
Privacy Policy

About us

In this Privacy Policy, we use the term “Tottenham Hotspur” (and “we”, “us” and “our”) to refer to Tottenham Hotspur Ltd, Tottenham Hotspur Football & Athletic Co. Limited, Tottenham Hotspur Women’s Club and Tottenham Hotspur Stadium Limited. Full details about Tottenham Hotspur Ltd, Tottenham Hotspur Football & Athletic Co. Limited and Tottenham Hotspur Stadium Limited are provided in the “Legal notice” section below.

Introduction

Tottenham Hotspur Football Club (hereafter referred to as “Tottenham Hotspur”, “we”, “us” and “our”), is the data controller for the personal information we process. We recognise that your privacy is important and consequently we are committed to protecting it. This Privacy Policy explains what personal information we process about you when you:

  • purchase our products or services such as tickets, memberships, coaching courses, tours and merchandise;
  • attend events at the Tottenham Stadium;
  • use our web sites, the Tottenham Hotspur app or the Stadium wifi facilities;
  • communicate with us by email, telephone or on social media;
  • subscribe to our direct marketing communications;
  • interact with us as a representative of our suppliers or partners.

Please note that the Tottenham Hotspur Foundation has a separate privacy policy which you can access by clicking on the following link:

Other websites

Our websites and digital platforms may contain links to other websites which are outside our control and are not covered by this Privacy Policy. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy policy, which may differ from ours.

How to contact us about this Privacy Policy

We have a dedicated Data Protection Officer (DPO) who you can contact if you have questions about this Privacy Policy or about your personal data in general. Please write to:

Data Protection Officer
Tottenham Hotspur Football Club
Lilywhite House
782 High Road
London
N17 0BX

Alternatively email: personaldata@tottenhamhotspur.com.

Personal information we process and what we use it for

Tottenham Hotspur will only process your personal information for the purposes outlined in the following sections. If these purposes change over time or we want to use data for a new purpose which we did not originally anticipate, we will only go ahead if the new purpose is closely related to the original purpose. If the new purpose is incompatible with the original purpose, we will seek your specific consent for the new purpose; or if a clear legal provision exists requiring or allowing the new processing in the public interest, we will inform you accordingly.

Visitors to our website

You can access and browse our websites without the need for you to actively provide us with your personal data. However, you will need to register a user account in order to purchase tickets, memberships or coaching courses (see “Registering on our websites” for more information).

When you visit our websites we automatically collect information about your device and about your visit. This helps us to better understand how you use our digital platforms and enables us to design our site to better suit your needs whilst also creating better, more personalised content which improves your experience for future visits. The information we collect includes:

  • how you have reached our digital platform, the internet protocol (IP) address you have used, and the MAC address of your device
  • your operating system, browser type, versions and plug-ins
  • your journey through our digital platform, including which links you click on and any searches you made, how long you stayed on a page, and other page interaction information
  • photos you share with us
  • videos you have watched and the duration
  • offers you have redeemed
  • what content you like or share
  • which adverts you saw and responded to
  • which pop up or push messages you might have seen and responded to
  • your current subscription status
  • information collected in any forms you complete
  • location based services
  • ticketed access to our venues

We may also infer your country of location from the IP address you have used to access our digital platforms.

Cookies

Some of this information is collected by cookies which are small text files that store basic information that a website can use to track on-line traffic flows, recognise repeat site visits and record information about your on-line preferences. They often include an anonymous unique identifier that is sent to your browser from our websites, which is then stored on your computer's hard drive. Cookies do not attach to your system and damage your files but observe user behaviour and compile aggregate data that we then use to improve web services. We also use cookies to measure the effectiveness of advertising.

For further, more detailed information on how we use cookies, please refer to our Cookie Policy.

The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. The only exception to this is the placement of non-essential cookies on your devices where we rely on article 6(1)(f) of the GDPR which requires us to obtain your consent.

Registering a user account on our websites

To access the areas of our websites where you can purchase match tickets, memberships and coaching courses you will need to register with us. During the registration process you will be asked to submit personal information including:

  • title and name,
  • date of birth,
  • gender,
  • delivery address,
  • email address,
  • account password,
  • contact number
  • contact and location preferences. 

We use this information to provide you with a secure, identifiable user account, to ensure we provide you with age appropriate content, and to fulfil and communicate with you about your purchases.

Where we use this information to provide you with a secure, identifiable user account, the legal basis we rely on is article 6(1)(f) of the GDPR, which allows us to process personal data for our legitimate interests.

Where we use this information to ensure we provide you with age appropriate content when you are logged on, the legal basis we rely on is article 6(1)(c) of the GDPR, which allows us to process personal data to meet our legal obligations.

Where we use this information to fulfil or communicate with you about any purchases you have made, the legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party (see Purchase our Products and Services for more information).

We may also send you information about our latest news, competitions, ticket and merchandise updates and offers and those of our partners. The legal basis we rely on for this activity is article 6(1)(a) of the GDPR, which requires us to obtain your consent (see Direct Marketing for more information).

Purchasing our products or services

We need to process your personal data in order to provide you with the products and services you purchase from us. If you have already registered an account, then we will use the information you provided during the registration process to deliver and communicate with you about your purchase. In addition to this, we will need to collect your payment card details in order to process payment.

The legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party.

Depending on the service or product you have purchased, we may also need to collect additional information such as:

  • details of any disability or access requirement when you purchase a ticket for an event or service which will take place at the stadium or any of our other locations. This enables us to make reasonable adjustments to make your visit safe and comfortable and compliant with the Equality Act 2010. The legal bases we rely on for this are article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation and article 9(2)(b) as the processing is necessary for the purposes of carrying out our obligations in the field of social security and social protection law.
  • details about any medical conditions you may have when you enrol in one of our coaching courses. We have a duty of care for all participants that enrol in our coaching courses. Processing this information enables us to administer appropriate first aid in the event that participants are injured or taken ill whilst on our premises. The legal bases we rely on are article 6(1)(a) and 9(2)(a) which require us to obtain your explicit consent.
  • details about your vehicle where the product or service you have purchased entitles you to a parking space. The legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party.
  • When you scan your ticket using a mobile device to enter the Stadium, we process this information to keep a record of who is in the Stadium. This is because we are legally required, for health and safety purposes, to know who is on our premises. We may also send you notifications based on this data, to enhance your match-day experience, where you have consented to in-app push notifications (see ‘Push Notifications’ below).

Fraud screening and prevention

Sometimes where there is suspicion of illegal activity such as fraud or ticket touting, we will ask you to provide a copy of an identity document such as a passport. This is usually only necessary for overseas customers and some UK customers where the value of the purchase exceeds a threshold or where the delivery address is different to the card address.

In addition, we may keep the personal information of individuals suspected of suspicious purchasing and touting activity. This information may be shared with other clubs and local law enforcement agencies as we attempt to protect the public against seriously improper conduct.

We also request copies of identity documents for ticket holder name changes i.e. maiden to marital surname, to verify the name change and ultimately to prevent tickets being reallocated to different people.

When we have completed the check process, we delete the copies.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data for our legitimate interests. In this case our legitimate interests are protecting us and our customers against fraud.

The Tottenham Hotspur App

You are able to browse the Tottenham Hotspur App anonymously or by signing in using your Spurs user account for more features/services. When you download the App to your mobile device it collects the following information automatically:

  • The type of mobile device you are using;
  • A unique identifier (like the device ID or IP address);
  • Information about how you use the App.

This enables the App to remember you and provide you with the content you have asked for. We also use this information to personalise your content. The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data for our legitimate interests.

The App may also collect additional information or perform certain actions but only where you have given permission. The lawful basis we rely on for all of the processing activities listed below is article 6(1)(a) of the GDPR which requires us to obtain your consent.

Where you give us your permission to send push notifications, if you scan into the Stadium with your mobile device (this functionality is powered by our trusted partner, Fortress Inc), we will share notifications with you when you enter our Stadium.

Location data

The App will ask you for permission to access your device’s location data. It may also ask you to provide your country of residence. You are under no obligation to provide this information and you can choose to provide neither.

If you do give your permission, the App will collect your location data on match days. We use this data to help us understand the travel patterns of our supporters with a view to ensuring that the travel facilities we put in place on match days are adequate. Where you also permit push notifications (see Push Notifications), we will use your location data to provide you with any relevant updates.

Push notifications

The App will ask you to permit push notifications so we can notify you of things we believe you would want to know. If you have permitted push notifications and you scan your ticket on the App to enter the Stadium, we will send you a push notification to confirm your entry and we may send you notifications in order to enhance your in match day experience. This may include sending you notifications about the match itself, and concession stand offers and deals. You can turn these push notifications off at any time in your smartphone settings. We will only track your GPS location data if you have consented to this within our App.

Bluetooth

When you attend the Tottenham Hotspur Stadium and Bluetooth is enabled on your device, we use Bluetooth beacons to estimate your location within the Stadium. We do this to provide you with in-App directions to Stadium facilities and to notify you of any relevant promotions or offers in your immediate vicinity.

Taking photos using the App

It is possible to take photos from within the App; however, the App will need to access your device’s camera in order to do this. When you use this function, the App will ask for your permission to access your device’s camera.

Publishing your photos to the “photo wall” or sharing on social media

Within the App you can choose to upload your photos for display on a pre-moderated “photo wall”. You should be aware that the “photo wall” is visible to all other App users. You can also share photos to your social media profiles from within the App where they will be visible to your social media contacts.

Our App will remind you of this at the time you upload your photos and we will take your submission of the photo as your consent for it to be displayed on the “photo wall” or posted to your social media profile. 

Quiz leader boards

When you take part in quizzes within the App, we may display your first name and the initial of your last name on quiz leader boards. This will only happen if you are logged into the App.

You can change your permissions at any time by using the permissions part of the App.  

Stadium wifi

When you attend the Stadium we provide an open wifi network for your use. We may ask you for any personal information, such as your name or email address, when you connect to the wifi but we have to collect your device’s IP address and MAC address in order to facilitate your connection. We retain these two pieces of information for the duration of a season. At the end of each season we delete all such data from the wifi system. 

We also operate a web filtering system which blocks access to indecent or malicious websites that could pose a security threat to our wifi network. The filtering system will collect information about the websites you visit whilst you are using our wifi network. We retain this information for 1 month in order to assist us with any investigations into the misuse of the wifi network or any security incidents.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

This information is not personally identifiable and we do not combine it with other data you may have provided us through your other interactions with us. Consequently, this data remains

Direct marketing and market research

When you register your user account on our websites we ask you to set your contact preferences for marketing and market research communications from us and our partners. These settings are opted out by default meaning that we and our partners will only send you such communications where you actively opt-in.

We also include the option to opt in to marketing and market research communications on some of our online forms i.e. competitions and quizzes. Again, we will only ever send you these communications if you opt-in.

For research purposes, when sending communications that individuals have opted in to receive, we may track the open and click through rates. This activity helps us to measure the success of campaigns for those who have provided their consent to receive marketing materials, and for specific Club updates for those individuals who have an existing relationship with the Club and are therefore receiving information as a legitimate interest. This activity can be disabled through opting out at any time.

If you do opt-in and you later change your mind, we provide an unsubscribe link at the bottom of every marketing communication. You can also object to marketing communications by contacting our Data Protection Officer.

The legal basis we rely on to process this data is article 6(1)(a) of the GDPR, which allows us to process personal data with your consent.

Competitions, voting, and quizzes

From time to time we will run competitions, votes and quizzes. When you take part in these activities we will ask you for some basic personal information to enable us to administer the competition, vote or quiz. This will usually consist of your name and email address which we will need in order to contact you if you win. 

As stated in the Direct Marketing section, we will not use this information to send you marketing communications unless you opt-in.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

Making an enquiry or complaint

When you contact us to make an enquiry or complaint, we collect personal information such as your email address so that we can respond to you.

We may monitor or record telephone calls for security purposes and to improve the quality of services that we provide to you.

We record details of all enquiries or complaints on our systems and share them with the areas of the business that are best placed to address them.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. In this case our legitimate interests are dealing with the enquiry or complaint and any subsequent issues that may arise, and to check on the level of service we provide.

CCTV

We have CCTV systems in our premises, including the football stadium, for the purposes of public and staff safety. CCTV is also installed on the outside of some of our buildings for the purposes of monitoring building security.

In all locations, signs are displayed notifying you that CCTV is in operation and providing details of who to contact for further information.

Images captured by CCTV will not be kept for longer than required and will not be stored.

Body Worn Cameras incorporating audio recording are also used by our Stadium security staff when necessary for operational purposes. The aim of the technology is to:

  • Promote the safety of Fans and Security Staff
  • Reduce the potential number of confrontational situations
  • Reduce potential escalation of incidents
  • Augment opportunities for evidence capture
  • Support the investigation of any recorded incidents

If you are involved in an incident you have the right to request images/audio recording of yourself in accordance with the General Data Protection Regulations (GDPR) and Data Protection Act 2018 and be provided with a copy of the images. You can request this by contacting the Data Protection Officer.

We shall only disclose images and audio to authorised bodies who require it for the purposes stated above. Images and audio will not be released to the media or placed on the internet for public viewing.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests. In this case our legitimate interests are public and staff safety, crime prevention and detection.

Interacting with us as a representative of our suppliers or partners.

Tottenham Hotspur operates with a broad portfolio of suppliers and commercial partners. Our staff will process details of our suppliers’ or partners’ nominated business contacts in order to manage these business relationships. This includes information such as names, job titles and contact details.

In the case of deliveries to the Stadium, we ask our suppliers to provide the name and photo of their delivery drivers. We use this information to verify delivery drivers when they attend the Stadium.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

Visiting our offices

All visitors are asked to sign in with their name and company and to show a form of ID. The ID is for verification purposes only; we don’t record this information.

We will issue you with a temporary visitor pass which will include your name and company. This should be worn at all times when you are in our offices and will be destroyed when you leave the premises at the end of your visit.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

We have Wi-Fi on site for the use of visitors. We’ll provide you with the address and password.

We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited, duration and date sent/received.

The purpose for processing this information is to provide you with access to the internet whilst visiting our site. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

Applying for a job at Tottenham Hotspur

When you apply for a job with us, we collect and process a range of personal data in order to assess your suitability for employment. You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

We ask for:

  • personal details including name and contact details
  • details of your qualifications, skills, experience and employment history;
  • information about your current level of remuneration, including benefit entitlements;

The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

We will also ask whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process. The legal bases we rely on for this are article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation and article 9(2)(b) as the processing is necessary for the purposes of carrying out our obligations in the field of social security and social protection law.

You will also be asked to provide equal opportunities information including information about your ethnic origin, sexual orientation, health, and religion or belief. This is not mandatory – if you don’t provide it, it won’t affect your application. This is done for the purposes of equal opportunities monitoring only and we won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. The legal bases we rely on are article 6(1)(a) and 9(2)(b) which require your explicit consent.

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts. In these situations the legal basis we rely on is article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation.

When we make a job offer we will also seek information from third parties, such as references supplied by former employers and information from employment background check providers. For some roles, we are legally obliged by safeguarding legislation to conduct criminal records checks. This usually applies to roles that involve working with minors. The legal basis we rely on is article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation.

Sharing your information

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

We will not share your data with third parties, unless your application for employment is successful and we make you an offer of employment. The organisation will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.

Keeping your information

If you are unsuccessful after assessment for the role, we will hold your data on file for 6 months after the end of the relevant recruitment process. At this point your data will be deleted unless you have told us that you would like your details retained in our talent pool. If this is the case, then we would proactively contact you should any further suitable vacancies arise.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

Responding to requests to exercise your data subject rights

When you contact us to exercise your data subject rights (see “Your Rights” for more information) we will ask you for some information so that we can confirm your identity and ensure that we action your request against the right account. This will usually be your Customer Reference Number (CRN) however if you do not have a CRN or cannot remember it, we may ask for other information. We do not store this information – we just use it to confirm your identity.

We maintain a record of all the data subject rights requests that we receive. If you do make a request, this record will capture your name and a differential piece of data such as your email address or CRN. We keep this record to evidence our compliance with data protection legislation and as a record of our activities in case we are challenged.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

Children

If you are under 16

If you are under 16 and register for restricted areas of our digital platforms, we will collect your date of birth and retain that with your name and other details you may provide. This is so we can ensure we treat you in an age appropriate way in line with this policy.

If you have signed up to receive a product or service, we may contact you about this.

Ages 13-15

If you are aged 13-15, you must first tell your parent or legal guardian that you wish to register on our digital platforms and get their consent. You must make sure that your parent or legal guardian knows and agrees each time before you:

  • email us or ask us to email anything to you; 
  • send any information to us; 
  • enter any competition or game that requires information about you or offers a prize; 
  • purchase an official membership; or 
  • offer or agree to buy anything online.

If you are the parent or legal guardian of a user of our digital platforms who is aged 13 to 15 we do not seek your direct consent to their registration, but we expect them to inform you and get your agreement in advance before they register and before each time they do any of the activities listed above.

Aged under 13

If you are under 13, you may only use the restricted areas of our digital platforms if your parent or legal guardian has first told us that you are allowed to do so.

If you are under 13 and wish to register, you must truthfully tell us your name, email address, country and date of birth. We will then ask you for the name and email address of your parent or legal guardian. We will send them an email, so they are aware of your request and will ask them for their consent and to confirm they have authority to give that consent. We need their consent or refusal within 7 days, or else we will assume consent is not granted. Their consent can be withdrawn at any stage.

Even if your parent or legal guardian gives their consent to your registration, if you are under 13 we still expect you to tell them and get their agreement in advance each time before you:

  • email us or ask us to email anything to you; 
  • send any information to us; 
  • enter any competition or game that requires information about you or offers a prize;
  • purchase an official membership; or 
  • offer or agree to buy anything online.

If you are the parent or legal guardian of a user of our digital platforms who is under 13, they can access and use unrestricted areas, but we will need your direct consent if they wish to gain access to restricted areas.

Automated Decision-making and profiling

Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without human review.

The only time we conduct any form of automated-decision making based on profiling is when you visit our websites. We use third party software to analyse the way you use our websites in order to provide you with a more personalised experience next time you visit our websites. For example, we may analyse the products you buy from our shop or the types of web pages you look at the most. Next time you visit our website we will then tailor the content we provide you based on those preferences. We might also suggest other products or services you might be interested in.

These activities are fully automated and you can turn them off by disabling our website’s cookies in your web browser. Our Cookie Policy explains how to do this.

We do not conduct any other forms of automated-decision making particularly anything that could have a legal or similarly significant effect on you. If this changes over time, we will seek your explicit consent and update this privacy notice accordingly.

Sharing your information

Tottenham Hotspur shares your personal data internally and with selected third-parties in the following circumstances:

Third party service providers.

In order to provide our products and services to you or to otherwise fulfil contractual arrangements that we have with you, we may need to appoint data processors to carry out some of the data processing activities on our behalf. These may include, for example, payment processing organisations, delivery organisations, fraud prevention and screening and credit risk management companies, mailing houses and IT system providers. We have contracts in place with our data processors which means that they cannot do anything with your personal information unless we have instructed them. They will not share your personal information with any other organisations and will hold it securely and retain it for the period we instruct.

Commercial Partners

We may also share personal data, such as your name and contact details, with our commercial partners but only where you have explicitly consented to this or requested that we do so. For example, when you enter a competition which is a joint promotion, or you request to receive certain marketing communications. In any case, we will provide you with clear information before we share your personal data.

Other football clubs

Some European countries require their football clubs to keep full records of all away fans attending their matches. Consequently, when you purchase an away match ticket for a European game, we may be required to disclose your personal information to the hosting club. As this activity forms part of us providing you with the product or service you have purchased, the legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party. You can object to us sharing your data with other clubs; however, we will not be able to guarantee your entry at the match.

Publicity and media

We may disclose your personal data publicly via the media or social media. For example, when sharing a comment or opinion you have provided or if you win a competition or promotion we may disclose your name online. In such cases, we will clearly notify you of the sharing and you will have the choice not to participate or to otherwise object to such sharing, subject to our other legal obligations.  

Supporters’ Clubs

Tottenham Hotspur has a network of Supporters’ Clubs around the globe. We may share personal data, such as your name and contact details, with the representatives of your nearest Supporters’ Club but only where you have explicitly consented to this or requested that we do so.

Legal and other

We may also share your data with third parties:

  • if we are under a legal or regulatory duty to do so
  • if it is necessary to do so to enforce our terms and conditions of sale or other contractual rights
  • to lawfully assist the police or security services with the prevention and detection of crime or terrorist activity
  • where such disclosure is necessary to protect the safety or security of any persons
  • and/or otherwise as permitted under applicable law.

International data transfers

We are based in the UK but sometimes your personal information may be transferred outside of the European Economic Area (EEA). For example, some of our third-party suppliers or commercial partners to which we disclose your personal data may be situated outside of the EEA. Where we do transfer your personal data outside of the EEA, we make sure that we put one of the EU’s approved suitable safeguards in place, for example using approved contractual agreements or by obtaining your explicit consent for the transfer.

Security

Protecting your personal information is very important to us and as such we have put a range of security defences in place in order to ensure it.

This includes:

  • Technical measures such as encryption when we send your data over the internet, anti-virus software, secure user accounts on our systems that restrict access to your personal information, regular data back-ups, and conducting security testing of our systems.
  • Physical security measures that ensure that physical access to your data, whether it is in electronic or hard copy form, is also restricted and controlled.
  • Personnel security measures such as contractual clauses in employment contracts that require our employees to protect the confidentiality of your data, and regular awareness training about data protection and information security.

Some of our IT systems are provided by third party suppliers. In these cases the security of your data is a shared responsibility and we have contracts in place which outline each party’s responsibilities for the security of data.  

Keeping your information

We retain your personal information for the minimum reasonable time period to allow us to fulfil the purposes that we collected it for. We will delete or destroy your data after that time except where we need to keep any personal information to comply with our legal obligations, resolve ongoing disputes or defend ourselves against future legal claims, or enforce our agreements.

Occasionally, we may continue to use data without further notice to you. This will only be the case where any such data is anonymised and you cannot be identified as being associated with that data.

Please contact personaldata@tottenhamhotspur.com for further information about our retention periods.

Your Rights

You have certain rights in relation to your personal information. In order to exercise any of the following rights please complete the data subject access request form here or contact the DPO using the details above.

Right of access. You have the right to access the data that we hold on you. We provide you with access to as much of your personal information as possible via your account on our website; however, if you require access to other information, you should make a subject access request in writing.

Right to rectification. You can request that we update any of your personal information, which is out of date or incorrect. We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it. Please note that you are able to correct basic personal information on the HR and recruitment systems and it is your responsibility to ensure the data is up to date.

Right to erasure. In some circumstances you can ask for your personal information to be deleted. You should be aware however that this is not an absolute right and there are situations where legally, we will not be able to comply with your request. If we cannot comply with your request, we will clearly explain our reasons.

Right to object. You can object to our processing of your personal information where we do so in our legitimate interests or in the public interests. If you do object, you should provide specific reasons why you are objecting to the processing of your data. You should be aware that this is not an absolute right, and we can continue processing if we can demonstrate compelling legitimate grounds for the processing or if the processing is for the establishment, exercise or defence of legal claims. If we cannot comply with your request, we will clearly explain our reasons.

Right to restrict processing. In some circumstances, you have the right to ask us to restrict the processing of your personal data. This may be because you have issues with the content or accuracy of the information we hold and want us to restrict processing whilst these issues are addressed. Alternatively it could be because you have objected to our processing of your data for the purposes of our legitimate interests, and you want us to restrict processing whilst we consider our response. Where we comply with these requests, we will always inform you before lifting the restriction.

Consent withdrawal. Where you have given clear consent for us to process your personal data for a specific purpose, you have the right to withdraw your consent at any time. Please note that we do not rely on consent for the majority of employee personal information we process.

ID Validation

In order to understand exactly who is in attendance at the Stadium on matchdays we are asking the relevant Season Ticket Holders over the age of 18 to verify their identification by providing the Club with a copy of a valid passport or UK driving licence.

The lawful basis the Club has applied for collecting this data under data protection law is GDPR Article 6(1) - legal obligation; we have a common law duty of care to protect the welfare and wellbeing of individuals who attend matches in the Stadium. 

Your personal data will be retained only for the purposes stated in this section of the privacy notice and will be held by the Club for no more than 31 days at which point it will be automatically purged.

Changes to this policy

As Tottenham Hotspur changes, this Privacy Policy is expected to change as well. We reserve the right to amend this Privacy Policy at any time, for any reason, without notice to you, other than the posting of the amended Privacy Policy on our websites. We may email periodic reminders of this Privacy Policy and will email relevant data subjects to notify them of any material changes. You should check our website frequently to see the current Privacy Policy that is in effect and any changes that may have been made to it.

More information & Complaints

Should you have any questions regarding this Privacy Policy or if you wish to make a complaint about how we process your personal information, please contact personaldata@tottenhamhotspur.com.

You are also able to make a complaint to the Information Commissioner’s Office (ICO) if you think your data protection rights have been breached in any way by us. You can do this by contacting the ICO at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Alternatively, visit the ICO website or email icocasework@ico.org.uk