Privacy Policy
Valencia Club de Fútbol, S.A.D.
1. General Information
This Privacy and Data Protection Policy explain how we process your personal data and ensures your rights, in compliance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD), as well as the guidelines of the Supervisory Authority (AEPD).
2. Controller
Valencia Club de Fútbol, S.A.D. (VCF) – Spanish Tax ID (CIF): A46050217
Registered office: Plaza del Valencia Club de Fútbol nº 2, 46010, Valencia (Spain)
General privacy email: lopd@valenciacf.es
Tel.: +34 963 37 26 26
Data Protection Officer (DPO): dpo@valenciacf.es | Tel.: +34 963 37 26 26
3. Scope of Application
This is a general, corporate Privacy Policy. It applies to personal data processing carried out by VCF within the framework of its activities and relationships with season-ticket holders/members, fans, customers, website and application users, shareholders and their representatives, suppliers, candidates, participants in events and promotions, and, in general, any data subject who interacts with VCF through in-person and/or digital channels.
4. Processing Activities and Purposes
VCF processes personal data, by manual and/or automated means, for the following processing activities. For each one we indicate purpose, legal basis (Art. 6 GDPR), retention period and, where applicable, recipients/processors and transfers:
4.1 Season-ticket Holders / Members
Purpose: registration and maintenance of the season-ticket holder/member status, including renewals, seat allocation, issuance and control of access passes (physical or digital), payment management, direct debits, invoicing and refunds, handling incidents and after-sales, and communications strictly related to the service (operational and safety notices at the stadium).
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and, where applicable, compliance with legal obligations in commercial and tax matters (Art. 6(1)(c) GDPR).
Retention: for the duration of the contractual relationship; thereafter, data will be blocked (restricted) for applicable limitation periods.
4.2 Prize Draws and Promotions
Purpose: manage registration, eligibility checks and prevent duplicates; carry out draws/contests, allocate and deliver prizes, notify winners and alternates, handle queries and complaints, comply with tax and transparency duties set out in the terms, and apply anti-fraud controls. Where the terms provide, a limited disclosure of winners’ identities may be made (minimal data and for strictly necessary time).
Legal basis: performance of a contract/pre-contractual measures (Art. 6(1)(b) GDPR) arising from acceptance of the terms; compliance with legal obligations (Art. 6(1)(c) GDPR) including, among others, tax and transparency obligations linked to the promotion; legitimate interests (Art. 6(1)(f) GDPR) to ensure process integrity (fraud prevention and security) and to disclose minimal results when necessary and proportionate—VCF has carried out a balancing test and the data subject may object where appropriate; consent (Art. 6(1)(a) GDPR) for non-essential uses.
Retention: for the duration of the promotion, prize delivery/management and time necessary to handle potential claims. Once concluded, data will be blocked for applicable statutory/tax limitation periods; thereafter, erased or anonymised. Publication of winners, where applicable, will be kept for the minimum necessary time and with reduced data.
4.3 Commercial Communications by Electronic Means and Subscription Management
Purpose: sending VCF commercial communications and newsletters by email, SMS, push notifications or equivalent means; managing subscriptions/unsubscriptions, content and frequency preferences, and consent evidence. We may perform basic personalisation based on declared interests and interaction with communications (opens/clicks), without taking automated decisions producing legal effects.
Legal basis: consent (Art. 6(1)(a) GDPR and Art. 21 LSSI – Spanish Information Society Services Act). Checkboxes are not pre-ticked, and you can withdraw consent at any time without affecting other services. “Soft opt-in” for customers (LSSI): we may send communications about our own products or services similar to those already contracted, when we obtained your data in the context of a prior sale and you are offered an easy, cost-free opt-out in each message.
Retention: until consent is withdrawn or your object. We will keep minimal data in suppression lists to ensure you are not contacted again through this channel. Evidence of consent and of objection/unsubscription will be kept for applicable limitation periods.
4.4 Events and Promotions
Purpose: planning, registration and accreditation (physical/digital tickets), capacity and access control, seat allocation, incident handling, operational communications (schedule changes, venue safety), logistics and accessibility, and, where applicable, payment/refund management and satisfaction surveys. Limited image capture and dissemination of the event may take place when indicated in the terms or venue signage and where necessary and proportionate.
Legal basis: performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR) to manage your registration, access and attendance; legal obligation (Art. 6(1)(c) GDPR) regarding venue safety, applicable rules and tax obligations linked to the event; legitimate interests (Art. 6(1)(f) GDPR) to ensure integrity and security of the event, fraud prevention and certain non-commercial institutional communications (with balancing and right to object); consent (Art. 6(1)(a) GDPR) for non-essential promotional uses of image/voice or for commercial communications.
Retention: during organisation and celebration of the event and the time needed to handle incidents, claims and legal obligations. Thereafter, data will be blocked for applicable limitation periods and once expired, erased or anonymised. Image dissemination (where applicable) will be kept for strictly necessary time and as informed; if you withdraw consent, we will honour the request as far as possible without affecting inevitably published content or legal duties.
4.5 Shareholders and Representatives
Purpose: comprehensive management of the corporate relationship and the exercise of shareholders’ rights and, where applicable, their representatives: maintaining the share register and attendance lists; convening and holding General Meetings (in person or remote); identity and standing verification, management of proxies and votes, access accreditations, quorum calculation and vote counting, minutes (and, where applicable, recording in support of the meeting), handling queries and complaints, compliance with legal duties (corporate, tax and transparency) and fraud prevention.
Legal basis: legal obligation (Art. 6(1)(c) GDPR) deriving from applicable corporate law; performance of the corporate legal relationship (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR) to ensure process security and integrity, subject to balancing and right to object where appropriate.
Retention: for applicable corporate and tax legal periods (including retention of minutes and corporate books) and for limitation periods of actions or liabilities. Afterwards, data will remain blocked and then erased or anonymised securely. Recipients (where applicable): notary public, providers of meeting/remote voting platforms and accreditation services, competent public bodies, and administrative or judicial authorities, in compliance with the law; all acting under processor agreements when processing on behalf of VCF.
4.6 Registered Users (Website, VCF App and Online Shop)
Purpose: account creation and management, authentication and credential administration, profile and preference settings, service delivery (e.g., purchases/reservations, ticketing, cart and history), payment processing through secure third-party gateways, customer service and incident resolution, and sending communications strictly necessary for the service (e.g., confirmations, operational changes, security or maintenance notices), including push notifications you can disable in device settings. We also apply account security measures (anomalous access detection, anti-fraud protection) and operational improvement based on aggregated or pseudonymised technical metrics, without automated decisions producing legal effects.
Legal basis: performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) for invoicing and retention of commercial/tax documentation; legitimate interests (Art. 6(1)(f) GDPR) for security, fraud prevention and service improvement (with balancing and right to object). Commercial communications are governed by the specific marketing clause.
Retention: while the account is active and to manage associated services. Transaction history and accounting/tax documentation will be retained for applicable legal periods. Security and support logs will be retained for proportionate, limited periods. After account deletion or prolonged inactivity pursuant to internal policy, data will be blocked for limitation periods and then erased or anonymised securely.
4.7 Talent Pool (Recruitment)
Purpose: end-to-end management of applications and recruitment processes: receiving and reviewing CVs and related documents, managing interviews and, where informed, suitability tests; communications with the candidate; verification of references supplied by the candidate; and, in case of hiring, initial steps for onboarding and formalising the employment relationship.
Legal basis: pre-contractual measures (Art. 6(1)(b) GDPR); consent (Art. 6(1)(a) GDPR) to retain your CV in the talent pool or carry out non-essential tests; legitimate interests (Art. 6(1)(f) GDPR) to ensure process integrity; legal obligation (Art. 6(1)(c) GDPR) for onboarding steps required by labour/tax law (only if hired).
Retention: during recruitment management and necessary time to handle claims; thereafter, blocking for applicable limitation periods and erasure/anonymisation. Talent pool (with consent): 1 year from your last update or expression of interest.
4.8 Supplier Management
Purpose: supplier onboarding and qualification, contracting and order follow-up, interface management, access control to facilities where applicable, administrative, accounting and tax processing (invoicing, payments, refunds, receipts), incident and warranty management, and compliance checks (e.g., fraud prevention and risk controls).
Legal basis: performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) in commercial, tax and accounting matters; legitimate interests (Art. 6(1)(f) GDPR) for security, fraud prevention and internal audit.
Retention: for the duration of the relationship and, thereafter, blocking for legal limitation/custody periods (e.g., commercial books 6 years; tax obligations 4 years), followed by secure erasure/anonymisation.
4.9 Web Enquiries / Contact Forms
Purpose: handle and respond to your information, quote or support requests; route the enquiry to the responsible area; carry out follow-up and operational communications related to the request; and apply channel security controls (anti-spam/abuse) and logging of submission/receipt evidence.
Legal basis: pre-contractual measures (Art. 6(1)(b) GDPR) where the enquiry relates to a potential contract/service; consent (Art. 6(1)(a) GDPR) for general enquiries not linked to contracting; legitimate interests (Art. 6(1)(f) GDPR) for channel security, fraud prevention and operational improvement.
Retention: 12 months from last interaction or closure of the request. If the enquiry leads to contracting, the information is integrated into the file and the retention for that purpose applies.
4.10 Social Media and Content
Purpose: manage VCF’s corporate presence on social networks (content publishing, interaction through comments and direct messages, user support and community management), dissemination of activities and events, channel moderation (house rules), handling incidents and enquiries received via these media, and, where informed, limited capture and dissemination of event images. We may carry out audience measurement and aggregated statistics of accounts, without automated decisions producing legal effects.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR) for institutional communication, public attention, security and moderation of channels; consent (Art. 6(1)(a) GDPR) for non-essential uses (e.g., promotional reuse of your image/UGC) or for commercial communications; performance of a contract (Art. 6(1)(b) GDPR) where linked to a requested service; legal obligation (Art. 6(1)(c) GDPR) upon authority requests.
Retention: governed by the social network’s own policy. VCF only retains exports or evidence for the time strictly necessary and, thereafter, blocks them for limitation periods followed by erasure/anonymisation. Joint controllership may exist with the platform for audience statistics (Page Insights) under the platform’s terms.
4.11 Travel and Trips Linked to VCF
Purpose: planning, booking and execution of trips linked to VCF activities (e.g., transport, accommodation and tickets), including issuance and management of tickets/boarding passes, operational updates, logistics and access, insurance/reimbursement management, handling incidents and claims, and, where essential, visa or health requirements processing and emergency contact.
Legal basis: performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR) to ensure logistics security and fraud prevention.
Recipients (where applicable): travel agencies, airlines/rail/bus, hotels, insurers, payment providers, logistics operators and competent authorities. International transfers may occur where necessary, applying GDPR safeguards or Art. 49(1)(b) GDPR where essential to perform the contract.
Retention: during travel management and time strictly necessary for incidents, claims and legal obligations; afterwards, blocking for limitation periods followed by secure erasure/anonymisation.
4.12 General User Management
Purpose: support and administration of the relationship with users not covered by other specific purposes: registrations/unsubscriptions of non-transactional records, updating non-marketing data and preferences, support and incident/complaint resolution, operational (non-advertising) communications, identity verification where necessary, channel security and fraud prevention, as well as service quality improvement based on aggregated or pseudonymised metrics.
Legal basis (case-by-case): performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR) for optional actions not necessary for the main relationship.
Retention: time strictly necessary to manage the relationship and close the incident/complaint; thereafter, blocking for applicable limitation periods and then erasure/anonymisation.
4.13 Video Surveillance
Purpose: ensure the security of people, property and facilities, control access and prevent, detect and investigate incidents or offences at the venue (including perimeter and access areas on event days), and support authorities in enforcing offences and safety rules at sporting events. Cameras are not installed in spaces where privacy could be infringed and, by default, do not capture sound.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR), pursuant to Art. 22 LOPDGDD; legal obligation (Art. 6(1)(c) GDPR) when information must be provided to Law Enforcement Authorities or where required by sector rules.
Retention: a maximum of 1 month from capture (Art. 22(3) LOPDGDD), extended where incidents occur, keeping footage blocked until the procedure is resolved and liabilities prescribed.
Recipients/processors: security company/control centre as processor (Art. 28 GDPR) with restricted access. Authorities upon legitimate request. Information signage is displayed at monitored points.
4.14 Lead Capture and Requests for Commercial Information
Purpose: respond to requests for information about products and services and, if you authorise them, send you related commercial communications.
Legal basis: pre-contractual measures (Art. 6(1)(b) GDPR); consent (Art. 6(1)(a) GDPR and Art. 21 LSSI) for electronic commercial communications.
Recipients/processors: CRM/marketing, form and hosting providers acting as processors (Art. 28 GDPR). Transfers, if any, will comply with Arts. 44–49 GDPR.
Retention: handling of the request and up to 12 months from last interaction if no contract ensues; for marketing data, until consent is withdrawn or your object.
5. Legal Bases
We process your data in accordance with the legal bases in Art. 6 GDPR, applied case-by-case and under necessity and data minimisation criteria:
- Performance of a contract or pre-contractual measures (Art. 6(1)(b)): where necessary to provide a service to you, manage your registration/request or address steps prior to contracting.
- Consent (Art. 6(1)(a)): for optional purposes. Consent is freely given, informed and revocable at any time without effects on the main relationship.
- Legal obligation (Art. 6(1)(c)): where a rule requires us to process or retain data (e.g., tax or corporate obligations).
- Legitimate interests (Art. 6(1)(f)): for balanced legitimate interests (security, service improvement, fraud prevention, non-commercial institutional communications), ensuring your rights do not prevail. You may object at any time.
For electronic marketing communications, your consent is required (Art. 21 LSSI). Only in the case of customers may the LSSI soft opt-in apply.
6. Data Retention
We retain data only for as long as necessary for each purpose. Once fulfilled, data are blocked (restricted) for the applicable limitation periods to address possible liabilities and claims; after such periods, they are irreversibly erased or anonymised. We maintain evidence of consent and suppression lists with the minimal data necessary to prevent future sends.
7. Data Disclosure
We only disclose your data where an appropriate legal basis exists, and it is necessary for the stated purposes. We do not make disclosures to third parties for commercial purposes without your consent. Disclosures may include:
- VCF Group: Tiendas Oficiales VCF, S.L.U. (CIF B98205966), where indispensable for legitimate, compatible purposes (e.g., administrative support, care and logistics linked to club services).
- Sponsors and partners: only with your prior, specific and informed consent, where applicable.
- Processors (service providers): third parties providing hosting/cloud, CRM/marketing and delivery, analytics, IT support, customer service, development and maintenance—acting under Art. 28 GDPR agreements.
- Competent authorities and public bodies (including Law Enforcement, courts and tribunals): where there is a legal obligation or requirement.
8. International Transfers
Although VCF seeks to host and process data mainly in the EU/EEA, some providers or sub-processors may perform support access or certain processing from third countries. Where this occurs, appropriate safeguards under Arts. 44–49 GDPR are applied (e.g., adequacy decisions such as the EU–U.S. DPF, Standard Contractual Clauses with supplementary measures, BCRs). In the absence of adequate safeguards, transfers will only occur under Art. 49 GDPR derogations with prior information where applicable.
9. Data Sources
We collect personal data from legitimate sources: directly from you; from your legal representative; recruitment platforms and agencies acting on VCF’s behalf; and from usage of VCF digital services (technical/interaction information necessary to provide the service), in accordance with the Cookies Policy. Where data are not obtained directly, VCF provides the information required by Art. 14 GDPR within legal time limits.
10. Categories of Data
Depending on the purpose, we may process: identification and contact data; personal characteristics and social circumstances; academic and professional/employment data; account and digital service usage data; marketing information; transactions and billing; events and image data; location data (only where essential); economic/financial data (only where necessary); and health data strictly necessary and justified (e.g., accessibility or safety at events), applying reinforced safeguards.
11. Automated Decision-Making and Profiling
Limited segmentation: basic segmentations to tailor content and frequency.
No automated decisions with legal or similar significant effects: VCF does not take such decisions based solely on automated processing (Art. 22 GDPR).
Transparency if the model changes: high-impact automated decisions would be notified in advance, explaining logic, consequences, legal basis and safeguards, always offering human intervention and the possibility to contest.
Rights against marketing-related profiling: you may object at any time to direct marketing, including related profiling (Art. 21(2) GDPR).
12. Exercising Your Rights
You may exercise the following rights: access, rectification, erasure (right to be forgotten), objection (notably to direct marketing and associated profiling), restriction, portability, withdrawal of consent (at any time), and not to be subject to automated decisions (including profiling), including human intervention where applicable.
How: write to lopd@valenciacf.es or dpo@valenciacf.es, or by post to VCF’s registered office indicated above. To protect your information, we may ask you to prove your identity; if you act on behalf of another person, provide sufficient authority.
We respond within one month from receipt; this may be extended by two additional months in case of complex requests, informing you of the reason and new deadline. You may lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
13. Mandatory or Optional Nature of Data
Fields marked with an asterisk (*) are mandatory to process your request or provide the requested service; if not provided, we cannot attend to it. Remaining fields are optional. Data provided must be truthful, accurate and up to date; please communicate any changes. If you provide third-party data, you warrant authorisation and prior information about this Policy.
14. Security Measures
VCF applies a risk-based approach and privacy by design and by default (Arts. 25 and 32 GDPR). It implements updated and verifiable technical and organisational measures, maintains incident response and breach notification procedures, and performs due diligence and processor agreements before engaging providers (Art. 28 GDPR).
15. Minors
As a general rule, VCF does not target its services for children under 14. Where an activity may involve consent-based processing, individuals 14 or older may consent on their own; for children under 14, consent from parents or legal guardians is required. If we become aware of data obtained without the required authorisation, we will delete them immediately.
16. Policy Updates
VCF may amend this Policy to align with regulatory changes, AEPD/EDPB criteria or operational adjustments. The current version will always be available on the website. Material changes will be communicated visibly and, where appropriate, new consent will be obtained.