Legal and Privacy
Company Information
Company Information: Welsh Rugby Union Limited
Company Number
3419514 (Registered in England & Wales)
Registered Office
Welsh Rugby Union Limited
Principality Stadium
Westgate Street
Cardiff
CF10 1NS
Company Information: Millennium Stadium PLC
Company Number
3176906 (Registered in England & Wales)
Registered Office
Millennium Stadium plc
Principality Stadium
Westgate Street
Cardiff
CF10 1NS
About Millennium Stadium PLC
Millennium Stadium plc is a wholly owned subsidiary of the Welsh Rugby Union Limited.
The Articles of Association of Millennium Stadium plc provide that there can be a maximum of 11 Directors and that the ordinary shareholder (Welsh Rugby Union Limited) has the right to appoint a maximum of 6 Directors, whilst the special shareholder (Cardiff City Council) can appoint a maximum of 5 Directors.
Privacy Notice
The Welsh Rugby Union Group
Last Updated 12th August 2019
INTRODUCTION
This document applies to individuals in the European Economic Area (“EEA”) who use our websites, at wru.wales, principalitystadium.wales, wrugamelocker.wales and cardiffconferences.co.uk and our mobile applications (including The Official WRU App, the WRU Ref App and the WRU Clubs App) the WRU online player registration portal and any other website or application which we may make available from time to time (“Sites”) and any of the products and services made available by the WRU Group. References to the WRU Group include (without limitation) The Welsh Rugby Union, Principality Stadium, Principality Stadium Experience, WRU Supporters Club, WRU Debentures and Principality Stadium Tours, which are operated by the following companies in our Group:
• The Welsh Rugby Union Limited
• Millennium Stadium Experience Limited
• Millennium Stadium Plc
We respect the privacy of every person who visits or registers with or submits personal information through our Sites and we are further committed to ensuring a safe online experience. We also respect the privacy of every person who uses the products and services that we make available (from the Sites or otherwise), or who engages with us, whether as a player, as an official or otherwise, in our capacity as the governing body of rugby union in Wales.
1 PURPOSE OF THIS PRIVACY NOTICE
This privacy notice (“Privacy Notice”) explains to data subjects in the EEA our approach to any personal information that we might collect from you or which we have obtained about you from a third party and the purposes for which we process your personal information. This Privacy Notice also sets out your rights in respect of our processing of your personal information.
This Privacy Notice also informs you of the nature of the personal information about you that is processed by us and how you can request that we delete it, update it, transfer it and/or provide you with access to it.
This Privacy Notice is intended to assist you in making informed decisions when using the Sites and our products and services. Please take a moment to read and understand it. It should be read in conjunction with our Website Terms and Conditions .
This Privacy Notice only applies to the use of your personal information obtained by us; it does not apply to personal information collected during your communications with third parties.
2 ABOUT US
The Sites and the products and services made available through the Sites and otherwise are provided by the companies which comprise the WRU Group.
The data controller responsible for your personal information will be one of the companies listed above, depending on the nature of your engagement and/or which products and services you are receiving. In certain circumstances, two or more companies may be joint data controllers. References to the terms “we” or “us” in this document are therefore references to any or all of the companies comprising the WRU Group, as applicable.
3 HOW TO CONTACT US
If you have any questions about this Privacy Notice or want to exercise your rights set out in this Privacy Notice, you can:
• Send us an email at: info@wru.wales
• Call us on: 08442 491 999
• Write to us at: Legal Affairs Team, Principality Stadium, Westgate Street, Cardiff, Wales CF10 1NS
4 HOW WE COLLECT AND RECEIVE PERSONAL INFORMATION
We collect and receive personal information using different methods:
i) Personal information you provide to us
You may give us your personal information directly. This will be the case when, for example, you contact us with enquiries, complete forms on our Sites, subscribe to receive our marketing communications or provide feedback to us.
ii) Personal information we collect from you automatically
When you access and use our Sites, we will automatically collect certain technical information about your equipment , browsing actions and patterns. We collect this personal information by using cookies and other similar technologies (see the “Our Use of Cookies and Similar Technologies” section below ).
iii) Personal information received from third parties
From time to time, we will receive personal information about you from third parties. Such third parties may include rugby union clubs, other rugby union national governing bodies and other regulatory organisations, including World Rugby, the Sports Councils, the World Anti-Doping Agency and the Health and Safety Executive. We may also receive personal information from analytics providers, payment providers, transport providers and third parties that provide services to us so that we can operate our Sites and provide our services. We may also receive personal information (which may include sensitive personal information relating to criminal convictions and offences) from the Disclosure and Barring Service in relation to our recruitment and safeguarding activities (see the relevant sections below for more information).
5 PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
Our primary reasons for collecting personal information from you are: (i) in the case of the WRU, to fulfil the duties bestowed upon us in our capacity as the governing body of rugby union in Wales; (ii) to provide the products and services you have requested; (iii) to verify your identity (where applicable); (iv) to help us improve our Sites and our products and services and develop and market new products and services; (v) to carry out requests made by you on the Sites; (vi) to investigate or settle enquiries, complaints or disputes; (vii) to comply with applicable law, court order, other judicial process and the requirements of regulators; (viii) to enforce our agreements with you; (ix) to protect the rights, property and safety of us or third parties, including our members and users of the Sites; (x) to provide support for the provision of our products and services; (xi) to carry out recruitment activities; and (xii) to use as otherwise required or permitted by law.
We may collect and process the following personal information from you in the following circumstances:
i) Site visitors: If you browse our Sites, contact us with an enquiry through our Sites or register an account with our Sites, we may collect and process: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) information relating to your interactions with our Sites; (vi) your demographic information such as post code, preferences and interests; and (vii) any information you volunteer which is relevant to the provision of the products and services you have requested.
ii) Memberships and Debentures: If you purchase one of our membership packages, through our Sites or otherwise, or are a Debenture holder, we may collect and process: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) your payment details; (vi) information relating to your interactions with our Sites; (vii) your demographic information such as post code, preferences and interests; and (viii) any information you volunteer which is relevant to your membership.
iii) Purchasers of match and event tickets, stadium tour tickets and merchandise: If you purchase match or event tickets, stadium tour tickets or merchandise, whether from our Sites or in our physical stores, we may collect and process: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) your payment details; (vi) information relating to your interactions with our Sites; (vii) your demographic information such as post code, preferences and interests; and (viii) any information you volunteer which is relevant to the provision of the tickets and/or merchandise you have purchased.
iv) Rugby players, Exiles players, coaches, match officials and club officials: If you are involved in Welsh rugby in your capacity as a player, coach, match official or club official or otherwise, and whether professionally or otherwise, we may collect and process the following personal information: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) your biographical information; (vi) information about your match performance and your personal and professional conduct where relevant to your involvement in rugby union in Wales; (vii) your likeness; (viii) your image; (ix) your voice; (x) your statements; (xi) any personal information contained in any form of personal identification, such as a passport; (xii) your payment details; (xiii) any information you volunteer which is relevant to our relationship with you or your club; and (xiv) special categories of personal information (including without limitation information revealing racial or ethnic origin and information concerning physical and mental health) and personal information relating to criminal convictions and offences.
v) Individuals who work for our corporate partners/sponsors: Corporate organisations are not data subjects, although any individuals who work for them are. If you work for one of our corporate partners or a corporate sponsor and you are engaging with us on behalf of your organisation, whether through our Sites or otherwise, we may collect and process: (i) your name and title; (ii) your job title; (iii) your contact information (including telephone number, postal address and/or email address); (iv) any personal information contained in any form of personal identification; (v) your payment details; and (vi) any information you volunteer which is relevant to our relationship with your organisation.
vi) Job applicants: If you apply for a job with us, we may collect and process: (i) your name and title; (ii) your current job title; (iii) your contact information (including telephone number, postal address and/or email address); (iv) personal information concerning your education, qualifications and employment history; and (v) any other personal information which appears in your curriculum vitae or which is relevant to your potential recruitment, which may include special categories of personal information (including without limitation information revealing racial or ethnic origin and information concerning physical and mental health) and information relating to criminal convictions and offences.
vii) Individuals whose personal information may be processed by us as a result of our providing products and services to others (including our corporate partners/sponsors) and/or in connection with the fulfilment of our duties as the governing body of rugby union in Wales: We will process a variety of different personal information depending on the nature of the products and services we are providing and any requirements and responsibilities relating to our governance and regulation of rugby union in Wales. The following is a non-exhaustive list which is reflective of the varied nature of the personal information processed in connection with our business activities and our regulatory remit:
• If you are a rugby player, coach, match official or club official, or otherwise involved in the game of rugby union in Wales, we may collect and process any of the personal information about you referred to in the “Rugby players, match officials and club officials ” section above in connection with any complaint, match incident or other professional conduct issue we may investigate.
• If you attend a Welsh rugby union match, a rugby match involving the Wales national team or any event held at the Principality Stadium, we may collect or receive and process personal information about you in connection with any complaint, incident or other matter we may investigate. Such personal information may include: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) your biographical information; (vi) your physical description; (vii) your likeness; (viii) your image; (ix) your voice; (x) your statements; (xi) any personal information contained in any form of personal identification; (xii) your payment details; (xiii) any information you volunteer which is relevant to our investigation and our relationship with you as a member or otherwise; and (xiv) special categories of personal information (including without limitation information revealing racial or ethnic origin and information concerning physical and mental health) and personal information relating to criminal convictions and offences.
• If you work for one of our corporate partners/sponsors, we may receive and process any of the personal information about you referred to in the “Individuals who work for our corporate partners/sponsors” section above in connection with the conduct of our relationship with that corporate partner or sponsor and the provision of any products and services to them.
viii) Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors) to The WRU and/or MSP: We collect and process personal information about our suppliers in order to manage the relationship, to receive services from our suppliers and, where relevant, to provide products and services to our customers and members.
ix) Visitors to the Principality Stadium and/or to any other premises of The WRU and/or MSP IN THE eea: We have security measures in place at the Principality Stadium and our other premises, including CCTV, body cameras and building access controls. There are signs in place showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft). We require visitors to our offices to sign in at reception and keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need-to-know basis (e.g. to look into an incident).
In particular, we use your personal information for the following purposes:
i) Fulfilment of our commercial products and services.
We collect and maintain personal information that you voluntarily submit to us during your use of the Sites and when you purchase products and/or services from us or use our products and/or services, whether through the Sites or otherwise. We may collect and process your personal information whether you are interacting with us on your own behalf or on behalf of any organisation you represent.Your access to and use of our Sites, including any restricted members’ area, is subject to our Website Terms and Conditions . Certain products and services we offer through the Sites or otherwise are also subject to specific terms and conditions which shall apply to your purchase and use of such products and services. If you click on one of the social media links on our Sites, or otherwise interact with our social media accounts, such as on Facebook or Instagram, we may receive information relating to such interaction and to your own social media accounts.
ii) Site account registration: If you register for an account on our Sites, we will use your personal information to process your account registration. Once you are registered, we will process your personal information to identify you when you log into secure areas of our Sites. We will also use your personal information so that we can administer your account with us and contact you about your account.
iii) Membership purchases: If you purchase a membership package or debenture, through the Sites or otherwise, we will use your personal information to process your membership application and registration. Once you are registered, we will process your personal information to identify you when you log into secure members’ areas of our Sites. We will also use your personal information so that we can administer your membership and contact you about your membership from time to time (including to send you our members’ newsletter and other membership benefits by email and to contact you about the renewal of your membership).
iv) Purchases of match and event tickets, stadium tour tickets and merchandise: We use your personal information so that we can fulfil the supply of tickets and merchandise you have ordered from our Sites or our physical stores and to process any returns and/or refunds.
v) Corporate hospitality events: If you book a corporate event or box at Principality Stadium on behalf of your organisation, or in a personal capacity, we use your personal information to process and administer your organisation’s booking. If you are attending an event, we may process your personal information in order to identify you when you attend, and for related record-keeping purposes. If relevant, we may collect and process any dietary requirements you may have. You may also feature in photographs taken at our events and such photographs may appear in publications we send to our members and/or publish on our Sites or in print.
vi) Contributions to our Sites and publications: If you write an article or blog for us or contribute in any other way to publications we send to our members and/or publish on our Sites or in print, we may use your personal information (such as your name and the name of your organisation) to credit you for your contribution. If you provide photographs or other images in support of your article or blog, we may publish one or more of those images alongside your article or blog.
What is our legal basis?
It is necessary for us to use your personal information to perform our obligations in accordance with any contract that we may have with you or it is in our legitimate interest or a third party’s legitimate interest to use personal information in such a way to ensure that we provide the products and services you have requested in an effective and efficient way.
Governance and regulatory duties.
a) We use your personal information for the purposes of fulfilling our regulatory role as the governing body of rugby union in Wales. In particular, but without limitation, we process your personal information for the following purposes:
• To administer and maintain registrations in respect of Welsh rugby union players, Exiles players and match officials;
• To manage the administration of Welsh rugby union at a club, regional and international level;
• To administer drug and alcohol testing in accordance with our obligations under applicable laws and regulations;
• To administer disciplinary proceedings in relation to players, match officials and club officials under the auspices of the Welsh Rugby Union Disciplinary Panel; and
• To comply with our safeguarding responsibilities, which require us to protect the safety, wellbeing and freedoms of children and others involved in the game of rugby in Wales and to ensure the suitability of those who work with them in coaching and similar roles.
Sometimes our governance and regulatory duties referred to above involve the processing of certain sensitive categories of personal information. This may include special categories of personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, personal information concerning a person’s physical and mental health, sex life or sexual orientation, as well as genetic and biometric data (such as urine or blood samples). It may also include personal information relating to criminal convictions and offences.
b) What is our legal basis?
It is necessary for us to use your personal information to perform our obligations in accordance with our legal obligations or any contract that we may have with you or it is in our legitimate interest, and the legitimate interest of Welsh rugby union players, match officials, clubs and the people of Wales, to use your personal information in such a way to ensure the effective and efficient governance, regulation and administration of Welsh rugby union and to protect and uphold its reputation and integrity.
Where our governance and regulatory duties involve the processing of special categories of personal information and/or information relating to criminal offences, our lawful basis for processing is as set out in the “Special Categories of Personal Information and Personal Information Relating to Criminal Offences ” section below.
General enquiries.
a) We accept enquiries by email, telephone and post. When you make an enquiry, we will use your personal information to enable us to manage and respond to your enquiries and requests.
b) What is our legal basis?
It is in our legitimate interest to use your personal information in such a way to ensure that we provide a good standard of customer service to you.
Your feedback about our performance and our products and services.
a) From time to time, we may invite you to provide feedback about us and our products and services in the form of online or postal surveys. We will use your personal information in any feedback you provide to help us improve the quality of service provided by our staff. We also use your feedback to monitor our performance as the governing body of rugby union in Wales as well as the quality of the products and services we offer and to assist with the selection of future product and service lines.
b) What is our legal basis?
It is in our legitimate interest to use the personal information provided by you in your feedback for the purposes described above.
User insight and analysis.
a) We analyse your contact details with other personal information that we observe about you from your interactions with our Sites, with our email communications to you and with our products and services.
Where you have given your consent (where lawfully required), we use cookies, log files and other technologies to collect personal information from the computer hardware and software you use to access the Sites, or from your mobile device. This includes the following:
• An IP address to monitor Site traffic and volume;
• A session ID to track usage statistics on our Sites; and
• Information regarding your personal or professional interests, demographics, experiences with our products and services and contact preferences.
Our web pages and emails may contain cookies, web beacons and pixel tags (“Tags”). Tags allow us to track receipt of an email to you, count users who have visited a web page or opened an email and collect other types of aggregated information. Once you click on an email that contains a Tag, your contact information may subsequently be cross-referenced to the source email and/or the relevant Tag.
In some of our email messages, we use a “click-through URL” linked to certain websites administered by us or on our behalf. We may track click-through data to assist in determining interest in particular topics and measure the effectiveness of these communications.
This information is used to create insights about our visitors’ browsing habits on our Sites. Where we have your consent to do so, we will also use your location data for insight and analysis purposes.
By using this information, we are able to measure the effectiveness of our content and how visitors use our Sites and our products and services. This allows us to learn what pages of our Sites are most attractive to our visitors, which parts of our Sites are the most interesting and what kind of features and functionalities our visitors and clients like to see.
We also use this information to help us with the selection of future product and service lines and website design and to remember your preferences.
We may also use this information for marketing purposes (see the “Marketing Activities” section below for further details).
b) What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required. Please see our Cookie Policy, detailed below, for further details.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information in such a way to ensure that we provide good quality products and services to you and our other visitors and clients.
We will only use your location data for insight and analysis purposes where we have your consent to do so.
Marketing activities.
We carry out the following marketing activities using your personal information:
o Postal marketing.
We use your name and address to send you marketing communications by post. Such communications will include information about the products, services, events, offers and promotions we offer from time to time.
Our postal marketing will include personalised and non-personalised postal marketing. Personalised marketing is marketing which has been specifically tailored to you. For example, our personalised postal marketing will feature products, services, events, offers and/or promotions that we think are most likely to appeal to you based on our understanding of your interests. Non-personalised marketing is marketing about our products, services, events, offers and promotions generally and is not tailored to any particular individual.
Where we are sending you personalised postal marketing, we also use information that we observe about you from your interactions with our Sites, with our email communications to you and/or with our products and services in order to decide what sort of personalised marketing communications to send you. Please see the “User Insight and Analysis” section above for more details about the personal information collected and how it is collected.
What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised information may be subject to other laws where your consent is required. Please see our Cookie Policy detailed below for further details.
Where your personal information is not in an anonymous form, which will be the case with your postal address, it is in our legitimate interest to use your personal information for marketing purposes.
We will only use your location data where we have your consent to do so.
o Email marketing.
We use your name and email address to send you marketing communications by email, where you have consented to receive such marketing communications or where we have another lawful right to do so. Such communications will include information about the products, services, events, offers and promotions we offer from time to time.
Our email marketing will include personalised and non-personalised email marketing. Personalised marketing is marketing which has been specifically tailored to you. For example, our personalised email marketing will feature our products, services, events, offers and/or promotions that we think are most likely to appeal to you based on our understanding of your interests. Non-personalised marketing is marketing about our products, services, events, offers and promotions generally and is not tailored to any particular individual.
Where we are sending you personalised email marketing, we will also use information that we observe about you from your interactions with our Sites, with our email communications to you and/or with our products and services in order to decide what sort of personalised marketing communications to send you. Please see the “User Insight and Analysis” section above for more details about the personal information collected and how it is collected.
What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required. Please see our Cookie Policy detailed below for further details.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information for marketing purposes.
We will only send you marketing communications by email where you have consented to receive such communications, or where we have another lawful right to do so.
We will only use your location data where we have your consent to do so.
o Online and social media remarketing.
We use your email address to serve you with advertising on online services (including on social media channels) operated by Facebook, Instagram, Google, and such other similar platforms as we may utilise from time to time, (“Online Platforms”) where you are a registered user of such services.
Our online and social media remarketing will include personalised and non-personalised remarketing. Personalised marketing is marketing which has been specifically tailored to you. For example, our personalised remarketing will feature our products, services, events, offers and/or promotions that we think are most likely to appeal to you based on our understanding of your interests. Non-personalised marketing is marketing about our products, services, events, offers and promotions generally and is not tailored to any particular individual.
Where we are undertaking personalised remarketing, we also use information that we observe about you from your interactions with our Sites, with our email communications to you and/or with our products and services in order to decide what sort of personalised online advertising to serve to you. Please see the “User Insight and Analysis” section above for more details about the personal information collected and how it is collected.
What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required. Please see our Cookie Policy detailed below for further details.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information for marketing purposes.
o Online and social media insight.
Where you are a registered user of an Online Platform we will use your email address in an encrypted format to enable that Online Platform to find other registered users of their services who share similar interests to you based on:
• Information that we observe about you from your interactions with our Sites, with our email communications to you and/or with our products and services (see the “User Insight and Analysis” section above for more details of the information collected and how it is collected); and
• The information Facebook, Instagram and/or Google hold about you.
We do this using Facebook Lookalike Audiences and/or Google Similar Audiences (as applicable). This activity is subject to the privacy choices you have elected to make on such services.
What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required. Please see our Cookie Policy detailed below for further details.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information for marketing purposes.
Prize draws, prize competitions and other promotions.
a) From time to time, we may run prize draws, prize competitions and other promotions on our Sites and/or on our social media accounts, including the “WRU Lottery”. For the purposes of administering such promotions, we may process your name, contact details (including email address, postal address and/or telephone number, as applicable), social media handle (if relevant), payment details (if relevant), the name of your rugby club (if relevant) and any other personal information volunteered by you in your promotion entry. Our promotions may be subject to separate terms and conditions which you may be required to accept as a condition of entry.
What is our legal basis?
b) It is necessary for us to use your personal information to perform our obligations in accordance with any contract that we may have with you (e.g. the terms and conditions applicable to the promotion to which you may be asked to agree as a condition of entry) or it is in our legitimate interest to use your personal information to enable you to participate in any prize draws, prize competitions and other promotions.
Recruitment.
a) We use your personal information for recruitment purposes, in particular, to assess your suitability for any position for which you may apply at The WRU, whether such application has been received by us online, by email or by hard copy and whether submitted directly by you or by a third party recruitment agency on your behalf. We also use your personal information to communicate with you about the recruitment process, to keep records about our recruitment process and to comply with our legal and regulatory obligations in relation to recruitment.
We will process any personal information about you that you volunteer when you apply for a job with us. We may also process your personal information obtained from any third parties we work with in relation to our recruitment activities, including without limitation, recruitment agencies, background check providers, credit reference agencies and your referees. Such information may also include special categories of personal information (such as information about your health, any medical conditions and your health and sickness records) and information relating to criminal convictions and offences if that information is relevant to the role you are applying for.
We also provide an online “Contact Human Resources” form on our Sites which you can use to contact our Human Resources Department with any employment-related enquiries you may have. This form allows you to submit your name, email address and details of your enquiry, which we will process in order to respond to you.
We also use your personal information for the purposes of reviewing The WRU’s equal opportunity profile in accordance with applicable legislation. This involves the processing of certain special categories of personal information, such as personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, personal information concerning a person’s physical and mental health, sex life or sexual orientation. The WRU does not discriminate on the grounds of gender, race, ethnic origin, age, religion, sexual orientation, disability or any other basis covered by local legislation. All employment-related decisions are made entirely on merit.
b) What is our legal basis?
Where we use your personal information in connection with recruitment, it will be in connection with us taking steps at your request to enter into a contract we may have with you or it is in our legitimate interest to use personal information in such a way to ensure that we can make appropriate and informed recruitment decisions.
We will not process any special (or sensitive) categories of personal information or personal information relating to criminal convictions or offences except where we are able to do so under applicable legislation or with your explicit consent (see the “Special Categories of Personal Information and Personal Information Relating to Criminal Offences ” section below for further information).
Receipt of services from suppliers.
a) If we have engaged you or the organisation you represent to provide us with products or services (for example, if you or the organisation you represent provide us with services such as IT support or financial advice), we will collect and process your personal information in order to manage our relationship with you or the organisation you represent, to receive products and services from you or the organisation you represent and, where relevant, to provide our services to others.
The personal information we collect from you may include your name, job title, contact information (including email address, telephone number and postal address), bank account or other payment details and any other personal information you volunteer which is relevant to our relationship with you or the organisation you represent.
b) What is our legal basis?
It is necessary for us to use your personal information to perform our obligations in accordance with any contract that we may have with you or the organisation you represent or it is in our legitimate interest to use personal information in such a way to ensure that we have an effective working relationship with you or the organisation you represent and are able to provide our services to you and others in an effective way.
Business administration and legal compliance.
a) We use your personal information for the following business administration and legal compliance purposes:
• To comply with our legal obligations;
• To enforce our legal rights;
• To protect the rights of third parties; and
• In connection with a business transition such as a merger, reorganisation, acquisition by another company, or sale of all or a portion of our assets.
b) What is our legal basis?
Where we use your personal information in connection with a business transition, to enforce our legal rights or to protect the rights of third parties, it is in our legitimate interest to do so. For all other purposes described in this section, it is our legal obligation to use your personal information to comply with any legal obligations imposed on us, such as a court order.
We will not process any special (or sensitive) categories of personal information or personal information relating to criminal convictions or offences except where we are able to do so under applicable legislation or with your explicit consent.
Any other purposes for which we wish to use your personal information that are not listed above, or any changes we propose to make to the existing purposes, will be notified to you using the contact details that we hold for you.
6 IF YOU FAIL TO PROVIDE YOUR PERSONAL INFORMATION
Where we are required by law to collect your personal information, or we need to collect your personal information under the terms of a contract we have with you, and you fail to provide that personal information when we request it, we may not be able to perform the contract we have or are trying to enter into with you. This may apply where you do not provide the personal information we need in order to provide the services you have requested from us or to process an application for employment with us. In this case, we may have to cancel your application or the provision of the relevant services to you, in which case we will notify you.
7 HOW WE OBTAIN YOUR CONSENT
Where our use of your personal information requires your consent, you can provide such consent:
• At the time we collect your personal information following the instructions provided; or
• By informing us by email, post or telephone using the contact details set out in the “How to Contact Us” section above.
8 OUR USE OF COOKIES AND SIMILAR TECHNOLOGIES
Our Sites may use certain cookies, web beacons, pixel tags, log files and other technologies. Please see our Cookie Policy detailed below to find out more about the cookies and other technologies we use, the purposes for which we use them and how to manage, block or delete them.
9 THIRD PARTY LINKS AND SERVICES
Our Sites contains links to third party websites and services. When you use a link to go from our Sites to another website or you request a service from a third party, this Privacy Notice no longer applies.
Your browsing of and interactions with any other websites, or your dealings with any third party service provider, is subject to that website’s or third party service provider’s own rules and policies.
We do not monitor, control or endorse the privacy practices of any third parties.
We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you deal with and to contact them if you have any questions about their respective privacy notices and practices.
This Privacy Notice does not apply to these third party websites and third party service providers. It applies solely to personal information collected by us through our Sites, through the supply of our products and services and/or in connection with our business operations and through the exercise of our duties as the governing body of rugby union in Wales.
10 SHARING PERSONAL INFORMATION
We will only share personal information with others when we are legally permitted to do so. When we share personal information with others, we put contractual arrangements and security mechanisms in place to protect the personal information and to comply with our data protection, confidentiality and security standards.
When processing your personal information we may need to share it with third parties as follows:
i) Other organisations within our group of companies: We may share personal information with other organisations within our group of companies where necessary for administrative purposes or where those organisations assist us in the provision of our products and services or in the fulfilment of our duties as the governing body of rugby union in Wales.
ii) Third-party organisations that provide applications/functionality, data processing or IT services: We use third parties to support us in providing our products services and to help provide, run and manage our internal IT systems. Such third parties may include, for example, providers of information technology, cloud based software as a service providers, identity management, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal information may be stored in any one of them. We also share your personal information with third party service providers to assist us with insight analytics. These providers are described in our Cookie Policy .
iii) Credit card companies and other payment providers: We may share personal information with third parties who assist us with the processing of card payments and refunds.
iv) Delivery and courier companies: We use third-party delivery companies and couriers to help deliver the products that our customers and members order from our Sites, such as tickets, merchandise and membership packs, as well as our postal marketing.
v) Event partners and suppliers: When we run events, we will share your personal information with third-party services providers that are assisting us with the operation and administration of that event. If we are running an event in partnership with other organisations, we will share your personal information with such organisations for use in relation to the event.
vi) Third-party email marketing and CRM specialists: We share personal information with specialist suppliers who assist us in managing our marketing database and sending out our email marketing communications and membership related communications.
vii) Third-party organisations that assist us with the administration of our promotions: We may share personal information with specialist suppliers who assist us in administering our competitions, prize draws and other promotions.
viii) Recruitment agencies and related organisations: We may share your personal information with external recruiters, third party providers that undertake background checks on our behalf and other entities within our group of companies.
ix) Auditors, lawyers, accountants and other professional advisers: We share personal information with professional services firms who advise and assist us in relation to the lawful and effective management of our organisation and in relation to any disputes we become involved in.
x) Law enforcement or other government and regulatory agencies: We may share personal information with law enforcement or other government and regulatory agencies or other third parties as required by, and in accordance with, applicable law or regulation.
xi) Rugby union and other governing and regulatory bodies: We may share personal information with other rugby union national governing bodies as well as with other regulatory organisations, including, without limitation, World Rugby, the Sports Councils, the World Anti-Doping Agency and the Health and Safety Executive.
xii) Other third parties: Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal information, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal information where we are permitted to do so in accordance with applicable law or regulation
This list is non-exhaustive and there may be circumstances where we need to share personal information with other third parties in order to provide our products and services and carry out our regulatory duties as effectively as we can.
11 TRANSFERS OUTSIDE THE EEA
Where necessary in order to deliver our services or to fulfil our role our role as the organisation responsible for the governance and regulation of Welsh rugby union, we will transfer personal information to countries outside the UK and EEA.
Non-EEA countries do not have the same data protection laws as the UK and the EEA. In particular, non-EEA countries may not provide the same degree of protection for your personal information, may not give you the same rights in relation to your personal information and may not have a data protection supervisory authority to help you if you have any concerns about the processing of your personal information. However, when transferring your personal information outside the EEA we will comply with our legal and regulatory obligations in relation to the personal information including having a lawful basis for transferring personal information and putting appropriate safeguards in place to ensure an adequate level of protection for the personal information.
We will take reasonable steps to ensure the security of your personal information in accordance with applicable data protection laws.
When transferring your personal information outside the UK and EEA, we will ensure that we have a lawful basis for the transfer. Our lawful basis will be either consent (i.e. we may ask for your consent to transfer your personal information outside the UK and EEA at the time you provide your information) or one of the following safeguards:
• Adequacy decisions: We may transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission. For further details, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
• Model clauses: Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal information the same protection it has in Europe. For further details, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
• EU-U.S. Privacy Shield: Where we have partners or suppliers based in the US, we may transfer personal information to them if they are registered with the EU-U.S. Privacy Shield, which requires them to provide similar protection to personal information shared between the EEA and the U.S. For further details, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en
• Please contact us if you would like further information on the specific mechanisms used by us when transferring your personal data outside the UK and EEA.
12 COOKIES POLICY
Like many other websites, we use “cookies” to help us gather and store information about visitors to some of our Sites.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer’s hard disk so that the website can remember who you are.
A cookie will typically contain the name of the domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number.
Types of cookies which may be used on this website:
• Preference Cookies – At your request we may place a cookie to remember your preferences so that you do not need to re-enter your details (country/age and language preferences) on our gateway page. This is not suitable if you share your computer with someone else.
• Social Sharing Cookies – This is a cookie that identifies you with social networking sites such as Facebook and Twitter and allows interaction between your activity on social networking sites and on our website through your direction, and makes your transition between the sites more seamless.
• Site Analytics – We use analytics tools to help analyse use of our website. These analytical tool use ‘cookies’, which are text files placed on your computer, to collect standard internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about your use of the website (including your IP address) is transmitted to the relevant analytics tool provider. This information is then used to evaluate visitors’ use of the website and to compile statistical reports on website activity.
• Session Cookies – We use session cookies, which are temporary cookies that cookies aid the user journey around the site, and will remember preferences you have selected during the session. These cookies are deleted as soon as you leave the site.
• Content Management Cookies – These are cookies required by the site for the content management system to work.
• Template Preference Cookies – These cookies are necessary for mobile sites and enable the site to look and feel the way it is intended to.
How Do I Disable/Enable Cookies?
• You have the ability to accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our site if cookies are disabled.
There are a number of ways to manage cookies. Please refer to your browser instructions or help screen to learn more about these functions. For example, in Internet Explorer, you can go to the Tools/Internet options/Security and Privacy Tabs to adapt the browser to your expectations. If you use different computers in different locations you will need to ensure that each browser is adjusted to suit your cookie preferences.
• You have the ability to accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our site if cookies are disabled. There are a number of ways to manage cookies. Please refer to your browser instructions or help screen to learn more about these functions. For example, in Internet Explorer, you can go to the Tools/Internet Options/Security and Privacy tabs to adapt your browser to your expectations. If you use different computers in different locations, you will need to ensure that each browser is adjusted to suit your cookie preferences.
Some modern browsers have a feature that will analyse website privacy policies and allow a user to control their privacy needs. These are known as ‘P3P’ features (Privacy Preferences Platform).
You can easily delete any cookies that have been installed in the cookie folder of your browser. For example, if you are using Microsoft Windows Explorer:
• open ‘Windows Explorer’
• click on the ‘Search’ button on the tool bar
• type “cookie” into the search box for ‘Folders and Files’
• select ‘My Computer’ in the ‘Look In’ box
• click ‘Search Now’ Double click on the folders that are found
• ‘Select’ any cookie file
• hit the ‘Delete’ button on your keyboard
If you are not using Microsoft Windows Explorer, then you should select ‘cookies’ in the ‘Help’ function for information on where to find your cookie folder.
13 HOW LONG WE KEEP YOUR PERSONAL INFORMATION
We will normally retain your personal data for as long as you use our services and for up to three years after your last use of our services or your last interaction with us (for example, the last time you opened an electronic communication from us, visited one of our websites, played for a local rugby club or purchased a ticket for an event at Principality Stadium). We may then destroy such personal data without further notice or liability.
However, in some circumstances we will retain your personal data for a different time period, including:
i) we will retain recorded CCTV footage at Principality Stadium in accordance with applicable legislation, unless we are required to retain it for longer (for example, if we are investigating an incident, or have been asked to retain specific CCTV footage for a longer period by government or law enforcement officials); and
ii) we will retain your personal data for longer if we believe we may need it in order to respond to any claims, to protect our rights or the rights of a third party, and we will retain your personal data for longer if we are required to retain them in order to comply with applicable laws;
iii) if any personal information is only useful for a short period (e.g. for a specific marketing campaign), we may delete it at the end of that period.
We will always retain your personal data in accordance with data protection law and never retain your personal data for longer than is necessary.
If you have opted out of receiving marketing communications from us, we will need to retain certain personal information indefinitely so that we know not to send you marketing communications again.
14 CONFIDENTIALITY AND SECURITY OF YOUR PERSONAL INFORMATION
We are committed to keeping the personal information you provide to us secure and we will take reasonable precautions to protect your personal information from loss, misuse or alteration.
We have implemented information security policies, rules and technical measures to protect the personal information that we have under our control from:
• Unauthorised access;
• Improper use or disclosure;
• Unauthorised modification; and
• Unlawful destruction or accidental loss.
All our employees and data processors (i.e. those who process your personal information on our behalf, for the purposes listed above) who have access to and are associated with the processing of personal information are obliged to respect the confidentiality of the personal information of all users of our Sites and our products and services.
15 PERSONAL INFORMATION OF CHILDREN UNDER 18
We process personal information relating to children under the age of 18 in connection with our regulatory duties, for example in relation to the registration of players and our safeguarding activities. Please see the “Governance and Regulatory Duties” section above for more information.
Our Sites and the commercial products and services that we offer are not specifically targeted at children under 18, although we appreciate that they may appeal to children. If you are under 18, we ask that you obtain your parent’s or guardian’s consent before submitting personal information to us or requesting any products or services from us.
If you are a parent or guardian of a child under 18, please ensure that you supervise your child’s use of our Sites and our products and services and ensure they obtain your consent before submitting any personal information to us or requesting any products or services from us.
For the purpose of safeguarding the rights, interests and freedoms of children, we may ask you to verify your age in order to continue using our Sites and/or any of our products and services you may have requested.
16 SPECIAL CATEGORIES OF PERSONAL INFORMATION AND PERSONAL INFORMATION RELATING TO CRIMINAL OFFENCES
Sometimes our processing activities involve the processing of certain categories of sensitive personal information. This includes special categories of personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, personal information concerning a person’s health, sex life or sexual orientation, as well as genetic data and biometric data (such as urine or blood samples). It also includes personal information relating to criminal convictions and offences.
Where our processing activities involve the processing of special categories of personal information or personal information relating to criminal convictions or offences, we rely on the following lawful bases to legitimise our processing:
• You have given your explicit consent to the processing for one or more specified purposes;
• The processing is necessary to enable us to comply with our legal obligations;
• The processing is necessary for the purposes of carrying out obligations and exercising rights (ours or yours) in the field of employment and social security and social protection laws, as authorised under applicable law;
• The processing is necessary to protect the vital interests of an individual where that individual is physically or legally incapable of giving consent;
• The processing is necessary for the establishment, exercise or defence of legal claims; or
• The processing is necessary for reasons of substantial public interest, including without limitation, processing necessary for the purposes of: (i) monitoring equality of opportunity or treatment; (ii) preventing or detecting unlawful acts; (iii) safeguarding children and individuals at risk; (iv) insurance matters; (v) eliminating anti-doping in sport; and (vi) maintaining standards of behaviour in sport and the integrity of the game.
17 HOW TO ACCESS YOUR INFORMATION AND YOUR OTHER RIGHTS
You have the following rights in relation to the personal information we hold about you:
Your right of access.
If you ask us, we will confirm whether we are processing your personal information and, if so, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may charge a reasonable fee for producing those additional copies.
Your right to rectification.
If the personal information we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have shared your personal information with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we’ve shared your personal information with so that you can contact them directly.
Your right to erasure.
You can ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or where you withdraw your consent (where applicable). If we have shared your personal information with others, we will let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
Your right to restrict processing.
You can ask us to block or suppress the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us processing it. It won’t stop us from storing your personal information, though. We will tell you before we lift any restriction. If we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
Your right to data portability.
You have the right, in certain circumstances, to obtain personal information you have provided to us (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer it to a third party of your choice.
Your right to object.
You can ask us to stop processing your personal information, and we will do so, if we are:
• Relying on our own or someone else’s legitimate interest to process your personal information, except if we can demonstrate compelling legal grounds for the processing;
• Processing your personal information for the purposes of personalised direct marketing; or
• Processing your personal information for the purposes of non-personalised direct marketing.
Your rights in relation to automated decision-making and profiling.
You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for the entering into, or the performance of, a contract between you and us.
Your right to withdraw consent.
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time. You can exercise your right of withdrawal by contacting us using our contact details in the “How to Contact Us” section above or by using any other opt-out mechanism we may provide, such as an unsubscribe link in an email.
Your right to lodge a complaint with the supervisory authority.
If you have a concern about any aspect of our privacy practices, including the way we have handled your personal information, please contact us using the contact details provided in the “How to Contact Us” section above. You can also report any issues or concerns to the Information Commissioner’s Office (ICO). You can find details about how to report a concern on the ICO website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113.
18 CHANGES TO THIS PRIVACY NOTICE
We reserve the right to change our Privacy Policy from time to time. To ensure that you are always aware of how we use your personal information we will update this Privacy Notice from time to time to reflect any changes to our use of your personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. We will notify you by email of any significant changes. However, we encourage you to review this Privacy Notice periodically to be informed of how we use your personal information.