
Privacy Policy

New Stadium Designated Activity Company

 

PRIVACY POLICY

 

1. Introduction:

1.1 This is the Privacy Policy of New Stadium Designated Activity Company (t/a Aviva Stadium), which is referred to as “New Stadium DAC”, “us” or “we” throughout this Privacy Policy. This Privacy Policy provides details of the way in which we Process Personal Data when managing and operating the Aviva Stadium (the “Stadium”) in compliance with our obligations under Data Protection Law.

1.2 Capitalised terms used in this Privacy Policy are defined in the Glossary in Annex I.

 

2. Background and Purpose

2.1 The purpose of this Privacy Policy is to explain what Personal Data we Process and how and why we Process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we Process data will evolve over time and we will update this Policy from time to time to reflect changing practices.

2.2 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into various points of data capture used by us (e.g. application forms etc.).

 

3. New Stadium DAC as a Data Controller

3.1 New Stadium DAC will act as a Data Controller in respect of Personal Data provided to us by various individuals in connection with the operation and administration of New Stadium DAC, in particular when managing and operating the Stadium. Such individuals will generally include the following:

(a) all visitors to the Stadium (including stadium tour visitors);

(b) employees and contractors of New Stadium DAC;

(c) other match day personnel (e.g. medical staff and stewards);

(d) officials from organisations such as the IRFU, the FAI, concert promoters and other organisations (including visiting officials);

(e) business contacts of New Stadium DAC; and

(f) business contacts of related parties.

3.2 Personal Data is processed by New Stadium DAC for the following purposes:

Purpose of Processing: Processing of visitor details, including tour visitors to allow New Stadium DAC to act as a stadium venue and to provide its business services.

Lawful Basis under GDPR: Such processing is necessary: (a) for the performance of a contract between New Stadium DAC and its stadium tour visitors pursuant to Article 6(1)(b) GDPR; and (b) for the legitimate interests pursued by New Stadium pursuant to Article 6(1)(f) GDPR.

Purpose of Processing: Processing for the purpose of access control to the stadium, including access control cards.

Lawful Basis under GDPR: Such processing is necessary for: (a) the performance of a contract between New Stadium DAC (or another entity) and the data subject pursuant to Article 6(1)(b) GDPR in accordance with the Stadium Ground Rules (Regulations); and (b) the legitimate interests pursued by New Stadium DAC pursuant to Article 6(1)(f) GDPR to control and monitor access to the stadium.

Purpose of Processing: Processing of CCTV footage for security purposes.

Lawful Basis under GDPR: Such processing is necessary for the legitimate interests pursued by New Stadium DAC pursuant to Article 6(1)(f) GDPR to protect staff and visitors to the stadium and New Stadium DAC property. Such processing is necessary to protect the vital interests of data subjects under Article 6(1)(d) GDPR. See Section 8 of this Privacy Policy.

Purpose of Processing: Processing of employees’ personal data for employment purposes including payroll administration, general personnel administration and New Stadium DAC management.

Lawful Basis under GDPR: Such processing is necessary for the performance of a contract between New Stadium DAC and its employees pursuant to Article 6(1)(b) GDPR.

Purpose of Processing: Processing of personal data of officials from organisations such as the IRFU and FAI (and visiting officials from other organisations).

Lawful Basis under GDPR: Such processing is necessary for the legitimate interests pursued by New Stadium DAC pursuant to Article 6(1)(f) GDPR.

Purpose of Processing: Processing of personal data of match day personnel such as security and medical personnel.

Lawful Basis under GDPR: Such processing is necessary for the performance of a contract between New Stadium DAC and match day personnel pursuant to Article 6(1)(b) GDPR.

Purpose of Processing: Processing of personal data of contractual service providers such as catering and merchandise services.

Lawful Basis under GDPR: Such processing is necessary for the performance of a contract between New Stadium DAC and service providers pursuant to Article 6(1)(b) GDPR.

Purpose of Processing: Processing of business contacts of New Stadium DAC.

Lawful Basis under GDPR: Such processing is necessary for the legitimate interests of New Stadium DAC pursuant to Article 6(1)(f) GDPR as a company.

Purpose of Processing: General correspondence with members of the public (by post or various Aviva Stadium email addresses) for example where an individual sends correspondence to inquire about meetings and venue hire or for other reasons.

Lawful Basis under GDPR: Such processing is necessary for the particular purpose for which the correspondence is sent to New Stadium DAC. Depending on the particular context of such correspondence the relevant lawful basis may be: (a) the individual’s consent; (b) to take preparatory steps prior to entering into a contract; or (c) New Stadium DAC’s legitimate interests (for example, responding to queries from the public).

Purpose of Processing: Processing of personal data for website purposes such as technical information, information about your website visit and cookies.

Lawful Basis under GDPR: Such processing is necessary for the legitimate interests pursued by New Stadium DAC including for troubleshooting, data analysis, testing, research, statistical and survey purposes pursuant to Article 6(1)(f) GDPR.

 

4. New Stadium DAC and Data Processors

4.1 New Stadium DAC will engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of New Stadium DAC and gives rise to a Data Controller and Data Processor relationship, New Stadium DAC will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.

4.2 New Stadium DAC will also act as a Data Processor in certain situations when Processing Personal Data for and on behalf of third parties such as the Irish Rugby Football Union and the Football Association of Ireland. Where New Stadium DAC acts as a Data Processor, we will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.

 

5. Record Keeping

5.1 As part of our record keeping obligations under Art. 30 GDPR, New Stadium DAC retains a record of the Processing activities under its responsibility. This comprises the following:

Art. 30 GDPR Requirement: Name and contact details of the Controller

New Stadium DAC’s Record: Care of: Company Secretary, New Stadium Designated Activity Company, Ballsbridge, Dublin 4, Ireland

Art. 30 GDPR Requirement: The purposes of the processing

New Stadium DAC’s Record: See Section 3 of this Privacy Policy.

Art. 30 GDPR Requirement: Description of the categories of data subjects and of the categories of personal data.

New Stadium DAC’s Record: See Annex II of this Privacy Policy.

Art. 30 GDPR Requirement: The categories of recipients to whom the Personal Data have been or will be disclosed.

New Stadium DAC’s Record: See Section 11 of this Privacy Policy.

Art. 30 GDPR Requirement: Where applicable, transfers of personal data to a third country outside of the EEA.

New Stadium DAC’s Record: See Section 11 of this Privacy Policy.

Art. 30 GDPR Requirement: Where possible, the envisaged time limits for erasure of the different categories of data.

New Stadium DAC’s Record: See Section 12 of this Privacy Policy.

Art. 30 GDPR Requirement: Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

New Stadium DAC’s Record: See Annex III of this Privacy Policy.

 

6. Special Categories of Data

6.1 New Stadium DAC processes Special Categories of Personal Data (“SCPD”) in certain circumstances, such as the ordinary course of employee administration (e.g. sick notes / medical certificates of employees). New Stadium DAC shall Process such SCPD in accordance with Data Protection Law.

 

7. Individual Data Subject Rights

7.1 Data Protection Law provides certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):

(a) The right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);

(b) The right of access to Personal Data;

(c) The right to rectify or erase Personal Data (right to be forgotten);

(d) The right to restrict Processing;

(e) The right of data portability;

(f) The right of objection; and

(g) The right to object to automated decision making, including profiling, and any processing undertaken by New Stadium DAC based on our legitimate interests.

7.2 These Data Subject Rights will be exercisable by you subject to limitations as provided for under Data Protection Law. You may make a request to New Stadium DAC to exercise any of the Data Subject Rights by contacting the Company Secretary. Your request will be dealt with in accordance with Data Protection Law.

 

8. CCTV on New Stadium DAC Premises

8.1 The Stadium is a public place and to ensure the security and safety of visitors and staff, New Stadium DAC uses closed circuit television cameras (“CCTV”) located throughout its premises covering buildings, internal spaces, car parks, roads, pathways and grounds. New Stadium DAC’s CCTV system is implemented in a proportionate manner as necessary for the legitimate interest of the security of staff, and visitors including tour visitors to the New Stadium DAC premises (to protect their vital interests) and to protect New Stadium DAC property against theft or pilferage.

8.2 Whilst CCTV footage is monitored by New Stadium DAC security staff, access to recorded footage is strictly limited to authorised personnel. Footage is retained for no more than 30 days, except where incidents or accidents have been identified in which case such footage is retained specifically in the context of an investigation of that issue. CCTV footage is not disclosed to third parties except where disclosure is required by law (such as for the purpose of preventing, detecting or investigating alleged offences) and in such instances disclosure is based on a valid request. Signage indicating that CCTV is in use is displayed prominently throughout the New Stadium DAC premises, including the stadium, the stadium management building and the stadium underground car park.

8.3 For information on CCTV operations at New Stadium DAC please contact the Company Secretary.

 

9. Photographs and Recordings

9.1 New Stadium DAC hosts national and international sporting fixtures and other events. These events are of public and media interest and therefore are subject to audio and visual recording and photography. When attending the Stadium, which is a public place, there is a reasonable expectation that staff and Stadium visitors may be photographed and recorded in video footage and that these images and recordings may be published by us for promotional purposes and by third parties including media outlets and broadcasters. Such processing is undertaken in New Stadium DAC’s legitimate interests and those of media outlets and broadcasters. By attending the Stadium for such events, you acknowledge that the Stadium is a public place and that you may have a reduced expectation of privacy. While you have a right to object to your inclusion in any photographs or video footage, any such objection must be balanced against the legitimate interests pursued by New Stadium DAC and/or third party media outlets and broadcasters.

 

10. Data Security and Data Breach

10.1 We have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access.  Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords. For more information on security measures see Annex III.

10.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by New Stadium DAC will be dealt with in accordance with Data Protection Law and New Stadium DAC’s Data Breach Procedure.

 

11. Disclosing Personal Data

11.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data).

11.2 We may also disclose Personal Data to selected third parties including our insurance broker and legal advisors.

 

12. Data Retention

12.1 We will keep Personal Data only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as described in this Privacy Policy).

 

13. Data Transfers outside the EEA

13.1 From time to time, New Stadium DAC may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland. If such transfer occurs, New Stadium DAC will ensure that such processing of your Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission) or ensuring that the recipient is Privacy Shield certified, if appropriate. If you require more information on the means of transfer of your data or would like a copy of the relevant safeguards, please contact the Company Secretary.

 

14. Further Information/Complaints Procedure

14.1 For further information about this Privacy Policy and/or the Processing of your Personal Data by or on behalf of New Stadium DAC please contact: The Company Secretary, Aviva Stadium, Ballsbridge, Dublin 4. While you may make a complaint in respect of our compliance with Data Protection Law to the Irish Data Protection Commission, we request that you contact the Company Secretary in the first instance to give us the opportunity to address any concerns that you may have.

Date: 25 May 2018

 

 

ANNEX I

Glossary

In this Privacy Policy, the terms below have the following meaning:

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller.

“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the [Data Protection Act 2018] and any other laws which apply to New Stadium DAC in relation to the Processing of Personal Data.

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:

- a name, an identification number;

- details about an individual’s location; or

- any other information that is specific to that individual.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

 

ANNEX II

Types of Personal Data

Categories of Data Subject: Event day attendees

Type of Personal Data: Ticket details which may include first and last name and / or affiliated organisation

Categories of Data Subject: Stadium tour attendees

Type of Personal Data: Booking details may request certain personal data such as first and last name and / or affiliated organisation

Categories of Data Subject: Employees

Type of Personal Data: Recruitment related data; Personnel file; Payroll data; Pension details; Performance details; Grievance / other investigations; Medical information

Categories of Data Subject: Event Stewards

Type of Personal Data: Payroll data including name, contact details, social security number, event pay, bank details etc.

Categories of Data Subject: Contractors

Type of Personal Data: Name, title, company details, contact details

Categories of Data Subject: Officials from organisations such as the IRFU and FAI (and visiting officials).

Type of Personal Data: Name, title, organisation details, contact details

Categories of Data Subject: Business contacts of New Stadium DAC

Type of Personal Data: Name, title, organisation details, contact details

Categories of Data Subject: Match day personnel (including medical staff)

Type of Personal Data: Name, title, organisation details, contact details

Categories of Data Subject: Stadium Access Control

Type of Personal Data: Stadium accreditation will require name, title, contact details and will also require photographic ID which is stored securely and for the sole purpose of stadium access control.

 

ANNEX III

IT Security Measures

 

Technical and organisational security measures are used by New Stadium DAC for data security purposes, and include the following:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The company employs IT personnel directly and indirectly and continuously reviews the company IT policies and procedures to ensure adherence to best practice.