Summary of how we use your data
- The FA uses your personal data to review and assess your application to join England Supporters Travel Club (“ESTC”).
- Data is shared with the UK Football Policing Unit for the purposes of checking your suitability to join the ESTC.
- Where we rely on your consent, such as for sending you marketing information relating to match tickets or the England teams and their commercial partners, you can withdraw this consent at any time.
This policy describes how The Football Association Limited (also referred to as "The FA", "we" or "us") will make use of your data when you apply to join the ESTC.
It also describes your data protection rights, including a right to object to some of the processing which The FA carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
What information do we collect?
We collect and process personal data about you when you interact with us and our websites, and when you apply to join the ESTC. This includes:
- your name, username and password;
- your age/date of birth;
- your home address, email address and phone number;
- your payment details, including billing and credit card details;
- your marketing preferences, including any consents you have given us;
- information related to the browser or device you use to access our website;
- your passport number and expiry date; and
- your place of birth.
What information do we receive from third parties?
Sometimes, we receive information about you from third parties. In particular: the UK Football Policing Unit who provide us, where relevant, with any information which may mean you are unsuitable to join the ESTC.
How do we use this information, and what is the legal basis for this use?
We process this personal data for the following purposes:
- To fulfil a contract, or take steps linked to a contract: this is relevant where you apply to join the ESTC. This includes:
- verifying your identity;
- taking payments;
- communicating with you; and
- providing customer services.
- As required by The FA to conduct our business and pursue our legitimate interests, in particular:
- to ensure that you meet the eligibility criteria to become a member of the ESTC;
- to re-check that the information you have provided to us is accurate before you travel to an England away fixture;
- we monitor use of our websites and online services, and use your information to help us monitor, improve and protect our products, content, services and websites, both online and offline;
- we use information you provide to personalise our website, products or services for you;
- if you provide a credit or debit card as payment, we also use third parties to check the validity of the sort code, account number and card number you submit in order to prevent fraud (see data sharing below);
- we monitor customer accounts to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law;
- we use information you provide to investigate any complaints received from you or from others, about our website or our products or services;
- we will use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and
- we use data on some individuals to invite them to take part in market research.
- Where you give us consent:
- we will send you direct marketing in relation to our relevant products and services, or other products and services provided by us, our affiliates and carefully selected partners;
- we place cookies and use similar technologies in accordance with our Cookies Policy and the information provided to you when those technologies are used; and
- on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.
- For purposes which are required by law:
- where we need parental consent to provide online services to children under 13. However, most of our websites are not designed for children under 13; and
- in response to requests by government or law enforcement authorities conducting an investigation.
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.
Who will we share this data with, where and when?
When you apply to join the ESTC, we will share your data with the UK Football Policing Unit for vetting purposes to ensure that you are able to join the ESTC.
Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.
Personal data will also be shared with third party service providers, who will process it on behalf of The FA for the purposes identified above.
Specific personal data (name, FAN number and attendance history) is made available to other registered users of the ESTC by way of search functionality. Such data is viewable only when accessing the ESTC platform as a registered user, as part of the personalized service provided by the ESTC.
What rights do I have?
You have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format.
In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where it would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in both the GDPR and in the Data Protection Act 2018. We will inform you of relevant exemptions we rely upon when responding to any request you make.
To exercise any of these rights, you can get in touch with us – or our data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred. This is likely to be the Information Commissioner’s Office in the UK.
In order to vet and consider your application the provision of the information required is mandatory: if relevant data is not provided, then we will not be able to consider your application.
How do I get in touch with you, or your data protection officer?
If you wish to make a data privacy request, you can do so via our online form, which can be found here. We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, you can get in touch at email@example.com or by writing to: Data Protection Officer, Wembley Stadium, PO Box 1966, London, SW1P 9EQ.
How long will you retain my data?
Where we process registration data, we do this for as long as you are an active user of our sites and for 4 years after this.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
Where we process personal data in connection with taking a payment from you, we keep the data for 6 months from your last interaction with us.
Where your data is held on FA systems, then at the end of the retention periods set out above, we will not irrevocably delete your information for another 3 months – your data will be held in an inactive form for this time to ensure that any consequential links across our systems remain intact in the event that your data is removed in a particular location.