Premier League - Privacy Policy

In this Privacy Policy, terms such as "we", "us, "our" or similar expressions shall mean the Football Association Premier League Limited.

We take your privacy very seriously and are committed to protecting your personal data (meaning any information about you from which you can be identified). This Privacy Policy explains what personal data we collect when you: access the Premier League websites at https://www.premierleague.com (regardless of where you visit it from), use the Premier League's official app; play the Fantasy Premier League game, or contact the Fanzone (the Services); engage with the Premier League (or we engage with your content) on social media platforms (including our Facebook, Twitter, YouTube and Instagram pages); and/or when you otherwise interact or communicate with us. It also explains how we may use this data, and what rights you have in relation to such data.

For information on how we collect, use and store personal data relating to players (including English Football League (EFL) players) and other people associated with them and the Premier League (for example, coaches and scouts) please refer to our Player Privacy Policy. We also have a separate Safeguarding Privacy Policy and Enforcement Privacy Policy. Please read any other privacy notices which we may provide to you carefully, so that you are aware of and understand the ways in which we collect and use your personal data.

If you are aged 13 or under, please read our Under-13s Questions and Answers here: link. If you are over 13, please read our Over-13s Questions and Answers here: link. If you are reading this on behalf of a child for whom you have parental responsibility, please also refer to 11. CHILDREN AND PRIVACY.

We keep our privacy practices under review and may change this Privacy Policy from time to time by posting changes on the Services or otherwise notifying them to you. This version of the Policy is dated 2 September 2021.

This Privacy Policy is provided in a layered format so you can click through the sections below. Alternatively, you can download a PDF version of the Privacy Policy here: link.

Please read this Privacy Policy carefully:

  1. BACKGROUND
  2. PERSONAL DATA WE COLLECT ABOUT YOU
  3. HOW WE COLLECT YOUR PERSONAL DATA
  4. HOW AND WHY WE USE YOUR PERSONAL DATA
  5. DISCLOSURE OF YOUR PERSONAL DATA
  6. TRANSFERRING YOUR PERSONAL DATA OUTSIDE OF THE EU
  7. SECURITY OF YOUR PERSONAL DATA
  8. LINKS TO OTHER WEBSITES
  9. DATA RETENTION
  10. YOUR RIGHTS
  11. CHILDREN AND PRIVACY
  12. CONTACT US
1. Background

We are a "controller" under the UK GDPR and other applicable data protection legislation (Data Protection Law). This means we are responsible for deciding how we use the personal data that we collect about you and, in accordance with the Data Protection Law, we will ensure that the personal data we hold about you is, at all times:

  1. used fairly, lawfully, and transparently;
  2. collected for limited, specific purposes only;
  3. adequate, relevant to and limited to what is necessary for those purposes;
  4. kept accurate and up-to-date;
  5. not kept for longer than is necessary; and
  6. held securely.

We shall be accountable for and able to demonstrate our compliance with our obligations under the Data Protection Law, and this Privacy Policy is one of the ways in which we do that.

In connection with some elements of the Services we also receive additional personal data about you from other organisations who have collected personal data from you, such as our member football clubs from time to time (Clubs), other footballing organisations (such as the FA or FIFA) and our commercial partners and data collected on our behalf at Premier League events. We may also receive personal data as part of the legal processes we undertake to protect our Services and our intellectual property, such as our brand or media rights, or those of our licensees/commercial partners. Each of these parties shall be a separate data controller in relation to the categories of data which it processes, and shall be accountable for its compliance with the Data Protection Law under its own privacy policy. For more information, please refer to Disclosure of your personal data below.

We have appointed a Data Protection Lead to oversee compliance with this Privacy Policy and our data protection compliance activities. The Data Protection Lead has also established a dedicated data protection team to provide the necessary support. Details of the Data Protection Lead can be found here: 12. CONTACT US

2. Personal Data We Collect About You

Personal data means any information about an individual from which that person can be identified. We may collect, store, transfer and use various types of your personal data:

  • Registration Data: To access and use some elements of the Services you must create a Premier League account by providing us with the information which is identified on the relevant registration page: name, email, gender, date of birth, and location (country/region of residence). We will also collect a username and password. Please note that some elements of the Services will not be available if you do not provide the required information. We may also ask or allow you to submit other optional information such as your mobile phone number.
  • Identity Data: We also ask you to provide identification information when we provide other elements of the Services: name, age, gender and social media handles/ usernames.
  • Contact Data: When we want to communicate with you, or you with us, we use your email address, telephone numbers, social media handles/ usernames and location (country/ place of residence).
  • Media Data: We use images from photographs and video footage of crowds and fans and other media content created by us (or on our behalf) at Premier League matches and events or provided by you for our use. We may also use some of your user generated content in social media as further described below.
  • User Data: We collect your usage and preference details related to your use of the Services such as language, game-play statistics, scores, rankings, time spent playing, game profile, preferences (including favourite Clubs), survey responses, feedback and other data that you provide to us as part of your account.
  • Marketing and/or Communications Data: We retain your preferences in receiving marketing messages from us and our Clubs and commercial partners, and your communication preferences.
  • Technical Data: Certain data is automatically generated and collected by us when you use the Services such as your IP address, MAC address and other device identifiers; your clickstream to, through and from the Services (including date and time); pages you viewed or searched for; length of visits to certain pages; page interaction information (such as scrolling, clicks, and mouse-overs); methods used to browse away from the page.

Not all of the list above will necessarily apply to you - it depends on your use of the Services and your particular interaction and communications with us. Please refer to 4. HOW AND WHY WE USE YOUR PERSONAL DATA below.

Under the Data Protection Law, there are also “special categories” of more sensitive data about you such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientations, political opinions, trade union membership, information about your health and genetic and biometric data (“Special Category Data”) and personal data relating to criminal convictions and offences (“Criminal Offence Data”) which require a higher level of protection (collectively referred to in this Policy as “Sensitive Personal Data”).  We do not regularly collect, use or store such Sensitive Personal Data but in some circumstances we may need to do so.  Please refer to 4. HOW AND WHY WE USE YOUR PERSONAL DATA below and read our separate Safeguarding Privacy Policy and Enforcement Privacy Policy, and any other privacy notices which we may provide to you carefully, so that you are aware of and understand the ways in which we collect and use your Sensitive Personal Data. 

3. How We Collect Your Personal Data

You provide us with your personal data when you:

  • access, use or play the Services;
  • create a Premier League account for the Services;
  • request information, marketing and other communications to be sent to you;
  • enter a competition, promotion or survey;
  • complete surveys or provide us with your feedback; and
  • otherwise interact or correspond with us (including via email, social media or telephone).

In connection with some elements of the Services we also receive additional personal data about you from other organisations who have collected personal data from you, such as our member football clubs from time to time (Clubs), other footballing organisations (such as the FA or FIFA) and our commercial partners (like EA) and data collected on our behalf at Premier League events. We may also receive personal data as part of the legal processes we undertake to protect our Services and our intellectual property, such as our brand or media rights, or those of our licensees/commercial partners.

We collect the Technical Data automatically as you interact with our Services by using cookies and other similar web technologies. Please refer to our Cookie Policy for more information.

We also use third party tools to help us manage and analyse our social media presence, and report on comments, mentions and other content that is posted about us on social media platforms and other public channels and forums. These third parties’ activities, and their information collection and sharing practices, are subject to the terms of the relevant social media platform, channel or forum. We will use this information in accordance with this Privacy Policy.

We use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to certain parts of the Services. This information is only used by us in a way which does not identify you. We do not make, and do not allow Google to make, any attempt to find out the identities of anyone visiting our website.

4. How and Why We Use Your Personal Data

We will only use your personal data where Data Protection Law allows us to. Data Protection Law says we can collect and use personal data on the following bases:

  1. it is necessary for us to be able to perform an agreement with you.
  2. it is necessary for our legitimate interests (and your interests and fundamental rights do not override those interests);
  3. if we have your consent (which you can withdraw at any time); or
  4. to comply with a legal obligation e. rules laid down by courts, statute or regulation.

Data Protection Law says we can only collect and use your Sensitive Personal Data where an additional basis applies: for reasons of substantial public interest, including when preventing or detecting unlawful acts or in connection with our regulatory and oversight functions in sport; in connection with legal claims; cases where you have made the data public yourself; or where you have given explicit consent.

Accordingly, we lawfully use your personal data in the following ways:

Delivering the Services: We use the Registration Data, User Data and Contact Data so that we can deliver the Services to you in an effective, efficient and accurate way. Without it, we would not be able to deliver a tailored service to you or respond to issues with these Services that are identified by us or you, or ensure you get the most out of your experience. Therefore, we use this data on the basis that it is necessary for us to be able to perform our agreement with you (i.e. the terms and conditions of the relevant Services) and for our legitimate interests of delivering the Services in this way.

Operating the Services: We use the Technical Data in order to operate and administer the Services including as necessary for testing, analysis, maintenance, support, reporting and hosting of data. Therefore, we use this data on the basis that it is necessary for our legitimate interests of operating the Services in this way. We also use Technical Data together with certain Identity Data and Contact Data to assist in security and fraud prevention, system integrity (such as preventing hacking, cheats and spam) and/or to facilitate our response to a legal process. Therefore, we use this data on the basis that it is necessary both for our legitimate interests in protecting the Services in this way and in order that we can comply with a legal obligation.

Competitions and promotions: We use Identity Data and Contact Data and any other personal data related to the entry (for example, a photograph) in order that we can administer and operate contests, prize draws, competitions or other promotions including selecting the winners, delivering the prizes and publishing the results (as required by UK advertising regulations). Therefore, we use this data on the basis that it is necessary for us to be able to perform our agreement with you (i.e. the terms and conditions of the relevant promotion) and in order that we can comply with a legal obligation. If we want to use the personal data for any other purpose we will notify you and, if necessary, seek your consent at that time. 

Marketing communications: We use the Identity Data and Contact Data to inform you of news, offers, events, competitions and promotions by specified media (including, if requested, by way of calendar notifications) which may be of interest to you and/ or we provide such data to our Clubs and/or our official commercial partners so that they can do this. We give you the option of providing opt-in consent to receive different kinds of direct marketing communications from us or these third parties or deciding not to do so.

OPT-ING OUT: You can withdraw your consent and opt-out of marketing communications from us at any time by updating your Email Preferences (where you have signed up to our website) or by following the instructions provided to you in the relevant communication (for example, the 'unsubscribe' link in an email). Alternatively, you may contact us at info@premierleague.com. We may still need to send service emails to you from time to time.

If you have chosen to receive communications directly from a particular Club or commercial partner, you will be consenting to us passing the data to them to use in accordance with their privacy policy, to which we provide links on our website, so you should contact them directly if you no longer wish to receive their communications. The privacy policy and contact details for each Club are available here: link.

Our fixtures and calendar communications function is delivered by ECAL and you should contact ECAL directly, if you want to stop receiving these communications. Instructions on how to unsubscribe from ECAL can be seen here and a copy of ECAL's privacy policy is available here.

Media coverage: We use the Media Data together with Identity and Contact Data for Premier League-related publishing and media coverage. Except where you are not the subject of the Media Data, for example in general crowd shots, we will seek your consent and provide you with information about our intended use of such information.

Fanzone callers: The Premier League delivers the Fanzone Programme in conjunction with IMG Studios. We use the Identity Data, and Contact Data along with any other information you share with us (for example, which Club you support) when you contact us via your chosen means (a "caller") in connection with our operation, administration and distribution of the Fanzone audio-visual programme. We then keep a record of this information so that we can contact you in the future if we would like to hear from you again or reuse your comments. By providing this information to us you are consenting to our use of the data for these purposes and you can withdraw that consent at any time by contacting us at dataprotection@premierleague.com. Note that we also keep a record of caller details to ensure we don't use the same callers each time and to prevent a repeat of abusive callers so we are using this data on the basis that it is necessary for our legitimate interests in providing interesting, inclusive and responsible programming. 

Other purposes: We might have to use your personal data to protect your or someone else's vital interests for example to make contact in rare emergency situations. We could also have to use your personal data in connection with legal and regulatory matters such as our maintenance of business records, compliance with external reporting requirements and internal policies and procedures and responses to requests by government, law enforcement, regulators, courts, rights holders or other third parties including in respect of the use or misuse of intellectual property, such as our brand or media rights, or those of our licensees/commercial partners or their parties. Therefore we use this data on the basis that it is necessary both for our legitimate interests in protecting, defending and enforcing rights and interests in this way and also so that we can comply with legal obligations. We may also use your personal data when we  process Media Data as part of our dedicated reporting and take-down programme helping to fight serious abuse against players, coaching staff and their families in social media. We use this data for our legitimate interests in fighting abuse and, where Sensitive Personal Data is involved, in order to prevent or detect unlawful acts, in connection with legal claims and where you have made the data public yourself.

Before using your personal data for our legitimate interests, we make sure that we take into account any potential impact that such use may have on you to ensure that your interests and fundamental rights and freedoms do not override those interests. In other words, we have determined that we have a legitimate need to process your personal data and we are not aware of any reasons that, on balance, mean we should not be doing so. If you have concerns about our processing please refer to 10. YOUR RIGHTS] below or contact us using the details here 12. CONTACT US.

Please also read our separate Safeguarding Privacy Policy and Enforcement Privacy Policy which explain the basis of processing for the other purposes described within them.

We will only use your personal data for the purposes for which we collected it as described above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

If you would like to find out more about the legal condition for which we process your personal information, please contact us using the details here 12. CONTACT US.

What if you do not want to share your personal data?

Unless otherwise specified above, generally we collect your personal data on a voluntary basis. However, please note that if you decline to provide certain mandatory personal data, you may not be able to access certain Services and we may be unable to fully respond to any inquiries you make.

5. Disclosure of Your Personal Data

We may disclose or share your personal data in the following circumstances:

  • Third Party Service Providers. We engage third party businesses to provide services to us or to you on our behalf, such as support for the internal operations of our Services (and related services), communications, data storage and delivering communications (including calendar notifications). Our service providers may access, receive, maintain or otherwise use personal data on our behalf. Our service providers only use your personal data in accordance with our strict instructions to provide the relevant services and are not permitted to use your personal data for their own purposes, unless authorised by us to do so. Where this is the case you will be notified by us and provided with their privacy policies so you can understand how they will treat your personal data.
  • Commercial Partners. We may also disclose your personal data to our commercial partners where you have consented or requested that we do so. For example, when you enter a competition or sweepstake which is a joint promotion, or you request to receive certain marketing communications. You will be given clear information in each case before we disclose share your personal data.
  • Publicity and media. We may disclose your personal data publicly via the media, social media or on the Services. For example, when sharing a comment or opinion you have provided such as when you contact the Fanzone, or if you win a competition or promotion we may disclose your name online. In such cases, we will clearly notify you of the sharing, and you will have the choice not to participate or to otherwise object to such sharing, subject to our other legal obligations.
  • Where you allow us to, we will share your personal data with your favourite Clubs to help our Clubs interact with their fans or where for example it is necessary for the fulfilment of a competition (e.g. you have won tickets to a Club match). This Privacy Policy applies to our use of your personal data only, and you should refer to the relevant privacy policy of each relevant Club to understand how they use your personal data. A list of the Clubs and links to the respective privacy policies is available here: link.
  • Legally Required. We may also disclose your personal data if we believe we are required to do so by law, or that doing so is reasonably necessary to comply with legal processes or the enforcement of our rights where we receive evidence we deem sufficient to justify such disclosure or in the event of a re-organisation of the legal or ownership structure of the Premier League.

Please read carefully any additional privacy notices which we may provide to you so that you are aware of and understand any other circumstances in which we may disclose or share your personal data which are specific to your use of the Services and/or your relationship with the Premier League.

Notwithstanding anything else in this Privacy Policy, we may share aggregate or de-identified information with third parties for research, marketing, analytics and other purposes, provided such information does not identify a particular individual and the individual cannot be re-identified.

6. Transferring Your Personal Data Outside the UK and EU

Some countries outside of the UK and the European Union (EU) do not have laws that protect privacy rights and personal data as extensively as the UK and other countries within the EU. We do not generally or routinely transfer personal data outside of the UK and the EU but some of the organisations to which we may disclose personal data may be situated outside of the UK and the EU. If we do transfer your personal data outside of the UK and the EU, we will take all necessary steps to ensure that transfers of your personal data are handled in accordance with this Policy and with the Data Protection Law. We do this by ensuring that such transfers are limited to countries which are recognised as providing an adequate level of legal protection by the UK and the European Commission or one of the specific safeguards approved by the European Commission is in place. You can find further information about these safeguards at https://ec.europa.eu/info/law/law-topic/data-protection_en. In the event that there is any change in the law such that one or all of the safeguards are no longer valid or applicable, we will ensure that we are satisfied that alternative arrangements / safeguards are in place to protect your privacy rights as required by the Data Protection Law. We do use our branch office in Singapore to process certain personal data in relation to the online abuse programme.

If you would like further information on the specific mechanism used by us when transferring your personal data out of the UK and the EU you can contact us using the details provided below.

7. Security of Your Personal Data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed (a Data Security Breach). In addition, we limit access to your personal data to those employees, contractors and other third parties who have a business need to know. They will only use your personal data on our instructions and they are subject to a duty of confidentiality.  In relation to third party service providers whom we appoint to process your personal data on our behalf, we take steps to ensure that those service providers are contractually bound to protect your personal data.

We have put in place procedures to deal with any suspected Data Security Breach and will notify you and any applicable regulator where we are legally required to do so.

Where we have given you or you have chosen a password which enables you to access certain Services, you are responsible for using reasonable care in keeping this password confidential.

8. Links to Other Sites

The Services may contain links to other websites, applications and environments that are not owned or controlled by us (the Other Sites). The owners and operators of those Other Sites are responsible for their collection and/or use of your personal data and you should check their respective privacy policies. Unless specifically referred to otherwise, this Privacy Policy applies to the Services only and not the Other Sites.

9. Data Retention

We will generally only keep your personal data for as long as necessary to fulfil the purposes we collected it for  (see 4. WHY WE USE YOUR PERSONAL DATA), in accordance with our internal Data Retention Policy. However, in some circumstances we may retain personal data for other periods of time, for instance where we are required to do so in accordance with legal, tax or accounting requirements, or if required to do so by a legal process, legal authority, or other governmental entity having authority to make the request.

To determine the appropriate retention period, we review - in addition to the purposes of use and how we can achieve them - other relevant factors such as the nature and scope of the personal data, the potential risks to data subjects from a Data Security Breach, and the applicable legal requirements, for example the limitation period for which legal claims can be made in court. For example, all non-activated Premier League accounts are deleted after 21 days and all non-authorised accounts for users aged 12 or under are deleted immediately if a parent withholds consent and after 21 days if an account relating to a user aged 12 or under is not verified.

In accordance with our internal Data Retention Policy and the Data Protection Law, after the applicable retention period has ended, your personal data will be securely deleted or destroyed or anonymised (for example, where the data will be used in aggregated/generic form for statistical purposes).

Specific details of retention periods for different aspects of your personal data are available upon request by using the contact details provided below.

10. Your Rights

Under Data Protection Law, you have certain rights (depending on the circumstances) in connection with your personal data, which include:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are using it lawfully, provided always that this does not adversely affect the rights and freedoms of other people;
  • Request correction of the personal data that we hold about you. Where any of the information we hold about you is incorrect or incomplete we will act promptly to rectify this, including where you have requested us to do so. Users of the Premier League website can update their information any time via their account preferences;
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to use it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to our use (see below);
  • Object to use of your personal data where we are relying on our legitimate interests (see above) and there is something about your particular situation which makes you want to object to our use on this ground;
  • Withdraw your consent to our use of your personal data where we do so in reliance on your consent. Once we have received notification that you have withdrawn your consent, we will no longer use your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law;
  • Request the restriction of use of your personal data. This enables you to ask us to suspend the use of personal data about you, for example if you want us to establish its accuracy or the reason for using it; and
  • Request the transfer of the personal data you have provided, on the basis of consent or for a contract with us, to you or a third party where technically feasible.

We are committed to respecting your rights. You may action your rights (as may be applicable) by contacting us using the details provided below (12. CONTACT US). We will make every reasonable effort to comply with your requests within a reasonable period and in any event within the timescales provided by the Data Protection Law, unless we have a lawful reason not to do so. Requests should be made in writing and to ensure that personal data is dealt with carefully and confidentially we will require the requestor to provide verification of their identity and all applications must be accompanied by copies of at least two official documents, which show your name, date of birth and current address (for example, driving licence, birth/ adoption certificate, passport, recent utility bill).

In responding to such requests, we will explain the impact of any objections, restrictions or deletions requested.

We will not charge you a fee to exercise your rights unless your request is clearly unfounded or excessive, in which case we may charge you a reasonable fee. Alternatively, we may refuse to comply with the request in such circumstances.

Additionally, should you wish to permanently delete your Premierleague.com account and your personal data, you may do this yourself by following the below instructions:

  • Log into your account and navigate to https://users.premierleague.com/;
  • Click 'Manage Profile' on the right hand side.
  • Click  'Delete Account'.
  • You will then be prompted to enter your password.  Please then click 'Confirm Password'.
  • On the following page, please click 'Confirm'.

Please note that if you log back in to your account during the 21 day period the account will be reactivated.

You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK data protection authority. The ICO's contact details as are follows: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Tel: 0303 123 1113 (local rate) or 01625 545 745; https://ico.org.uk/global/contact-us/   

11. Children and Privacy

It is important to us that children can enjoy our Services in a responsible manner. We encourage parents and guardians to supervise their children's online activities by, for example, adopting control tools available from online services and software suppliers that help provide a child-friendly online environment including by preventing children from disclosing their personal data online without parental permission.

We are committed to safeguarding children's personal data collected online, and to helping parents and guardians and their children learn how to exercise control over personal data while exploring the Internet. To help children understand the use of their personal data, we make available child-friendly questions and answers here: link. We encourage parents and guardians to read these with their children.

If your child is aged 12 or under, we will require permission from you as a parent, carer or person with parental responsibility in order for your child to register for a Premier League account. On registering for an account, your child will be asked to give the name and email address of the person with parental responsibility. A confirmation email will then be sent to you as the person with parental responsibility. Your child’s Premier League account will only become active once you have responded to that email confirming your parental responsibility and providing your permission. We may take other reasonable steps to confirm parental responsibility.

All personal data in respect of non-authorised accounts relating to users aged 12 and under is deleted immediately where parental consent has been refused and after 21 days if an account relating to a user aged 12 and under is not verified.

If you have parental responsibility and would like to review any personal data that we have collected online from your child, have this information deleted, and/or request that there be no further collection or use of your child’s personal data or if you have any questions about our Privacy Policy or practices, you may contact us at  dataprotection@premierleague.com.

12. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the following contact details:

Premier League Data Protection Lead

The Football Association Premier League Limited

Brunel Building, 57 North Wharf Road

London, W2 1HQ

dataprotection@premierleague.com

(0)207 864 9000