GDPR – Data Policy


24 May 2018

This notice describes how The Dublin Rebels American Football Club (the “Rebels”) processes personal data, in particular the personal data of members of the Rebels.

This notice describes the types of personal data collected, the purPOLposes for which that personal data is collected, the limited contexts in which personal data may be shared with other parties, and the measures the Rebels take to protect the security of the data. It also outlines data subjects’ rights and choices with respect to personal data, and how to contact the Rebels to update your data or ask questions about the Club’s data and privacy practices.

The Rebels process personal data of members in order to comply with the rules and regulations applicable to playing American Football in Ireland, and related activities. Data used for this purpose includes membership and player registrations, team sheets, records involving disciplinary processes, communications and notifications of events organised and hosted by the Rebels, fundraising and promotional activities, coaching activities and compliance related requirements (i.e. garda vetting, child protection compliance measures, and insurance).

What data The Rebels have about members

The Rebels control certain information about its playing and non-playing members, including:

  • Name
  • Email address
  • Home Address
  • Telephone contact details
  • Date of birth
  • Team (if relevant)
  • Jersey Number (if relevant)
  • How Many Years you have been a member
  • Previous Clubs (if relevant)
  • Coaching qualification details (if relevant)
  • Officiating Qualifications (if relevant)
  • Position
  • Height
  • Weight

This information is in The Rebels’ control having been provided by members. The Rebels will access this data for limited and defined purposes connected with its duties as a club, and in accordance with this policy.

The Rebels are bound by the By Laws of the Irish American Football Association, and is required by these by-laws to process certain data regarding members, including:

  • personal data entered on team rosters and provided to IAFA officials in accordance with the by laws,
  • (in certain circumstances and in order to comply with IAFA by laws regarding appeals and suspensions) video footage of games.

The Rebels’ policy is to minimise the amount of personal data collected so that it only has what is needed to perform its role as a Club. The Rebels’ fundamental policy is not to collect, maintain, or process data beyond what is needed for its functions as a club, and those necessary for complying with the IAFA By Laws and game rules (e.g. the processing of data on rosters, team sheets, referee’s game reports etc.). In the event that the Rebels process any data beyond this, this will be communicated to the data subject, and the data will be dealt with in accordance with this policy. Appropriate safeguards will be put in place.

The Rebels will not to collect, process, or deal with members’ sensitive personal data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. In some cases, where it is absolutely necessary to do so, the Rebels may collect and process such information where doing so is of critical importance (e.g. data relating to someone’s health in relation to on-field injuries). In such a case, The Rebels will ensure that the data subject is informed of such processing, and that such data is subject to all relevant data protection safeguards.

The grounds on which the Rebels processes data

The Rebels process personal data in pursuit of the Club’s role as a member of IAFA, and as a subject of IAFA’s rules and regulations. It is necessary to process personal data in connection with many requirements under the IAFA constitution and by-laws. For example:

  • Names and various other player details are required to be processed by IAFA, including by IAFA’s officiating department, in order to secure compliance with rules regarding game day rosters, player eligibility, and suspensions,
  • Personal data such as date of birth is required to assess player eligibility, level of competitive football relevant to the player, and whether child protection policies apply in certain cases (e.g. re youth football),
  • video footage is required to be shared with and processed for the purposes of resolving appeals relating to ejections.

The Rebels process personal data on the basis that it is necessary to do so in order to comply with legal obligations set out in IAFA’s by-laws and constitution, and obligations on the Rebels to provide a safe and rule-compliant environment in which its members can enjoy the sport of American Football.

The Rebels will also seek members’ consent to the processing of personal data generally, and in compliance with this policy. The members’ general consent to processing will be sought, and consent will be sought on an ongoing basis, as appropriate, in relation to certain individual instances of data processing.

The Rebels will, on occasion and where necessary, carry out processing for the purposes of pursuing its legitimate interests, such as the promotion of team events and activities. In all cases the Rebels will have regard to the rights and interests of data subjects, and all processing by the Rebels will take place in accordance with this policy.

What The Rebels will do with your data

Examples of what Rebels will use personal data to do (subject at all times to compliance with this policy) include:

  • To communicate with data subjects regarding membership or the status of a member in any respect,
  • To support or corroborate details provided on game day, via rosters provided to officials, game tape, or otherwise,
  • To consider disciplinary matters in accordance with the Rebels’ Constitution,
  • For the purpose of complying with legal requirements, including without limitation any applicable competitive and administrative requirements of IAFA, regulatory obligations, garda vetting requirements, obligations under data protection law, and obligations arising as a member of Sport Ireland, or otherwise enforce or protect the Club’s rights,
  • To update records or to perform data analyses of membership statistics,
  • To ensure accuracy and quality of data retained,
  • As otherwise permitted pursuant to this Privacy Policy or as otherwise authorised by members.

Your data will be processed only by Rebels personnel authorised to do so in relation to the specific processing in question. Such processing will be carried out in accordance with this policy. For example, hard copy rosters will be dealt with by referees on game day in accordance with IAFA By Laws.

The Rebels will ensure that such processing does not involve third parties and that, save as contemplated by this policy, personal data controlled by the Rebels is not transferred to any third party (other than IAFA as required by the IAFA by laws).

Sharing data

The Rebels will not share personal data with third parties other than in accordance with this policy, and in pursuit of the basis for which the information was collected or processed. Any data shared with a third party shall be anonymised to the greatest practicable extent, and shall be shared in accordance with this policy. Unless sharing personal data with a third party is required by law, the Rebels will seek consent of data subjects before sharing personal data.

Examples of cases in which the Rebels may share personal data with third parties include:

  • Communicating with event providers or hosts, sports agencies, entertainment representatives, tour operators or other persons involved in facilitating, hosting, organising, or liaising with IAFA-related or IAFA-sanctioned football,
  • Communicating re data hosted by service providers (e.g. Eventbrite),
  • Communicating relevant information to any external third party who has a legitimate and lawful interest in receiving the personal data, e.g. auditors, IAFA, officials of Sport Ireland, or members of a disciplinary committee.
  • If required to disclose personal data by law or as part of a legal process, in response to a request from a court, law enforcement authorities, or public/government officials,
  • When sharing personal data is necessary or appropriate to prevent physical harm or financial loss,
  • In connection with an investigation of suspected or actual fraudulent or illegal activity,
  • As otherwise permitted pursuant to this Policy.


The Rebels will review, monitor, and evaluate its privacy practices and protection systems on a regular basis. The policies and procedures relevant to the protection and management of personal data are the responsibility of the Rebels Committee, and the policies are continuously reviewed by the Committee.

The Rebels will take measures to delete personal data (or to keep it in a form that does not permit identification of an individual) when data is no longer necessary for the purposes for which it is processed, unless required by law to keep this information for a longer period. When determining the retention period for personal data, the Rebels will take into account various criteria, such as the nature of the data, potential risks arising to the Rebels and/or to the data subject and/or to any other person from the deletion of the data, the likelihood of the data being relevant to the purpose for which it is processed in future, the impact on the Rebels’ functioning if the data is deleted, and mandatory retention periods provided by law and the statute of limitations.

As a competitor within a 32 county organisation, the Rebels may occasionally be required to transfer personal data between legal jurisdictions, and data may be required to be transferred for the purposes of processing international player transfers. If data is transferred to a jurisdiction in which data protection standards differ to those applicable in the EU, the Rebels will take steps to ensure that as little data as possible is so transferred, that data is anonymised as far as possible, and that data subjects are informed of such a data transfer and of the relevant safeguards applicable to it. When the Rebels transfer your personal data to other countries, it will protect that information as described in this document or as disclosed to you at the time of the collection.

The Rebels’ policy is not to deal with the personal data of anyone under the age of 16.


Your data and your rights

Subject to applicable legal obligations, data subjects whose data is controlled or processed by the Rebels may have the right to:

  • Enquire whether their personal data is being processed, and on what basis such processing takes place, and details about that data such as any recipient(s) of the personal data to whom the personal data has or will be disclosed, and the retention period for the relevant data,
  • To request copies of certain personal data regarding them,
  • Opt out of collection and processing of their personal data in certain respects,
  • Request access to and receive information about the personal data kept by the Rebels about them,
  • Update and correct inaccuracies in that personal data without undue delay – if a person’s personal data is incomplete, they have the right to have that data completed, including by means of providing supplementary information,
  • Restrict or object to the processing of personal data,
  • Have data anonymised or deleted, as appropriate,
  • Exercise rights to data portability to easily transfer information to another entity,
  • Lodge a complaint with an appropriate supervisory authority, including The Data Protection Commissioner,
  • Withdraw any consent previously provided regarding the processing of personal data, at any time and free of charge. The Rebels will apply such preferences going forward and this will not affect the lawfulness of the processing before the withdrawal of consent.

Those rights may be limited in some circumstances by legal requirements. Note that, depending on the extent of the requested data deletion or opt-out, it may not be possible for a member to participate in Rebels football if certain essential information is not available for processing.

If a data subject would like to exercise their rights described above, please see the “Contact and Support” section below


This data policy may be updated from time to time to reflect changes in The Rebels’ data practices. The Rebels will indicate at the top of the notice the date on which it was most recently updated. If this data policy and/or privacy notice is updates, we may seek your consent.

Contact and support

Anyone can contact the Rebels regarding personal data, or generally regarding the Club’s data policies and practices, at

This point of contact can be used for all data-related purposes, including:

  • Queries seeking confirmation of whether a data subject’s personal data is being processed,
  • Data access requests,
  • Complaints about data or privacy
  • Erasure requests
  • Queries on whether personal data is accurate and up-to-date.

Rebels members may also wish to view the Data Protection policies and procedures put in place by Eventbrite, which can be viewed here: