Privacy Policy
How we collect, use and protect your personal data.
Version 1.0 · 5 May 2026 · Adopted 19 May 2026
1. Who we are
Tenpin Ireland (also known as ‘TI’, ‘we’, ‘us’, or ‘our’) is the National Governing Body for the sport of tenpin bowling in Ireland. We are the data controller for personal data processed in connection with our role as the NGB.
You can contact us:
- By post: Tenpin Ireland, Irish Sport HQ (NGB Building), National Sports Campus, Blanchardstown, Dublin 15
- By email: secretary.executive@tenpinbowling.ie
- Through the website: https://tenpinbowling.ie
1.1 Our Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for monitoring our compliance with data protection law and acting as the contact point for data subjects and the Data Protection Commission.
- DPO email: to be confirmed — in the meantime please contact the office at secretary.executive@tenpinbowling.ie
- DPO postal contact: Data Protection Officer, Tenpin Ireland, Irish Sport HQ (NGB Building), National Sports Campus, Blanchardstown, Dublin 15
2. Scope and purpose of this policy
This policy explains what personal data we collect about you, why we collect it, the legal basis on which we process it, who we share it with, how long we keep it, and the rights you have under the GDPR and the Data Protection Act 2018.
It applies to members, prospective members, junior athletes and their parents or guardians, coaches, officials, volunteers, club officers, employees of affiliated centres in their capacity as members, visitors to our website, and anyone else whose personal data we process in the administration of the sport.
3. The personal data we collect
Depending on your relationship with us, we may collect the following categories of personal data:
- Identity data: name, date of birth, gender, nationality, photograph (where supplied)
- Contact data: postal address, email address, telephone number
- Membership data: club affiliation, membership history, membership category, dates of membership
- Bowling data: averages, rankings, competition entries, results, team selections, qualifications
- Coaching and officiating data: qualifications, dates, level, vetting status (where applicable)
- Safeguarding data: Garda Vetting data where applicable, training records, declarations
- Special category data (Article 9 GDPR): limited health information you choose to disclose to us, for example to support reasonable accommodations at events. We process this only where you have given explicit consent or where another lawful basis under Article 9 applies.
- Communications data: records of correspondence, marketing preferences, attendance at events
- Website and technical data: limited cookie and analytics data — see Section 13.
We collect personal data directly from you, from your club, from affiliated bowling centres in Ireland and internationally, from international federations, and (in respect of vetting) from the National Vetting Bureau.
4. Children’s personal data
Tenpin Ireland is involved with junior athletes. Children’s data is given specific protection under the GDPR and the Data Protection Act 2018.
- Section 31 of the Data Protection Act 2018 sets the age of digital consent in Ireland at 16. Where we rely on consent to process the personal data of a child under 16, we obtain that consent from a parent or guardian.
- Section 30 of the Data Protection Act 2018 makes it an offence to process a child’s personal data for the purposes of direct marketing, profiling, or micro-targeting. We do not do this.
Our full approach to children’s data, including parental consent, retention of junior results, and the handling of safeguarding information, is set out in our Children’s Data Policy.
5. Why we use your data and on what legal basis
Under Article 6 GDPR, all processing of personal data must have a lawful basis. The table below sets out the main purposes for which we use your data, the data involved, our legal basis, and how long we keep it. The full Retention Schedule is published separately.
| Purpose | Data used | Legal basis (Article 6) | Retention |
|---|---|---|---|
| Member registration, renewal and administration | Name, address, DOB, gender, contact details, club, membership history | Contract (Art. 6(1)(b)) | While you are a member and for 3 years after your last active season |
| Entry to and administration of competitions | Name, DOB, gender, club, average, ranking, results | Contract (Art. 6(1)(b)) | Entries deleted 1 year after the event; results retained as a competition record (see Section 9) |
| Coaching, officiating and qualification records | Name, contact details, qualifications, vetting status | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) | 5 years after qualification expires or as required by law |
| Vetting and safeguarding (incl. Garda Vetting where applicable) | Name, address, DOB, vetting application data, outcomes | Legal obligation (Art. 6(1)(c)) under the National Vetting Bureau Acts 2012–2016 | 5 years after the vetting application or as governed by legislation |
| Selection for representative teams (national and international) | Name, DOB, gender, nationality, performance data, contact details | Contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) | While you are eligible for selection and for 3 years after |
| Communications with members (operational, not marketing) | Name, contact details, club | Legitimate interests (Art. 6(1)(f)) | While you are a member |
| Marketing communications and newsletters | Name, email address, preferences | Consent (Art. 6(1)(a)) | Until you withdraw consent |
| Reports and statistics relating to the sport | Aggregated and (where necessary) identifiable participation data | Legitimate interests (Art. 6(1)(f)) | Aggregated indefinitely; identifiable data per Section 9 |
| Complaints, disciplinary and grievance handling | Whatever data is necessary to investigate the matter | Legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)) | 7 years from the conclusion of the matter |
| Crime prevention, detection and member safety | Whatever data is requested or required | Legal obligation (Art. 6(1)(c)) and substantial public interest (Art. 9(2)(g) where special categories are involved) | Per applicable law |
6. Special category (sensitive) personal data
Some of the data we hold may be ‘special category’ personal data under Article 9 GDPR — for example health information disclosed to support a reasonable accommodation at an event, or data revealing trade union or political affiliations that may incidentally appear in correspondence.
Where we process special category data, we rely on one of the conditions in Article 9(2) and the corresponding provisions of the Data Protection Act 2018 — most commonly explicit consent (Article 9(2)(a)), substantial public interest (Article 9(2)(g)), or where the data subject has manifestly made the data public (Article 9(2)(e)).
7. Sharing your data
We share personal data only where we have a lawful basis to do so. The main recipients are listed below. We share only what is necessary for the purpose, and where we share data with a service provider acting on our behalf we have a written agreement in place under Article 28 GDPR.
| Who we share with | Why | Where they are based |
|---|---|---|
| Sport Ireland and Sport Ireland Coaching | To register coaches, support funding administration, and meet reporting obligations as an NGB | Island of Ireland / EEA |
| International Bowling Federation (IBF) and the European Bowling Federation (EBF) | To enter bowlers in international competitions and to maintain international rankings | EBF: within EEA. IBF: international (see Section 8) |
| Affiliated bowling centres and clubs | To administer leagues, tournaments, and venue access | Within Island of Ireland |
| Service providers acting on our behalf (e.g. IT, hosting, email, membership systems) | To deliver services to us under written data processing agreements (Article 28 GDPR) | Case by case; within EEA where reasonably possible |
| An Garda Síochána, PSNI, and other statutory bodies | Where there is a legal obligation, a court order, or a need to prevent or detect crime or protect the safety of members | Within Island of Ireland |
| Tusla or designated safeguarding contacts | Where required by our child protection and safeguarding obligations | Within Island of Ireland |
We will not sell your personal data, and we will not share it for marketing purposes without your consent.
8. International transfers
Some of the bodies we share data with operate outside the European Economic Area (EEA), in particular the International Bowling Federation. Where we transfer your personal data outside the EEA, we ensure that an appropriate transfer mechanism is in place under Chapter V GDPR. This may include:
- Transfers to a country with an adequacy decision from the European Commission
- The use of Standard Contractual Clauses approved by the European Commission
- Other safeguards permitted under Articles 46 and 49 GDPR
If you would like more information on the safeguards that apply to a particular transfer, please contact our DPO.
9. How long we keep your data
We keep personal data only for as long as it is necessary for the purposes for which it was collected, including any legal, accounting or reporting requirements. Our full Retention Schedule is published as a separate document. The headline periods are:
- Membership data: while you are a member and for 3 years after your last active season.
- Adult competition entries: 1 year after the event.
- Adult competition results and rankings: retained as an historical record of the sport, with personal identifiers limited as necessary.
- Junior (under-18) competition results: retained in identifiable form for a defined and limited period as set out in the Children’s Data Policy and Retention Schedule — not indefinitely.
- Coaching and officiating qualifications: 5 years after expiry.
- Vetting data: 5 years after the application or as required by law.
- Health and other special category data: 1 year on receipt of a new annual membership form, or until no longer necessary.
- Disciplinary and complaints records: 7 years from the conclusion of the matter.
10. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful access, alteration, disclosure, loss, or destruction, as required by Article 32 GDPR. These measures include:
- Access controls limiting personal data to officers and volunteers who need it for their role
- Use of strong, unique passwords and, where supported, multi-factor authentication on the systems we use
- Encryption of personal data in transit and, where appropriate, at rest
- Written agreements with our service providers under Article 28 GDPR
- Training and clear instructions for officers and volunteers handling personal data
- A documented Data Breach Response Procedure (see Section 12)
11. Your rights
Under the GDPR and the Data Protection Act 2018, you have a number of rights in relation to your personal data:
| Right | What this means |
|---|---|
| Right to be informed | You have the right to be told how your personal data is being used. This Privacy Policy is the principal way we meet that obligation. |
| Right of access | You can ask us for a copy of the personal data we hold about you. We will respond within one month. |
| Right to rectification | You can ask us to correct personal data that is inaccurate or to complete data that is incomplete. |
| Right to erasure | You can ask us to delete your personal data in certain circumstances, including where the data is no longer needed for the purpose it was collected for. |
| Right to restrict processing | You can ask us to limit how we use your personal data in certain circumstances. |
| Right to data portability | Where processing is based on consent or contract and is carried out by automated means, you can ask to receive your data in a structured, commonly used format. |
| Right to object | You can object to processing based on legitimate interests, including direct marketing. Where you object to direct marketing, we will stop. |
| Rights re. automated decision-making | We do not currently make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects. |
To exercise any of these rights, please contact our DPO using the details in Section 1.1. We will respond within one month, although we may extend that period by up to two further months for complex requests, in which case we will let you know within the first month and explain why. The way we handle these requests is set out in our Subject Access Request Procedure.
You will not normally be charged a fee for exercising your rights, although we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive. We may need to verify your identity before responding to a rights request. This is to protect your data.
12. Data breaches
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours of becoming aware of it, as required by Article 33 GDPR. Where the breach is likely to result in a high risk, we will also notify the affected data subjects without undue delay, as required by Article 34 GDPR.
Our internal procedure is set out in our Data Breach Response Procedure.
13. Cookies and the website
Our website uses cookies and similar technologies. We rely on consent for any non-essential cookies, in line with the e-Privacy Regulations 2011 (S.I. No. 336/2011) and DPC guidance. A dedicated Cookie Notice with full details is being prepared and will be published on this website.
14. How to make a complaint
If you are unhappy with how we have handled your personal data, please contact our DPO in the first instance. If you remain unhappy, you have the right to lodge a complaint with the Data Protection Commission:
Data Protection Commission
6 Pembroke Row, Dublin 2, D02 X963, Ireland
Telephone: +353 (0)1 765 0100 / 1800 437 737
Website: www.dataprotection.ie
15. Changes to this policy
We will review this policy at least once a year and whenever there is a material change to our processing or the law. The current version and date are shown at the top of this policy. Where changes materially affect you, we will let you know directly.
16. Adoption
This Privacy Policy was adopted by the Executive Board of Tenpin Ireland on 19 May 2026.