Privacy Policy
Company Number
3419514 (Registered in England & Wales)
Company Information: Welsh Rugby Union Limited
Registered Office
Welsh Rugby Union Limited
Principality Stadium
Westgate Street
Cardiff
CF10 1NS
Company Information: Millennium Stadium plc
Company Number
3176906 (Registered in England & Wales)
Registered Office
Millennium Stadium plc
Principality Stadium
Westgate Street
Cardiff
CF10 1NS
About Principality Stadium Plc
Principality Stadium plc is a wholly owned subsidiary of the Welsh Rugby Union Limited.
The Articles of Association of Principality Stadium plc provide that there can be a maximum of 11 Directors and that the ordinary shareholder (Welsh Rugby Union Limited) has the right to appoint a maximum of 6 Directors, whilst the special shareholder (Cardiff City Council) can appoint a maximum of 5 Directors.
THE WELSH RUGBY UNION GROUP
PRIVACY NOTICE
Last Updated 24th May 2018
INTRODUCTION
We respect the privacy of every person who visits or registers with or submits personal information through our Sites and we are further committed to ensuring a safe online experience. We also respect the privacy of every person who uses the products and services that we make available (from the Sites or otherwise), or who engages with us, whether as a player, as an official or otherwise, in our capacity as the governing body of rugby union in Wales.
1 PURPOSE OF THIS PRIVACY NOTICE
This privacy notice (“Privacy Notice”) explains to data subjects in the European Economic Area (“EEA”) our approach to any personal information that we might collect from you or which we have obtained about you from a third party and the purposes for which we process your personal information. This Privacy Notice also sets out your rights in respect of our processing of your personal information.
This Privacy Notice also informs you of the nature of the personal information about you that is processed by us and how you can request that we delete it, update it, transfer it and/or provide you with access to it.
This Privacy Notice is intended to assist you in making informed decisions when using the Sites and our products and services. Please take a moment to read and understand it. It should be read in conjunction with our Website Terms and Conditions .
This Privacy Notice only applies to the use of your personal information obtained by us; it does not apply to personal information collected during your communications with third parties.
2 ABOUT US
This document applies to individuals in who use our websites, at wru.wales, principalitystadium.wales, wrugamelocker.wales and cardiffconferences.co.uk and our mobile applications (including The Official WRU App, the WRU Ref App and the WRU Clubs App) the WRU online player registration portal and any other website or application which we may make available from time to time (“Sites”) and any of the products and services made available by the WRU Group. References to the WRU Group include (without limitation) The Welsh Rugby Union, Principality Stadium, Principality Stadium Experience, WRU Supporters Club, WRU Debentures and Principality Stadium Tours, which are operated by the following companies in our Group:
• The Welsh Rugby Union Limited
• Millennium Stadium Experience Limited
• Millennium Stadium Plc
The Sites and the products and services made available through the Sites and otherwise are provided by the companies which comprise the WRU Group.
The data controller responsible for your personal information will be one of the companies listed above, depending on the nature of your engagement and/or which products and services you are receiving. In certain circumstances, two or more companies may be joint data controllers. References to the terms “we” or “us” in this document are therefore references to any or all of the companies comprising the WRU Group, as applicable.
3 HOW TO CONTACT US
If you have any questions about this Privacy Notice or want to exercise your rights set out in this Privacy Notice, you can:
• Send us an email at: info@wru.wales
• Call us on: 08442 491 999
• Write to us at: Legal Affairs Team, Principality Stadium, Westgate Street, Cardiff, Wales CF10 1NS
4 PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
Our primary reasons for collecting personal information from you are: (i) to fulfil the duties bestowed upon us in our capacity as the governing body of rugby union in Wales; (ii) to provide the products and services you have requested; (iii) to verify your identity (where applicable); (iv) to help us improve our Sites and our products and services and develop and market new products and services; (v) to carry out requests made by you on the Sites; (vi) to investigate or settle enquiries, complaints or disputes; (vii) to comply with applicable law, court order, other judicial process and the requirements of regulators; (viii) to enforce our agreements with you; (ix) to protect the rights, property and safety of us or third parties, including our members and users of the Sites; (x) to provide support for the provision of our products and services; (xi) to carry out recruitment activities; and (xii) to use as otherwise required or permitted by law.
We may collect and process the following personal information from you in the following circumstances:
i) Site visitors: If you browse our Sites, contact us with an enquiry through our Sites or register an account with our Sites, we may collect and process: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) information relating to your interactions with our Sites; (vi) your demographic information such as post code, preferences and interests; and (vii) any information you volunteer which is relevant to the provision of the products and services you have requested.
ii) Memberships and Debentures: If you purchase one of our membership packages, through our Sites or otherwise, or are a Debenture holder, we may collect and process: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) your payment details; (vi) information relating to your interactions with our Sites; (vii) your demographic information such as post code, preferences and interests; and (viii) any information you volunteer which is relevant to your membership.
iii) Purchasers of match and event tickets, stadium tour tickets and merchandise: If you purchase match or event tickets, stadium tour tickets or merchandise, whether from our Sites or in our physical stores, we may collect and process: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) your payment details; (vi) information relating to your interactions with our Sites; (vii) your demographic information such as post code, preferences and interests; and (viii) any information you volunteer which is relevant to the provision of the tickets and/or merchandise you have purchased.
iv) Rugby players, Exiles players, match officials and club officials: If you are involved in Welsh rugby in your capacity as a player, match official or club official, we may collect and process the following personal information: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) your biographical information; (vi) information about your match performance and your personal and professional conduct where relevant to your involvement in rugby union in Wales; (vii) your likeness; (viii) your image; (ix) your voice; (x) your statements; (xi) any personal information contained in any form of personal identification, such as a passport; (xii) your payment details; (xiii) any information you volunteer which is relevant to our relationship with you or your club; and (xiv) special categories of personal information (including without limitation information revealing racial or ethnic origin and information concerning physical and mental health) and personal information relating to criminal convictions and offences.
v) Individuals who work for our corporate partners/sponsors: Corporate organisations are not data subjects, although any individuals who work for them are. If you work for one of our corporate partners or a corporate sponsor and you are engaging with us on behalf of your organisation, whether through our Sites or otherwise, we may collect and process: (i) your name and title; (ii) your job title; (iii) your contact information (including telephone number, postal address and/or email address); (iv) any personal information contained in any form of personal identification; (v) your payment details; and (vi) any information you volunteer which is relevant to our relationship with your organisation.
vi) Job applicants: If you apply for a job with us, we may collect and process: (i) your name and title; (ii) your current job title; (iii) your contact information (including telephone number, postal address and/or email address); (iv) personal information concerning your education, qualifications and employment history; and (v) any other personal information which appears in your curriculum vitae or which is relevant to your potential recruitment, which may include special categories of personal information (including without limitation information revealing racial or ethnic origin and information concerning physical and mental health) and information relating to criminal convictions and offences.
vii) Individuals whose personal information may be processed by us as a result of our providing products and services to others (including our corporate partners/sponsors) and/or in connection with the fulfilment of our duties as the governing body of rugby union in Wales: We will process a variety of different personal information depending on the nature of the products and services we are providing and any requirements and responsibilities relating to our governance and regulation of rugby union in Wales. The following is a non-exhaustive list which is reflective of the varied nature of the personal information processed in connection with our business activities and our regulatory remit:
• If you are a rugby player, match official or club official, we may collect and process any of the personal information about you referred to in the “Rugby players, match officials and club officials” section above in connection with any complaint, match incident or other professional conduct issue we may investigate.
• If you attend a Welsh rugby union match, a rugby match involving the Wales national team or any event held at the Principality Stadium, we may collect or receive and process personal information about you in connection with any complaint, incident or other matter we may investigate. Such personal information may include: (i) your name and title; (ii) your date of birth; (iii) your gender; (iv) your contact information (including telephone number, postal address and/or email address); (v) your biographical information; (vi) your physical description; (vii) your likeness; (viii) your image; (ix) your voice; (x) your statements; (xi) any personal information contained in any form of personal identification; (xii) your payment details; (xiii) any information you volunteer which is relevant to our investigation and our relationship with you as a member or otherwise; and (xiv) special categories of personal information (including without limitation information revealing racial or ethnic origin and information concerning physical and mental health) and personal information relating to criminal convictions and offences.
• If you work for one of our corporate partners/sponsors, we may receive and process any of the personal information about you referred to in the “Individuals who work for our corporate partners/sponsors” section above in connection with the conduct of our relationship with that corporate partner or sponsor and the provision of any products and services to them.
viii) Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors) to The WRU and/or MSP: We collect and process personal information about our suppliers in order to manage the relationship, to receive services from our suppliers and, where relevant, to provide products and services to our customers and members.
ix) Visitors to the Principality Stadium and/or to any other premises of The WRU and/or MSP: We have security measures in place at the Principality Stadium and our other premises, including CCTV, body cams and building access controls. There are signs in place showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft). We require visitors to our offices to sign in at reception and keep a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need-to-know basis (e.g. to look into an incident).
In particular, we use your personal information for the following purposes:
i) Fulfilment of our commercial products and services.
We collect and maintain personal information that you voluntarily submit to us during your use of the Sites and when you purchase products and/or services from us or use our products and/or services, whether through the Sites or otherwise.
Your access to and use of our Sites, including any restricted members’ area, is subject to our Website Terms and Conditions . Certain products and services we offer through the Sites or otherwise are also subject to specific terms and conditions which shall apply to your purchase and use of such products and services.
ii) Site account registration: If you register for an account on our Sites, we will use your personal information to process your account registration. Once you are registered, we will process your personal information to identify you when you log into secure areas of our Sites. We will also use your personal information so that we can administer your account with us and contact you about your account.
iii) Membership purchases: If you purchase a membership package or debenture, through the Sites or otherwise, we will use your personal information to process your membership application and registration. Once you are registered, we will process your personal information to identify you when you log into secure members’ areas of our Sites. We will also use your personal information so that we can administer your membership and contact you about your membership from time to time (including to send you our members’ newsletter and other membership benefits by email and to contact you about the renewal of your membership).
iv) Purchases of match and event tickets, stadium tour tickets and merchandise: We use your personal information so that we can fulfil the supply of tickets and merchandise you have ordered from our Sites or our physical stores and to process any returns and/or refunds.
v) Corporate hospitality events: If you book a corporate event or box at Principality Stadium on behalf of your organisation, or in a personal capacity, we use your personal information to process and administer your organisation’s booking. If you are attending an event, we may process your personal information in order to identify you when you attend.
What is our legal basis?
It is necessary for us to use your personal information to perform our obligations in accordance with any contract that we may have with you or it is in our legitimate interest or a third party’s legitimate interest to use personal information in such a way to ensure that we provide the products and services you have requested in an effective and efficient way.
We have a legal obligation and a legitimate interest to ensure we have contact details of all individuals attending Principality Stadium in order to support the relevant Government authorities and the NHS Track and Trace scheme.
In order to support the safe re-introduction of spectator sporting events in Wales, Public Health Wales will be evaluating the Summer Internationals to be played at Principality Stadium in July 2021. Your personal data may therefore be shared with Public Health Wales and linked to routine data on COVID-19 test results for the purposes of evaluating the events. You may also be contacted and asked if you would be willing to take part in a quick on-line survey. Public Health Wales is a NHS Trust and data will be held in accordance with the General Data Protection Regulations and the usual NHS information governance conditions. For further information on how Public Health Wales uses your data, please see the Public Health Wales privacy notice: https://phw.nhs.wales/use-of-site/privacy-notice.
Governance and regulatory duties.
a) We use your personal information for the purposes of fulfilling our regulatory role as the governing body of rugby union in Wales. In particular, but without limitation, we process your personal information for the following purposes:
• To administer and maintain registrations in respect of Welsh rugby union players, Exiles players and match officials;
• To manage the administration of Welsh rugby union at a club, regional and international level; and
• To administer disciplinary proceedings in relation to players, match officials and club officials under the auspices of the Welsh Rugby Union Disciplinary Panel.
b) What is our legal basis?
It is necessary for us to use your personal information to perform our obligations in accordance with any contract that we may have with you or it is in our legitimate interest, and the legitimate interest of Welsh rugby union players, match officials, clubs and the people of Wales, to use your personal information in such a way to ensure the effective and efficient governance, regulation and administration of Welsh rugby union and to protect and uphold its reputation and integrity.
General enquiries.
a) We accept enquiries by email, telephone and post. When you make an enquiry, we will use your personal information to enable us to manage and respond to your enquiries and requests.
b) What is our legal basis?
It is in our legitimate interest to use your personal information in such a way to ensure that we provide a good standard of customer service to you.
Your feedback about our performance and our products and services.
a) From time to time, we may invite you to provide feedback about us and our products and services in the form of online or postal surveys. We will use your personal information in any feedback you provide to help us improve the quality of service provided by our staff. We also use your feedback to monitor our performance as the governing body of rugby union in Wales as well as the quality of the products and services we offer and to assist with the selection of future product and service lines.
b) What is our legal basis?
It is in our legitimate interest to use the personal information provided by you in your feedback for the purposes described above.
User insight and analysis.
a) We analyse your contact details with other personal information that we observe about you from your interactions with our Sites, with our email communications to you and with our products and services.
Where you have given your consent (where lawfully required), we use cookies, log files and other technologies to collect personal information from the computer hardware and software you use to access the Sites, or from your mobile device. This includes the following:
• An IP address to monitor Site traffic and volume;
• A session ID to track usage statistics on our Sites; and
• Information regarding your personal or professional interests, demographics, experiences with our products and services and contact preferences.
Our web pages and emails may contain cookies, web beacons and pixel tags (“Tags”). Tags allow us to track receipt of an email to you, count users who have visited a web page or opened an email and collect other types of aggregated information. Once you click on an email that contains a Tag, your contact information may subsequently be cross-referenced to the source email and/or the relevant Tag.
In some of our email messages, we use a “click-through URL” linked to certain websites administered by us or on our behalf. We may track click-through data to assist in determining interest in particular topics and measure the effectiveness of these communications.
This information is used to create insights about our visitors’ browsing habits on our Sites. Where we have your consent to do so, we will also use your location data for insight and analysis purposes.
By using this information, we are able to measure the effectiveness of our content and how visitors use our Sites and our products and services. This allows us to learn what pages of our Sites are most attractive to our visitors, which parts of our Sites are the most interesting and what kind of features and functionalities our visitors and clients like to see.
We also use this information to help us with the selection of future product and service lines and website design and to remember your preferences.
We may also use this information for marketing purposes (see the “Marketing Activities” section below for further details).
b) What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required. Please see our Cookie Policy, detailed below, for further details.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information in such a way to ensure that we provide good quality products and services to you and our other visitors and clients.
We will only use your location data for insight and analysis purposes where we have your consent to do so.
Marketing activities.
We carry out the following marketing activities using your personal information:
o Postal marketing.
We use your name and address to send you marketing communications by post. Such communications will include information about the products, services, events, offers and promotions we offer from time to time.
Our postal marketing will include personalised and non-personalised postal marketing. Personalised marketing is marketing which has been specifically tailored to you. For example, our personalised postal marketing will feature products, services, events, offers and/or promotions that we think are most likely to appeal to you based on our understanding of your interests. Non-personalised marketing is marketing about our products, services, events, offers and promotions generally and is not tailored to any particular individual.
Where we are sending you personalised postal marketing, we also use information that we observe about you from your interactions with our Sites, with our email communications to you and/or with our products and services in order to decide what sort of personalised marketing communications to send you. Please see the “User Insight and Analysis” section above for more details about the personal information collected and how it is collected.
What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised information may be subject to other laws where your consent is required. Please see our Cookie Policy detailed below for further details.
Where your personal information is not in an anonymous form, which will be the case with your postal address, it is in our legitimate interest to use your personal information for marketing purposes.
We will only use your location data where we have your consent to do so.
o Email marketing.
We use your name and email address to send you marketing communications by email, where you have consented to receive such marketing communications or where we have another lawful right to do so. Such communications will include information about the products, services, events, offers and promotions we offer from time to time.
Our email marketing will include personalised and non-personalised email marketing. Personalised marketing is marketing which has been specifically tailored to you. For example, our personalised email marketing will feature our products, services, events, offers and/or promotions that we think are most likely to appeal to you based on our understanding of your interests. Non-personalised marketing is marketing about our products, services, events, offers and promotions generally and is not tailored to any particular individual.
Where we are sending you personalised email marketing, we will also use information that we observe about you from your interactions with our Sites, with our email communications to you and/or with our products and services in order to decide what sort of personalised marketing communications to send you. Please see the “User Insight and Analysis” section above for more details about the personal information collected and how it is collected.
What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required. Please see our Cookie Policy detailed below for further details.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information for marketing purposes.
We will only send you marketing communications by email where you have consented to receive such communications, or where we have another lawful right to do so.
We will only use your location data where we have your consent to do so.
o Online and social media remarketing.
We use your email address to serve you with advertising on online services (including on social media channels) operated by Facebook, Instagram, Google, and such other similar platforms as we may utilise from time to time, (“Online Platforms”) where you are a registered user of such services.
Our online and social media remarketing will include personalised and non-personalised remarketing. Personalised marketing is marketing which has been specifically tailored to you. For example, our personalised remarketing will feature our products, services, events, offers and/or promotions that we think are most likely to appeal to you based on our understanding of your interests. Non-personalised marketing is marketing about our products, services, events, offers and promotions generally and is not tailored to any particular individual.
Where we are undertaking personalised remarketing, we also use information that we observe about you from your interactions with our Sites, with our email communications to you and/or with our products and services in order to decide what sort of personalised online advertising to serve to you. Please see the “User Insight and Analysis” section above for more details about the personal information collected and how it is collected.
What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required. Please see our Cookie Policy detailed below for further details.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information for marketing purposes.
o Online and social media insight.
Where you are a registered user of an Online Platform we will use your email address in an encrypted format to enable that Online Platform to find other registered users of their services who share similar interests to you based on:
• Information that we observe about you from your interactions with our Sites, with our email communications to you and/or with our products and services (see the “User Insight and Analysis” section above for more details of the information collected and how it is collected); and
• The information Facebook, Instagram and/or Google hold about you.
We do this using Facebook Lookalike Audiences and/or Google Similar Audience (as applicable). This activity is subject to the privacy choices you have elected to make on such services.
What is our legal basis?
Where your personal information is completely anonymised, we do not require a legal basis to use it as the personal information will no longer constitute personal information that is regulated under data protection laws. However, our collection and use of such anonymised personal information may be subject to other laws where your consent is required. Please see our Cookie Policy detailed below for further details.
Where your personal information is not in an anonymous form, it is in our legitimate interest to use your personal information for marketing purposes.
Prize draws, prize competitions and other promotions.
a) From time to time, we may run prize draws, prize competitions and other promotions on our Sites and/or on our social media accounts, including the “WRU Lottery”. For the purposes of administering such promotions, we may process your name, contact details (including email address, postal address and/or telephone number, as applicable), social media handle (if relevant), payment details (if relevant), the name of your rugby club (if relevant) and any other personal information volunteered by you in your promotion entry.
What is our legal basis?
b) It is necessary for us to use your personal information to perform our obligations in accordance with any contract that we may have with you (e.g. the terms and conditions applicable to the promotion to which you may be asked to agree as a condition of entry) or it is in our legitimate interest to use your personal information to enable you to participate in any prize draws, prize competitions and other promotions.
Recruitment.
a) We use your personal information for recruitment purposes, in particular, to assess your suitability for any position for which you may apply at The WRU, whether such application has been received by us online, by email or by hard copy and whether submitted directly by you or by a third party recruitment agency on your behalf.
We also provide an online “Contact Human Resources” form on our Sites which you can use to contact our Human Resources Department with any employment-related enquiries you may have. This form allows you to submit your name, email address and details of your enquiry, which we will process in order to respond to you.
We also use your personal information for the purposes of reviewing The WRU’s equal opportunity profile in accordance with applicable legislation. The WRU does not discriminate on the grounds of gender, race, ethnic origin, age, religion, sexual orientation, disability or any other basis covered by local legislation. All employment-related decisions are made entirely on merit.
b) What is our legal basis?
Where we use your personal information in connection with recruitment, it will be in connection with us taking steps at your request to enter into a contract we may have with you or it is in our legitimate interest to use personal information in such a way to ensure that we can make appropriate and informed recruitment decisions.
We will not process any special (or sensitive) categories of personal information or personal information relating to criminal convictions or offences except where we are able to do so under applicable legislation or with your explicit consent.
Business administration and legal compliance.
a) We use your personal information for the following business administration and legal compliance purposes:
• To comply with our legal obligations;
• To enforce our legal rights;
• To protect the rights of third parties; and
• In connection with a business transition such as a merger, reorganisation, acquisition by another company, or sale of all or a portion of our assets.
b) What is our legal basis?
Where we use your personal information in connection with a business transition, to enforce our legal rights or to protect the rights of third parties, it is in our legitimate interest to do so. For all other purposes described in this section, it is our legal obligation to use your personal information to comply with any legal obligations imposed on us, such as a court order.
We will not process any special (or sensitive) categories of personal information or personal information relating to criminal convictions or offences except where we are able to do so under applicable legislation or with your explicit consent.
Any other purposes for which we wish to use your personal information that are not listed above, or any changes we propose to make to the existing purposes, will be notified to you using the contact details that we hold for you.
5 HOW WE OBTAIN YOUR CONSENT
Where our use of your personal information requires your consent, you can provide such consent:
• At the time we collect your personal information following the instructions provided; or
• By informing us by email, post or telephone using the contact details set out in the “How to Contact Us” section above.
6 OUR USE OF COOKIES AND SIMILAR TECHNOLOGIES
Our Sites may use certain cookies, web beacons, pixel tags, log files and other technologies. Please see our Cookie Policy detailed below to find out more about the cookies and other technologies we use, the purposes for which we use them and how to manage, block or delete them.
7 THIRD PARTY LINKS AND SERVICES
Our Sites contains links to third party websites and services. When you use a link to go from our Sites to another website or you request a service from a third party, this Privacy Notice no longer applies.
Your browsing of and interactions with any other websites, or your dealings with any third party service provider, is subject to that website’s or third party service provider’s own rules and policies.
We do not monitor, control or endorse the privacy practices of any third parties.
We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you deal with and to contact them if you have any questions about their respective privacy notices and practices.
This Privacy Notice does not apply to these third party websites and third party service providers. It applies solely to personal information collected by us through our Sites, through the supply of our products and services and/or in connection with our business operations and through the exercise of our duties as the governing body of rugby union in Wales.
8 SHARING DATA
We will only share personal information with others when we are legally permitted to do so. When we share personal information with others, we put contractual arrangements and security mechanisms in place to protect the personal information and to comply with our data protection, confidentiality and security standards.
When processing your personal information we may need to share it with third parties as follows:
i) Other organisations within our group of companies: We may share personal information with other organisations within our group of companies where necessary for administrative purposes or where those organisations assist us in the provision of our products and services or in the fulfilment of our duties as the governing body of rugby union in Wales.
ii) Third-party digital advertising platforms: We may share personal information with third party digital advertising platforms in order to carry out online and social media marketing and remarketing and online and social media insight. In addition, we may share historical sales data with third party digital advertising platforms who will target specific users with messages they think may be of interest.
iii) Third-party organisations that provide applications/functionality, data processing or IT services: We use third parties to support us in providing our products services and to help provide, run and manage our internal IT systems. Such third parties may include, for example, providers of information technology, cloud based software as a service providers, identity management, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal information may be stored in any one of them.
iv) Credit card companies and other payment providers: We may share personal information with third parties who assist us with the processing of card payments and refunds.
v) Delivery and courier companies: We use third-party delivery companies and couriers to help deliver the products that our customers and members order from our Sites, such as tickets, merchandise and membership packs, as well as our postal marketing.
vi) Third-party email marketing and CRM specialists: We share personal information with specialist suppliers who assist us in managing our marketing database and sending out our email marketing communications to our subscribers.
vii) Third-party organisations that assist us with the administration of our promotions: We may share personal information with specialist suppliers who assist us in administering our competitions, prize draws and other promotions.
viii) Recruitment agencies and related organisations: We may share your personal information with external recruiters, third party providers that undertake background checks on our behalf and other entities within our group of companies.
ix) Auditors, lawyers, accountants and other professional advisers: We share personal information with professional services firms who advise and assist us in relation to the lawful and effective management of our organisation and in relation to any disputes we become involved in.
x) Law enforcement or other government and regulatory agencies: We may share personal information with law enforcement or other government and regulatory agencies or other third parties as required by, and in accordance with, applicable law or regulation.
xi) Rugby union and other governing and regulatory bodies: We may share personal information with other rugby union national governing bodies as well as with other regulatory organisations, including, without limitation, World Rugby, the Sports Councils, the World Anti-Doping Agency and the Health and Safety Executive.
xii) Other third parties: Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal information, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal information where we are permitted to do so in accordance with applicable law or regulation
This list is non-exhaustive and there may be circumstances where we need to share personal information with other third parties in order to provide our products and services and carry out our regulatory duties as effectively as we can.
9 TRANSFERS OUTSIDE THE EEA
Where necessary in order to deliver our services or to fulfil our role our role as the organisation responsible for the governance and regulation of Welsh rugby union, we will occasionally transfer personal information to countries outside the EEA. When doing so, we will comply with our legal and regulatory obligations in relation to the personal information including having a lawful basis for transferring personal information and putting appropriate safeguards in place to ensure an adequate level of protection for the personal information.
Some of our third party providers may be located in the USA and their use of your personal information is governed by the EU-U.S. Privacy Shield.
10 COOKIES POLICY
Like many other websites, we use “cookies” to help us gather and store information about visitors to some of our Sites.
A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer’s hard disk so that the website can remember who you are.
A cookie will typically contain the name of the domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number.
Types of cookies which may be used on this website:
• Preference Cookies – At your request we may place a cookie to remember your preferences so that you do not need to re-enter your details (country/age and language preferences) on our gateway page. This is not suitable if you share your computer with someone else.
• Social Sharing Cookies – This is a cookie that identifies you with social networking sites such as Facebook and Twitter and allows interaction between your activity on social networking sites and on our website through your direction, and makes your transition between the sites more seamless.
• Site Analytics – We use analytics tools to help analyse use of our website. These analytical tool use ‘cookies’, which are text files placed on your computer, to collect standard internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about your use of the website (including your IP address) is transmitted to the relevant analytics tool provider. This information is then used to evaluate visitors’ use of the website and to compile statistical reports on website activity.
• Session Cookies – We use session cookies, which are temporary cookies that cookies aid the user journey around the site, and will remember preferences you have selected during the session. These cookies are deleted as soon as you leave the site.
• Content Management Cookies – These are cookies required by the site for the content management system to work.
• Template Preference Cookies – These cookies are necessary for mobile sites and enable the site to look and feel the way it is intended to.
How Do I Disable/Enable Cookies?
• You have the ability to accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our site if cookies are disabled.
There are a number of ways to manage cookies. Please refer to your browser instructions or help screen to learn more about these functions. For example, in Internet Explorer, you can go to the Tools/Internet options/Security and Privacy Tabs to adapt the browser to your expectations. If you use different computers in different locations you will need to ensure that each browser is adjusted to suit your cookie preferences.
• You have the ability to accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our site if cookies are disabled. There are a number of ways to manage cookies. Please refer to your browser instructions or help screen to learn more about these functions. For example, in Internet Explorer, you can go to the Tools/Internet Options/Security and Privacy tabs to adapt your browser to your expectations. If you use different computers in different locations, you will need to ensure that each browser is adjusted to suit your cookie preferences.
Some modern browsers have a feature that will analyse website privacy policies and allow a user to control their privacy needs. These are known as ‘P3P’ features (Privacy Preferences Platform).
You can easily delete any cookies that have been installed in the cookie folder of your browser. For example, if you are using Microsoft Windows Explorer:
• open ‘Windows Explorer’
• click on the ‘Search’ button on the tool bar
• type “cookie” into the search box for ‘Folders and Files’
• select ‘My Computer’ in the ‘Look In’ box
• click ‘Search Now’ Double click on the folders that are found
• ‘Select’ any cookie file
• hit the ‘Delete’ button on your keyboard
If you are not using Microsoft Windows Explorer, then you should select ‘cookies’ in the ‘Help’ function for information on where to find your cookie folder.
11 HOW LONG WE KEEP YOUR PERSONAL INFORMATION
We will normally retain your personal data for as long as you use our services and for up to three years after your last use of our services or your last interaction with us (for example, the last time you opened an electronic communication from us, visited one of our websites, played for a local rugby club or purchased a ticket for an event at Principality Stadium). We may then destroy such personal data without further notice or liability.
However, in some circumstances we will retain your personal data for a different time period, including:
i) we will retain recorded CCTV footage at Principality Stadium in accordance with applicable legislation, unless we are required to retain it for longer (for example, if we are investigating an incident, or have been asked to retain specific CCTV footage for a longer period by government or law enforcement officials); and
ii) we will retain your personal data for longer if we believe we may need it in order to respond to any claims, to protect our rights or the rights of a third party, and we will retain your personal data for longer if we are required to retain them in order to comply with applicable laws;
iii) if any personal information is only useful for a short period (e.g. for a specific marketing campaign), we may delete it at the end of that period.
We will always retain your personal data in accordance with data protection law and never retain your personal data for longer than is necessary.
If you have opted out of receiving marketing communications from us, we will need to retain certain personal information indefinitely so that we know not to send you marketing communications again.
12 CONFIDENTIALITY AND SECURITY OF YOUR PERSONAL INFORMATION
We are committed to keeping the personal information you provide to us secure and we will take reasonable precautions to protect your personal information from loss, misuse or alteration.
We have implemented information security policies, rules and technical measures to protect the personal information that we have under our control from:
• Unauthorised access;
• Improper use or disclosure;
• Unauthorised modification; and
• Unlawful destruction or accidental loss.
All our employees and data processors (i.e. those who process your personal information on our behalf, for the purposes listed above) who have access to and are associated with the processing of personal information are obliged to respect the confidentiality of the personal information of all users of our Sites and our products and services.
13 PERSONAL INFORMATION OF CHILDREN UNDER 18
We process personal information relating to children under the age of 18 in connection with our regulatory duties, for example in relation to the registration of players. Please see the “Governance and Regulatory Duties” section above for more information.
Our Sites and the commercial products and services that we offer are not specifically targeted at children under 18, although we appreciate that they may appeal to children. If you are under 18, we ask that you obtain your parent’s or guardian’s consent before submitting personal information to us or requesting any products or services from us.
If you are a parent or guardian of a child under 18, please ensure that you supervise your child’s use of our Sites and our products and services and ensure they obtain your consent before submitting any personal information to us or requesting any products or services from us.
For the purpose of safeguarding the rights, interests and freedoms of children, we may ask you to verify your age in order to continue using our Sites and/or any of our products and services you may have requested.
14 HOW TO ACCESS YOUR INFORMATION AND YOUR OTHER RIGHTS
You have the following rights in relation to the personal information we hold about you:
Your right of access.
If you ask us, we will confirm whether we are processing your personal information and, if so, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may charge a reasonable fee for producing those additional copies.
Your right to rectification.
If the personal information we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have shared your personal information with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we’ve shared your personal information with so that you can contact them directly.
Your right to erasure.
You can ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or where you withdraw your consent (where applicable). If we have shared your personal information with others, we will let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
Your right to restrict processing.
You can ask us to block or suppress the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us processing it. It won’t stop us from storing your personal information, though. We will tell you before we lift any restriction. If we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
Your right to data portability.
You have the right, in certain circumstances, to obtain personal information you have provided to us (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer it to a third party of your choice.
Your right to object.
You can ask us to stop processing your personal information, and we will do so, if we are:
• Relying on our own or someone else’s legitimate interest to process your personal information, except if we can demonstrate compelling legal grounds for the processing;
• Processing your personal information for the purposes of personalised direct marketing; or
• Processing your personal information for the purposes of non-personalised direct marketing.
Your rights in relation to automated decision-making and profiling.
You have the right not to be subject to a decision when it is based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for the entering into, or the performance of, a contract between you and us.
Your right to withdraw consent.
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time. You can exercise your right of withdrawal by contacting us using our contact details in the “How to Contact Us” section above or by using any other opt-out mechanism we may provide, such as an unsubscribe link in an email.
Your right to lodge a complaint with the supervisory authority.
If you have a concern about any aspect of our privacy practices, including the way we have handled your personal information, please contact us using the contact details provided in the “How to Contact Us” section above. You can also report any issues or concerns to the Information Commissioner’s Office (ICO). You can find details about how to report a concern on the ICO website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113.
15 CHANGES TO THIS PRIVACY NOTICE
We reserve the right to change our Privacy Policy from time to time. Any such changes will be posted on this page so that we can keep you informed about how we process your personal data. We recommend that you consult this page frequently so that you are aware of our latest Privacy Policy and can update your preferences if necessary. Your continued use of our services shall constitute your acceptance of any revised Privacy Policy.