General Data Protection Regulation (GDPR) Overview
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection framework that sets out guidelines and rules to govern the processing of personal data within the European Union (EU) and the European Economic Area (EEA). Enforced since May 25, 2018, GDPR aims to enhance individuals’ control over their personal information and harmonise data protection laws across EU member states. It introduces robust principles governing organisations’ collection, storage, processing, and sharing of personal data, emphasising transparency, user consent, and heightened data security measures. GDPR grants individuals greater rights over their data, such as the right to access, rectify, and erase their personal information and know how their data is being used. Non-compliance with GDPR can result in significant fines, making it imperative that businesses adhere to its principles to ensure the privacy and rights of data subjects are respected.
Why GDPR is Important: Protecting Your Privacy and Empowering Users
At Footy Contacts, we prioritise the protection of your privacy and the empowerment of our users. The General Data Protection Regulation (GDPR) is not just a set of rules but a crucial framework designed to safeguard your personal data in the digital age. Here’s why GDPR is of paramount importance on our platform:
- Enhanced User Control: GDPR grants our valued users greater control over their personal data. You have the right to know what information is collected, how it’s used, and to have a say in these processes.
- Transparency and Trust: By adhering to GDPR principles, we commit to transparency in our data practices. This fosters trust between us and our users, ensuring a clear understanding of how your data is handled.
- Legal Compliance: GDPR is not just a recommendation; it’s a legal requirement. Ensuring GDPR compliance is not only ethical but also a legal obligation that reinforces our commitment to responsible data management.
- User Rights Protection: GDPR champions your rights as a user. Whether it’s the right to access your data, rectify inaccuracies, or even request its deletion, GDPR empowers you to control the fate of your personal information.
- Data Security: The UK GDPR (Article 32) requires appropriate technical and organisational measures, such as encryption, access control and the ability to restore availability after an incident, to protect personal data from unauthorised access, breaches and misuse. Our commitment to GDPR compliance means these controls are built into how we handle your data.
- Global Standard: Although it is an EU regulation (retained in the UK as the UK GDPR), GDPR also applies to organisations outside the EU that offer services to, or monitor, people in the EU, and it has shaped data protection laws worldwide. Even if you are not in the EU, you benefit from the same practices.
- Avoidance of Penalties: Non-compliance can lead to fines of up to 4% of annual worldwide turnover or €20 million (£17.5 million under the UK GDPR), whichever is higher. By following GDPR we reduce that risk and demonstrate our commitment to ethical and lawful data processing.
- User Confidence in Digital Interactions: In an era where digital interactions are integral, GDPR instills confidence in users. Knowing that their data is handled responsibly encourages users to engage more freely with our platform.
- Future-Proofing Data Practices: As technology evolves, so do data risks. GDPR provides a framework that adapts to these changes, ensuring that our data practices remain ethical, responsible, and future-proof.
By prioritising GDPR compliance, we uphold the principles of privacy, transparency, and user empowerment. Your trust is paramount to us, and GDPR is a key instrument in our commitment to providing a secure and trustworthy platform for all your football-related needs.
GDPR Terminology Glossary
- Personal Data:
Definition: Any information relating to an identified or identifiable natural person (UK GDPR Article 4(1)).
Example: Names, home addresses, email addresses that identify an individual, IP addresses, and biometric data.
- Data Subject:
Definition: The identified or identifiable individual to whom personal data relates.
Example: Website users, customers, employees.
- Data Controller:
Definition: The entity that determines the purposes and means of processing personal data.
Example: A company or organisation deciding what data to collect and why.
- Data Processor:
Definition: An entity that processes personal data on behalf of, and on the documented instructions of, a data controller.
Example: Cloud service providers, IT support companies, email delivery services.
- Processing:
Definition: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure and erasure.
Example: Analysing customer preferences, storing employee records.
- Consent:
Definition: A freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or a clear affirmative action. Pre-ticked boxes and silence do not count as consent.
Example: Ticking an unticked box to opt in to marketing emails.
- Privacy by Design:
Definition: Building data protection into systems, products and processes from the outset rather than adding it afterwards (Article 25, "data protection by design and by default").
Example: Collecting only the fields a feature actually needs, and restricting who can read them, during software development.
- Data Breach:
Definition: A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals.
Example: Unauthorised access to a database containing customer information.
- Data Portability:
Definition: The right of data subjects to receive the personal data they have provided in a structured, commonly used, machine-readable format and to transmit it to another controller.
Example: Exporting personal data from one social media platform and importing it into another.
- Right to be Forgotten:
Definition: The right to erasure (Article 17): data subjects can ask a controller to delete their personal data, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent.
Example: Deleting an online account and the personal information associated with it.
- Data Protection Officer (DPO):
Definition: A person designated to advise on and monitor GDPR compliance and to act as the point of contact for data subjects and the supervisory authority. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data.
Example: A designated staff member within an organisation.
- Privacy Impact Assessment (PIA):
Definition: The GDPR term is Data Protection Impact Assessment (DPIA, Article 35): an assessment of the risks a processing operation poses to individuals, required before starting any processing that is likely to result in a high risk to them.
Example: Evaluating the privacy implications of implementing a new customer database.
- Supervisory Authority:
Definition: An independent public authority responsible for monitoring and enforcing the application of the GDPR.
Example: The Information Commissioner's Office (ICO) in the UK.
- Sensitive Personal Data:
Definition: Special categories of personal data (Article 9) that may only be processed where one of the specific Article 9 conditions applies in addition to a normal lawful basis.
Example: Health records, religious beliefs, and biometric data when it is used to uniquely identify a person.
- Data Erasure:
Definition: Another name for the right to be forgotten above: the deletion of personal data once it is no longer necessary for the purpose it was collected for.
Example: Removing customer data after a service contract ends.
Who can you email?
Email marketing in the football industry, as elsewhere in the UK, is governed by the Privacy and Electronic Communications Regulations (PECR) alongside the UK GDPR. The UK GDPR governs the processing of personal data generally; PECR sets the specific rules for electronic marketing, including email. The EU's proposed ePrivacy Regulation was intended to replace the ePrivacy Directive that PECR implements, but it has not been adopted and has no set date; as EU legislation it would in any case not automatically change the UK rules.
Licensed (Bought-in) Data:
An email address that identifies an individual (for example firstname.surname@company), whether that person works for a corporate entity or is a sole trader or partner, is personal data, and the UK GDPR applies to its processing. Generic shared mailboxes such as info@ or sales@ that identify no individual are not personal data. The distinction between sole traders/partnerships and corporate entities arises under PECR.
PECR sets out the permission required before marketing emails can be sent. As a general rule, prior consent is needed. PECR only requires that consent for "individual subscribers", however; employees of corporate subscribers are not covered by the rule, so B2B marketing emails can be sent to them without prior consent, provided the UK GDPR is still satisfied.
In the email context, "B2B marketing" therefore excludes sole traders and partnerships: PECR treats them as individual subscribers, so consent is required to email them, just as for consumers. When licensing third-party data, check that the supplier only provides addresses at corporate subscribers for B2B marketing and can show where the data came from.
Corporate employees' email addresses can be licensed for third-party email campaigns. Legitimate interests can be the lawful basis under the UK GDPR for processing this personal data, provided the following criteria are met and the sender has weighed its interests against the recipient's and documented that balancing test:
- The recipient's organisation is a corporate body: a limited company, public limited company, limited liability partnership, or government department. Such addresses can be emailed without prior consent (e.g., joe.bloggs@examplelimited.com).
- Employees of corporates must be able to unsubscribe or opt out easily, and every message must carry that option.
- The recipient can purchase the promoted product or service in a professional capacity.
- The sender must identify itself and provide contact details; PECR prohibits disguising or concealing the sender's identity.
Footy Contacts holds one of the football industry’s largest, legally compliant email feeds. The emails provided for third-party direct marketing by Footy Contacts are corporate emails and align with the requirements of the UK GDPR.
Corporate Bodies
Any existing customer or prospect categorised as a corporate body (limited company, public limited company, limited liability partnership, or government department) can be emailed using the legitimate interest route.
When emailing a corporate body, you must:
a) Provide an easy way to unsubscribe in every message,
b) Ensure the promoted product or service is one the recipient could buy in a professional capacity, and
c) Identify your company and provide contact details.
Keep a 'do not email' suppression list and check every send against it. This is more than good practice: under the UK GDPR the right to object to direct marketing is absolute, so once a recipient opts out you must stop, and the suppression list is how you show that you did.
Further guidance on legitimate interests, including how to carry out a legitimate interests assessment, is on the ICO's website.
Sole Traders and Partnerships
For non-corporate entities such as sole traders and partnerships, two routes exist for emailing:
A) Soft Opt-In: You may email existing customers whose details you obtained in the course of a sale (or negotiations for a sale) of a similar product or service, provided they were given a clear chance to refuse marketing when their details were collected and have not opted out since. Include an opt-out option in each message and identify your company with contact details.
B) Explicit Consent: You may email existing customers or prospects who have specifically consented to receive marketing emails, typically by ticking an unticked opt-in box. Keep a record of when and how consent was given. Include an opt-out option in each message and identify your company with contact details.
Footy Contacts’ Role as Data Controller and Processor
1. Data Controller and Processor Dual Role:
- Footy Contacts is a data controller for the contact database it compiles and maintains, and a data processor when it sends communications to prospects on a customer's instructions.
2. GDPR Compliance as Data Controller:
- As controller, Footy Contacts manages the collected data in accordance with the UK GDPR.
3. Guidance for Users:
- Users can exclude EU-based contacts from their prospecting lists, which helps avoid inadvertently emailing people covered by the EU GDPR. The EU GDPR applies according to where the data subject is located, not their nationality.
4. User Transparency and Consent:
- Users who do contact EU-based individuals must be transparent about how the data will be used, obtain consent, and provide an opt-out option in every communication.
As GDPR evolves, Footy Contacts remains dedicated to compliance, with ongoing efforts to adapt to changes in laws and regulations. Users are encouraged to familiarise themselves with GDPR and seek additional support if needed, emphasising Footy Contacts’ commitment to responsible and lawful data practices.