Malahide Rugby Football Club may collect, process, and store personal and sensitive data on an ongoing basis. This policy is aligned with the Data Protection Acts 1988, 2003, and the General Data Protection Regulation EU/2016/679 (GDPR), which outline the rights of individuals and the responsibilities of organisations.
This policy applies to all data held by the club, including paper records, electronic records, and CCTV images.
2. Ownership
This policy is maintained by the Club’s Data Protection Officer (DPO) and approved by the Executive Committee. It is reviewed at least annually or whenever relevant legal or operational changes occur.
Questions or suggestions regarding this policy should be directed to the DPO.
3. Scope
This policy applies to:
All employees (staff, contractors)
Mentors and coaches
Relevant third parties associated with Malahide RFC
All personnel must adhere to the principles of this policy and relevant data protection laws.
Examples of personal data covered:
Name, date of birth, address, PPSN
Contact details, work experience, employer
Bank details, income, liabilities, IP address, personal images
Examples of sensitive data:
Medical data, criminal convictions, tax offences
4. Safeguarding Principles & Measures
4.1 Fair Collection and Processing
Data will be collected fairly and only as needed.
Individuals will be informed about:
How long data is stored
Their rights under GDPR (access, correction, deletion)
Whether data provision is required
Any automated decision-making involved
4.2 Purpose Limitation
Data is collected for specific, lawful purposes only.
4.3 Use Limitation
Data will only be used for its intended purpose unless legally required.
4.4 Security Measures
Physical, technical, and organisational safeguards are in place to protect data.
Access is restricted on a need-to-know basis.
4.5 Data Minimisation
Only necessary personal data is collected and retained.
4.6 Accuracy
Data is kept up to date and corrected when necessary.
4.7 Storage Limitation
Data is retained only for as long as necessary.
4.8 Rights of Individuals
Data subjects can request:
Access to data
Corrections
Objection to processing
Erasure or restriction
All valid requests will be addressed within 30 days.
4.9 Data Transfers
No data is transferred outside the EU without appropriate safeguards.
4.10 Record of Processing
A detailed internal record of all data processing activities is maintained.
4.11 Data Breach Notification
The DPO must be notified of any suspected breach within 30 minutes.
Serious breaches are reported to the Supervisory Authority within 72 hours.
4.12 Monitoring & Compliance
A DPO is responsible for:
Maintaining processing records
Audits and compliance checks
Privacy impact assessments
Ensuring GDPR alignment
5. Data Breach Procedures
Any personal data breach (paper or digital) must be reported immediately.
Examples of breaches:
Lost/stolen devices or documents
Cyberattacks or hacking
Human error or misaddressed emails
Improper data sharing
All breaches must be reported to the DPO via the official form found in Appendix 1.
6. Training
All staff and mentors will receive Data Protection training:
During induction
With annual refresher sessions
Via online resources where applicable
7. Employee Agreement
All employees must comply with this policy. Non-compliance may lead to disciplinary action under the Club’s internal procedures.
Appendix 1 – Glossary
Term: Definition
Data: Any information that can be processed (manual or digital)
Automated Data: Data on computers or intended for computer processing
Manual Data: Paper-based files forming part of a filing system
Data Controller: The person/entity responsible for personal data
Data Processor: Entity processing data on behalf of a controller
DPO: Person responsible for overseeing data protection compliance
Data Subject: The individual whose data is held
GDPR: EU General Data Protection Regulation (2016/679)
Personal Data: Data identifying a living individual
Sensitive Data: Special categories: health, convictions, ethnicity, etc.
Processing: Any operation on data (collecting, storing, deleting, etc.)