Introduction

The Sports Council for Wales (trading as Sport Wales) are committed to protecting your privacy and personal information. This policy (together with our terms of website use, and any other documents referred to in them) sets out the basis upon which we collect, use, and protect your personal data. Please read the following carefully to understand our practices regarding your personal data and how we will process it. 

By using our services (including visiting this website) you acknowledge the information set out in this policy. This policy is provided for transparency and does not rely on your consent as a legal basis for processing unless expressly stated. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is SPORTS COUNCIL FOR WALES, Sophia Gardens, Cardiff, CF11 9SW. Registration number: Z5769715

How we use your information

Sport Wales uses your personal information differently based on how we work with you. You can find out more about how we use your information in each situation by following the links below. 

Sport Wales’ Data Protection Principles

This privacy notice applies to:

  • Members of our centres;
  • Individuals who stay at one of our centres or participates in a course or activity;
  • Individuals involved with sports associations and sports clubs;
  • Individuals who use our website;
  • Individuals who purchase goods via our website;
  • Individuals who apply for grants;
  • Individuals who feature in our articles and/or newsletters;
  • Individuals who contact us with an enquiry or complaint;
  • Individuals captured on our CCTV system;
  • Individuals who subscribe to our newsletters/updates;
  • Individuals who engage with us on social media;
  • Individuals who participate in one of our surveys or questionnaires;
  • Any other individuals who may use our services. 

In the sections below, when referring to the individuals listed above, we use the terms “you” or “your”.

Our Approach to Privacy

We take your privacy extremely seriously and want you to feel confident that your personal information is safe in our hands.

We will only use your personal information in accordance with data protection law applicable to England and Wales from time to time.

Sport Wales acts as the data controller in respect of the personal data described in this policy. Essentially, this means that we will be making decisions about how we want to use your personal information and why.

Below, we summarise the main rules that apply to us under data protection law when we use your personal information:

  1. We must be upfront about how we intend to use your personal information and must use your personal information fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly.
  2. We must only use your personal information if we have a legal basis to do so under data protection law. 
  3. We must only use certain types of sensitive personal information (such as information relating to your health, racial or ethnic origin or religion) if we can also satisfy one of the conditions for processing this type of information set out in data protection law.
  4. We are only permitted to share your personal information with others in certain circumstances and if we take steps to ensure that your personal information will be secure.
  5. Generally speaking, we must only use your personal information for the specific purposes we have told you about. If we want to use your personal information for other purposes, we need to contact you again to tell you about this.
  6. We must not hold more personal information than we need for the purposes we have told you about and must not retain your personal information for longer than is necessary for those purposes (this is known as the “retention period”). We must also dispose of any information that we no longer need securely.
  7. We must ensure that we have appropriate security measures in place to protect your personal information.
  8. We must act in accordance with your rights under data protection law.
  9. We must not transfer your personal information outside the United Kingdom unless certain safeguards are in place. One such safeguard is that the personal data is only transferred to a country that has been approved by the United Kingdom as having an acceptable level of data protection law.

Engaging with us on Social Media

Any social media posts or comments you send to us (on the Sport Wales Facebook page, for instance) will be shared under the terms of the relevant social media platform (e.g. Facebook, Twitter, Instagram) on which they're written and could be made public. Other people, not us, control these platforms. We are not responsible for this kind of sharing. 

Before you make any remarks or observations about anything, you should review the terms and conditions and privacy policies of the social media platforms you use. That way, you'll understand how they will use your information, what information relating to you they will place in the public domain, and how you can stop them from doing so if you're unhappy about it.

Information we may collect from you

We may collect, use, store and transfer different types of personal data about you depending on how you interact with and use our website and our services. This includes: 

  • Identity Data includes the first name, last name, any previous names, username or similar identifier, marital status, title, date of birth and gender (where provided);
  • Contact Data includes billing address, delivery address, email address and telephone numbers;
  • Financial and Transaction Data includes bank account, payment card details, and details about payments to and from you and other details of products and services you have purchased from us;
  • Membership and participation data includes membership details and account information for individuals and families, booking and attendance records for stays, courses or activities, details of facilities used and cancellation and feedback information;
  • Technical and usage data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website;
  • Communications data includes records of correspondence with you (including emails, calls, messages and social media interactions), details of enquiries, complaints or requests and responses to surveys, questionnaires and feedback forms;
  • Marketing and communications preferences includes your preferences in receiving marketing from us and our third parties and your communication preferences. You are entitled to opt-out of receiving marketing materials from us at any time;
  • Grant and funding data includes information provided in grant applications, supporting documents and evidence, records of decisions and equality and monitoring information (such as ethnicity, disability and gender, where provided); 
  • Sport sector engagement data includes your role or involvement in a sports club, association or organisation, your contact and organisational details, and information relating to your participation in sport programmes or initiatives; 
  • Content and publicity data includes your name and association with sport, images, video recordings and other media, and personal stories or other information you provide for articles, newsletters or promotional materials; 
  • Recruitment and employment data includes, where you apply for a role with us, your education, qualifications and employment history, your skills, experience and professional memberships, references and background information, right to work documentation, and interview notes and assessment records; 
  • Special category personal data includes more sensitive personal data such as health and medical information (for example, to support participation in activities or athlete services), racial or ethnic origin, religious or philosophical beliefs, trade union membership, sexual orientation and disability information. We only collect and use this type of data where permitted by law, including where necessary for reasons of substantial public interest, health or social care purposes, or with your explicit consent, as permitted under data protection law; 
  • Criminal offence data includes, in limited circumstances (for example, as part of recruitment), information about criminal convictions or offences, including Disclosure and Barring Service (DBS) checks, where this is appropriate and permitted by law; 
  • Athlete support data includes, for individuals using services provided by the Welsh Institute of Sport, training and competition information, coaching and support team details, performance data, medical, nutritional and wellbeing information, and video footage and imagery used for performance analysis; 
  • CCTV data includes images and footage captured by CCTV systems at our facilities; 
  • Vehicle data includes vehicle registration numbers where required for access to our facilities; 
  • Aggregated and anonymised data includes statistical or research data derived from personal data, which does not directly identify you.

How we collect your personal data 

We use different methods to collect data from and about you including through: 

  • Your interactions with us. You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you: 
    • submit forms to us; 
    • make enquiries; 
    • purchase our products or make a booking for our services; 
    • become a member of Sport Wales; 
    • request marketing to be sent to you; 
    • enter a competition, promotion or survey; or
    • give us feedback or contact us. 
  • Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other storage and access technologies (such as pixels, tags, scripts or similar technologies). Further information about the cookies we use and the purposes for which we use them can be found in our Cookies Policy.
  • In some limited circumstances, we may use certain technologies without consent where this is permitted by law (for example, where they are strictly necessary for the operation of the website or used for limited analytics). We keep this under review in line with applicable legal requirements and guidance.
  • Third parties or publicly available sources. We may receive personal data about you from third parties as set out below: 
    • Technical Data is collected from analytics providers (such as Google), which may be based outside the UK. This data may also be collected through cookies and similar technologies provided by third-party service providers (such as website hosting, embedded content, or social media platforms), where you have given consent. 

In some cases, you are required to provide personal data in order for us to deliver our services or comply with legal obligations. 

If you do not provide the personal data we request, we may not be able to provide certain services, process your requests, or enter into or perform a contract with you. 

Where providing personal data is optional, we will make this clear at the point of collection.

Children’s use of our website

We recognise that children may access and use our website.

We do not knowingly collect personal data from children for purposes other than those set out in this policy, such as enabling the website to function properly and to understand how it is used (for example, through analytics and cookies).

Where our website uses cookies or similar technologies that require consent, this consent is obtained from the user of the device. We take reasonable steps to ensure that information about our use of cookies and personal data is presented in a clear and accessible way so that it can be understood by all users, including children.

We do not generally require parental consent for the use of cookies or similar technologies on our website. However, where we process children’s personal data in other contexts (for example, participation in programmes or activities), we will take appropriate steps to ensure that such processing is fair and lawful, which may include seeking consent from a parent or guardian where required. 

We take into account regulatory guidance on children’s data and design our communications and processing activities to be fair, clear and appropriate for younger users.

We keep our approach to children’s data under review and take steps to ensure that their personal data is appropriately protected.

How will we use your personal data? 

Under data protection law, we must have a lawful basis for using your personal data. Depending on the circumstances, we rely on one or more of the following:

  • Contract – where we need to perform a contract with you or take steps at your request before entering into a contract; 
  • Legal obligation – where we need to comply with a legal or regulatory obligation; 
  • Public task – where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as a public body; 
  • Legitimate interests – where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (we will assess our legitimate interest prior to any reliance on this legal basis on a case by case basis in line with UK GDPR) ; 

Consent – where you have given us permission to use your personal data. Where we rely on consent, you are free to withdraw it at any time. Where possible, you may do so using the same method by which consent was given. Refusing or withdrawing consent will not result in any detriment to you unless the processing is necessary to provide a service you have requested. Further information about these lawful bases can be provided on request.

We use your personal data for the purposes set out below:

PurposePersonal data usedLawful basis
Operating and administering our website, including improving website functionality and user experienceTechnical and usage data 

Public task; 

Legitimate interests in operating, maintaining and improving the website. 

For details regarding the information we collect via cookies, please see our Cookie Policy

Providing goods and services (including purchases made through our website)Identity, contact, financial and transaction dataPerformance of a contract; legal obligation for financial / tax records; 
legitimate interests for administration, record-keeping and enforcing terms
Managing bookings, stays, courses, activities and access to facilitiesIdentity, contact, participation data and vehicle data (where required)Performance of a contract
Managing memberships and use of our facilitiesIdentity, contact, membership and payment dataPerformance of a contract; legitimate interests for service improvement and administration
Ensuring health and safety in our facilities and activitiesIdentity, contact and health data

Vital interests where necessary to protect someone’s health/safety;


 legitimate interests/public task depending on context

Communicating with individuals in the sport sector (clubs, associations and organisations)Identity, contact and sport sector engagement data

Public task / exercise of official authority; 


legitimate interests for general administration and relationship management where appropriate

Supporting and promoting participation in sport (including use of images)Identity, contact and content and publicity data

Public task / exercise of official authority. 

Where we intend to collect and use images or video of you for this purpose, or otherwise process special category data, we will ask for your explicit consent to do so. 

Administering grants and funding programmesIdentity, contact, grant and funding data and equality information

Public task / exercise of official authority; 


legal obligation where grant governance requires it

Where special category data is to be processed in connection with this purpose, such as for the monitoring of equality and data  we may rely on substantial public interest. In other instances, we will ask for your explicit consent. 

Sending newsletters and marketing communicationsIdentity, contact and marketing and communications preferences

Consent (for newsletter subscriptions); 


legitimate interests for related information (where applicable)

Handling enquiries, complaints and correspondenceIdentity, contact and communications data

Legitimate interests in complaint handling and dispute resolution; 


legal obligation where applicable; 

establishment/exercise/defence of legal claims

Conducting surveys and improving our servicesTechnical and usage data, communications data and aggregated and anonymised data

Legitimate interests in evaluating and improving services; 


consent (where participation is optional and framed that way)

Recruitment and employment processesIdentity, contact, recruitment and employment data and (where appropriate) criminal offence data

Taking steps before entering into a contract; 


legal obligation; 


legitimate interests in recruitment administration

Where criminal offence data is collected for this purpose, it will be processed in accordance with Article 10 UK GDPR with reliance upon the employment, social, security, and social protection authority provided by Schedule 1 of the Data Protection Act 2018. 

Supporting athletes through the Welsh Institute of Sport (including performance and medical support)Identity, athlete support data and health data

We will ask for your consent, and  where special category data is collected in connection with this purpose, such consent will be explicit.

We may also rely on 
public task when processing non-special category data in respect of  some service arrangements.

Security, fraud prevention and legal compliance (including CCTV)Identity, transaction, CCTV data and incident-related data

Public task; 

substantial public interest in preventing/detecting unlawful acts; 


legitimate interests in site security (where applicable)

We do not carry out solely automated decision-making that produces legal or similarly significant effects on individuals.

For more information about how we use cookies, please see our Cookie Policy.

Special category personal data

Certain personal data we collect is treated as a special category to which additional protections apply under data protection law. The type of special category personal data we may process from time to time includes: 

  • data revealing your racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, or membership of a trade union; and
  • data concerning your health, sex life, or sexual orientation. 

Where we rely on your consent to process special category personal data, we will ask for your explicit consent. For instance, this could include instances where you agree to participate in our promotional content and share sensitive information about yourself when doing so. 

However, in limited circumstances, we may rely on a different lawful basis to process your special category personal data. These lawful bases may include: 

  • employment, social security, and social protection (where authorised by law);
    • for instance, during our recruitment processes;
  • legal claims or judicial acts 
  • reasons of substantial public interest (where authorised by law)
    • for instance, to monitor equality and diversity for the purposes of identifying or keeping under review the existence or absence of equality or opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained; 
  • health or social care (where authorised by law); or 
  • public health (where authorised by law). 

In all cases, we will ensure that we have an appropriate lawful basis for processing your personal data in accordance with data protection law. 

Who we share your personal data with

We share personal data with third parties where this is necessary for the purposes set out in the above section ‘How will we use your personal data?”.

Service providers

We share personal data with third party service providers who help us deliver our services and perform our contracts with you. This may include:

  • payment service providers; 
  • delivery and logistics providers; and
  • providers who support the delivery of our services, programmes or facilities. 

IT and systems providers

We use third party providers to support our IT systems and infrastructure. This includes: 

  • website hosting providers;
  • cloud storage providers; 
  • software and system providers; and
  • analytics and search engine providers that help us improve our website. 

Cyber security providers

We may share personal data with third party services providers who provide cyber security services to help protect our digital systems, network, and data held. 

Such providers may process data automatically, or with the assistance of artificial intelligence, in accordance with their own policies. 

Marketing and communications providers

We may share personal data with third parties who assist us with marketing and communications, including creating and delivering communications on our behalf.

Professional advisers

We may share personal data with our professional advisers, including lawyers, accountants and auditors, where necessary for the provision of professional advice or in connection with legal claims.

Regulators, authorities and law enforcement

We may share personal data with courts, regulators, public authorities and law enforcement bodies where: 

  • we are required to do so by law; 
  • it is necessary to comply with a legal obligation;
  • it is necessary to prevent or detect crime; or
  • it is necessary for the establishment, exercise or defence of legal claims. 

Other disclosures

We may also share personal data where necessary to: 

  • protect our rights, property or safety, or that of others; or
  • manage disputes, complaints or claims. 

Safeguards

We require all third parties to respect the security of your personal data and to process it in accordance with the law. Where third parties process personal data on our behalf, we put in place appropriate contracts and data processing agreements to ensure that your personal data is protected and only used for specified purposes.

Further information

The identity of our service providers may change from time to time. If you would like further information about the third parties we share data with, please contact us using the details set out in this policy.

We do not sell your personal data

We do not sell your personal data to third parties. 

International transfers

We may transfer your personal data to countries outside the United Kingdom.

Countries outside the UK may have different data protection laws which may not provide the same level of protection for personal data.

Where we transfer your personal data outside the UK, we will ensure that appropriate safeguards are in place to protect your personal data, in accordance with data protection law. These may include:

  • transferring personal data to countries that have been recognised by the UK as providing an adequate level of protection (known as “adequacy regulations”); or
  • using legally approved contractual safeguards, such as the UK International Data Transfer Agreement or the International Data Transfer Addendum to the European Commission’s standard contractual clauses.

We will only transfer personal data outside the UK where it is lawful to do so.

If you would like further information about any transfers of your personal data outside the UK, please contact us using the details set out in this policy.

How long we keep your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

In determining how long to retain personal data, we consider:

  • the nature, amount and sensitivity of the personal data; 
  • the purposes for which we process it; 
  • the potential risk of harm from unauthorised use or disclosure; and 
  • applicable legal or regulatory requirements.

Retention periods

We retain personal data for the following periods: 

  • Website usage data – typically retained for up to 12 months for analytics and website improvement purposes; 
  • Purchase and transaction data (including goods and services) – retained for up to 6 years to comply with legal and contractual obligations and to deal with any disputes; 
  • Membership data – retained for the duration of the membership and for up to 2 years after it ends; 
  • Bookings, stays, courses and activities – retained for up to 6 years after the relevant activity; 
  • Grant applications and funding records – typically retained for up to 5 years, or up to 21 years where the grant relates to property or buildings; 
  • Enquiries and complaints – retained for as long as necessary to resolve the matter and for a reasonable period afterwards in line with our internal retention policies; 
  • Marketing data and newsletter subscriptions – retained for up to 12 months or until you opt out, whichever is sooner; 
  • Recruitment data – retained for as long as necessary for the recruitment process and, where appropriate, for a reasonable period afterwards in line with our internal retention policies; 
  • Athlete support data – retained for as long as necessary to provide support services and in accordance with applicable legal and professional requirements; 
  • CCTV footage – typically retained for up to 30 days, unless required for an investigation or legal proceedings, in which case it may be retained for longer.
  • Images and media – retained for a period of up to 7 years (please note that material published in print, broadcast, or third-party media may remain in circulation after withdrawal.

When we no longer need your data

When personal data is no longer required, we will securely delete it. 

In some circumstances, we may retain personal data for longer periods where necessary to:

  • Comply with legal or regulatory obligations; 
  • Establish, exercise or defend legal claims; or
  • Carry out research or statistical analysis (in which case the data will be anonymised where possible). 

Keeping your personal data secure 

We have appropriate technical and organisational measures in place to protect your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We limit access to your personal data to those employees, agents, contractors and other third parties who have a genuine business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data breach. Where required, we will notify you and any applicable regulator of a personal data breach in accordance with data protection law.

We regularly review and update our security measures to ensure that your personal data remains protected.

Your rights include: 

Access

You have the right to request a copy of the personal data we hold about you. 

Correction

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. 

Erasure

You have the right to request that we delete your personal data in certain circumstances. 

Restriction

You have the right to request that we restrict the use of your personal data in certain circumstances. 

Data portability

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to have that data transferred to another organisation where technically feasible. 

Objection

You have the right to object to the processing of your personal data where we are relying on a legitimate interest or public task, and to object at any time to your personal data being used for direct marketing. 

Withdraw consent

Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. 

Exercising your rights

If you wish to exercise any of your rights, please contact us using the details set out in this policy. 

We may need to request specific information from you to help us confirm your identity before responding to your request. 

We will respond to your request within the timeframes required by data protection law. 

In most cases, you will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse to comply with a request if it is clearly unfounded, repetitive or excessive.

Further information

For more information about your rights, you may find it helpful to visit the Information Commissioner’s Office (ICO) website.

How to complain

If you have any concerns about how we use your personal data, we encourage you to contact us in the first instance using the details set out in this policy. We have an internal process for handling complaints about how we use personal data and will investigate your concerns and respond within a reasonable timeframe. We may ask you for further information to assist in investigating your complaint and will inform you of the outcome. 

You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues.

You can contact the ICO using the details below:

•    Website: https://ico.org.uk/make-a-complaint 

•    Telephone: 0303 123 1113 

We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO.

How to contact us

If you have any questions about this privacy policy or how we use your personal data, or if you wish to exercise your rights, please contact us using the details below:

Email: DPO@sport.wales

Address: National Centre, Sophia Gardens, Cardiff, CF11 9SW

Telephone: +44 (0)29 2033 8259

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy.

If you have any questions about this policy or how we handle your personal data, you can contact the DPO using the contact details above.

Changes to this privacy policy

We may update this privacy policy from time to time. When we make significant changes, we will take appropriate steps to inform you, such as by publishing the updated policy on our website.

We recommend that you check this page periodically to stay informed about how we use your personal data.

Third party links

Our website contains links to third party websites. We are not responsible for their privacy practices. Please review their privacy policies before providing any personal data. 

Do you need extra help? 

If you would like this policy in another format, please contact us (see ‘How to contact us’ above).