Privacy Notice for Applicants & Candidates

1. What is the purpose of this document?

Aston Villa Football Club is committed to being transparent about how it collects and uses your personal data and how the Club (defined below) protects the privacy and security of your personal data.

This Notice describes:

• what personal data the Club will collect;

• how and why your personal data will be used by the Club;

• who the Club shares your personal data with;

• how the Club protects your personal data;

• how long the Club keeps your personal data for; and

• your rights in relation to your personal data.

This notice applies to all applicants and candidates applying for any role within any of the companies detailed below. The Club may update this notice at any time but if the Club does so, it will provide you with an updated copy of this notice as soon as reasonably practical.

It is important that you read and retain this notice, together with any other privacy notice the Club may provide on specific occasions when the Club is collecting or processing personal data about you, so that you are aware of how and why the Club is using such personal data and what your rights are under data protection laws.

2. Who we are

There are four different entities within the Club’s group of companies that process personal data:

Aston Villa Football Club Limited (Company Number 3375789)

Aston Villa FC Limited (Company Number 2502822)

Aston Villa Women’s Football Club Limited (Company Number 8414046)

Aston Villa Foundation (Company Number 8589263)

This Notice is issued on behalf of these companies so when we mention "the Club", "we", "us" or "our" in this Notice, we are referring to the relevant company in the Club’s group that is responsible for processing your personal data.

The Club is a "data controller". This means that the Club is responsible for deciding how it holds and uses personal data about you as part of any recruitment process. The company that controls your personal data will depend on the role you are applying / have applied for.

You can contact the Club in relation to your personal data (regardless of which company controls your personal data) using the following details:

Email address:

Postal address: Legal Department, Aston Villa Football Club, Villa Park, Birmingham B6 6HE

3. Personal data the Club collects about you

“Personal data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are "special categories" of personal data (previously called “sensitive personal data”) which require a higher level of protection, such as information about a person's health or sexual orientation.


The Club will collect a range of personal data in relation to your recruitment application and / or candidacy. This may include:


  • your name, address, date of birth and contact details, including email address and telephone number;

  • details of your qualifications, skills, experience, employment history and references;

  • your image (e.g. in photographic form where provided as part of your application or CV, or in video form, if captured on CCTV at the Club’s premises);

  • information about your current level of remuneration including benefit entitlements;

  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;

  • information about your entitlement to work in the UK including copies of right to work documentation, immigration documentation, copies of passports, visas, visa stamps, copies of biometric card, references and other information included in a CV or cover letter or as part of the application process;

  • equal opportunities monitoring information, which may include personal data about your age, disability, gender re-assignment, marriage and civil partnership, pregnancy and maternity, race (which includes ethnic origin, colour, nationality, national origin), religion or belief, sex (gender) and sexual orientation;

  • information about criminal convictions and offences; and

  • any other personal data you provide to us at interview.

 If you are successful and the Club offers you a position, you will commence the Club’s onboarding process and we will process your personal data in accordance with the Club’s Privacy Notice for Employees, Workers, Consultants and Volunteers, a copy of which is available from HR.

4. How is your personal data collected?

The Club collects this personal data in a variety of ways throughout the application and recruitment process, either directly from you, through referral or sometimes from an employment agency or background check provider. Personal data might be contained in CVs, application forms, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment which might include online tests. Where you attend the Club’s premises, your image may also be captured on the Club’s CCTV cameras.

The Club may also collect personal data about you from third parties, such as references supplied by former employers, information from background check and criminal records check providers. The Club will only seek information from third parties once a job offer to you has been made.

5. Automated decision-making

The Club does not currently operate any automated decision-making in relation to your application for employment.

6. Why does the Club process personal data?

The Club needs to process your personal data to take steps at your request prior to entering into an employment or service contract with you. It also needs to process your personal data to enter into any employment or service contract with you.

In some cases, the Club needs to process your personal data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant’s eligibility to work in the UK before employment starts.

The Club has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing personal data from job applicants allows the Club to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide to whom to offer a job. The Club may also need to process personal data from job applicants to respond to and defend against legal claims.

The Club may process special categories of personal data (such as information about your racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data) to monitor recruitment statistics for equal opportunities monitoring and reporting. The Club has a separate Privacy Notice for Special Categories of Personal Data dealing with how the Club processes such special categories of personal data. A copy of this Privacy Notice can be obtained from the Club’s HR Department.

The Club may also process health information if the Club needs to make reasonable adjustments to the recruitment process for applicants who have a disability. The Club processes such personal data to carry out the Club’s obligations and exercise specific rights in relation to employment.

The Club may collect and process personal data during the recruitment process about criminal convictions if it is appropriate given the nature of your role and where the Club is legally able to do so. This will usually be where such processing is necessary to carry out the Club’s legal obligations or exercise rights in connection with employment (to assess your suitability for your appointment to the role with the Club) and provided the Club does so in line with the Club’s Criminal Records Policy, which has appropriate safeguards which the Club is required to maintain when processing such personal data. Less commonly, the Club may use personal data relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the personal data public.

 The Club will not use your personal data for any purposes other than the recruitment exercise for which you have applied.

 For the security and safety of the Club and those visiting Club premises, the Club uses CCTV in and around Villa Park and the Club’s other premises (this includes the Club’s training ground and car parks) and certain streets surrounding the Club’s premises. If you attend either of those premises your image may be captured on CCTV recordings. Whilst CCTV footage containing your image will not be used in connection with the recruitment exercise for which you have applied (except in exceptional circumstances where such use would be justified and permitted in accordance with data protection laws), the Club uses CCTV footage to monitor and review any accidents or incidents and for the safety and security of visitors to our premises. The Club has a legitimate interest in processing CCTV footage and also processes this CCTV footage as part of the Club’s compliance with its legal obligations.

7. Who has access to personal data?

Your personal data may be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area involved with the recruitment of that vacancy and IT staff if access to the personal data is necessary for the performance of their roles.

The Club will not share your personal data with third parties, unless your application for employment is successful and the Club makes you an offer of employment. The Club will then share your personal data with former employers to obtain references for you and contact employment background check providers to obtain necessary background checks, if required. Should the role you have been successfully appointed to require a Disclosure and Barring check, the Club will contact the Disclosure and Barring Service (DBS) in order to carry out any criminal record checks.

8. What if you do not provide personal data?

You are under no legal or contractual obligation to provide personal data to the Club during the recruitment process. However, if you do not provide the personal data, the Club may not be able to process your application properly or at all (for example, the requirement to provide recruiting line managers with your details of employment history, work experience, qualifications etc in order to shortlist for interviews against the vacant post requirements).

9. Your right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for the recruitment or selection process or for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.

To withdraw your consent, please contact the HR Department. Once the Club has received notification that you have withdrawn your consent, the Club will no longer process your application for the original purpose or purposes you agreed to, unless the Club has another legitimate basis for doing so in law. Subject to the Club’s Data Retention Policy, the Club will dispose of your personal data securely.

10. Data sharing

The Club may have to share your personal data with third parties, including third-party service providers and other entities in the wider Aston Villa Football Club Group. The Club requires all third parties to respect the security and confidentiality of your personal data and to treat it in accordance with data protection laws. The Club does not allow its third-party service providers to use your personal data for their own purposes. The Club will only permit them to process your personal data for specified purposes and in accordance with its instructions. The Club may transfer your personal data outside the United Kingdom. If the Club does so, you can expect a similar degree of protection in respect of your personal data.

The Club may share your personal data with other entities in its group as part of its regular reporting activities on Club performance, in the context of a Club reorganisation or restructuring exercise, for system maintenance support and hosting of data. Specifically, the Club may share the personal data it collects about you with its parent companies.

11. Data security - how does the Club protect personal data?

The Club has a Data Protection Policy which all of the Club’s staff are required to follow in respect of any processing of personal data in which they are involved.

The Club’s IT Department have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, the Club limits access to your personal data to those employees, agents, consultants and other third parties who have a business need to know. They will only process your personal data on the Club’s instructions and they are subject to a duty of confidentiality.

The Club has put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where the Club is legally required to do so.

12. Data retention – how long will the Club use your personal data for?

If your application for employment is unsuccessful, the Club will hold your personal data on file for 6 months after the end of the relevant recruitment process. At the end of this period your personal data will be deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personal HR file and retained during your employment. The periods for which your personal data will be held will be provided to you in a separate Employee Privacy Notice.

The Club has in place a Data Retention Policy that sets out recommended data retention periods.

13. Your rights of access, correction, erasure, and restriction

As a data subject, you have a number of rights. You can:

• Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data the Club holds about you and to check that the Club is lawfully processing it.

• Request correction of the personal data that the Club holds about you. This enables you to have any incomplete or inaccurate personal data the Club holds about you corrected.

• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

• Object to processing of your personal data where the Club is relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where the Club is processing your personal data for direct marketing purposes.

• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

• Request the transfer of your personal data to another party.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that the Club transfers a copy of your personal data to another party, please contact the Club’s Legal Department/ Data Protection Officer ( in writing.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, the Club may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, the Club may refuse to comply with the request in such circumstances.

The Club may need to request specific personal data from you to help us confirm your identity, to ensure your right to access the personal data (or to exercise any of your other rights), and to ensure it is not disclosed to any person who has no right to receive it.

14. Data Protection Officer

The Club’s Legal Department/ Data Protection Officer ( will oversee compliance with this Notice. If you have any questions about this Notice or how the Club handles your personal data, please contact the Club’s Legal Department/ Data Protection Officer. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

15. Changes to this Privacy Notice

The Club reserves the right to update this Notice at any time, and the Club will provide you with a new privacy notice when the Club makes any substantial updates (should this take place when you have a live application progressing through the Club’s recruitment process only). The Club may also notify you in other ways from time to time about the processing of your personal data.

This Privacy Notice will be reviewed by the Legal Department annually, or sooner where new developments in legislation necessitate such a review, where factual clarification is required or changes to operational practices take place. The next review will be in February 2025.


February 2024

Legal Department