We’re sure that many of you will have bought merchandise from the NUFC Club Store over the past 11 years without realising that it’s just a Sports Direct store in all but name.
With that in mind, you may or may not already know about the newly updated General Data Protection Regulation (GDPR) and the rights it gives you with an organisation: the right of access, the right to data portability, and the right to have your data deleted.
What does all of this mean? Put simply, it means that you can contact any company that holds information about you, and you have the legal right to:
- be sent copies of that information,
- be informed of who your information has been passed on to and why,
- request that all of the personal information that any company holds on you is deleted.
If you have shopped at the NUFC Club Store either in person or online, you have the legal right to contact Sports Direct at firstname.lastname@example.org or, if you wish, by post – Data Protection, Unit A, Brook Park East, Meadow Lane, Shirebrook, NG20 8RY.
Companies have a month from receiving your request to provide you with this personal data. Companies that don’t meet this deadline can be fined up to 4% of their total annual worldwide turnover.
Here’s a handy template for the first of the aforementioned GDPR rights – the right of access. Please feel free to copy and paste this for your own use.
Email to: email@example.com
Or by post: Data Protection, Unit A, Brook Park East, Meadow Lane, Shirebrook, NG20 8RY
[EMAIL ADDRESS – MUST MATCH NUFC.CO.UK/SD.COM LOGIN]
Brook Park East,
Subject Access Request
I am writing to you in your capacity as the Data Protection Officer for SportsDirect. As a customer of yours, I am concerned that your information practices may be putting my personal information at undue risk of exposure. As such, I am making this request for access to all personal data held by SportsDirect Retail Ltd about me, pursuant to Article 15 of the General Data Protection Regulation (GDPR).
I am including information to assist you in identifying me. If you require further information, please contact me at my address above, noting that under Information Commissioner’s Office (ICO) GDPR Right of Access guidelines, the level of identification requested of me should be necessary and proportionate to the request, e.g. not a certified document that will incur a charge. Failure to adhere to this will result in a further complaint to Sports Direct Retail Ltd under my Right to Raise a Concern and, if necessary, to the ICO under Article 77 of GDPR.
I would like you to be aware from the outset that I anticipate a full response to my request within one calendar month as required under Article 12 of GDPR, failing which I will forward my inquiry with a letter of complaint to the ICO.
Please confirm whether or not you are processing personal data, as defined by GDPR Article 4(1) and (2) concerning me. In case you are, I hereby request you provide me with the following information under Article 15 of GDPR:
a) The purpose of the processing;
b) The categories of personal data being used;
c) Where the personal data are not collected from the data subject, any available information as to the data source;
d) The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; please identify how long each category is retained;
e) Information on if my data has been or is going to be transferred to third parties, including their names and categories, the reasons for the transfer, and what will be done with the data;
f) Information on if my data has been or is going to be transferred overseas, including the country involved, the reason for the transfer, and what will be done with the data;
g) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer;
h) If applicable, the contact details for any third parties that you have transferred my data to;
i) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (me).
My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.
Please make the personal data concerning me, which I have provided to you, available to me in a structured, commonly used and machine-readable format as laid down in Article 20(1) GDPR.
In addition, I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach. If so, please advise as to the details of the breach and a description of the measures taken or that will be taken to prevent further unauthorised access to my personal data.
If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.
[YOUR FULL NAME HERE]