Privacy Policy

Introduction:

The Gaelic Athletics Association (‘GAA’) is Ireland’s largest sporting organisation and is celebrated as one of the great amateur sporting associations in the world.

The GAA is committed to protecting your privacy rights in relation to the processing of personal information in both electronic and paper format and take our obligations with regards to the protection of the personal information entrusted to us very seriously. The GAA has a Data Protection Officer (‘DPO’), who can advise on any queries you have in relation to this privacy policy or the rights afforded to you under the applicable data protection law such as the General Data Protection Regulation (‘GDPR’). The GAA Data Protection Officer can be contacted at dataprotection@gaa.ie

The information below is intended to inform you how your personal information will be used, by whom, for what purposes and explains your data protection rights.

The GAA is the data controller for the majority of processing activities however there will be circumstances where the GAA will act as joint controller alongside the respective club.

Why the GAA processes personal information and an overview of the legal basis for processing personal information;
How you, a data subject, can execute your rights under existing data protection legislation;
Who we share your personal information with;
Transferring personal information outside of the EEA;
How long the GAA will keep your personal information;
How to raise a complaint;
Cookies

1. Why the GAA Processes Personal Information and an overview of the legal basis for processing personal information:

The GAA will process personal information in a way compatible with your interaction and involvement with the organisation and this will vary depending on whether you are, for example, a player, coach, match official, club member, attendee at a matches, camps or event or a visitor to our museum, website or social media channels etc.

To ensure personal information is processed lawfully, we identify and apply the most appropriate lawful basis. The six lawful basis are:

Legal obligation: for example, to comply with the National Vetting Bureau (Children & Vulnerable Persons) Acts 2012 – 2016 or to comply with instructions from regulatory bodies such as the Data Protection Commission/ICO or law enforcement such as An Garda Siochana.
For the performance of a contract: for example, where you apply for membership with your club or buy a ticket for a match.
Legitimate interest: Such legitimate interest includes to process personal information for operational or organisational purposes. In order to rely on this lawful basis, a balancing exercise will be completed to assess and demonstrate that such processing does not negatively impact your, the data subjects, fundamental right to privacy.
Consent: By obtaining your demonstratable consent, for example by a written statement or ticking a box. Where a child is below the age of 16, adequate consent can only be provided by the parent/guardian of that child.
Vital Interest: The processing is necessary to protect your or a third parties life/welfare or to mitigate against a potential risk/threat/ harm to an individual. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.
Public Interest: The Processing is necessary to complete a task which is carried out in the public interest (e.g. notification in relation to the outbreak of disease).

Outlined below is why the GAA will process your personal information along with the relevant legal basis.

Purpose of Processing	Legal Basis
Name, date of birth, contact information, player/membership status is processed as it is necessary in order to register and administer your membership with your club.	Performance of a contract Where the registration is for a person under the age of 16, the GAA will rely on consent from the persons parent or guardian in order to process their personal information.
Name, player/membership status, team name, information relating to conduct and play is processed for the purpose of team sheets, referee reports, disciplinary matters, sanctions and permits.	Performance of a Contract
Name and contact information is processed in order to facilitate ticket sales.	Performance of a Contract
Contact information is processed to keep you informed of GAA events and fundraisers.	Consent
CCTV is in place in and around GAA stadiums and most Clubs for security and health and safety purposes. The use of CCTV is indicated by signage on the grounds.	Legitimate Interest
Contact information and any other personal information you choose to disclose is processed to respond to any queries or complaints you may have.	Performance of a Contract
Personal information is processed to perform data analytics and statistical analysis to allow the GAA to understand and to support club, county and provincial needs. Aggregate reports are used for this purpose where individuals are not identifiable.	Legitimate Interest
We will process your personal information, where you choose to upload a photo or another image of your likeness to your Foireann profile. In order to do this, we may request access to your device's camera or photo library to enable image capture or selection. All collected images are stored securely and treated with the utmost confidentiality. We implement industry-standard security measures to protect against unauthorized access, disclosure, alteration, or destruction of your images.	Consent
Contact information is processed to book attendance for the Croke Park Museum and purchase tickets to special events e.g. Santa Experience, Easter, Halloween events etc.	Performance of a Contract
The name of participants of the Skyline Tour is processed to evidence that every individual is familiar with the Health and Safety Notice.	Legal Obligation
Player/match official/team management name, contact information, medical data, and loss of wages data (if applicable) is processed to administer injury claims through the GAA Injury Benefit Fund and to record injuries.	Consent
Player name, address history (previous and current), contact information, membership ID and club details are processed in order to administer a transfer request and in order to become a member of the Association in general.	Performance of a Contract
Player health data to include cardiac health and concussion data is processed for player welfare and wellbeing.	Vital Interests
Education and training information of individuals, for example players, match officials, coaches and those involved in the running of their club/county team is processed to track completion and retained on the GAA’s Learning Management System.	Legitimate Interest
Referee name, contact information, health data will be processed for health screening services.	Consent
The GAA utilise GPS wearables for referees which collect raw data to estimate certain metrics to include: Total Distance, High Metabolic Load Distance, High Speed Running, Maximum Heart Rate.	Explicit Consent
Name, contact information and detail of concern/complaint is processed to comply with the mandatory Safeguarding of Children obligations.	Legal Obligation
Education and training data is processed to keep record of learning qualifications such as safeguard training, vetting status or accreditation.	Legal Obligation
The name of participants of the Skyline Tour is processed to evidence that every individual is familiar with the Health and Safety Notice.	Legal Obligation
The personal information you provide when you enter a competition through any of our social media channels is processed and assessed by us to fulfil that purpose.	Consent
Social media profile/handle will be processed when you engage with a GAA social media channel.	Contract Execution

2. How To Execute Your Data Protection Rights;

The GDPR affords a number of rights to individuals and these rights allow you to exercise meaningful control over the way in which your personal information is processed. These rights may be executed free of charge. In certain exceptional circumstances a reasonable fee may be charged, or the GAA may refuse to act on the request.

Once your identity has been verified, the GAA will begin the process of responding to your request without undue delay and within 30 calendar days of receipt of the request.

These periods may be extended in exceptional circumstances and we will inform you where the extended period applies to you along with an explanation of the reasons for the extension.

The GDPR allows for the following Rights under Chapter III:

Access to your personal information: This Right allows you to request and obtain a copy of the personal information, also known as a Data Subject Access Request (‘DSAR’), the GAA processes about you as well as other supplementary information such as:

the purposes of processing;
the categories of personal information concerned;
the recipients of your personal information;
the period for which your personal information will be stored;
the existence of your right to lodge a complaint with the Data Protection Commission; and
the source of your personal information.
Correct your personal information: This right allows you to correct/rectify inaccurate personal information concerning you or instruct completion of incomplete personal information taking into account the purposes of the processing.
Restrict your personal information: This right allows you to request the restriction of your personal information in certain circumstances. This includes if you dispute the accuracy of information held, you can request that we restrict processing this information while your complaint is being examined or where we no longer need your personal information for the purposes of processing but you require the data in relation to a legal claim.
Delete your personal information: This right allows you to request deletion of your personal information in certain circumstances such as the personal information is no longer needed in relation to the purposes for which it was initially collected or the personal information has been unlawfully collected and processed.

We are not under an obligation to rectify or delete your personal information where to do so would:

prevent us from meeting our contractual obligations to you or,
where the GAA is required or permitted to process your personal information for legal purposes or otherwise in accordance with our legal obligations.
Request your personal information is transferred (or ported) electronically: This right allows you to request we provide you with your personal information in a structured, commonly used and machine-readable format. The individual may also request this data is transferred from one data controller (such as the GAA) to another. This right is restricted to where we process personal information under the lawful basis of consent or contract execution only.
Withdraw your consent: Where your personal information is processed based on the lawful basis of consent, you may invoke your right to withdraw this consent at any time. Withdrawing your consent will not affect the lawfulness of the personal information processed prior to consent withdrawal.
Object to your personal information being used for certain purposes: This right allows you to raise an objection if you disagree with the way in which the GAA processes personal information. This right is restricted to where we rely on legitimate interest as the lawful basis to perform such processing. Upon receipt of an objection, the GAA will assess the nature of the objection and whether we can demonstrate our legitimate interest to proceed with the processing.

3. Who We Share Your Personal Information With;

Access to your personal information within the GAA is restricted to those who need it for a specific purpose, relevant to the performance of their duties in the organisation.

The GAA also sometimes uses third parties who provide important functions and do so based on our instruction. We will at all times ensure appropriate security and confidentiality measures are in place prior to exchanging any personal information with third parties. An example of such third parties includes service providers who:

assist in the management of membership, registration & administer player transfers;
provide IT security, hosting, ticket sales and system administration services;
provide registration services and capture expression of interest for GAA events;
provide the GAA with performance management services and platforms to contact volunteers;
send GAA communications to include marketing (where consent is provided) and service messages;
provide customer management services and databases;
facilitate the payment of expenses;
conduct research on behalf of the GAA;
provide professional services such as legal, health screening, research, call centre, insurance, payroll services.

Our website may include links to third-party websites and applications. By clicking on those links or enabling those connections, it may allow third parties to collect or share data about you. The GAA do not control these third-party websites and are not responsible for their privacy practices.

4. Transferring personal information outside of the EEA;

As noted above, the GAA uses a number of third party service providers and some of these are based outside of the European Economic Area (‘EEA’). The EEA includes all member states of the EU with the addition of Iceland, Lichtenstein and Norway. Where we process/transfer personal information outside of the EEA, we will ensure measures are implemented to ensure all personal data is protected. These measures will include the following data transfer mechanisms:

that country provides an adequate level of protection for personal information as set down by the European Commission; or
the transfer is made under a legally binding agreement which covers the EU requirements for the transfer of personal information to data processors outside of the EEA such as the model contractual clauses approved by the European Commission; or
Binding Corporate Rules (‘BCRs’); or
such other approved mechanism or model approved by the European Commission

5. How Long The GAA Will Keep Your Personal Information;

The length of time the GAA retains your personal information depends on the nature and purpose of the data being processed. For example, we will retain your personal information to provide you with a product or service you requested, to comply with a legal obligation or statutory order, or to protect, enforce or defend our rights and property.

On certain circumstances, your personal information may be retained for longer than your relationship with the GAA. This may be as there is an ongoing claim or the GAA are obliged to retain the data following receipt of a statutory order.

Where the GAA no longer needs your personal information and the retention period has passed, the personal information will be deleted or anonymised which means that your personal information is stripped of all identifying characteristics.

6. How To Raise A Complaint;

If you do not think the GAA processed your personal information in line with this Privacy Policy, please contact us in the first instance at dataprotection@gaa.ie.

As is your right and where you are dissatisfied with any aspect of the GAA’s processing of your personal information, you may make a complaint to the relevant Supervisory Authority depending on your jurisdiction:

Data Protection Commission:

Address: Data Protection Commissioner, 21 Fitzwilliam Square North Dublin 2 D02 RD28

Phone: + 353 57 868 4800

Email: info@dataprotection.ie

Website: www.dataprotection.ie

Information Commissioner’s Office:

Address: 3rd Floor, 14 Cromac Place, Belfast, BT7 2JB

Phone: 028 90278757

Email: ni@ico.org.uk

Website: ico.org.uk

Cookies

Information may be sent to your computer in the form of an Internet "cookie" to allow the GAA servers to monitor your requirements. The cookie is stored on your computer. The GAA server may request that your computer return a cookie to it. Please see https://www.gaa.ie/news/cookies/ for more information in relation to our use of cookies.