Privacy Portal - Supporters - International Data Transfers

How do we use your data?​

There may be many reasons why an international transfer of personal data is​ necessary, however this would typically be:​

• Services are provided internationally, meaning data needs to be transferred to​ those countries for the service to be delivered.​

A supplier’s operation is based internationally, meaning that data held by the​ supplier would be processed in their country of origin.​

• Data is hosted internationally. As data can be accessed online globally, one of​ the most common purpose for international data transfer is related to where electronic data is physically stored.​

What are the safeguards?​

Safeguards in respect of international data transfers are not technical controls but legal or contractual protections of your information rights. This ensures that you continue to have a level of protection essentially equivalent to that under the UK GDPR.​

​The specific safeguards are dependent upon the country data is transferred to, and the nature of the data. Generally, the safeguards are:​

• Adequacy – this is the term used for countries which have a level of data protection essentially equivalent to UK GDPR. Adequacy has been granted to:​
• the European Economic Area (the EU and EFTA countries),​
• Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.​
• Japan (private sector only)​
• Canada (limitations apply)​
• Standard Contractual Clauses (“SCCs”) - The SCCs contain contractual obligations on data exporters (which would be Everton) and data importers (the international suppliers or sub-contractors). The SCCs preserve your information rights which can be directly enforced against Everton and the data importer.​
• Derogations – the GDPR derogations are a limited set of circumstances which permit international data transfers in the absence of other safeguards. These would most commonly be:​
• Explicit Consent – Everton can transfer your personal data if you consent, having been informed of the risks.​
• Contract – this derogation may apply if personal data needs to be transferred for a contract between you and Everton, or for a contract between Everton and a third party, which is in your interests. This may include Everton booking accommodation for international trips.​

​

There are other safeguards under UK GDPR, however such additional safeguards are not routinely used or applicable to Everton services.​

Is consent required?​

Your consent is only required if the transfer safeguard is explicit consent. Everton do need to inform you of the transfer and the associated risks; these are outlined in this document. There must be a lawful basis (“purpose”) to process your information, however consent is only one of the available purposes.​

What other safeguards are there?​

In addition to the legal protections to your rights, Everton will also apply technical protections to your personal data. The technical safeguards are appropriate to the level of data and risk of the transfer; however, this will include:​

• Encryption.​
• Access controls.​
• Data minimization.​
• Due diligence on suppliers and sub-processors.​

Does this affect information rights?​

Your information rights should not be adversely affected by an international data transfer.​

What is the legal requirement being met for this activity?​

Transfers of personal data to third countries or international organisations – Article 44 – 49 UK GDPR.​

Where can I find more information​

More information about your rights and how we use personal data is available from  https://www.evertonfc.com/privacy-portal/ ​