Who we are
Scottish Rugby Limited (“Scottish Rugby” “we” or “us”) is a company registered in Scotland (Company Number SC132061) and is registered as a controller with the Information Commissioner (ICO registration number Z9734099).
We will contact you (by email or letter) to notify you of these updates where:
- we are making substantial changes; or
We are committed to protecting your personal information and respecting your privacy.
If you are not satisfied with the response we provide, you have the right to lodge a complaint with the Information Commissioner’s Office. Find out on their website how to report a concern at ico.org.uk/concerns/.
What personal information we collect
We may collect, hold and use the following personal information from or about you:
- Personal details: this may include your name, address, date of birth, telephone number, email address and gender;
- Financial information: this may include your billing address, bank account, payment card details and your purchasing preferences;
- Images: your image (if filmed or recorded when attending our sites or events for example);
- Information about how you interact with us and our services, and how these can be delivered and tailored to you: this includes information about how you use our website and app, including information collected by cookies, as well as relevant demographic and lifestyle information, which may be used to automatically suggest improvements to your customer experience – please see Automated Decision Making;
- Marketing and communication preferences: this includes the preferences you have given us, your responses to marketing and other communications, and information to help us understand your interests;
- Your devices and location: this may include details of your use of our IT systems, applications and websites (including traffic data, location data, weblogs and other communication data and the resources you access) information about your computer, including your IP address, operating system and browser type;
- Details of complaints: details of any complaints you may have submitted to us; and
- Records of your contact with us: this may include any other personal information you provide to us when contacting or corresponding with us, when requesting any products and services from us, when providing any products and services to us, when entering into or performing any contract with us, when signing up to, attending or participating in our events, competitions or matches, or when entering our promotions.
Where we collect your personal information from
In order to provide you with relevant services we need to collect and use your personal information from a number of different sources, including:
Personal information we collect directly from you:
- Personal information you give to us
- CCTV that is in operation at our premises, matches and events for safety, security and crime prevention purposes
- When you talk to us on the phone
- When you use our websites, mobile device apps, or web chat services
- In emails and letters
- In customer surveys
- If you take part in our competitions or promotions
We endeavour to keep all personal information that we hold about you correct, complete and accurate. However, we need your help. If you become aware that any of the personal information you have provided to us or that we hold about you is out of date or is otherwise inaccurate, please contact us using the details set out above – please see Contact information.
Personal information we collect when you use our services include:
- Information about how you respond to email communications we have sent, such as whether you have opened an email
- Online profile and usage data
Personal information that we collect from our third-party partners:
- Other rugby unions, competition administrators and related venues
- Government and local councils
- Law enforcement agencies
- Social media
- Companies that introduce you to us
- Agents and contractors working on our behalf
Personal information that is recorded – call recording, CCTV, video and photos
Please also note that filming and photography takes place at certain of our matches, competitions and events. By attending any match, competition or event, you agree to your image being filmed, photographed or recorded at that match, competition or event and grant your permission, free of charge, for both Scottish Rugby and its licensees to use such images in pictures and/or films (including publication on the internet and in social media).
Who we share your personal information with
In order to provide our services to you, we need to provide your personal information to third parties who may be working on our behalf or collaborating with us where there is an appropriate legal basis to disclose your personal information to them. We share your personal information with the following categories of third parties:
- with other members, private equity partners or trading divisions of the Scottish Rugby Group;
- with our website hosting, server and IT systems providers;
- with any third-party whose services we require to use for credit control, debt collection or payment processing purposes, these may include our online ticketing services provider, our catering & hospitality services provider, our retail services provider, our printing and fulfilment providers, our customer relationship management database/services provider, the rugby club, body or society of which you are a member, or any third-party operator of a match, competition or event at one of our sites;
- with any actual or potential purchaser of the whole or any part of our organisation or assets (or those of any members of our group of companies);
- with our sponsors or partners to keep you informed via mail, email, SMS or telephone about other offers, events, products and services offered by them that may be of interest to you (only if you have agreed for your personal information to be shared in this way and subject to your ability to withdraw that agreement at any time);
- with our legal advisers and other professional advisers (including auditors) for the purposes of taking such advice;
- with any third-party where necessary to comply with applicable laws or regulations, court orders, law enforcement, fraud prevention, to enforce the terms under which you contracted with us, or to protect our rights, property or the safety and security of users of our website or attendees at our matches, competitions and events;
- The Information Commissioner’s Office;
- with other rugby unions, competition administrators (such as Six Nations Rugby, World Rugby or United Rugby Championship) and related venues;
- with people with whom you have authorised us to share your personal information; and
- with any third-party whose services we require for print and design, customer or market research, and analytics.
We will only ever share your personal information with our third party partners and service providers for the purposes of marketing their products and services or directly promoting their products and services where we have your consent to do so.
Where we share your personal information with our third party partners and service providers, your personal information shall only be shared for specific and limited agreed purposes and such data sharing shall be subject to a suitable data sharing agreement which shall set out the permitted uses of the personal information, the data security requirements, duration of the data sharing, and procedures for return or deletion of personal information upon termination of the data sharing.
Why we collect your personal information
We may collect, hold and use personal information from or about you for the following purposes:
- to manage, develop, promote and administer matches, competitions, events and the sport of rugby union;
- to administer and complete any request that you make of us, for example to provide any product or service that you have requested from us (and to keep in contact with you for such purposes);
- for the purposes of the performance of any contract that you have entered into or are taking steps to enter into with us (and to keep in contact with you for such purposes);
- to enable us to administer and provide any of our competitions, events or other offers/promotions that you have entered or are taking steps to enter with us (and to keep in contact with you for such purposes);
- to set up and administer any of your online accounts with us;
- to manage, understand and respect your preferences;
- to keep you informed via mail, email, social media, SMS or telephone about other offers, events, products and services offered by us, or our sponsors or partners, that may be of interest to you and to personalise and/or tailor any such communications (only if you have agreed to be contacted in this way and subject to your ability to withdraw this agreement at any time);
- to improve the products and services we offer, we may use third party service providers to help us to do this and such services may include data enrichment (to improve the accuracy and completeness of the personal information that we hold), as well as data segmentation (to allow us to conduct more tailored and targeted marketing) – please see Data enrichment and segmentation;
- to obtain feedback on our website or on our events, competitions, products and services;
- for record keeping, research, monitoring and analysis purposes;
- to keep you informed of any changes to our website;
- to help diagnose server problems and administer our website; and
- to comply with applicable laws or regulations, court orders, law enforcement and fraud prevention requirements.
We may ask you from time to time if we can collect, hold and use your personal information for other purposes. If we do so, we will provide you with any necessary information on how we will use your personal information for such additional purposes.
Our lawful basis for using your personal information
There are four main ways that we are permitted to use your personal information:
- To enter into or fulfil our contractual commitments to you,
- To meet our legal obligations,
- When you consent to us using your personal information, or
- When it is in our legitimate interests.
Many of these uses are mandatory – in other words, where we need to use your personal information to meet our contractual obligations to you or to meet our legal obligations.
We may use your personal information for more than one purpose, depending on the circumstances. There may be situations where we rely on two legal bases as a matter of course to achieve the same or similar purposes. These include those relating to direct marketing and service communications.
To fulfil some of the purposes, we may use automated decision making, in particular in respect of improving our products and services and tailoring how we market these products and services to you. For more information about this, please see Using your personal information to make automated decisions below.
We have determined, acting reasonably and considering the circumstances, that we are able to rely on legitimate interests as the lawful basis on which to process your personal information in certain circumstances. We have reached this decision by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual.
Data enrichment and segmentation
We sometimes combine your personal information with personal information collected from other members of the Scottish Rugby group, our sponsors or partners and other rugby unions and competition administrators, as well as our third party service & Data providers in order to create such customer segments (not containing any personal information). This combined information is then used to monitor and improve the competitions, matches and events that we run and the products and services that we offer to improve the customer experience, refine our marketing strategy and tailor and target our marketing messages in order to provide you with marketing that is relevant to your lifestyle and preferences.
Using your personal information to make automated decisions
On occasion we will use algorithms, computer programmes and automated decisions to speed up our customer service and make our products and features more relevant to you, as well as to analyse personal information by creating customer segments – see Data enrichment and segmentation.
However, these automated decisions do not introduce legal (or other similarly significant) effects on you (unless this is a necessary step to take when entering into or as part of a contract with you). You have a right to object to these algorithms, computer programmes and automated decisions – please see Controlling your personal information, each objection will be reviewed by one of our customer services team.
How your personal information is protected and where it is kept
Your personal information will be held within the United Kingdom or in the European Economic Area on a secure server. We will use reasonable security measures to seek to prevent unauthorised access to your personal information.
If a password is required to access certain areas of our website, IT systems or applications, you are responsible for keeping your password secure and confidential. You must not leave your password unattended or disclose your password to any other person.
Sending data outside of the UK or the EEA (by us)
On occasion your personal information will be transferred to third-party organisations, some of whom may be located outside of the UK or the EEA, to facilitate provision of our services. For example, this could happen if any of our servers that store your personal information are located in a country outside of the UK or the EEA, or when one of our service providers is located in a country outside of the UK or the EEA, such as South Africa or Australia. Different countries have different data protection and security laws and some of these do not offer the same level of protection as you enjoy under UK and EU data protection legislation.
We will have agreements with these third-party organisations which provide that they will not use your personal information for any purposes other than those we have agreed with them. We explicitly require that any third-party organisations that use your personal information on our behalf implement adequate safeguards to protect your personal information, in accordance with the UK or EU GDPR (as applicable) and any other applicable UK and EU data protection legislation. For example, we may put contracts in place (which are approved by the UK Information Commissioner and, where applicable, the European Commission and are known as “standard contractual clauses”) with those service providers, or alternatively will ensure they have signed up to, and comply with, any other approved mechanisms that may become available to us in the future. We will also carry out an appropriate risk assessment of the laws and practices of the destination country to identify any technical and organisational measures that need to be put in place to ensure that your personal information is fully protected when in that country.
How long your personal information is kept
Your personal information will be held for no longer than is reasonably necessary for the purpose for which it was obtained. We will carry out periodic reviews of the personal information that we hold about you to ensure that this is the case.
We will also retain your personal information to maintain historical, statistical and statutory records in accordance with applicable laws, regulations or guidance. Where we do this, we will implement appropriate safeguards to protect your personal information, including where technical limitations restrict our ability to remove your personal information from our systems.
If you choose not to give personal information
We may need to collect personal information by law, or under the terms of a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services or provide a product you have requested.
We wish to send you marketing communications for products and services that may be relevant to you. We may also need to send you communications that are not direct marketing communications (service communications) from time to time. Service communications relate to information that is necessary for us to convey when you are attending events, competitions or matches, or receiving products and services.
We will only contact you, or businesses associated with you, with marketing messages by email/ MMS/ SMS/ in-App where we are permitted to do so in accordance with UK data protection legislation (i.e. where we have collected the appropriate permissions).
Where we rely on your consent, we may seek, or re-seek, your marketing consent any time there is a change in our marketing strategy or your relationship with us, including where there is a change in law or where there is a structural change in our organisation.
From time to time, we may send you marketing messages by email/ MMS/ SMS/ in-App relating to our own events, products and services without your consent where you have not opted out of receiving marketing message. Under the UK data protection legislation, we are permitted to do this in relation to existing customers or those prospective customers that have expressed an interest in our events, products or services. However, we will never send you marketing messages of third parties without your prior consent. We will always give you the chance to opt out of receiving direct marketing messages by email/ MMS/ SMS/ in-App when we first collect your personal information and, thereafter, in every marketing message that we send (via the “unsubscribe” link at the foot of the marketing message). Where you exercise this option, we will cease to send you marketing message by email/ MMS/ SMS/ in-App. Additionally, you have a right to object to all marketing messages whether electronic marketing or by post or telephone (please see Controlling your personal information below). You are free to change your preferences at any time either online or by contacting us – please see Contact information.
Social media and other digital platforms
We work with third-party digital platforms, including Google, and social media companies, including Meta and Instagram, to advertise our events, products and services, and also to prevent some or all of our customers from receiving advertising directed directly to them. This will take place on the social media and digital platforms where advertising space has been made available to us.
We will send your email address in scrambled encrypted form to social media companies who match this with scrambled versions of information they already hold. The social media site will then use this information either to exclude you from advertising, or to show you adverts for events, products or services that may be relevant to you (for example, upcoming events or ticket sales). We will require that the social media companies have processes in place to prevent them from viewing your unscrambled email address and they will delete it immediately if there is no match.
Where there is a match, the social media sites may also use their records to create lists of people who, according to their records, share similar characteristics to you and who may be interested in Scottish Rugby events, products and services and we may show our advertising to those groups.
If you use social media services, please see their separate privacy policies which will describe their use of your personal information in more detail, including how you can opt out of this type of direct marketing.
If you wish to exercise any of your rights outlined below, please contact us at: email [firstname.lastname@example.org] or write to us at [Scottish Rugby Limited, BT Murrayfield, Edinburgh EH12 5PJ].
Obtaining your personal information
You have the right to obtain a copy of the personal information we hold about you. To exercise this right, please contact us using the details set out above.
You also have the right to get your personal information from us in a format that can be easily re-used. You can also ask us to pass on your personal information in this format to other organisations if this is technically feasible.
Correcting your personal information
You have the right to question any information we have about you that you think is wrong or incomplete. Please contact us if you want to do this using the contact details set out above.
Controlling your personal information
UK data protection legislation provides you with a number of rights in relation to how we can use your personal information.
- Right to erasure (Right to be forgotten) – you have the right to request the deletion or removal of your personal information where there is no compelling reason for its continued processing by us.
- Right to restrict processing – you have the right to request that we block or suppress processing of your personal information.
- Right to object – you have the right to object to the processing of your personal information by us where the processing is based on our legitimate interests, is processed for direct marketing purposes (including profiling) or for the purposes of statistics. If you wish to object to our use of legitimate interest for marketing, please see Withdrawing your consent below for contact details.
- Rights related to automated decision-making including profiling – you have the right not to be subject to automated decision making, including profiling that introduce legal (or other similarly significant) effects on you. We can only carry out these activities where the decision is necessary for entry into or the performance of a contract, authorised by a UK law to which we are subject or based on your explicit consent – for more information, please see Using your personal information to make automated decisions.
There may be legal or other reasons why we need to use your personal information in this way, but please contact us if you think otherwise.
Note also that if you exercise your right to erasure, to restrict processing or to object, this may adversely affect your ability to attend or participate in our matches, competitions or events, to obtain products and services from us, or to use our website;
Withdrawing your consent
Where we process personal information based on your consent, you have the right to withdraw this consent at any time. If you withdraw your consent, and we rely on it to use your personal information, we may not be able to provide certain products or services to you. Please contact us if you want to do this.
March 2023 © Scottish Rugby Limited 2023