Customer Privacy Notice

3rd June

West Bromwich Albion Football Club Limited (the Club) respects the privacy of all fans and other customers and everyone else associated with them.  We will collect and use personal data responsibly and in ways that are consistent with our obligations and your rights under the law.

This Privacy Notice explains how the Club uses and protects your personal data, as well as your rights in respect of it, how to exercise your rights and how to contact us. More information about how the Club processes personal data in general can be found in our Privacy Policy at https://www.wba.co.uk/privacy-policy.  

Information about other people 

If you provide information to us about any other people, you must give them a copy of this Privacy Notice so that they understand how their information will be used.  You should only provide information about them if you are authorised to do so.

Changes to this Privacy Notice

Privacy laws and practice are constantly developing and we aim to meet high standards.  Our policies and procedures are, therefore, under continual review. We may, from time to time, update our Privacy Notice.  If we want to make any significant changes to the way in which we will use your personal data we will contact you and, if required, seek your consent.

About Us

Unless we say otherwise, the Club is the data controller in respect of all personal data we obtain about you.  This means that we are responsible for ensuring that we do so in full compliance with data protection and all other related privacy laws. 

You can contact us as follows:

Address: West Bromwich Albion Football Club, The Hawthorns, West Bromwich, West Midlands B71 4LF 

Phone:                       0121 524 3470

Email address:         dataprotection@wbafc.co.uk             

If you have any questions or concerns about how we are handling your personal data, you can direct them to Club’s HR Department at dataprotection@wbafc.co.uk or you can make a complaint to the Information Commissioner’s Office (www.ico.org.uk).

Security

We take the security of personal data seriously.  We use security technology, including firewalls, password protection and encryption to safeguard information and have procedures in place to ensure that our paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage.  We have processes in place to deal with a data breach in the unlikely event one should occur.

We only use third party service providers where we are satisfied that they provide adequate security for your personal data.

Categories of personal data that we process

The personal data we process may very depending on the goods or services you are getting and whether they are paid for or free.  You should expect the following types of personal data to be processed for our purposes and the Club is the controller of this data.

Personal details

Title, name, any ‘known as’ name and personal pronoun

Contact details such as address, email address and phone number

Relationship with others you book or purchase for or who have booked or purchased for you

Age / date of birth

Photograph (where you hold a myalbion account and/or it is required to provide a product/service to you)

myalbion account details

Social media identifiers

Disability / health conditions / dietary preferences (if applicable)

Medical passport / certificate / pass or vaccine certificate (if applicable)

Travel certificate / confirmation (if applicable)

Vehicle registration number (if applicable)

 

 

 

 

History 

Products and services you have asked us to provide (and whether we have done so)

Products and services others have asked us to provide for you (and whether we have done so)

Key events (birthday, celebratory events, key work projects)

How you are known to the Club

Details of any feedback you provide

Details of any incident involving you or someone else in your party

 

 

Diversity and inclusion (where relevant)

Marital status

Age / date of birth

Religious beliefs

Gender / Gender reassignment

Ethnicity

Sexual orientation

Political opinions

Disability / health conditions / pregnancy and maternity

 

Preferences

Details of any consents and preferences chosen

 

Safeguarding information

Safeguarding concerns (including information about concerns raised, details of those persons involved, witness details, welfare reports, actions recommended and taken)

 

 

 

 

Payment details

Details of payments received and declined and any refunds given

 

 

The Club does not usually receive any payment card details. Instead, we use a PCI compliant service provider (such as Secutix / Adyen for ticketing and Optomony for merchandising) to process payments.  

Certain personal data is designated as ‘special category data’ in law, which means it has special protection.  This includes: information about health, race or ethnicity, genetic and biometric data and information concerning a person’s sex life or sexual orientation.  

Sources of personal data

You

Someone else who has made a booking or purchase for you (if applicable)

Other clubs you are associated with (for example, if you or purchase a ticket as an ‘away ‘fan or you  purchase one for someone else) 
Our own records or those from club affiliates such as the albion foundation

 

Our sponsors or partners where they provide goods or services for you 

 

 

 

Stakeholders in anti-corruption matters including other sports organisations, the Gambling Commission, betting operators and sports related integrity units

Social media

Insurers

Police and other law enforcement agencies

Statutory Agencies (e.g. Children Services or Adult Services)

Entities or individuals that book events that you are to attend at the Club

Legal and other professional advisers

Regulators

 

Automated decisions using personal data

We do not normally take any solely automated decisions.

Sponsor and partner programmes

The Club teams up with a variety of sponsors and commercial partners each of which bring value to the game and many of them are happy to make offers and opportunities available to you so that you can also benefit from them being in the WBA family.

You can view an up-to-date list of club sponsors & partners by clicking the link.

Purposes for which we process personal data and the legal basis for doing so

We process personal data for a number of purposes, which are:

 

Purpose

Legal basis

Administration.  Administration of any requests you make of us such as to purchase tickets, set up a myalbion account, to purchase items from our shop, to provide wba.tv , send you newsletters, administer competitions and prize draws. 

 

Personal data
Consent or
It is necessary to fulfil the contract that you (or someone booking or making a purchase for you) are going to enter into or have entered into with us and/or
It is necessary for compliance with a legal obligation and/or
It is necessary for our legitimate interests which are to ensure staff meet the Club’s policies and objectives and managing its business effectively and meet any requirements set by football governing bodies and

 

and, in addition for ‘special category’ personal data
Explicit consent or
It is necessary for carrying out obligations and exercising the individual’s rights or those of the Club in the field of employment and/or 
It relates to personal data that are manifestly made public by you and/or
It is necessary for insurance purposes and/or
It is necessary for the establishment, exercise or defence of legal claims

 

Match and event administration and security.  Includes match / event admission, match / event security, dealing with incidents. obtaining insurance

 

 

Direct marketing.  Including creating a personal profile for you and maintaining details of your preferences. This may include offers from club sponsors & partners and  club affiliates

 

Commercial activities. Administration and carrying out Club commercial activities including those that have been specifically agreed with you / the person who has booked / purchased for you (asapplicable). This may include offers from club sponsors & partners and  club affiliates

 

Health and welfare. Dealing with any medical issues, injuries, allergies, special needs and mental health concerns, providing physical and emotional support

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Personal data
It is necessary to fulfil the contract that you are going to enter into or have entered into with us and/or
It is necessary for our legitimate interests which are to ensure are able to effectively perform their duties and meet insurance requirements

 

and, in addition for ‘special category’ personal data
Explicit consent or
It relates to personal data that are manifestly made public by you and/or
It is in your vital interests or the vital interests of another person and/or
It is necessary for the purposes of preventative medicine, medical diagnosis or the provision of health or social care or treatment and/or
It is necessary for the establishment, exercise or defence of legal claims

 

Safeguarding matters.  Administration of support in safeguarding children and adults at risk Including dealing with safeguarding concerns raised/suspected.

 

Personal data
It is necessary for compliance with a legal obligation; and/or
It is necessary for our legitimate interests and those of others to ensure the safety of all persons that are involved with or come into contact with the Club and to preserve the reputation of the Club 

 

and, in addition for ‘special category’ personal data
Explicit consent or
It is necessary to protect an individual from neglect or physical, mental or emotional harm or to protect the physical, mental or emotional well-being of an individual
It relates to personal data that are manifestly made public by you and/or
It is necessary for the establishment, exercise or defence of legal claims

 

Anti-corruption and fraud. Monitoring, compliance and enforcement 

 

 

 

 

 

 

 

 

 

 

 

 

for personal data and ‘special category’ personal data
It is in our legitimate interests and those of other sports to preserve standards in sport and
It relates to personal data that are manifestly made public by you and/or
It is necessary for the prevention or detection of an unlawful act and/or
It is necessary for the prevention of fraud and/or 
It is necessary for the establishment, exercise or defence of legal claims

 

Diversity and inclusion monitoring.Diversity monitoring and compliance(such as in respect of ethnicity, gender, race, age and disability) and providing equal opportunities

 

 

 

 

personal data 
It is necessary for compliance with a legal obligation and/or
It is necessary for our legitimate interests which are to ensure we meet the Club’s objectives and requirements set by football governing bodies 

 

and, in addition for ‘special category’ personal data
Explicit consent or
It is necessary for the purposes of equality of opportunity and/or
Is necessary for the establishment, exercise or defence of legal claims

 

Quality and improvement monitoring

 

 

personal data 
It is necessary for our legitimate interests and those of others which are to ensure effective administration of Club activities and to ensure they meet the Club’s objectives and the requirements set by football governing bodies and it is in our legitimate interests to maintain records.

 

and, in addition for ‘special category’ personal data
Explicit consent or
It is necessary for scientific or historical research or statistical purposes and/or
It is necessary to protect the integrity of sport and/or
Is necessary for the establishment, exercise or defence of legal claims

 

Record keeping. Maintaining Club records including historical records of resources, incidents and compliance

 

Reputation. Club reputationmanagement

 

Publicity. Publicity and media activity

 

 

 

 

 

 

 

Security. Including maintaining security and safety at our stadium and other premises 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

personal data 
It is necessary for compliance with a legal obligation and/or
It is necessary for our legitimate interests and those of others which are to ensure effective safety of players, staff, fans and others at our offices, training grounds and match and other venues

 

and, in addition for ‘special category’ personal data
Explicit consent or
It relates to personal data that are manifestly made public by you and/or
It is necessary for insurance purposes and/or
It is necessary for the establishment, exercise or defence of legal claims

 

Legal matters.  Including dealing with legal claims and dispute.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Personal data
It is necessary to fulfil the contract that you are going to enter into or have entered into with us and/or
It is necessary for compliance with a legal obligation; and/or
It is necessary for our legitimate interests which are to ensure we manage the Club’s business effectively

 

and, in addition for ‘special category’ personal data
Explicit consent or
It relates to personal data that are manifestly made public by you and/or
It is necessary for the establishment, exercise or defence of legal claims

 

Who we may disclose your personal data to

You 

Your agent / representative(s)

Family members

Emergency contacts

Football governing bodies such as The FA, EFL and English Premier League, UEFA, FIFA 

The Club’s owner(s) and shareholders

Professional staff (including external medical professionals if applicable)

Relevant service providers that provide services for the Club for example, if you book a DJ as part of a wedding package

The world at large via Club websites, social media, brochures, match day programmes. press / media releases, newsletters and publicity materials

The media / press / broadcasters

Media agencies

 

 

Stakeholders in anti-corruption matters including other sports organisations, the Gambling Commission, betting operators and sports related integrity units

Fans and club members (where relevant)

club sponsors & partners

Disciplinary panels

club affiliates  such as the albion foundation

Complainants

Insurers

HM Revenue & Customs

Local authorities and relevant agencies regarding safeguarding

Police and other law enforcement agencies

Statutory agencies (e.g. Children Services or Adult Services)

Professional advisers

Regulators

Courts or tribunals

Government agencies (where we have a legal obligation to do so)

 

 

Location of your personal data

In most cases, we normally keep your personal data within the United Kingdom or the European Economic Area.  However, some of our services providers (such as those providing technology services to the Club) use facilities in other countries and this may mean your personal data is held in these other countries. We may also transfer personal data to our owners who may be in other countries.

Wherever we transfer your personal data outside of the United Kingdom, we will take proper care to ensure that it is protected in accordance with this Privacy Notice and applicable privacy laws.

Where we use service providers that provide their services in countries that are not deemed to have an adequate level of protection for personal data, we will normally use the United Kingdom approved ‘Standard Contractual Clauses’ as the legally accepted mechanism to allow the transfer and protect your data protection rights.

How long we keep your personal data for
The duration for which we keep personal data depends on your relationship with us.  The normal expectation is detailed below. 

General records

Normally for 6 years after you cease to be involved with the Club or 6 years after our last contact with you (whichever is longer)

Safeguarding and anti-corruption data and sanctions

At least 7 years after the incident and may be longer, potentially indefinitely, where there is a continued risk or where statutory or other official guidance requires otherwise.  

After this time period we will securely delete your personal data or anonymise / pseudonymise it unless we have a legal basis for keeping it.

In the unlikely event that there is a complaint or incident which involves or affects you, we may keep your personal data for 6 years after the matter is resolved. 
Your legal rights in respect of your personal data

You have a number of legal rights over your personal data which are:

RightExplanation
accessYou have the right to receive a copy of the personal data that we hold about you.  We will need proof of identity and proof of authority if the request comes from someone other than you.  This will ensure we only provide information to the correct person.  
withdraw consent to direct marketingYou can exercise this right at any time.  Just send an email to dataprotection@wbafc.co.uk and we will take care of this for you.
If you have opted-in to receive information from or about The Albion Foundation, you can contact them separately at data.protection@albionfoundation.co.uk to opt-out of their direct marketing communications.    
withdraw consent to other processing  Where the only legal basis for our processing your personal data is that we have your consent, you can withdraw that consent at any time, and we will have to stop processing your personal data.  Please note, this does not mean that processing carried out before you withdrew your consent is unlawful.
rectification If you think any of the personal data we hold about you is inaccurate – please contact us at dataprotection@wbafc.co.uk and we will check and, if necessary, amend our records.
restrictionIn limited circumstances you may be able to require us to restrict our processing of your personal data.  For example, if you think what we hold is inaccurate and we disagree, we may restrict what we do with your personal data until the accuracy has been verified.
erasureIn some circumstances, for example, where we have no legal basis for keeping your personal data, you may be entitled to require us to delete it.
objectionWhere our processing is based on it being in our legitimate interests, you may be entitled to object to us processing it.
portabilityWhere you have provided personal data to us electronically, you may be entitled to require us to provide that data to you electronically or to transmit it to someone else.
complainIf you have any concerns or complaints about how we are handling your personal data we would prefer you to get in touch with us directly so that we can try to resolve the You can also contact the Information Commissioner’s Office at www.ico.org.uk.

 

Some of these legal rights are subject to exceptions which means that we may be entitled, or required, to refuse to comply with a request

 

Click here to view a pdf version of the Customer Privacy Notice.