Customer Fair Processing Notice
Heart of Midlothian Football Club takes your privacy very seriously and is committed to respecting your personal data. We will ensure that any data you provide to us will be stored securely, treated with confidentiality and processed in accordance with the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR, which includes a reference to GDPR as it forms a part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018) or any other relevant laws in force from time to time relating to privacy and data protection (together, Privacy Laws).
This fair processing notice (Notice) sets out how we will collect, use and share your personal data when you buy products, use our services, visit our premises or when you visit our websites at www.heartsfc.co.uk and www.heartsdirect.co.uk. Our websites are not intended for users under 13 years. Users under 13 years should visit our websites with a responsible adult.
Please read this Notice carefully to understand how we will use and protect your personal data and for details of your rights.
Who are we?
We are Heart of Midlothian PLC, registered under company number SC005863, known as Heart of Midlothian Football Club (HMFC, we, us, our), and are classed as the "data controller" of your personal data. Our registered office address is at Collins House, Rutland Square, Edinburgh EH1 2AA.
If you have any questions about your personal data, please email us at email@example.com.
What is personal data?
Personal data means information, whether recorded in a material form or not, about a living individual who is either identified or reasonably identifiable.
Examples include an individual's name, address, contact number, email address and social media handles.
We collect personal data from you in various different ways.
We collect personal data from you:
(a) when you use our websites or if you provide us with information through our websites, for example, by creating an online account or subscribing to marketing communications and news updates;
(b) when you take out a subscription for one of our services such as Hearts TV or subscribe to match programmes;
(c) when you provide it to us over the phone, by email or letter or when you give it to us in person, for example if you visit the Tynecastle Park ticket office;
(d) when you purchase any goods or services from us, such as match tickets, season tickets, a Hearts Pass, hospitality packages, private venue hire, sponsorship, club merchandise, memorial plaques, stadium tours and heritage trails;
(e) when you send it to us to allow us to create a profile for you on our Hall of Fame;
(f) when you make a complaint and/or enquiry;
(g) when you attend matches or events;
(h) when you register to be a match mascot at one of our games;
(i) when you become a member of one of our clubs such as Junior Jambos;
(j) when you donate or loan items to us at the Hearts Museum;
(k) when you provide us with a donation or sponsor us; and
(l) through the use of CCTV at our premises including Tynecastle Park and the Hearts Museum.
We may also receive information about you from third parties such as the police and other football clubs or authorities including information about criminal convictions for event safety purposes.
We may collect various types of personal data about you.
We collect the following types of personal data from you:
- Identification Information: Title, name, gender and date of birth. Additionally, audio and/or visual recordings may be taken of you while you are at our premises, including via CCTV or for broadcasting and publicity purposes.
- Contact Information: Email address, billing address, delivery address, telephone number, social media handles, organisation (if booking on behalf of a business) and parent/guardian name (for children under the age of 13).
- Account Information: Customer reference number, account password and history of products and services you have previously purchased.
- Third Party Information: We will also collect the name and date of birth / date of death (this is optional) of a friend or loved one if you purchase a personalised engraved heart for the Forever In Our Hearts Memorial Garden at Tynecastle Park.
- Billing Information: Debit / credit card information and payment information including residential status. If you purchase your season ticket using V12 Finance we will also collect details about your employment history and the length of time you have lived at your address.
- Sensitive Information: Information about your health, medical history or disabilities if it is relevant to ensuring your health and safety for example if you are attending a match or event taking place at Tynecastle Park. If you are a mascot, we will ask for your health details that are relevant to the event.
- Website Use Information: In order to improve our websites, we may collect information about your digital footprint (e.g. the URL you came from, IP address, domain types), your browser type, the country and telephone area code where your computer is located, the pages of our websites that were viewed during your visit, the advertisements you clicked on, and any search terms that you entered on our websites. We may collect this information even if you do not register with us.
Unfortunately, if you do not provide us with certain information, we may be unable to provide you with some of our services.
We will use your personal data in various different ways.
We will use your personal data in the following ways:
(a) in the normal course of our business, we use identification, contact and billing information to allow us to register you to receive and provide you with our products and/or services for example by processing your transactions, fulfilling orders, sending you membership packs or personalising a plaque in our memorial garden – we also use your contact information to communicate with you about goods or services you have bought;
(b) where you have previously bought or made an enquiry about our goods or services, we will use your contact information to send you information about us, for example, to send you the latest news on our players or coaching staff, or about similar products and services which we think may be of interest to you such as upcoming matches and events or new season kit. You will be able to opt-out of such communications at any time by clicking the 'unsubscribe' link in any of our emails or by contacting us using the details at section 19 of this Notice;
(c) we may also use your contact details to contact you about parking / stadium disruption and general match day issues that are specific to the area or seat you have purchased;
(d) we will use information about products and services you have bought or enquired about, and information about how you have used our websites, to allow us to analyse your personal preferences and personalise our services to you;
(f) we will anonymise your identification information, information about products or services you have purchased, and information about how you have used our websites, to provide statistical data about HMFC to third party service providers that will help us to improve our services (including online and offline) to you (please note that the data passed to third parties and associated statistics will not directly identify you);
(g) we will use information about how you use our websites to help diagnose problems with our server and to administer and update our websites and associated web pages;
(h) we will use your identification and certain sensitive information to assist the UK Government, Public Health Scotland (or any replacement thereof) and the NHS with the Covid-19 NHS Track and Trace scheme and containing the spread of the Covid-19 virus (or any other pandemic or epidemic) in the UK;
(i) we will use your identification information and account information for security purposes, to ensure safe match day and event operation - this includes identification of any supporter who has been identified to us by the police for match ban purposes, or in connection with other illegal activity such as ticket touting or abuse, and where necessary to protect ourselves and third parties and to investigate breaches of our contracts, policies, regulations or terms and conditions; and
(j) to comply with our legal and regulatory obligations.
We will only use your personal data where we have a lawful basis to do so.
We will only use your personal data where we have a lawful basis to do so and in particular in the following circumstances:
(a) we need to use your personal data to perform a contract with you, for example when you have purchased a product or service from us, such as a season ticket;
(b) we need to use your personal data to comply with our legal obligations, enforce legal rights, or where otherwise required by law;
(c) you have given us consent to use your personal data (if consent is needed); and
(d) there are legitimate interests in using your personal data and there is no disadvantage to you or risk to your personal data.
We will only use your sensitive personal data in the following circumstances:
(a) where we have your explicit consent to do so;
(b) where it is required for the prevention and/or detection of crime; and
(c) to protect your vital interests and those of other people.
Shielding the online privacy of children is extremely important to us. If we reasonably believe that you are under 13 years of age, we may need to remove any personal details gathered from you online as well as from any submissions that you make to our websites or social media platforms. We recommend that parents supervise their children while they are online. There are various control tools available for online services that we advise parents to utilise in order to create a child-friendly online environment for their children.
We are dedicated to the protection of children's personal data and we do not actively market to children under the age of 13. We endeavour to limit the amount of personal data which we collect from users who are under 13.
We need a parent's or carer's permission to process any application for Junior Jambos or mascots, and to post any photographic content of any person under 13 years of age.
We will share your personal data with the following third parties:
(a) service providers and third party partners who process and store your personal data on our behalf, such as our providers of IT services and booking fulfilment providers;
(b) social media companies such as Facebook and Instagram and our advertising, commercial and sponsorship partners;
(c) professional advisors;
(d) law enforcement agencies such as Police Scotland, and with other professional football clubs and football authorities, where necessary for the prevention or detection of crime or the apprehension or prosecution of offenders;
(e) taxation and legal authorities; and
(f) any member of our group, which means Heart of Midlothian PLC and other companies which may be added to our group from time to time, to the extent needed for internal group administration.
We may also share your personal data with third parties:
(g) in the event that we, our business, or substantially all of its assets are acquired by a third party (in which case personal data about customers will be one of the transferred assets);
(h) if we are under a duty to disclose or share your personal data to comply with our legal obligations, in order to enforce any contract with you or to protect our rights, property, or safety of our employees, customers, or others (for example where it is necessary to share your personal data with the UK Government, Public Health Scotland (or any replacement thereof) and the NHS in connection with reducing the spread of Covid-19 or any other pandemic or epidemic); and
(i) otherwise where we have your consent or are otherwise legally permitted to do so.
We will not pass on your personal data to any third party to market their products/services to you unless we have obtained your consent. Any information collected from persons under the age of 18 will not knowingly be used for third party marketing purposes. In the case of a competition, notifications of wins and/or prizes will be sent to a parent or legal guardian for any person under the age of 18.
Our servers are located in the UK, and those of our principal service providers are based either in the UK or within the European Union.
While we will not usually transfer your personal data to countries outside the UK or the European Economic Area (EEA), it may occasionally be necessary to do so. We will only transfer your personal data outside the UK or the EEA where either:
(a) the transfer is to a country which the EU Commission has decided ensures an adequate level of protection for your personal data; or
(b) we have put in place our own measures to ensure adequate security as required by the Privacy Laws.
We will never retain your personal data for any longer than is necessary for each of the purposes we have identified above, so this period will vary depending on your interactions with us and the nature of the personal data in question. By way of example, we will never retain credit / debit card information after the payment transaction is complete and most of the information that we collect will be deleted after two seasons. We will retain information for longer when needed for legal and tax purposes. Please note that where you unsubscribe from our marketing communications, we will keep a record of your email address and/or phone number (as applicable) to ensure we do not send you marketing emails in future.
If you would like further information about our retention procedures, please contact us using the details at section 19 of this Notice.
The Privacy Laws give you a number of rights which are listed below. If you would like to exercise any of your rights, please contact us using the details at section 19 of this Notice.
- Right to object: You may object to our use of your personal data. Please contact us, providing details of your objection.
- Right to access your personal data: You may request access to a copy of your personal data that we hold, along with information on what personal data we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You may make a request for access free of charge.
- Right to withdraw consent: If you have given us your consent to use your personal data, you can withdraw your consent at any time.
- Right to rectification: You may ask us to change or complete any inaccurate or incomplete information we hold about you.
- Right to erasure: You may ask us to delete your personal data where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
- Right to portability: You may ask us to provide you with the personal data that we hold about you in a structured, commonly used, electronic format, or ask for us to send such personal data to another data controller.
- Right to restriction: You can ask us to restrict the personal data we use about you where you have asked for it to be erased or where you have objected to our use of it.
- Right to make a complaint: You may make a complaint about our data processing activities by contacting us using the details at section 18 of this Notice. Alternatively, you may make a complaint to the UK supervisory authority, which is the Information Commissioner's Office, by visiting their website at www.ico.org.uk, by phoning 0303 123 1113 (local rate) / 01625 545 745 (national rate), or by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
We use a CCTV system at our premises which includes all areas within and outside Tynecastle Park, our retail store and museum.
We use CCTV for the prevention and detection of crime and to keep our fans, customers, employees and suppliers safe whilst on our premises. Footage is handled in accordance with data protection laws, and in particular is only held for a limited period of time before it is automatically deleted. Please contact us using the details at section 18 of this Notice if you would like to know more about how our CCTV systems operate.
Keeping your personal data secure is very important to us.
We will treat all of your personal data in strict confidence and we will take all reasonable and appropriate steps to keep your personal data secure once it has been transferred to our systems. We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal data. Please note that whilst we take reasonable steps to prevent any breach, we cannot guarantee the security of any personal data you disclose to us online. You accept the inherent security risks of providing personal data and dealing online and will take all reasonable precautions to ensure that the security of the personal data you provide to us is not compromised.
Where you have chosen a password which enables you to access certain parts of our websites, you are responsible for keeping this confidential. Please do not share your password with anyone.
Please be aware that all open interactive areas (such as social media channels and online forums) are accessible to all users and their contents are effectively available in the public domain. We highly recommend that you think carefully about your submissions. If you choose to add content containing your personal information you do so at your own risk.
Please read our Social Media Policy for information about uploading any content such as photos or comments to our websites or social media platforms such as Facebook, Instagram or Twitter.
Please be aware that by uploading any photos or videos to our websites or social media platforms, you are granting permission for us to use these images / videos and you agree that we have no obligation to reply to or share your content.
If you upload content which identifies any third party, please note that this is personal data and the consent of the third party is required before any such content is uploaded.
Our websites may contain links to other websites, not owned, associated or managed by us.
Whilst we try our best to only link to reputable websites we cannot be held responsible for the security of information collected by sites not managed by us, nor can we accept responsibility or liability for them. We would recommend that you read the privacy information of the third party before using their website.
We may modify this Notice from time to time, so please review it regularly. We will let you know when we make any material changes to this Notice by means of notice on our website homepages. This Notice was last amended on 31 May 2021.
If you have any questions about our use of your personal data or wish to exercise any of your rights, please contact us by email to firstname.lastname@example.org or by post to Supporter Services, Heart of Midlothian Football Club, Tynecastle Park, Gorgie Road, Edinburgh EH11 2NL.