Summary of how we use your data
· By booking on to an CFA education course, you will be redirected to one of the CFA’s web-based educational administration systems used to manage your online learning profile. Some information contained in your registration, particularly your name and contact details, may be provided by using the details you registered when setting up your CFA number (“FAN”).
· Setting up a profile is typically captured when you register for a FAN and your learning profile is then created using those registration details, although occasionally your profile will be captured through paper or offline forms and the data uploaded from other CFA systems onto your learning profile.
· Data may be provided by you, The CFA or a County CFA on your behalf. Depending on the course you undertake, information may be shared between The CFA, County FAs and/or your club in order to facilitate your learning. Data may also be shared with 1st4Sport Qualifications, your tutors, other associations and other relevant partners including, without limitation, parents and clubs. Further, in the case of the Level 5 medical course, your information is shared with the Royal College of Surgeons. More details on what is collected and what is shared with who is set out in this policy.
· If you are booking a third party on to an CFA education course, you must make sure they are aware of this, and direct them to view this policy. Where given an appropriate email address, The CFA will take steps to ensure individuals are aware of their registration and are provided with this policy.
· You might be asked to place sensitive data into the system in order to allow The CFA to carry out diversity monitoring. This is held and processed by The CFA on an anonymous basis, but you can choose not to provide this information. Limited sensitive data is also collected if you are registered with a disability.
· Some information stored in our educational administration systems, for example regarding the date you passed a course, may be retained indefinitely in order to maintain a record of your qualifications.
This policy describes how The Football Association Limited (“The CFA”) and County Football Associations (“County FAs”) will make use of your data when collected on The CFA’s educational administration systems.
This policy describes your data protection rights, including a right to object to some of the processing which any of the data controllers mentioned above carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
What information do we collect?
The CFA or your County CFA will collect and process personal data about you when you interact with us to book a course. This will include:
· your FAN and password;
· your name, date of birth and gender;
· your contact details, including email address, phone number and physical address as provided by you or your parent;
· details of whether you have completed any mandatory or recommended checks or training, such as, first aid and safeguarding, and when these expire;
· details on your qualifications;
· disability information (if applicable); and
· learning difficulties (if applicable);
This may include:
· current and previous club affiliations and teams – this could include information on whether you are or have been registered to a disabled team;
· your role within the Club; and
· dietary requirements.
Please note that you might be asked to place sensitive data into the system in order to allow The CFA to carry out diversity monitoring. However, this information is stored and then processed by The CFA anonymously.
What information do we receive from third parties?
Sometimes we receive information about you from third parties. In particular:
· Where you are a player or participant, your initial registration information may be entered into the system by a club official at your current club or by an official at your County CFA, although this information will initially be collected from you.
· Where you are working or volunteering for a club, information may be initially entered into the system by a club official.
· Information about whether you have completed relevant training or courses may also be provided by third parties, in particular course tutors.
How do various parties use this information, and what is the legal basis for this use?
Depending on the educational course you undertake, we process this personal data for the following purposes:
· As required by The CFA to conduct our business and pursue our legitimate interests, in particular:
o processing your application and ensuring the eligibility of course attendees – this may involve the receipt of and provision of limited amounts of sensitive data in relation to attendees with any learning difficulties or attendees with disabilities;
o communicating with you where necessary to administer the educational courses and providing you with support, including communicating to you about other education courses that may benefit your learning;
o administering and assessing the performance of course attendees, making decisions on progression and providing appropriate training and courses to improve performance;
o maintaining records of the courses undertaken and qualifications gained;
o if you provide a credit or debit card as payment, checking the validity of the sort code, account number and card number you submit through a third party in order to prevent fraud (see data sharing below);
o complying with the current CFA Handbook and CFA and County CFA rules and regulations on education requirements, and ensuring compliance with any league rules on education requirements;
o monitoring use of The CFA’s web-based educational administration systems, and using your data to help monitor, improve and protect the content, and investigate any complaints received from you or from others about how the systems have been used; and
o communicating with you to ask for your opinion on CFA initiatives.
Your leagues and clubs may use this information for the following purposes:
· As required by your club and/or league to administer its club and teams, in particular:
o communicating with you or about you where necessary to administer the educational courses, such as inputting information to register you as a course attendee;
o administering and ensuring the eligibility of players – this may involve the receipt of and provision of limited amounts of sensitive data in relation to attendees with any learning difficulties or attendees with physical disabilities;
o administering and assessing the performance of players and club officials, making decisions on progression and identifying appropriate training and courses to improve performance;
o maintaining records of the courses undertaken, outcomes and qualifications gained; and
o complying with the current CFA Handbook and CFA and County CFA rules and regulations on education requirements, and ensuring compliance with any league rules one education requirements.
Your County CFA will use this information for the following purposes:
· As required by your County CFA to conduct its business and pursue its legitimate interests, in particular:
o communicating with you or about you where necessary to administer the educational courses and providing you with support, such as informing you of upcoming courses;
o communicating with you to ask for your opinion on County CFA initiatives;
o administering and ensuring the eligibility of players and club officials involved in courses conducted by the County CFA – this may involve the receipt of limited amounts of sensitive data in relation to course attendees with learning difficulties or attendees with physical disabilities;
o maintaining records of the courses undertaken, outcomes and qualifications gained;
o if you provide a credit or debit card as payment, checking the validity of the sort code, account number and card number you submit through a third party in order to prevent fraud (see data sharing below); and
o complying with the current CFA Handbook and CFA and County FA rules and regulations on education requirements, and ensuring compliance with any league rules on education requirements.
· Where you give your consent:
o The CFA will send you direct marketing in relation to its relevant products and services, or other products and services provided by The CFA
· For purposes which are required by law:
o In response to requests by government or law enforcement authorities conducting an investigation.
Withdrawing consent or otherwise objecting to direct marketing
Wherever The CFA relies on your consent, you will always be able to withdraw that consent, although it may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, The CFA and County FAs are able to send you direct marketing without your consent, where they rely on their legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling that The CFA or your County CFA carries out for direct marketing, at any time. You can do this by contacting the relevant organisation using the details set out below.
How is data shared, where and when?
Information about your performance and progress reports made about you and by you may be shared by your tutor with The CFA and your County FA.
In certain circumstances, The CFA and your County CFA will also share information about you in respect of the courses that you have enrolled on, participated in or completed. This information may be shared with other football associations and other relevant partners including, without limitation, parents and clubs.
If applicable, The CFA will also share your data with 1st4Sport Qualifications. 1st4Sport Qualifications are the awarding organisation for all CFA Level 1, 2 and 3 coaching qualifications. Information is shared with 1st4Sport Qualifications in order for them to award eligible qualifications.
For Level 5 medical courses, The CFA will share your data with the Royal College of Surgeons who may provide you with the requisite medical support and advice.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of the parties’ legal or legitimate interests in compliance with applicable laws.
Personal data will also be shared with third party service providers, who will process it on behalf of the controllers for the purposes identified above. Such third parties include providers of payment processing and suppliers of certificates and official documents such as coaching cards.
Where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to adequacy decision by the EU Commission, data is adequately protected by EU commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor’s Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request to firstname.lastname@example.org.
What rights do I have?
You have the right to ask any of the relevant data controllers for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format.
In addition, you can object to the processing of your personal data in some circumstances (in particular, where one of the data controllers doesn’t have to process the data to meet a contractual or other legal requirement, or where it is using the data for direct marketing).
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where it would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in both the GDPR and in the Data Protection Act 2018. We will inform you of relevant exemptions we rely upon when responding to any request you make.
In some instances, you will need to contact more than one of the data controllers to ensure your rights are met, as they may have access to different data and have different reasons for holding the data. As the main provider of the system, The CFA will be in the best position to provide you with a number of these rights, particularly access to all information held about you in Participant and to correct any underlying data connected to your FAN.
To exercise any of these rights, you can get in touch with your club or league, as relevant, using the contact details set out in Full-Time. You can also get in contact with The CFA – or its data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred. This is likely to be the Information Commissioner’s Office in Cyprus.
If your course requires the provision of first aid and/or safeguarding information this is mandatory. If relevant data is not provided, then we will not be able to process your booking as we cannot ensure safety, welfare and eligibility and manage and respect the game’s disciplinary processes. All other provision of your information is optional. If you fail to provide optional contact information, this might mean that we cannot inform you of important changes or get in contact with you to seek your opinion.
How do I get in touch with The CFA, or its data protection officer?
The CFA hopes that it can satisfy queries you may have about the way it and your County CFA processes your data. If you have any concerns about how your data is processed, or would like to opt out of CFA direct marketing or profiling, you can get in touch at email@example.com or by writing to CFA, Acheon 10, Engomi, 2413,Nicosia,Cyprus.
Which County CFA is my data controller?
The data controllers for your information are The CFA, and any County CFA you register as your main or affiliate County.
How long will you retain my data?
The CFA retains all information relating to learners for as long as you are enrolled on a course, and for 7 years after this. Details regarding any qualifications you have gained or the date you passed a course are retained indefinitely in accordance with The CFA’s legitimate interests set out above.
You can contact The CFA if you no longer wish to participate in any courses, and you can change your details by logging in to your profile.
Where any of the parties process personal data for marketing purposes or with your consent, it will process the data until you ask it to stop and for a short period after this (to allow it to implement your requests). It will also keep a record of the fact that you have asked it not to send you direct marketing or to process your data indefinitely so that it can respect your request in future.
Where your data is held on CFA systems, then at the end of the retention periods set out above, we will not irrevocably delete your information for another 3 months – your data will be held in an inactive form for this time to ensure that any consequential links across our systems remain intact in the event that your data is removed in a particular location.