Gomersal & Cleckheaton Football Club (“the Club”, “we”, “our”, “us”) is committed to protecting personal data and processing it responsibly, transparently, and in compliance with the UK General Data Protection Regulation (UK GDPR).
This policy applies to all members, officers, committee members, volunteers, contractors, coaches, managers, and anyone else acting on behalf of the Club who may access or process personal data in any capacity.
Purpose
This policy outlines how the Club manages personal data lawfully and fairly and clarifies the responsibilities of individuals handling such data. It supports our commitment to:
- Building and maintaining trust with players, parents, and members
- Ensuring data is only used for appropriate, football-related purposes
- Meeting legal and ethical responsibilities in line with UK GDPR and safeguarding requirements
Definitions
- Personal Data: Any information that can identify an individual (e.g. name, contact details)
- Processing: Any operation performed on personal data (collecting, storing, sharing, deleting, etc.)
- Data Subject: The person whose data is being processed
- Data Controller: The Club – responsible for determining how and why data is processed
- Data Processor: Anyone acting on behalf of the Club (e.g. volunteers or coaches)
See the ICO – Key Definitions for further details.
What Data We Handle
We process personal data relating to:
- Players and their parents/guardians (current, former, and prospective)
- Volunteers, coaches, managers, referees, officials, and committee members
- Suppliers, service providers, FA and League officials
Data may be collected through registration forms, communications, event participation, or via third-party systems (e.g. the FA’s Whole Game System).
Legal Basis for Processing
We process personal data under the following lawful bases:
- Contractual obligation – e.g. to administer Club membership or roles
- Legitimate interest – e.g. for general Club operations and communication
- Consent – e.g. for use of medical data or photos
- Legal duty – e.g. for safeguarding or insurance purposes
Failure to provide required data may affect participation in Club activities or roles.
Responsibilities
- Individuals acting on behalf of the Club must process data lawfully, securely, and only for Club-related purposes
- Personal data should not be shared without valid justification
- Any concerns about misuse or unauthorised access should be raised immediately
The Club Management Committee is responsible for overall compliance. All queries should be directed to the Club Secretary.
Data Retention & Security
- Personal data will be retained only for as long as necessary
- Data will typically be deleted within 12 months of the end of an individual's relationship with the Club (unless required longer by law)
- Access is restricted to authorised individuals and secured through appropriate measures (e.g. password protection, limited-access folders, secure systems)
Breach Reporting
Any actual or suspected data breach must be reported immediately to the Club Secretary. The Club will investigate and follow appropriate procedures, including reporting to the ICO if required.
Last updated: June 2025. This notice is reviewed annually.