arrow_back All policies

Privacy Policy

How we collect, use and protect your personal data.

Version 1.0 · 5 May 2026 · Adopted 19 May 2026

1. Who we are

Tenpin Ireland (also known as ‘TI’, ‘we’, ‘us’, or ‘our’) is the National Governing Body for the sport of tenpin bowling in Ireland. We are the data controller for personal data processed in connection with our role as the NGB.

You can contact us:

1.1 Our Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for monitoring our compliance with data protection law and acting as the contact point for data subjects and the Data Protection Commission.

  • DPO email: to be confirmed — in the meantime please contact the office at secretary.executive@tenpinbowling.ie
  • DPO postal contact: Data Protection Officer, Tenpin Ireland, Irish Sport HQ (NGB Building), National Sports Campus, Blanchardstown, Dublin 15

2. Scope and purpose of this policy

This policy explains what personal data we collect about you, why we collect it, the legal basis on which we process it, who we share it with, how long we keep it, and the rights you have under the GDPR and the Data Protection Act 2018.

It applies to members, prospective members, junior athletes and their parents or guardians, coaches, officials, volunteers, club officers, employees of affiliated centres in their capacity as members, visitors to our website, and anyone else whose personal data we process in the administration of the sport.

3. The personal data we collect

Depending on your relationship with us, we may collect the following categories of personal data:

  • Identity data: name, date of birth, gender, nationality, photograph (where supplied)
  • Contact data: postal address, email address, telephone number
  • Membership data: club affiliation, membership history, membership category, dates of membership
  • Bowling data: averages, rankings, competition entries, results, team selections, qualifications
  • Coaching and officiating data: qualifications, dates, level, vetting status (where applicable)
  • Safeguarding data: Garda Vetting data where applicable, training records, declarations
  • Special category data (Article 9 GDPR): limited health information you choose to disclose to us, for example to support reasonable accommodations at events. We process this only where you have given explicit consent or where another lawful basis under Article 9 applies.
  • Communications data: records of correspondence, marketing preferences, attendance at events
  • Website and technical data: limited cookie and analytics data — see Section 13.

We collect personal data directly from you, from your club, from affiliated bowling centres in Ireland and internationally, from international federations, and (in respect of vetting) from the National Vetting Bureau.

4. Children’s personal data

Tenpin Ireland is involved with junior athletes. Children’s data is given specific protection under the GDPR and the Data Protection Act 2018.

  • Section 31 of the Data Protection Act 2018 sets the age of digital consent in Ireland at 16. Where we rely on consent to process the personal data of a child under 16, we obtain that consent from a parent or guardian.
  • Section 30 of the Data Protection Act 2018 makes it an offence to process a child’s personal data for the purposes of direct marketing, profiling, or micro-targeting. We do not do this.

Our full approach to children’s data, including parental consent, retention of junior results, and the handling of safeguarding information, is set out in our Children’s Data Policy.

5. Why we use your data and on what legal basis

Under Article 6 GDPR, all processing of personal data must have a lawful basis. The table below sets out the main purposes for which we use your data, the data involved, our legal basis, and how long we keep it. The full Retention Schedule is published separately.

PurposeData usedLegal basis (Article 6)Retention
Member registration, renewal and administrationName, address, DOB, gender, contact details, club, membership historyContract (Art. 6(1)(b))While you are a member and for 3 years after your last active season
Entry to and administration of competitionsName, DOB, gender, club, average, ranking, resultsContract (Art. 6(1)(b))Entries deleted 1 year after the event; results retained as a competition record (see Section 9)
Coaching, officiating and qualification recordsName, contact details, qualifications, vetting statusLegal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f))5 years after qualification expires or as required by law
Vetting and safeguarding (incl. Garda Vetting where applicable)Name, address, DOB, vetting application data, outcomesLegal obligation (Art. 6(1)(c)) under the National Vetting Bureau Acts 2012–20165 years after the vetting application or as governed by legislation
Selection for representative teams (national and international)Name, DOB, gender, nationality, performance data, contact detailsContract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f))While you are eligible for selection and for 3 years after
Communications with members (operational, not marketing)Name, contact details, clubLegitimate interests (Art. 6(1)(f))While you are a member
Marketing communications and newslettersName, email address, preferencesConsent (Art. 6(1)(a))Until you withdraw consent
Reports and statistics relating to the sportAggregated and (where necessary) identifiable participation dataLegitimate interests (Art. 6(1)(f))Aggregated indefinitely; identifiable data per Section 9
Complaints, disciplinary and grievance handlingWhatever data is necessary to investigate the matterLegitimate interests (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c))7 years from the conclusion of the matter
Crime prevention, detection and member safetyWhatever data is requested or requiredLegal obligation (Art. 6(1)(c)) and substantial public interest (Art. 9(2)(g) where special categories are involved)Per applicable law

6. Special category (sensitive) personal data

Some of the data we hold may be ‘special category’ personal data under Article 9 GDPR — for example health information disclosed to support a reasonable accommodation at an event, or data revealing trade union or political affiliations that may incidentally appear in correspondence.

Where we process special category data, we rely on one of the conditions in Article 9(2) and the corresponding provisions of the Data Protection Act 2018 — most commonly explicit consent (Article 9(2)(a)), substantial public interest (Article 9(2)(g)), or where the data subject has manifestly made the data public (Article 9(2)(e)).

7. Sharing your data

We share personal data only where we have a lawful basis to do so. The main recipients are listed below. We share only what is necessary for the purpose, and where we share data with a service provider acting on our behalf we have a written agreement in place under Article 28 GDPR.

Who we share withWhyWhere they are based
Sport Ireland and Sport Ireland CoachingTo register coaches, support funding administration, and meet reporting obligations as an NGBIsland of Ireland / EEA
International Bowling Federation (IBF) and the European Bowling Federation (EBF)To enter bowlers in international competitions and to maintain international rankingsEBF: within EEA. IBF: international (see Section 8)
Affiliated bowling centres and clubsTo administer leagues, tournaments, and venue accessWithin Island of Ireland
Service providers acting on our behalf (e.g. IT, hosting, email, membership systems)To deliver services to us under written data processing agreements (Article 28 GDPR)Case by case; within EEA where reasonably possible
An Garda Síochána, PSNI, and other statutory bodiesWhere there is a legal obligation, a court order, or a need to prevent or detect crime or protect the safety of membersWithin Island of Ireland
Tusla or designated safeguarding contactsWhere required by our child protection and safeguarding obligationsWithin Island of Ireland

We will not sell your personal data, and we will not share it for marketing purposes without your consent.

8. International transfers

Some of the bodies we share data with operate outside the European Economic Area (EEA), in particular the International Bowling Federation. Where we transfer your personal data outside the EEA, we ensure that an appropriate transfer mechanism is in place under Chapter V GDPR. This may include:

  • Transfers to a country with an adequacy decision from the European Commission
  • The use of Standard Contractual Clauses approved by the European Commission
  • Other safeguards permitted under Articles 46 and 49 GDPR

If you would like more information on the safeguards that apply to a particular transfer, please contact our DPO.

9. How long we keep your data

We keep personal data only for as long as it is necessary for the purposes for which it was collected, including any legal, accounting or reporting requirements. Our full Retention Schedule is published as a separate document. The headline periods are:

  • Membership data: while you are a member and for 3 years after your last active season.
  • Adult competition entries: 1 year after the event.
  • Adult competition results and rankings: retained as an historical record of the sport, with personal identifiers limited as necessary.
  • Junior (under-18) competition results: retained in identifiable form for a defined and limited period as set out in the Children’s Data Policy and Retention Schedule — not indefinitely.
  • Coaching and officiating qualifications: 5 years after expiry.
  • Vetting data: 5 years after the application or as required by law.
  • Health and other special category data: 1 year on receipt of a new annual membership form, or until no longer necessary.
  • Disciplinary and complaints records: 7 years from the conclusion of the matter.

10. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful access, alteration, disclosure, loss, or destruction, as required by Article 32 GDPR. These measures include:

  • Access controls limiting personal data to officers and volunteers who need it for their role
  • Use of strong, unique passwords and, where supported, multi-factor authentication on the systems we use
  • Encryption of personal data in transit and, where appropriate, at rest
  • Written agreements with our service providers under Article 28 GDPR
  • Training and clear instructions for officers and volunteers handling personal data
  • A documented Data Breach Response Procedure (see Section 12)

11. Your rights

Under the GDPR and the Data Protection Act 2018, you have a number of rights in relation to your personal data:

RightWhat this means
Right to be informedYou have the right to be told how your personal data is being used. This Privacy Policy is the principal way we meet that obligation.
Right of accessYou can ask us for a copy of the personal data we hold about you. We will respond within one month.
Right to rectificationYou can ask us to correct personal data that is inaccurate or to complete data that is incomplete.
Right to erasureYou can ask us to delete your personal data in certain circumstances, including where the data is no longer needed for the purpose it was collected for.
Right to restrict processingYou can ask us to limit how we use your personal data in certain circumstances.
Right to data portabilityWhere processing is based on consent or contract and is carried out by automated means, you can ask to receive your data in a structured, commonly used format.
Right to objectYou can object to processing based on legitimate interests, including direct marketing. Where you object to direct marketing, we will stop.
Rights re. automated decision-makingWe do not currently make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects.

To exercise any of these rights, please contact our DPO using the details in Section 1.1. We will respond within one month, although we may extend that period by up to two further months for complex requests, in which case we will let you know within the first month and explain why. The way we handle these requests is set out in our Subject Access Request Procedure.

You will not normally be charged a fee for exercising your rights, although we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive. We may need to verify your identity before responding to a rights request. This is to protect your data.

12. Data breaches

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours of becoming aware of it, as required by Article 33 GDPR. Where the breach is likely to result in a high risk, we will also notify the affected data subjects without undue delay, as required by Article 34 GDPR.

Our internal procedure is set out in our Data Breach Response Procedure.

13. Cookies and the website

Our website uses cookies and similar technologies. We rely on consent for any non-essential cookies, in line with the e-Privacy Regulations 2011 (S.I. No. 336/2011) and DPC guidance. A dedicated Cookie Notice with full details is being prepared and will be published on this website.

14. How to make a complaint

If you are unhappy with how we have handled your personal data, please contact our DPO in the first instance. If you remain unhappy, you have the right to lodge a complaint with the Data Protection Commission:

Data Protection Commission
6 Pembroke Row, Dublin 2, D02 X963, Ireland
Telephone: +353 (0)1 765 0100 / 1800 437 737
Website: www.dataprotection.ie

15. Changes to this policy

We will review this policy at least once a year and whenever there is a material change to our processing or the law. The current version and date are shown at the top of this policy. Where changes materially affect you, we will let you know directly.

16. Adoption

This Privacy Policy was adopted by the Executive Board of Tenpin Ireland on 19 May 2026.