T TeamFeePay Trust

UK General Data Protection Regulation

UK GDPR

The UK's primary data protection regime for personal data — the retained EU GDPR as it forms part of UK law, read alongside the Data Protection Act 2018.

Autoridad
Information Commissioner's Office (ICO)
Jurisdicción
United Kingdom
En vigor desde
1 de enero de 2021

Nuestra declaración de cumplimiento

The UK GDPR applies to our processing of personal data relating to data subjects in the United Kingdom. For data submitted by clubs (member contact details, fee records, communications) we act as a processor on behalf of the club, which is the controller. For data we collect directly (e.g. marketing-site analytics) we act as a controller.

How we comply

  • Lawful basis & transparency. Our Privacy Notice sets out the lawful bases on which we process personal data as a controller. As a processor we only process personal data on documented instructions from the club acting as controller.
  • Data subject rights. Club administrators can fulfil the majority of access, rectification, erasure, restriction, portability and objection requests directly from the admin console. Where our help is required, we respond within the one-month statutory window.
  • Data Processing Agreement. A UK GDPR Article 28-compliant DPA is offered to every club at onboarding and is available on request from this Trust Centre.
  • Records of processing (Art. 30). We maintain a Record of Processing Activities for our controller and processor roles, reviewed quarterly.
  • Data Protection Impact Assessments. DPIAs are completed before introducing any new processing that is likely to result in a high risk to data subjects.
  • International transfers (Chapter V). Customer data is processed in the UK and EEA. Onward transfers to subprocessors outside the UK/EEA rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment.
  • Breach notification (Art. 33). Confirmed personal-data breaches affecting customer data are notified to the relevant controller without undue delay, and in any event within 72 hours of becoming aware.
  • Data protection by design and by default (Art. 25). Encryption in transit and at rest, pseudonymisation where appropriate, least-privilege access, and data-minimisation are baked into the platform — and audited under our ISO/IEC 27001 ISMS and ISO/IEC 27018 cloud-PII controls.

Our supervisory authority is the UK Information Commissioner's Office. Data subjects always retain the right to lodge a complaint with the ICO.

Leer la legislación

El texto legal completo en el sitio oficial de legislación del Reino Unido.

Leer el texto oficial