Privacy Policy

GFC takes your privacy very seriously.

This Privacy Notice sets out how we use and look after the personal information we collect from you. We are the data controller, responsible for the processing of any personal data you give us. We take reasonable care to keep your information secure and to prevent any unauthorised access to or use of it.

What personal data we hold on you

Personal data means any information about an individual from which that individual can be identified. We collect, use, store and transfer some personal data of our participants [and their parents or guardians], and other League members.

You provide information about yourself and your members when you register with the GFC, and by filling in forms at an event or online, or by corresponding with us by phone, e-mail or otherwise.

The information you give us may include name, date of birth, address, e-mail address, phone number, gender, and the contact details of a third party in the case of emergency. We may also ask for relevant health information, which is classed as special category personal data, for the purposes of health, wellbeing, welfare and safeguarding. Where we hold this data, it will be with the explicit consent of the participant or, if applicable, the participant’s parent or guardian.

Where we need to collect personal data to fulfil our responsibilities and you do not provide that data, we may not be able honour or administer your registration.

Why we need your personal data

We will only use personal data for any purpose for which it has been specifically provided.

The reason we need participants’ and members’ personal data is to be able to run GFC and arrange matches; to administer registration of players and provide the services you are signing up to when you register with GFC. Our lawful basis for processing this personal data is that we have a contractual obligation to anyone as a participant or member to provide the services they are registering for.

Who we share your personal data with

When you register with GFC, your information, if you are a coach or volunteer will be or if you are another participant may be entered onto the Whole Game System database, which is administered by the FA. We also pass your information to the County FA/ FA for affiliation purposes.

We may share personal data with selected third parties, suppliers and sub-contractors such as, coaches or match organisers. Third-party service providers will only process your personal data for specified purposes and in accordance with our instructions.

We may disclose personal information to third parties to comply with a legal obligation; or to protect the rights, property, or safety of our participants, members or affiliates, or others.

GFC’s data processing may require personal data to be transferred outside of the Bailiwick of Guernsey. Where GFC does transfer personal data overseas it is with the sufficient appropriate safeguards in place to ensure the security of that personal data.

How long we hold your personal data

We keep personal data on our participants while they continue to be a participant or are otherwise actively involved with GFC. We will delete this data 12 months after a participant has left or otherwise ended their registration or affiliation, or sooner if specifically requested and we are able to do so. We may need to retain some personal data for longer for legal or regulatory purposes. The personal data that is stored on Whole Game System is subject to the FA’s privacy policy, so we advise you to review that policy together with this notice. If anyone would like their personal data to be deleted from Whole Game System, then please contact us.

Your rights regarding your personal data

As a data subject, participants may have the right at any time to request access to, rectification or erasure of their personal data; to restrict or object to certain kinds of processing of their personal data, including direct marketing; to the portability of their personal data and to complain to the Guernsey data protection supervisory authority about the processing of their personal data.

As a data subject, participants are not obliged to share their personal data with GFC. If they choose not to share their personal data we may not be able to register them with GFC.

We may update this Privacy Notice from time to time and will inform you to any changes in how we handle personal data.

If participants have any questions about this Privacy Notice, then please contact a board member.


Data Protection Policy

About this Policy

1.1 This Policy is to help GFC deal with data protection matters internally. A copy should be given
(or made available) to all staff members, volunteers and others who come into contact with
personal data during the course of their involvement with GFC.
1.2 GFC handles personal data about current, former, and on occasion prospective players [and
their parents or guardians], employees, volunteers, board members, referees, coaches,
managers, contractors, third parties, suppliers, and any other individuals that we communicate
with including supporters.
1.3 In your official capacity with GFC, you may process personal data on our behalf and we will
process personal data about you. We recognise the need to treat all personal data in an
appropriate and lawful manner, in accordance with the EU General Data Protection Regulation
2016/679 (GDPR).
1.4 Correct and lawful treatment of this data will maintain confidence in GFC and protect the rights
of players and any other individuals associated with GFC. This Policy sets out our data
protection responsibilities and highlights the obligations of GFC, which means the obligations
of our employees, committee, volunteers, members, and any other contractor or legal or natural
individual or organisation acting for or on behalf of GFC.
1.5 You are obliged to comply with this policy when processing personal data on behalf of GFC,
and this policy will help you to understand how to handle personal data.
1.6 GFC will be responsible for ensuring compliance with this Policy. Any questions about this
Policy or data protection concerns should be referred to a board member.
1.7 We process employee, volunteer, member, referee, coach, manager, contractor, board
members, supplier and third party personal data for administrative and GFC management
purposes. Our purpose for holding this personal data is to be able to contact relevant individuals
on GFC business and our legal basis for processing your personal data in this way is the
contractual relationship we have with you. We will keep this data for 12 months after the end of
your official relationship with GFC, unless required otherwise by law and / or regulatory requirements. If you do not provide your personal data for this purpose, you will not be able to carry out your role or the obligations of your contract with GFC.

2. What we need from you

2.1 To assist with our compliance with GDPR we will need you to comply with the terms of this
policy. We have set out the key guidance in this section but please do read the full policy carefully.
2.2 Please help us to comply with the data protection principles (set out briefly in section 3 of this
policy and in further detail below):
2.2.1 please ensure that you only process data in accordance with our transparent
processing as set out in our Privacy notice;
2.2.2 please only process personal data for the purposes for which we have collected it (i.e.
if you want to do something different with it then please speak to a board member first);
2.2.3 please do not ask for further information about players and / or members and / or staff
and / or volunteers without first checking with a board member;
2.2.4 if you are asked to correct an individual’s personal data, please make sure that you can
identify that individual and, where you have been able to identify them, make the
relevant updates on our records and systems;
2.2.5 please comply with our retention periods listed in our Privacy Notice and make sure
that if you still have information which falls outside of those dates, that you
delete/destroy it securely;
2.2.6 please treat all personal data as confidential. If it is stored in electronic format, then
please consider whether the documents themselves should be password protected or
whether your personal computer is password protected and whether you can limit the
number of people who have access to the information. Please also consider the
security levels of any cloud storage provider (and see below). If it is stored in hard copy
format, then please make sure it is locked away safely and is not kept in a car overnight
or disposed of in a public place;
2.2.7 if you are looking at using a new electronic system for the storage of information, please
talk to a board member first so that we can decide whether such a system is
appropriately secure and complies with GDPR;
2.2.8 if you are planning on sharing personal data with anybody new or with a party outside
the GFC then please speak to a board member before doing so who will be able to
check that the correct contractual provisions are in place and that we have a lawful
basis to share the information;
2.2.9 if you receive a subject access request (or you think somebody is making a subject
access request for access to the information we hold on them) then please tell a board
member as soon as possible because we have strict timelines in which to comply;
2.2.10 if you think there has been a data breach (for example you have lost personal data or
a personal device which contains personal data or you have been informed that a
coach has done so, or you have sent an email and open copied all contacts in) then
please speak to a board member who will be able to help you to respond.
If you have any questions at any time, then please just ask a board member. We are here to

3. Data protection principles

3.1 Anyone processing personal data must comply with the enforceable principles of data
protection. Personal data must be:
3.1.1 processed lawfully, fairly and in a transparent manner;
3.1.2 collected for only specified, explicit and legitimate purposes;
3.1.3 adequate, relevant and limited to what is necessary for the purpose(s) for which it is
3.1.4 accurate and, where necessary, kept up to date;
3.1.5 kept in a form which permits identification of individuals for no longer than is necessary
for the purpose(s) for which it is processed;
3.1.6 processed in a manner that ensures its security by appropriate technical and
organisational measures to protect against unauthorised or unlawful processing and
against accidental loss, destruction or damage;
3.2 We are responsible for and must be able to demonstrate compliance with the data protection
principles listed above.

4. Fair and lawful processing

4.1 This Policy aims to ensure that our data processing is done fairly and without adversely
affecting the rights of the individual.
4.2 Lawful processing means data must be processed on one of the legal bases set out in the
GDPR. When special category personal data is being processed, additional conditions must be

5. Processing for limited purposes

5.1 GFC collects and processes personal data. This is data we receive directly from an individual
and data we may receive from other sources.
5.2 We will only process personal data for the purposes of GFC as instructed by the board
members, the County FA or the FA, or as specifically permitted by the GDPR. We will let
individuals know what those purposes are when we first collect the data or as soon as possible

6. Consent

6.1 One of the lawful bases on which we may be processing data is the individual’s consent.
6.2 An individual consents to us processing their personal data if they clearly indicate specific and
informed agreement, either by a statement or positive action.
6.3 Individuals must be easily able to withdraw their consent at any time and withdrawal must be
promptly honoured. Consents should be refreshed every season.
6.4 Explicit consent is usually required for automated decision-making and for cross-border data
transfers, and for processing special category personal data. Where children are involved then
the consent must be in writing from parent/guardian
6.5 Where consent is our legal basis for processing, we will need to keep records of when and how
this consent was captured.
6.6 Our Privacy Notice sets out the lawful bases on which we process data of our players and

7. Notifying individuals

7.1 Where we collect personal data directly from individuals, we will inform them about:
7.1.1 the purpose(s) for which we intend to process that personal data;
7.1.2 the legal basis on which we are processing that personal data;7.1.3 where that legal basis is a legitimate interest, what that legitimate interest is;
7.1.4 where that legal basis is statutory or contractual, any possible consequences of failing
to provide that personal data;
7.1.5 the types of third parties, if any, with which we will share that personal data, including
any international data transfers;
7.1.6 their rights as data subjects, and how they can limit our use of their personal data;
7.1.7 the period for which data will be stored and how that period is determined;
7.1.8 any automated decision-making processing of that data and whether the data may be
used for any further processing, and what that further processing is.
7.2 If we receive personal data about an individual from other sources, we will provide the above
information as soon as possible and let them know the source we received their personal data
7.3 We will also inform those whose personal data we process that we, GFC, are the data controller
in regard to that data, and which individual(s) in GFC are responsible for data protection.

8. Adequate, relevant and non-excessive processing

8.1 We will only collect personal data that is required for the specific purpose notified to the
8.2 You may only process personal data if required to do so in your official capacity with GFC. You
cannot process personal data for any reason unrelated to your duties.
8.3 GFC must ensure that when personal data is no longer needed for specified purposes, it is
deleted or anonymised.

9. Accurate data

We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy
of any personal data at the point of collection and at the start of each season. We will take all reasonable
steps to destroy or amend inaccurate or out-of-date data.

10. Timely processing

We will not keep personal data longer than is necessary for the purpose(s) for which they were collected.
We will take all reasonable steps to destroy or delete data which is no longer required, as per our
Privacy Notice.

11. Processing in line with data subjects’ rights

11.1 As data subjects, all individuals have the right to:
11.1.1 be informed of what personal data is being processed;
11.1.2 request access to any data held about them by a data controller;
11.1.3 object to processing of their data for direct-marketing purposes (including profiling);
11.1.4 ask to have inaccurate or incomplete data rectified;
11.1.5 be forgotten (deletion or removal of personal data);
11.1.6 restrict processing;
11.1.7 data portability; and
11.1.8 not be subject to a decision which is based on automated processing.
11.2 GFC is aware that not all individuals’ rights are absolute, and any requests regarding the above
should be immediately reported to a board member.

12. Data security

12.1 We will take appropriate security measures against unlawful or unauthorised processing of
personal data, and against the accidental loss of, or damage to, personal data.
12.2 We have proportionate procedures and technology to maintain the security of all personal data.
12.3 Personal data will only be transferred to another party to process on our behalf (a data
processor) where we have a GDPR-compliant written contract in place with that data
12.4 We will maintain data security by protecting the confidentiality, integrity and availability of the
personal data.
12.5 Our security procedures include:
12.5.1 Entry controls. Any stranger seen in entry-controlled areas should be reported.
12.5.2 Secure desks, cabinets and cupboards. Desks and cupboards should be locked if
they hold personal data.
12.5.3 Methods of disposal. Paper documents should be shredded. Digital storage devices
should be physically destroyed.
12.5.4 Equipment. Screens and monitors must not show personal data to passers-by and
should be locked when unattended. Excel spreadsheets will be password protected.
12.5.5 Personal Devices. Anyone accessing or processing GFC’s personal data on their own
device, must have and operate a password only access or similar lock function, and
should have appropriate anti-virus protection. These devices must have GFC’s
personal data removed prior to being replaced by a new device or prior to such
individual ceasing to work with or support GFC.

13. Disclosure and sharing of personal information

13.1 We share personal data with the FA, and with applicable leagues using Whole Game System.
13.2 We may share personal data with third parties or suppliers for the services they provide and
instruct them to process our personal data on our behalf as data processors. Where we share
data with third parties, we will ensure we have a compliant written contract in place incorporating
the minimum data processer terms as set out in the GDPR, which may be in the form of a
supplier’s terms of service.
13.3 We may share personal data we hold if we are under a duty to disclose or share an individual’s
personal data in order to comply with any legal obligation, or in order to enforce or apply any
contract with the individual or other agreements; or to protect our rights, property, or safety of
our employees, players, other individuals associated with GFC or others.

14. Transferring personal data to a country inside or outside the EEA

We may transfer any personal data we hold to a country inside or outside the European Economic Area
(EEA), provided that one of the appropriate safeguards applies.

15. Reporting a personal data breach

15.1 In the case of a breach of personal data, we may need to notify the applicable regulatory body
and the individual.
15.2 If you know or suspect that a personal data breach has occurred, inform a member of the
committee immediately, who may need to escalate to the League as appropriate. You should
preserve all evidence relating to a potential personal data breach.

16. Dealing with subject access requests

16.1 Individuals may make a formal request for information we hold about them. Anyone who
receives such a request should forward it to the board immediately, and where. Nobody should
feel bullied or pressured into disclosing personal information.
16.2 When receiving telephone enquiries, we will only disclose personal data if we have checked
the caller's identity to make sure they are entitled to it.

17. Accountability

17.1 GFC must implement appropriate technical and organisational measures to look after personal
data, and is responsible for, and must be able to demonstrate compliance with the data
protection principles.
17.2 GFC must have adequate resources and controls in place to ensure and to document GDPR
compliance, such as:
17.2.1 providing fair processing notice to individuals at all points of data capture;
17.2.2 training committee and volunteers on the GDPR, and this Data Protection Policy; and
17.2.3 reviewing the privacy measures implemented by GFC.
18. Changes to this policy
We reserve the right to change this policy at any time. Where appropriate, we will notify you by email.