Our Commitment
Deepings Rugby Union Football Club (DRUFC) is committed to protecting the privacy and security of the personal data of its members, players, officials, coaches, and volunteers.
As a data controller, we are responsible for determining the purposes and means of processing this data. We adhere to the seven principles of GDPR, ensuring data is:
1. Processed lawfully, fairly, and transparently.
2. Collected for specified, explicit, and legitimate purposes.
3. Adequate, relevant, and limited to what is necessary.
4. Accurate and, where necessary, kept up to date.
5. Kept for no longer than is necessary.
6. Processed in a manner that ensures appropriate security.
7. The club is accountable for all these principles.

Information We Collect and How We Use It
We collect and process personal data that is necessary for the administration of the club and the running of rugby activities:
Membership Data
Name, Date of Birth, Gender, RFU ID (GMS), Address, Contact details (phone, email).
To manage membership, registration (RFU Regulation 15 & 21), fee payment, and to provide match and training information. (Contractual necessity/Legitimate interest).

Sensitive Data
Medical conditions, allergies, relevant disabilities, injury history (e.g., concussion management).
To ensure player safety, welfare, and appropriate first aid provision during club activities. (Explicit consent/Substantial public interest).

Vetting Data
DBS Check Status, required qualifications.
To ensure the suitability of coaches and volunteers working with children and adults at risk, in line with RFU Regulation 21. (Legal obligation/Substantial public interest).

Communication Data
Communication preferences, image consent, marketing consent.
To communicate essential club information and, where consent is given, for marketing purposes (e.g., newsletters, events). (Consent/Legitimate interest).

Data Processing and Storage
The Game Management System (GMS)
• The club is required by the RFU to use the RFU Game Management System (GMS) to register all players, coaches, and volunteers.
• Data entered into GMS is stored and managed by the RFU. The club is responsible for ensuring the data it inputs is accurate and up-to-date.
B. Data Storage
• Outside of GMS, physical records (e.g., paper consent forms, first aid logs) are stored securely in a locked cabinet at the clubhouse or the home of the Data Protection Lead.
• Digital records (e.g., electronic spreadsheets) are stored on password-protected devices or secure cloud storage with restricted access.
• Medical data (sensitive data) is stored separately and access is highly restricted to the Team Manager, Coach, and Club Safeguarding Officer, on a need-to-know basis.
C. Data Retention
• We will retain personal data for only as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
• Upon a member leaving the club, their data will typically be archived or securely deleted after a period of two full seasons to allow for the completion of any disciplinary or financial processes, except where required for ongoing historical purposes (e.g., club records, honours boards).

Sharing of Personal Data
We only share personal data with third parties where necessary for legitimate rugby purposes or where legally required:
1. RFU and CBs: Data is shared through GMS for player registration, regulatory compliance, and governance of the game.
2. Other Clubs: Limited data (e.g., player name and RFU ID) is shared with opposition clubs and league organisers for the purpose of organising fixtures and matches.
3. Emergency Contacts: In the event of a medical emergency, a player's relevant medical data and emergency contact details will be shared with the appropriate First Aid provider or emergency services.
4. Service Providers: Data may be shared with trusted third parties who provide services on our behalf (e.g., Pitchero or other website platforms, or payment processors). We require all third parties to respect the security of your data and treat it in accordance with the law.
5. Pitchero: The club uses Pitchero as its primary website and membership management platform. Pitchero acts as a data processor on behalf of DRUFC. We use Pitchero to facilitate membership registration, team selection, communication with members, and, where applicable, payment processing. By becoming a member and providing data to DRUFC via Pitchero, you acknowledge and agree that your personal data will be processed by Pitchero in accordance with their Privacy Policy and Terms of Use. We encourage all members to review the Pitchero documentation.

Your Rights as a Data Subject
Under UK GDPR, you have the right to:
• Access your personal data (Subject Access Request).
• Request the correction of inaccurate data.
• Request the deletion of your data (Right to be Forgotten).
• Object to the processing of your data.
• Request the restriction of processing your data.
• Request the transfer of your data to another party.
• Withdraw consent at any time, where processing is based on consent (e.g., marketing).
To exercise any of these rights, please contact the Data Protection Lead in writing (see contact details below).

Contact Information and Complaints
Role: Data Protection Lead (DRUFC)
Designation: Hon. Secretary
Contact Email: secretary@deepingsrufc.co.uk

Role: RFU Data Protection Officer
Designation: Rugby Football Union
Contact Email: legal@rfu.com

If you have a concern about the way we are handling your data and are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.
• ICO Website: ico.org.uk

Pitchero Privacy Policy