Privacy Notice

Harrogate Town AFC Privacy Notice

At Harrogate Town, we are committed to protecting your personal information. We have published this privacy notice to ensure that you are fully aware of what personal information we collect from you, how we use it, who we share it with and what your rights are.

This privacy notice answers the following questions – please click on the links below to take you directly to the answers to each question.


1.0 Who are we?

"We", "our" or "us" means Harrogate Town AFC Limited (“Harrogate Town”). Our company number is 02523873. Our registered office is at Quay Point, Lakeside, Doncaster, DN4 5PL. We are the controller of your personal information. This means that we are responsible for deciding how we collect, store and use personal information about you. If you have any questions about this privacy notice or how we use your personal information, please contact our Data Protection Officer at [email protected]

2.0 What personal information do we collect and use and what is our legal basis for using it

Please note: where you have given us consent to use your personal information you can withdraw your consent at any time by clicking the unsubscribe button in any email correspondence we send to you or by contacting our Data Protection Officer [email protected]

2.1 Personal information from online customers and customers who visit our
ground

If you browse our website

Personal information we collect: We use both essential and non-essential cookies on our website which collect information from you such as your browsing patterns and information about the device you are using.

How we use your personal information: To inform our marketing and future business strategies. Full details of how we use cookies can be found in our cookies policy.

Legal basis for using your personal information: Information collected via essential cookies: we will use your personal information on the basis that it is in our legitimate interests to do so. We consider that this use is
If you choose to create a #MyTownPass

Personal information we collect: Your full name, phone number, email address.

How we use your personal information: To set up and administer your #MyTownPass account.

Legal basis for using your personal information: You have given us consent. If you choose to sign up to receive news, online content, marketing, deals and behind the scenes footage

Personal information we collect: Your full name, email address, contact telephone number and any marketing preferences which you might have provided to us.

How we use your personal information: To send you news, online content, marketing, deals (including details of upcoming events) and behind the scenes footage which we think you might be interested in. We may tailor the information and offers we send to you to ensure that the information and offers we are sending are relevant. For example, if you are interested in our upcoming fixtures and tickets we may tailor the information we send to you to reflect this

Legal basis for using your personal information: You have given us consent.

If you use our online store to purchase tickets

Personal information we collect: Your full name, date of birth, email address, contact telephone number, gender (optional) and payment details

How we use your personal information: To deal with the purchase of tickets using Flowte (acting as a data processor on our instruction). If you use our online store to buy a season ticket we will also collect a photo of you to ensure that it is you using the ticket

Legal basis for using your personal information: It is necessary for the performance of our contract with you.

If you use our online store to purchase merchandise

Personal information we collect: Your full name, date of birth, email address, contact telephone number, address, and payment details.

How we use your personal information: To deal with your purchase.

Legal basis for using your personal information: It is necessary for the performance of our contract with you.

If you contact our customer care team

Personal information we collect: Your full name, email address, contact telephone number, postcode and details of your enquiry or issue.

How we use your personal information: To access your account (if you have one) and to respond to you and to investigate, consider and deal with any enquiry or issue you have raised. In order to ensure that you receive our best customer service, we will retain previous conversations which we have had with you.

Legal basis for using your personal information: It is in our legitimate interests to run our business.

If you contact us to book our pitch or our 1919 Venue

Personal information we collect: Your full name, contact details, payment details and any additional relevant details related to access, use and catering (e.g. dietary requirements if these are relevant)

How we use your personal information: To arrange and manage the booking. Where you agree to book one of our venues and provide us with your email address we will use this information to send you information about our facilities, venues and upcoming events which we think you might be interested in unless you choose to optout of receiving this information.

Legal basis for using your personal information: It is necessary for the performance of our contract with you, or something we consider proportionate to do.

If you access our WiFi

Personal information we collect: Your full name and email address.

How we use your personal information: To provide you with access to our WiF

Legal basis for using your personal information: It is in our legitimate interests to control access to our WiFi and to be able to manage the security of our systems and detect if there has been any misuse on our systems.

If you access our WiFi and choose to sign up to receive news, exclusive online content, deals and behind the scenes footage

Personal information we collect: Your full name and email address, and any marketing preferences which you have provided to us when you sign up to access our WiFi.

How we use your personal information: To send you news, online content, marketing, deals (including details of upcoming events) and behind the scenes footage which we think you might be interested in. We may tailor the information and offers we send to you to ensure that the information and offers we are sending are relevant. For example, if you are interested in our upcoming events at our Ground we may tailor the information we send to you to reflect this.

Legal basis for using your personal information: You have given us consent.

If you attend our ground

Personal information we collect: We use CCTV cameras to capture images.

How we use your personal information: We collect, store and use these images for security and prevention/detection of crime, for the safety of our people at our Ground and in certain circumstances to verify information (e.g. to establish facts in relation to health and safety incidents or employment issues).

Legal basis for using your personal information: It is in our legitimate interests as a business to be able to keep our premises secure, to keep our employees and visitors safe and to verify important information. We will only use this personal information in order to maintain the security of our premises, to keep our employees and visitors safe or when using the images to verify information. This will only be done where we have cause. In addition we have put up notices informing visitors that we use CCTV, we restrict access to the images to authorised staff and we keep the personal information obtained for only a limited period of time up to 35 days.

Other personal information we collect

Personal information we collect: Personal information you have provided or we have collected.

How we use your personal information: For the purposes of bringing or defending any legal proceedings or meeting any legal or compliance obligations we have.

Legal basis for using your personal information: it is necessary for the performance of our contract with you (where it relates to a contract we have in place) or that it is in our legitimate interests as a business to be able to bring or defend any legal proceedings.

2.2 Personal Information from suppliers

Information we collect direct from suppliers

Personal information we collect: Your name, name of company of business you work for, contact details including your email address, phone number and address, and bank details of you or the business you work for (as applicable).

How we use your personal information: • To negotiate and conclude contracts for the purchase of goods and/or services from you or the business you work for • To set up you or the business you work for as one of our suppliers; • To manage the ongoing contract, including ordering, delivery, invoicing and payment; • To manage our ongoing projects which you are engaged to work on; ensure compliance with legal obligations such as record keeping obligations • To deal with any disputes

Legal basis for using your personal information: Our legitimate interests as a business to use this information to administer the contract and project which you are engaged to carry out for us. We only use your personal information for matters which relate directly to your supplier relationship with us. We do not use them outside the business context.

If you or the business you work for contracts with Strata Homes Limited to provide goods and/or services to Harrogate Town, Strata will give us

Personal information we collect: Your name, name of company of business you work for, contact details including your email address, phone number and address.

How we use your personal information: • To set up you or the business you work for as one of our suppliers • To manage the ongoing contract, including ordering, delivery, invoicing and payment • To manage our ongoing projects which you are engaged to work on • To ensure compliance with legal obligations such as record keeping obligations

Legal basis for using your personal information: To be able to contact you to discuss and manage the ongoing performance of a contract for the purchase of goods and/or services entered into with the business you work for. We only use your contact details for matters which relate directly to our relationship with the company you work for. We do not use them outside the business context.

2.3 Personal information about our Player Development Centre (PDC) and soccer camp attendees

Information we collect when a player registers to attend PDC or soccer camp​

Personal information we collect: full name; • date of birth; • home address; • next of kin and emergency contact details; • GP’s details (including name and contact details); and • school year. • grassroots football club contact details We will also collect, store and/or use more sensitive personal information which will include the player’s religion and cultural information and details of any medical conditions

How we use your personal information: To introduce the player to the academy, have someone to contact in the event of an emergency, assign them to the correct age group, and to minimise event / training clashes with grassroots football events. We will use more sensitive personal information to respect any dietary requirements and/or any religion or spiritual practice. We will use the medical information to provide medical attention or to notify medical professionals of any medical requirements in the event of an accident or emergency which requires urgent medical treatment.

Legal basis for using your personal information: Our legitimate interests to know who they are and implement the most appropriate coaching, support and safety measures for the player. Our legal basis for collecting, storing and/or using the religion and cultural information is that the player or their parent/guardian has given us their consent where this can be given. Our legal basis for using the medical information is that the player or their parent/guardian has given us their consent where this can be given or vital interests where consent is not possible.

Personal information about parents or guardians of a player

Personal information we collect: • full name; • home address; • telephone number; • email address; and • details of the payment details such as your bank account, card number and sort code which we use to make payment. • details of a secondary emergency contact name and their telephone number.

How we use your personal information: 

Legal basis for using your personal information: Our legitimate interests to a dminister the running of our PDC and summer camps and to take payment for them and to have contact details of a parent/guardian.

Other information we collect when players attend the PDC or a soccer camps

Personal information we collect: We may take photographs or videos of players during training, competitions and tournaments.

How we use your personal information: We will put these on our website to promote and celebrate the activities of the Club. We may also use them for training purposes. Training videos will not be published and will be used just with the players.

Legal basis for using your personal information: The player or their parent/guardian has provided consent for this on our Soccer Camp Information and Consent Form

2.4 Personal information about students and prospective students on our educational programmes, for example BTEC

Information we may collect from you and relevant third parties e.g. institutions providing a reference

Personal information we collect: • identification and contact details e.g. full name, date of birth, home address, email address, phone number; • information that evidences your family relationships e.g. birth certificate; • unique student number; • where appropriate, diversity and background information; • information about your student and academic life, including, courses you have completed, exam results; • information relating to your education and employment history e.g. schools attended, places worked; • information about both academic and extracurricular activities e.g. where this is applicable to assessing your place on the course; • records of communications between you and us; • records of attendance; • details of financial transactions e.g. for courses, products and services we have provided; We may also collect the following special categories of personal data where it is necessary for the purposes set out in this Notice: • information concerning your health, relevant medical conditions, dietary needs, disabilities, and learning support needs; • certain criminal convictions; and, • information about your racial or ethnic origin; religion or similar beliefs; and sexual orientation.

How we use your personal information: • administration of your application to the course including to evaluate your suitability for admission and to determine any support requirements/arrangements to enable you to study; • admission, registration and administration of your studies; • production of student photo ID cards and administration of security; • course assessment; • administration of complaints and appeals, disciplinary hearings, and similar; • administration of your social and sporting activities; • provision of support services e.g. careers advice; • consideration and granting of awards, scholarships, prizes; • administration of placements with partner institutions or organisations; • administration of Harrogate Town’s regulations and policies; • organisation of events and services (including where applicable after you complete your course); and, • the provision of products that you have requested or ordered from us.

Legal basis for using your personal information: We will process your personal data either in ways you have consented to, or because it is otherwise necessary for a lawful purpose. Your personal data will also be processed because it is necessary for Harrogate Town’s legitimate interests or the legitimate interests of a third party. This will always be weighed against your rights, interests and expectations. In addition to the above, Harrogate Town may process types of personal data that the law considers to fall into a special category (such as race, religion, health, sexual life) or criminal records information. This will be under the following circumstances: • where you have provided your explicit consent; • where such processing is necessary for the establishment, exercise or defence of legal claims or the prevention or detection of crime; • where it is necessary for statistical or research purposes; • where it is in your vital interests to do so e.g. an emergency.

t2.5 Personal information from permanent or temporary employees (N.B. professional football employees have a separate privacy notice), contractors and volunteers

2.5.1 Personal information about permanent / temporary employees and contractors

2.5.1.1 Information we collect before you start your employment

We collect, store and use the following personal information: your full name, address (including postcode), date of birth, national insurance number, email address, home telephone number, mobile telephone number, passport number, gender, bank details, drivers licence (if applicable), a copy of your P45, details of any right to work documents, details of your two referees (name, position, employer details and contact details), previous experience, details of your current employer and role, education, training and qualifications, and two emergency contacts for you (name, their relationship to you and contact phone numbers and
email address).

We may also collect, store and use “special categories” of more sensitive personal information as part of the ‘Personal Health and Capability Declaration which could include information about your health, including any medical condition or disability where this relates to your capability to perform your role.

2.5.1.2 Information we collect when you start your employment

In addition to the personal information above, we will also put together other personal information about you and store it on our internal files. This will include information about your role, salary (including any bonus you have been awarded), job specification, and location.

2.5.1.3 Information we collect during your employment

We will collect, store and use the following personal information during the course of your employment including: details of any absences you take, notes from any performance meetings, notes from any disciplinary meetings we have with you, and training records. We also collect, store and/or use your personal information to monitor access to our premises, security, health and safety and timekeeping via door access controls and CCTV. We will retain CCTV images for a period of up to 35 days. We will also collect more sensitive categories of personal information which will include information about any return to work notifications, parental leave forms, maternity/paternity/adoption information, photographs, any criminal convictions you give us details of, and any further medical information which you provide to us.

2.5.1.4 Information we receive from other sources

We collect, store and use personal information given to us by third parties such as your referees. This will include details of your employment history and references from your former employees. 

Should you answer ‘yes’ to any part of the Personal Health and Capability Declaration and complete the more detailed form as part of the new starter process, we will obtain the opinion of an independent Occupational Health specialist. The Occupational Health specialist will review your form and advise us of your fitness to work and recommend appropriate, reasonable adjustments in the workplace, should this be required.

2.5.2 Personal information we collect about our volunteers

2.5.2.1 Information we collect before you start as a volunteer

We collect, store and use the following personal information: your full name, home address, contact details, role applied for, education, experience, training and qualifications (UKCC Level 2 coaching qualification in Football, FA Emergency Aid, and FA Safeguarding Certificate), details of your two referees (name, position, and contact details), driving licence information, and work eligibility. We will also collect more sensitive categories of personal information which will include information about any criminal convictions you give us details of, and any further medical information which you provide to us.

2.5.2.2 Information we collect during your volunteering

We will collect, store and use the following personal information during the course of your coaching with us including: details of any absences you take, notes from any disciplinary meetings we have with you, and training records.

We also collect, store and/or use your personal information to monitor access to our premises, security, health and safety and timekeeping via door access controls and CCTV. We will retain CCTV images for a period of up to 35 days.

2.5.2.3 Information we receive from other sources

We collect, store and use personal information given to us by third parties such as your referees. This will include details of your experience and references from your referees.

2.5.3 How we use the personal information we collect about you and our legal basis for using it

We have set out below how we use your personal information. In addition, we have set out our legal basis to use your personal information as we need to tell you this under data protection law.

2.5.3.1 Information used for contract purposes

We will collect, store and use your personal information for the purpose of administering your contract with us.

If you are an employee, contractor, or volunteer we will use your personal information to:
• arrange for our employment, contractor or volunteer contract and new starter pack to be sent out to you and administer them;
• set the terms on which you work for us (including any flexible working arrangements and any volunteer work);
• set you up as an employee, contractor or volunteer on our systems;
• administer the contract we have entered into with you;
• keep a record of absence;
• carry out disciplinary and grievance proceedings.

If you are an employee or contractor, we will also use your personal information to:
• pay you (including expenses) where applicable;
• administer and provide your contractual benefits;
• liaise with your pension provider where applicable;
• process your holiday requests;
• keep a record of any maternity/paternity/adoption/parental leave,where applicable;
• deal with any notice to leave and to make arrangements relating to your leaving; and
• review hours worked.

If you are an employee or contractor, we will also use your personal information to:
• set up and administer apprenticeship schemes, where applicable;
• arrange for and administer education, training and development requirements;
• arrange for and administer internal recruitment, promotion and changes of roles; and
• carry out performance reviews and manage performance.

We collect, store, and use your personal information for the purposes set out above on the legal basis that it is necessary for performance of your employment, contractor or volunteer contract with us.

2.5.3.2 Information we use to run the business

We will collect, store and use your personal information for the purpose of running the business.

If you are an employee, contractor, or volunteer we will use your personal information to:
• set up an employee, contractors or volunteers directory;
• set up email communications;
• deal with legal disputes involving you, or other employees, workers, contractors, and

volunteers including accidents at work;
• investigate, pursue or defend a legal claim;
• keep our network and systems secure;
• provide references; and
• investigate and deal with whistleblowing issues or compliance matters.

If you are an employee, or contractor we will use your personal information to:
• create photographic security passes;
• arrange insurance;
• carry out business management and planning, including accounting and auditing; and
• carry out utilisation reporting (e.g. reviewing the profitability of a project by looking at how long jobs take as part of that project)

If you are an employee we will use your personal information to:
• create internal records e.g. meeting notes, records of training, time spent on projects, attendance at meetings or training, leavers and new starters; and
• analyse our data analytics studies to review and better understand employee retention and attrition rates.

The legal basis for the purposes set out above is that it is in our legitimate interests as a business to be able to use your personal information in this way to run our business and to enable you to carry out your role. We believe that this is a proportionate use of your personal information as you will see from how we use your personal information the uses are those which any well run business would ordinarily use and we will limit the personal information to that which is necessary in accordance with our General Personal Data Protection Policy (a copy of which is available on our SharePoint site.)

2.5.3.3 Information used for job performance evaluations:

We will collect, store and use your personal information for the purpose of evaluating your job performance.

If you are an employee, contractor, or volunteer we will use your personal information to:
  Keep a record of employee, contractors or volunteers skills;
• assess qualifications for a particular job or task, including decisions about promotions;
• keep a record of course completion;
• carry out job evaluation meetings; and
• make decisions about your continued role as an employee, contractor or volunteer.

If you are an employee we will use your personal information to:
• carry out annual performance reviews;
• make decisions about salary reviews and pay, where applicable;
• offer professional psychological support, where applicable;
• record individual development plans; and
• plan for succession.

Our legal basis for the purposes set out above is that it is in our legitimate interests as a business to ensure that you are capable of carrying out your role, facilitate training where necessary and assist with career progression. We consider that this is a proportionate use of your personal information as the process is designed to provide you with feedback on your performance and ensure that opportunities for development are given to all employees and the path for career progression is clear and transparent throughout the business. When carrying out the processing listed above we will limit the personal information to that which is
necessary in accordance with our General Personal Data Protection Policy (a copy of which is available on our SharePoint site.)

2.5.3.4 Information used for compliance

We will collect, store and use your personal information for compliance purposes.

If you are an employee, contractor, or volunteer we will use your personal information to:
• comply with health and safety obligations;
• prevent and detect criminal activity and fraud;
• facilitate whistleblowing; and
• comply with any other legal or regulatory requirements.

If you are an employee or contractor we will use your personal information to:
• comply with our employment obligations e.g. to check you are legally entitled to work in the UK;
• provide appropriate reasonable adjustments for employees or contractors;
• carry out audits to comply with legal requirements;
• carry out general legal reporting e.g. reporting to Companies House; and
• comply with tax and national insurance obligations.

If you are a volunteer we will use your personal information to:
• carry out DBS checks (if you are one of our academy coaches); and
• ensure child welfare and safeguarding.

Our legal basis for the purposes set out above is that we need to collect, store and/or use your personal information to meet our legal obligations.

2.5.3.5 Information used for monitoring

We will collect, store and use your personal information for the purpose of monitoring your use of our information and communication systems to ensure compliance with our company policies/compliance issues. Our legal basis for this use it that it is necessary for performance of your employment, contractor or volunteer contract with us.

We will collect, store and use your personal information for the purposes of monitoring access to our premises, security, health and safety and timekeeping via door access controls and CCTV. Our legal basis for this use is that it is in our legitimate interests as a business. We consider that it is in our legitimate interests to ensure that our premises are secure, that  people on site comply with health and safety requirements and that employees, contractors or volunteers are working during contracted hours.

We consider that this use of your personal information is proportionate because we limit our use of personal information to that which is necessary for the monitoring and do not carry out continuous monitoring of your behaviour.

More detail of how we use our IT and communication systems is set out in our Communications Policy (a copy of which is available on our SharePoint site.)

2.5.4 How we use your sensitive personal information and our legal basis for using

If you are an employee or contractor we will use the sensitive personal information to:
• investigate and report any Health and Safety incidents;
• monitor your sickness to manage absence and administer benefits;
• assess your fitness to work (relating to both physical or mental health); and
• assess your disability status to provide appropriate reasonable adjustments in the workplace.

If you are a volunteer we will use the sensitive personal information to:
• carry out DBS checks.

Our legal basis for the above purposes are as set out above and if you are an employee or contractor, on the additional condition that it is necessary for the purposes of carrying out our obligations in the field of employment law, and if you are a volunteer, on the additional condition that it is necessary for the purposes of safeguarding children.

3.0 Can we change the purpose for which we use your personal information?

We will only use your personal information for the purposes set out above unless another purpose we want to use it for is compatible with those original purposes. If we change the purpose for which we are using your personal information and you would like an explanation as to how the new purpose is compatible with the original purpose please contact our Data Protection Officer at [email protected] If we would like to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do this. 

4.0 How long will we keep your personal information?

We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal tax or accounting requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is no possible we will securely store your personal information and isolate it from further processing until deletion is possible.

Further details about our retention periods can be found in Appendices 1, 2 and 3 of this Notice. Please contact our Data Protection Officer at [email protected] if you would like any further information about our retention periods. If a dispute arises between us, we will keep your personal information for the purposes of responding to and dealing with this dispute and this may mean that we keep your personal information for longer.

5.0 Who will we share your personal information with?

We may share your personal information with trusted third parties from time to time. We will not, however, share your personal information with a third party for them to market to you unless we have your consent to do this. We do not sell any personal information to any third party so that they can send you their marketing material. We will only share your personal information with third parties where it is reasonable to do so.

IT Suppliers: We use reputable third parties to provide us with our IT systems (including our CRM system and website) and support for them. They may access your personal information to the extent that they need to in order to provide their services and deal with any issues.

With a company that we merge with or transfer our business assets to: In the event that we sell all or part of our business, or merge with another company, we may transfer personal information that we have collected as described in this notice, along with our other business assets, to the company that we are selling to or merging with.

Professional Advisors: We may also share your personal information with our professional advisors (including lawyers, insurers and/or insurance brokers) to take advice e.g. in connection with any complaint or claim which you (or the company you work for) make and to complete yours (or the company you work for) purchase, tribunals, enforcing the terms of our agreements.

With entities, companies or individuals outside our group for legal reasons: We will share your personal information with entities, companies or individuals outside our group where this is necessary to comply with any law, rule, regulation, legal procedure or governmental request that is applicable to us. We may also share your personal information with the police or other law enforcement organisations where we are required or permitted to do so.

5.1 Additional entities we share personal information with from online customers and customers who visit out ground

We have set out below the third parties we may share your personal information with. If we do this, we will put in place a contract with them which controls how your personal information may be used and which requires that your personal information is treated in accordance with data protection laws:

Card Payment Processor: If you are a customer and you purchase a product on our website, we will share your personal information with payment processing companies and/or Direct Debit providers who process our card payments to ensure that your payments are completed securely.

Delivery companies: In order to complete an order, we may share your personal information with appointed delivery service providers in order to deliver the products you have ordered.

Marketing and Media Companies: We may use reputable third parties such as Mailchimp to send out our marketing material. They may access your personal information to the extent that they need to in order to provide their services.

Sponsors and Partners: If you have consented to receiving it, we may send you, in our marketing communications, information about products and services provided by our existing partners.

5.2 Additional entities we share personal information with from suppliers

We will only share the personal information that you give us with the following third parties and for the following reasons:

With Strata Homes Limited: We may share your personal information with Strata Homes Limited in order to administer payment for goods and/or services.

5.3 Additional entities we share personal information with from employees, contractors and volunteers

We will only share the personal information that you give us with the following third parties and for the following reasons:

With customers, suppliers, players, academy players and their parents where you deal with or have contact with them: We will share relevant personal information with our customers, suppliers, players, academy players and their parents where you have contact or dealings with them as part of your role e.g. where you are their contact point for their purchase or coaching session, or where you deal with any issues or complaints which they might have.

With companies who assist with our employer obligations: We will share your personal information with our third party providers who support us in administering our employer obligations such as HR180 making payroll payments, managing maternity, adoption, paternity and parental leave and our grievance or disciplinary procedures, Aviva Workplace Pensions enrolling you on a workplace pension scheme (where applicable).

With HR180 limited for human resources: We will share your personal information with HR180, an HR company that we have outsourced our HR services to, including payroll. We will only provide HR180 with the information necessary to enable them carry out their services to us.

5.4 Additional entities we share personal information with about our Player

Development Centre (PDC) and soccer camp attendees We may share your personal information with the people set out below. We will not, however, share your personal information with a third party for them to market to you unless we have your consent to do this:

Card Payment Processor: If you are paying for the PDC or soccer camp by credit or debit card, we may share your personal information with the company which processes our card payments to ensure that your payments are completed securely.

Marketing and Media Companies: We may use reputable third parties such as Mailchimp to send out our marketing material. They may access your personal information to the extent that they need to in order to provide their services.

5.5 Additional entities we share personal information with obtained from CCTV

We will only share the personal information that you give us with the following third parties and for the following reasons:

With companies who assist us with providing security for our premises: We use reputable third parties to assist us with providing security to our UK sites. They may access your personal information to the extent they need to in order to perform their role.

With law enforcement agencies for safety and security purposes: In the event of an investigation, we may share CCTV recordings with the law enforcement agencies in order to verify identity and, if criminal behaviour is involved, take appropriate action.

5.6 Additional entities we share personal information with about students and prospective students on our educational programmes

Educational institutions who share the administration or jointly run courses with Harrogate Town.

Prospective employers or other organisations who request a reference for you.

6.0 Do we transfer your personal information outside the UK/EEA?

European Economic Area (“EEA”) countries are all EU Member countries together with Iceland, Liechtenstein and Norway. We store your personal information in the United Kingdom or in countries within the EEA. We only transfer your personal information outside the EEA 

where our third party service providers e.g. Mailchimp who we share personal information with (as set out above) are based outside the EEA.

We only transfer your personal information outside the EEA where we have a legal basis for doing so and where we require that your personal information is protected to the same standard as it would be protected in the EEA. We do this by entering into data sharing agreements with the recipients of your personal information based outside the EEA which comply with the EU Commission’s standard clauses for the transfer of personal information.

7.0 How do we keep your personal information secure?

We have put in place appropriate physical, electronic and organisational procedures to safeguard and secure the information we collect to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties (see above) who have a business need-to-know.

We have put procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally requiredto do so.

Our security procedures mean that we may request proof of identity before we are able to disclose personal information to you.

8.0 What rights do you have over your personal information?

You have a number of other rights over your personal information, which are:
1) the right to ask us what personal information we have about you and to have a copy of your personal information from us;
2) the right to ask us to correct any errors in your personal information;
3) the right to object to our legitimate interests, profiling activities and marketing communications;
4) the right to ask us to provide you with a copy of the personal information you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit that personal information to another entity where: (i) we are using your personal information on the basis of your consent or on the basis that it is necessary to perform a contract with you; and (ii) the use we are making of your personal information is carried out by automated means;
5) the right to ask us to delete your personal information where: (i) we don’t need your personal information anymore; (ii) you withdraw your consent to our use of your personal information and we have no other legal basis to keep your personal information; (iii) you have asked us to review and explain our legitimate interests to you and we don’t actually have a valid legitimate interest to do what we are doing; (iv) our use of your personal information is illegal; (v) we have to delete your personal information to comply with our legal obligations;
6) the right to ask us to restrict the use that we are making of your personal information where: (i) you don’t think the personal information we have about you is correct, so that we can check if it is correct; (ii) what we are doing with your personal information is illegal but you would rather we stop using your personal information rather than delete it; (iii) we don’t need your personal information anymore, but you need us to keep it so that you can exercise any legal rights; and (iv) you have asked us to review and explain our legitimate interests to you, so that we can check whether we actually have a valid legitimate interest to do what we are doing;
7) where our use of your personal information is based on your consent, the right to withdraw your consent at any time by contacting our Data Protection Officer at [email protected] ; and
8) the right to make a complaint at any time to the Information Commissioner’s Office (ICO), (the UK regulator for data protection issues. See www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO and so, if you are happy to do so, please contact our Data Protection Officer at [email protected] .

9.0 Does this privacy notice cover websites you link to from our website?

Links within our website to other websites, such as Facebook, Instagram and Twitter, are not covered by this privacy notice. You should review the privacy information on those other websites to find out how they may use your personal information.

10.0 How will you tell me about changes to this privacy notice?

We keep our privacy notice under regular review. Any changes we make to our privacy notice in the future will be posted on this page and if the changes will have an effect on you or the way we use your personal information we will bring them to your attention by email where appropriate. Please check back frequently to see any updates or changes to our privacy notice. This privacy notice was last updated 10 March 2021.

11.0 How can you contact us?

If you have any questions about this privacy notice or about the ways we use your personal information, please contact our Data Protection Officer at [email protected] or Harrogate Town AFC Limited, CNG Stadium, Harrogate, North Yorkshire, HG2 7SA

APPENDIX 1 Further details about retention periods

Appropriate retention of data is necessary for our operational performance and in some cases is required to fulfil statutory or other regulatory requirements.

However, the retention of data can lead to unnecessary and excessive use of electronic or physical storage space, and indefinite retention of personal data can breach the General Data Protection Regulation (2018). Harrogate Town AFC looks to ensure that records and documents are preserved in line with business and legislative requirements and that data is not retained for any longer than necessary.

Data Archiving

The rules on data archiving vary according to the format of a data record, as set out below.

Automated Electronic Records Archive: Documents, Email, Multimedia Non-statutory electronic records stored on personal drives that have not been accessed for 2 years will be automatically transferred to an electronic archive. Statutory records will be excluded from this process if they are stored in the designated departmental statutory records folder. Archived files may be accessed in read-only format through the Archive (R:\) drive until they are subsequently removed from the system, 7 years after their creation.

Physical Records Archive: Physical statutory records which are older than 2 years and don’t need to be accessed on a day-to-day basis must be archived. The records will be archived within the Harrogate Town AFC offices.

Electronic Records Retention & Disposal: Documents, Email, Multimedia

See appendix 2 for the retention rules that apply to all Harrogate Town AFC documents, email and multimedia. Non-Statutory Records - Schedules A-E.

See appendix 3 for the statutory records retention and disposal schedule.

Appendix 2 Retention rules that apply to all Harrogate Town AFC documents, email and multimedia. Non-Statutory Records - Schedules A-E.

Schedule: A

Description: Non-statutory shared Personal Drive Data

Status: Live

Archive & Disposal Policy: Automatically archived if not accessed for 2 years

Schedule: B

Description: Archive (R:\) data

Status: Archive

Archive & Disposal Policy: Automatically disposed of 7 years after it was originally created

Schedule: C

Description: Temporary Storage Area (Scratch Area)

Status: Live

Archive & Disposal Policy: Automatically disposed of if not accessed for 30 days

Schedule: D

Description: Email data (emails only)

Status: Live

Archive & Disposal Policy: Mailbox items automatically disposed of 2 years after they were created, sent or received. All sent and received mailbox items also logged and archived separately for 5 years
 *  Deleted Items folder contents automatically cleared after 30 days

 *  Archive - Mailbox items automatically disposed from the archive 5 years after they were sent or received

Schedule: E

Description: Multimedia data

Status: Live

Archive & Disposal Policy: Automatically disposed of 3 years after it was created (unless flagged otherwise by the data controller)

APPENDIX 3 Statutory Records Retention and Disposal Schedule

Corporate Governance

1 Records on establishment and development of the organisation’s legal framework and governance - 6 years after end of life of organisation - Corporate Governance
2 Board papers and minutes - 6 years after end of life of organisation - Corporate Governance
3 Management papers and minutes - 6 years after end of financial year - Corporate Governance
4 Subject Access Requests (requests and responses) -  6 years from response - Corporate Governance
5 Litigation with third parties - 6 years after settlement of case - Corporate Governance
6 Provision of legal advice - 6 years from date of advice - Corporate Governance
7 Audit reports - 6 years from completion - Corporate Governance
8 Fraud Investigations - completion or 5 years after award completion (whichever is later) - Corporate Governance
9 Strategic plan, business plan, risk plans  - 6 years from completion - Corporate Governance

Data Protection

10 Consent (where unstructured data) including images/media – exact timeframes will be detailed in the photography/video sharing policy - 6 years after consent expired -  Data Protection Officer
11 Privacy notices and index -  6 years after end of life of organisation - Data Protection Officer
12 Record of Processing Activities - 6 years after end of life of organisation - Data Protection Officer
13 Subject Access Requests - 6 years after end of life of organisation - Data Protection Officer
14 Subject Access Request case data 90 days after the SAR case is closed - Data Protection Officer

Financial Management

15 Financial records -  6 years after date of signing of accounts or, as applicable, 5 years after award completion (whichever is later) -  Finance Director/ General Manager
16 Property acquisition (purchase, donation, rental, transfer) Deeds and certificates -  6 years after end of ownership/asset liability period - Finance Director/ General Manager  
17 Property leases -  15 years after expiry -  Finance Director/ General Manager
18 General contracts and agreements -  6 years after contract termination - Finance Director/ General Manager
19 Unsuccessful tender documents -  1 year after tender awarded - Finance Director/ General Manager

Human Resources Management

20 Job applications and interview records for unsuccessful applicants -  6 months after interview -  General Manager
21 Payroll records – salaries and other payments through payroll -  6 years - General Manager/ Payroll
22 Payroll records - Maternity, Paternity, Adoption and SSP records - 3 years after end of the tax year  - Company
23 Pension details - name, National Insurance number, opt-in notice and joining notice. (Kept by Nest Pensions) 6 years after effective date - Company
24 Pension details – opt-out (Kept by Nest Pensions) 4 years after opt out - Company
25 A summary of record of service e.g. name, position, dates of employment - pay 6 years after end of employment - Company
26 Timesheets, pay records and supporting documents such as contracts and contractual letters for employees charged to awards 5 years after payment of award balance -  General Manager
27 Evidence of right to work -  2 years after end of employment - General Manager
28 All other HR documents -  1 year after end of employment - General Manager
29 Medical information about participants -  8 years after last attendance - General Manager

Donations/Supporters

30 Individual Giving supporter financial and banking data (excluding payment card details) -  12 months after end of regular gift - General Manager
31 Payment card data -  Immediately after transaction -  Finance Director

Safeguarding

32 Child welfare concerns referred to a local authority -  6 years after referral -  Safeguarding Manager
33 Child welfare concerns not referred to a local authority -  1 year after child ceases to be associated with Plan - Safeguarding Manager
34 Concerns about an adult relating to child safeguarding - 10 years - Safeguarding Manager
35 DBS check outcome -  1 year after end of relationship with HTAFC - Safeguarding Manager

For any other type of record, or if you have any questions, please contact the Data Protection 

Next annual review due 07/03/2022


HTAFC-Privacy-Notice