process ticket purchases and for stadium safety management during events. We also use this information to undertake marketing activities such as building a profile of our customers. We share most of this data with other members of the Everton Football Club group, including Everton Lottery and Everton in the Community so that they can also build a profile of their customers. We also share some of this data with third parties including our Club sponsors and commercial partners to allow them to carry out marketing activities with the Club. We will not share your personal information or use it to contact you if you ask us not to. However, we sometimes share this information with other third parties for the purposes of crime prevention and the prosecution of offenders. Information of this nature is recorded and stored in specialist database systems.
4.5 Financial Information. We use your financial information to process payments for products and services that are purchased from us and for fraud detection and prevention. We maintain an appropriate accreditation under the PCIDSS (Payment Card Industry Data Security Standard) in order to apply high standards of information governance for financial information that we process.
4.6 Employee Data. As an employer we collect and process information about applicants for jobs and details about the people that we employ. In the case of some of our employees such as football players we collect medical information and location data. Some of this information is used to monitor the players’ medical condition and athletic performance.
Other Data Collection
4.7 We use ‘cookies’ on our web sites that allow us to recognise returning system users and customise their experience. Cookies can collect and use data. Please see section 14 below for full details of the type of cookies we use, why and how we obtain your consent to use them.
4.8 We operate CCTV systems at our stadium which collect data to help us to maintain a safe environment within the stadium during events. We also use the CCTV information for the purposes of security and crime prevention.
4.9 We operate a policy of call recording of both inbound and outbound calls to allow us to monitor and review calls for training purposes and for the purpose of handling customer complaints.
4.10 We employ third parties to provide some Club’ branded services including catering and retail operations. We expect the providers of such services to share with us any information that they collect while operating such services to allow us to build up a picture of the products and services that each customer buys.
4.11 We use the entire collected data set to analyse customer behaviour to help us to improve our products and services, to build a profile for each customer, and to predict customer interest/behaviour.
5.1 We know that the Club is attractive to children and young people and that we collect and process their personal information through the course of our activities. We attempt to collect date of birth information on data capture forms to allow us to identify young people and to treat data relating to young people and adults separately. We encourage young people to obtain the consent of their parents or legal guardian before submitting their personal information to us.
6.1 Our policy is to process personal information in a fair, transparent and lawful manner.
6.2 In general, we aim to only process personal information with the consent of the data subject. In most cases people will complete a data collection form and submit it to us. We aim to provide sufficient information regarding how we will use the data at the point data is collected to allow the person who is completing the form to make an informed choice whether or not to give us their personal information.
6.3 In exceptional circumstances we may process personal information without the consent of the data subject and will rely on the exemptions set out in the Data Protection Act 1998 (‘the Act’) that allow for this or on our legitimate interests to process personal information as a business. In the latter case we would always seek to consider our interests with the rights of individuals in order to make a balanced judgement whether to process personal information without the consent of a data subject.
7.1 Everton operates a number of websites some of which facilitate fans of the Club to interact with each other socially. This may allow them to exchange views and opinions about the Club and each other. We require all users of our websites to register with us before they are allowed to use our social media facilities and in doing so agree to a code of use which sets out appropriate standards of behaviour. The information that we collect from web registrants is used to maintain a list of registered users. We monitor the information that is shared in Everton chat forums and take appropriate action against users who are not conforming to the code of use.
7.2 Information including personal information that is posted on the Everton website is publically disclosed. As such we strongly advise website users to think carefully about information that they post.
7.3 We will endeavour to remove any information from our websites requested by website users if 1) it relates to them and was not posted by them; 2) it was posted by them; or 3) it is deemed to be inappropriate by us.
8.1 It is our policy to expect those who provide us with their personal information to keep us informed of any changes to the information that we may hold about them. If data subjects bring inaccuracies to our attention we will apply corrections to the data that we hold about them.
9.1 On occasions we attempt to enrich the data that we have collected through our own activities with information from other sources to help us to more accurately profile our customers and prospects.
10.1 We maintain a computer-based preference centre system to manage the contact preferences of our customers in order to satisfy our obligations under the Privacy and Electronic Communications Regulations 2011. We operate several customer touch points and the preference centre is designed to maintain a set of master preferences for email, telephone, and mail marketing.
10.2 Where you have given your consent, we will use the information you provide to send you information and offers relating to, and/or from, the Club, the Club’s commercial partners and group companies. A full list of the Club’s commercial partners is available on our website.
10.3 Each data collection activity will normally contain a mechanism for customers to opt out of the Club contacting them with club marketing information. Customers may change their preferences by contacting us at via the contact details at section 27 below.
11.1 We maintain a Data Retention Policy in which our retention periods are defined – in general we retain personal information for as long as is necessary to fulfil the purposes for which it was collected and/or in order to comply with our legal obligations. Once personal information passes its retention deadline it is deleted and destroyed in accordance with our Data Destruction Policy.
12.1 We are aware of the rights of individuals as set out in the Act and in general of the right to fair processing of their information and we aim to uphold those rights in the processing that we undertake and in our approach to information governance.
12.2 You have the right to:
• see a copy of the information that we hold about you;
• ask that the information we hold about you is corrected;
• ask that we stop sending you marketing information; and
• request that we remove your personal information from our database.
12.3 We apply a policy of levying a fee for any request from you to see a copy of the information that we hold about you (known as a subject access request), this is currently £10.00. For further information about our information governance regime or to exercise any of your information rights please write to us as set out at the address below.
13.1 We control access to data on a need-to-know basis to ensure that our employees and agents only have access to the information that they need to perform their job/function. Employees are required to sign an Acceptable Use Policy before they are allowed to use the Club’s IT assets and process the Club’s data.
14.1 In common with many other website operators, we may use standard technology called 'cookies' on the Club websites. Cookies are small pieces of information that are stored by the browser on a computer's hard drive and they are used to record how people use and navigate websites.
14.3 We use the following categories of cookies on the Club websites:
· Category 1: Strictly Necessary Cookies
These cookies are essential in order to enable you to move around the Club websites and use its features. Without these cookies, services you have asked for such as remembering your login details or shopping basket items cannot be provided.
· Category 2: Performance Cookies
These cookies collect anonymous information on how people use the Club websites. For example, we use Google Analytics cookies to help us understand how customers arrive at the Club websites, browse or use the Club websites and highlight areas where we can improve areas such as navigation, shopping experience and marketing campaigns. The data stored by these cookies never shows personal details from which your individual identity can be established.
- Category 3: Functionality Cookies
These cookies remember choices you make such as the country you visit the Club websites from, language and search parameters such as size, colour or product line. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.
- Category 4: Targeting or Advertising Cookies
- Category 5: Social Media Cookies
These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. The cookies are usually placed by third party advertising networks. They remember the websites you visit and that information is shared with other parties such as advertisers. For example, we use third party companies such as addthis.com, LiveRail and adtech to provide you with more personalised adverts when visiting other websites.
14.4 Most browsers automatically accept cookies, but you can usually change your browser to prevent cookies being stored. Please note, if you do turn cookies off this will limit the service that we are able to provide to you and may affect your visitor experience.
14.5 For further information on cookies and how to switch them off see: www.allaboutcookies.org.
15.1 Where we use third parties to process personal information we do so only within the framework of a written agreement setting out the responsibilities and obligations of each party. We undertake appropriate due diligence prior to appointing any sub processors which may involve us inspecting their data processing site and arrangements. We require all of our sub processors to maintain a high level of governance in respect of any data that we are responsible for.
16.1 We are sometimes asked to disclose personal information as a one-off exercise and we maintain a policy on information disclosures. In the case of a data subject requesting information about themselves we may treat this as a subject access request and we will follow our subject access request procedure.
16.2 Where we are requested to disclose personal information by third parties (e.g. a public authority) we will follow our Third Party Disclosures Policy.
16.3 It is our policy to log all information disclosure requests that we receive.
17.1 We routinely share some of the information that we collect with third parties and maintain an Information Sharing Policy. A privacy risk assessment process is maintained to enable us to objectively consider information sharing requests. Information sharing is only carried out under the scope of an information sharing agreement binding on all relevant parties.
17.2 In general, most of the Club’s general personal information is shared amongst other members of the wider Everton Football Club group, including Everton Lottery and Everton in the Community. Sensitive personal information is generally not shared unless there is a compelling and lawful reason to share such information.
17.3 Some information that we collect is shared with external third parties such as Club sponsors and commercial partners for them to present relevant offers to you.
18.1 As a matter of policy we aim to not to transfer any personal information that we are processing outside of the European Union unless (i) it is to a territory approved by the European Commission, (ii) it is to an organisation in the United States of America which is Safe Harbor accredited, or (iii) we have satisfied ourselves that the person with whom we are sharing information is able to uphold privacy and data protection principles to at least the same standard as the United Kingdom. We have a process for assessing the risk posed to the privacy of our data subjects of any overseas processing. The physical location of our data assets is recorded in our Data Asset register.
19.1 We maintain an Information Security Policy (the ‘InfoSec Policy’) which sets out the measures that we use to protect personal data that we are processing and the privacy of our data subjects. The InfoSec Policy sets out technical measures that are deployed to identify, classify and protect data and assets, access controls used to restrict access to information, testing arrangements, incident logging and management reporting.
20.1 We maintain an asset log of all of our IT equipment including network devices, servers, and PCs, and we also maintain an asset log of our data assets (e.g. key individual databases). We only use equipment of an appropriate specification and quality. We maintain appropriate technical measures to protect data that we process both in respect of storage and transit as set out in our Information Security Policy.
21.1 Once data is no longer required we ensure that it is securely and permanently deleted. We maintain a Data Destruction Policy which specifies the method(s) that we use to destroy data.
21.2 When storage media becomes retired it is securely destroyed. Our Data Destruction Policy sets out the method(s) that we may use to clean and destroy storage media.
21.3 When computers and other data processing equipment is no longer required we ensure that it is appropriately disposed of in accordance with our IT and Data Asset Management Policy and Procedures.
22.1 We maintain a policy of logging and investigating all information security incidents and near misses. Our Information Incident Policy and Procedure sets out the scope of what we log, how we investigate issues, and the circumstances under which we might report or notify any third parties about such issues. Our aim is to learn from these issues in order to enable us to continually improve our information handling.
23.1 We undertake regular staff training about data protection and privacy. All new employees receive data protection training as part of their induction and all other staff are required to attend periodic refresher training. We maintain records of all training that we undertake. We also undertake regular data protection and privacy awareness activities to keep the matter front of mind for all of our staff.
24.1 We have a policy of applying a risk assessment process to any major decisions we are considering that affect the data we are processing (e.g. changing supplier or major platform functionality). We maintain a log of privacy impact assessments.
25.1 Our Information Audit and Management Reporting Policy sets out the scope of the internal and external audits that we undertake to monitor compliance with the Act, and conformance with our own work practices to our policies. We undertake periodic internal audits and an annual external audit using a specialist data protection consulting firm. All audit reports are logged and maintained in a register – audit actions are logged, actioned, and verified as complete. The Head of ICT is responsible for the application of our privacy and data protection arrangements.
Head of ICT
Everton Football Club
Liverpool L4 4EL
Tel: 0151 556 1878
Email: Click the following link http://www.evertonfc.com/functional/contact-us