The Sports Council for Wales (trading as Sport Wales) are committed to protecting your privacy and personal information. This policy (together with our terms of website use, and any other documents referred to in them) sets out the basis upon which we collect, use, and protect your personal data. Please read the following carefully to understand our practices regarding your personal data and how we will process it.
By using our services (including visiting this website) you acknowledge the information set out in this policy. This policy is provided for transparency and does not rely on your consent as a legal basis for processing unless expressly stated. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is SPORTS COUNCIL FOR WALES, Sophia Gardens, Cardiff, CF11 9SW. Registration number: Z5769715
Sport Wales uses your personal information differently based on how we work with you. You can find out more about how we use your information in each situation by following the links below.
This privacy notice applies to:
In the sections below, when referring to the individuals listed above, we use the terms “you” or “your”.
We take your privacy extremely seriously and want you to feel confident that your personal information is safe in our hands.
We will only use your personal information in accordance with data protection law applicable to England and Wales from time to time.
Sport Wales acts as the data controller in respect of the personal data described in this policy. Essentially, this means that we will be making decisions about how we want to use your personal information and why.
Below, we summarise the main rules that apply to us under data protection law when we use your personal information:
Any social media posts or comments you send to us (on the Sport Wales Facebook page, for instance) will be shared under the terms of the relevant social media platform (e.g. Facebook, Twitter, Instagram) on which they're written and could be made public. Other people, not us, control these platforms. We are not responsible for this kind of sharing.
Before you make any remarks or observations about anything, you should review the terms and conditions and privacy policies of the social media platforms you use. That way, you'll understand how they will use your information, what information relating to you they will place in the public domain, and how you can stop them from doing so if you're unhappy about it.
We may collect, use, store and transfer different types of personal data about you depending on how you interact with and use our website and our services. This includes:
We use different methods to collect data from and about you including through:
In some cases, you are required to provide personal data in order for us to deliver our services or comply with legal obligations.
If you do not provide the personal data we request, we may not be able to provide certain services, process your requests, or enter into or perform a contract with you.
Where providing personal data is optional, we will make this clear at the point of collection.
We recognise that children may access and use our website.
We do not knowingly collect personal data from children for purposes other than those set out in this policy, such as enabling the website to function properly and to understand how it is used (for example, through analytics and cookies).
Where our website uses cookies or similar technologies that require consent, this consent is obtained from the user of the device. We take reasonable steps to ensure that information about our use of cookies and personal data is presented in a clear and accessible way so that it can be understood by all users, including children.
We do not generally require parental consent for the use of cookies or similar technologies on our website. However, where we process children’s personal data in other contexts (for example, participation in programmes or activities), we will take appropriate steps to ensure that such processing is fair and lawful, which may include seeking consent from a parent or guardian where required.
We take into account regulatory guidance on children’s data and design our communications and processing activities to be fair, clear and appropriate for younger users.
We keep our approach to children’s data under review and take steps to ensure that their personal data is appropriately protected.
Under data protection law, we must have a lawful basis for using your personal data. Depending on the circumstances, we rely on one or more of the following:
Consent – where you have given us permission to use your personal data. Where we rely on consent, you are free to withdraw it at any time. Where possible, you may do so using the same method by which consent was given. Refusing or withdrawing consent will not result in any detriment to you unless the processing is necessary to provide a service you have requested. Further information about these lawful bases can be provided on request.
We use your personal data for the purposes set out below:
| Purpose | Personal data used | Lawful basis |
|---|---|---|
| Operating and administering our website, including improving website functionality and user experience | Technical and usage data | Public task; Legitimate interests in operating, maintaining and improving the website. For details regarding the information we collect via cookies, please see our Cookie Policy. |
| Providing goods and services (including purchases made through our website) | Identity, contact, financial and transaction data | Performance of a contract; legal obligation for financial / tax records; legitimate interests for administration, record-keeping and enforcing terms |
| Managing bookings, stays, courses, activities and access to facilities | Identity, contact, participation data and vehicle data (where required) | Performance of a contract |
| Managing memberships and use of our facilities | Identity, contact, membership and payment data | Performance of a contract; legitimate interests for service improvement and administration |
| Ensuring health and safety in our facilities and activities | Identity, contact and health data | Vital interests where necessary to protect someone’s health/safety;
|
| Communicating with individuals in the sport sector (clubs, associations and organisations) | Identity, contact and sport sector engagement data | Public task / exercise of official authority;
|
| Supporting and promoting participation in sport (including use of images) | Identity, contact and content and publicity data | Public task / exercise of official authority. Where we intend to collect and use images or video of you for this purpose, or otherwise process special category data, we will ask for your explicit consent to do so. |
| Administering grants and funding programmes | Identity, contact, grant and funding data and equality information | Public task / exercise of official authority;
Where special category data is to be processed in connection with this purpose, such as for the monitoring of equality and data we may rely on substantial public interest. In other instances, we will ask for your explicit consent. |
| Sending newsletters and marketing communications | Identity, contact and marketing and communications preferences | Consent (for newsletter subscriptions);
|
| Handling enquiries, complaints and correspondence | Identity, contact and communications data | Legitimate interests in complaint handling and dispute resolution;
establishment/exercise/defence of legal claims |
| Conducting surveys and improving our services | Technical and usage data, communications data and aggregated and anonymised data | Legitimate interests in evaluating and improving services;
|
| Recruitment and employment processes | Identity, contact, recruitment and employment data and (where appropriate) criminal offence data | Taking steps before entering into a contract;
Where criminal offence data is collected for this purpose, it will be processed in accordance with Article 10 UK GDPR with reliance upon the employment, social, security, and social protection authority provided by Schedule 1 of the Data Protection Act 2018. |
| Supporting athletes through the Welsh Institute of Sport (including performance and medical support) | Identity, athlete support data and health data | We may also rely on |
| Security, fraud prevention and legal compliance (including CCTV) | Identity, transaction, CCTV data and incident-related data | Public task; substantial public interest in preventing/detecting unlawful acts;
|
We do not carry out solely automated decision-making that produces legal or similarly significant effects on individuals.
For more information about how we use cookies, please see our Cookie Policy.
Certain personal data we collect is treated as a special category to which additional protections apply under data protection law. The type of special category personal data we may process from time to time includes:
Where we rely on your consent to process special category personal data, we will ask for your explicit consent. For instance, this could include instances where you agree to participate in our promotional content and share sensitive information about yourself when doing so.
However, in limited circumstances, we may rely on a different lawful basis to process your special category personal data. These lawful bases may include:
In all cases, we will ensure that we have an appropriate lawful basis for processing your personal data in accordance with data protection law.
We share personal data with third parties where this is necessary for the purposes set out in the above section ‘How will we use your personal data?”.
Service providers
We share personal data with third party service providers who help us deliver our services and perform our contracts with you. This may include:
IT and systems providers
We use third party providers to support our IT systems and infrastructure. This includes:
Cyber security providers
We may share personal data with third party services providers who provide cyber security services to help protect our digital systems, network, and data held.
Such providers may process data automatically, or with the assistance of artificial intelligence, in accordance with their own policies.
Marketing and communications providers
We may share personal data with third parties who assist us with marketing and communications, including creating and delivering communications on our behalf.
Professional advisers
We may share personal data with our professional advisers, including lawyers, accountants and auditors, where necessary for the provision of professional advice or in connection with legal claims.
Regulators, authorities and law enforcement
We may share personal data with courts, regulators, public authorities and law enforcement bodies where:
Other disclosures
We may also share personal data where necessary to:
Safeguards
We require all third parties to respect the security of your personal data and to process it in accordance with the law. Where third parties process personal data on our behalf, we put in place appropriate contracts and data processing agreements to ensure that your personal data is protected and only used for specified purposes.
Further information
The identity of our service providers may change from time to time. If you would like further information about the third parties we share data with, please contact us using the details set out in this policy.
We do not sell your personal data
We do not sell your personal data to third parties.
We may transfer your personal data to countries outside the United Kingdom.
Countries outside the UK may have different data protection laws which may not provide the same level of protection for personal data.
Where we transfer your personal data outside the UK, we will ensure that appropriate safeguards are in place to protect your personal data, in accordance with data protection law. These may include:
We will only transfer personal data outside the UK where it is lawful to do so.
If you would like further information about any transfers of your personal data outside the UK, please contact us using the details set out in this policy.
We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
In determining how long to retain personal data, we consider:
Retention periods
We retain personal data for the following periods:
When we no longer need your data
When personal data is no longer required, we will securely delete it.
In some circumstances, we may retain personal data for longer periods where necessary to:
We have appropriate technical and organisational measures in place to protect your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a genuine business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.
We have procedures in place to deal with any suspected personal data breach. Where required, we will notify you and any applicable regulator of a personal data breach in accordance with data protection law.
We regularly review and update our security measures to ensure that your personal data remains protected.
Your rights include:
Access
You have the right to request a copy of the personal data we hold about you.
Correction
You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
Erasure
You have the right to request that we delete your personal data in certain circumstances.
Restriction
You have the right to request that we restrict the use of your personal data in certain circumstances.
Data portability
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to have that data transferred to another organisation where technically feasible.
Objection
You have the right to object to the processing of your personal data where we are relying on a legitimate interest or public task, and to object at any time to your personal data being used for direct marketing.
Withdraw consent
Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time.
If you wish to exercise any of your rights, please contact us using the details set out in this policy.
We may need to request specific information from you to help us confirm your identity before responding to your request.
We will respond to your request within the timeframes required by data protection law.
In most cases, you will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse to comply with a request if it is clearly unfounded, repetitive or excessive.
Further information
For more information about your rights, you may find it helpful to visit the Information Commissioner’s Office (ICO) website.
If you have any concerns about how we use your personal data, we encourage you to contact us in the first instance using the details set out in this policy. We have an internal process for handling complaints about how we use personal data and will investigate your concerns and respond within a reasonable timeframe. We may ask you for further information to assist in investigating your complaint and will inform you of the outcome.
You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues.
You can contact the ICO using the details below:
• Website: https://ico.org.uk/make-a-complaint
• Telephone: 0303 123 1113
We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO.
If you have any questions about this privacy policy or how we use your personal data, or if you wish to exercise your rights, please contact us using the details below:
Email: DPO@sport.wales
Address: National Centre, Sophia Gardens, Cardiff, CF11 9SW
Telephone: +44 (0)29 2033 8259
Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy.
If you have any questions about this policy or how we handle your personal data, you can contact the DPO using the contact details above.
We may update this privacy policy from time to time. When we make significant changes, we will take appropriate steps to inform you, such as by publishing the updated policy on our website.
We recommend that you check this page periodically to stay informed about how we use your personal data.
Our website contains links to third party websites. We are not responsible for their privacy practices. Please review their privacy policies before providing any personal data.
If you would like this policy in another format, please contact us (see ‘How to contact us’ above).