The new General Data Protection Regulation (Datenschutz-Grundverordnung) applies not only to companies but also to sports clubs. Anybody who collects personal data, or even just sends out a Christmas newsletter, must implement the GDPR by 25 May.
The GDPR (German: DSGVO) regulates the processing of personal data. This includes, for example, postal addresses, dates of birth, e-mail addresses and IP addresses. Whether this information is stored electronically or written on paper makes no difference. It is not easy for small clubs to get acquainted with the subject, and there is some conflicting information on the Internet. Of course, this article cannot replace legal advice. However, we would like to briefly address the most important problem areas for clubs in Germany.
Does the GDPR completely prohibit the storage of data?
No. Every club is allowed to collect data from its members and from other persons, suppliers for example. The requirement is that the information is necessary for the fulfilment of a contract, such as a membership or participation in a seminar. But attention: the purpose must be clearly communicated to the person affected, and the club must not use the data for any other purpose. For example, it would not be allowed to send the participant of a stick fighting seminar advertising e-mails for sports food without their consent.
What about photos?
Many clubs publish photos on their website or on social networks like Facebook. Basically, nothing much changes here, because every person shown in a picture already has to be asked for permission. What is new is the "right to be forgotten": those affected may later request that their images be removed from the web. The website operator or admin must then ensure that no copies are preserved. This can be technically challenging if you use several different platforms.
Oh, my goodness. Where do I start?
The data protection declaration of the club homepage must be revised in any case. The declaration must explicitly address the rights of the data subjects and the way in which data is processed. Attention: anyone who still uses an outdated data protection declaration after 25 May is effectively signalling that they have slept through the GDPR. A shady lawyer out to send cease-and-desist letters might be looking for exactly that.
As of 25 May, any person concerned may request information about what data the club has stored about them. In addition, the person may request that this data be deleted immediately. The club must be prepared for such requests, and this is only possible if the GDPR has actually been implemented internally.
Internal implementation
The club must develop its own data protection regulations. To do this, an assessment must be made first: When is which data collected? Why, and by whom? Where and how is it stored? Is the data sufficiently protected? Is data passed on to external service providers (e.g. cloud services)? When, and by whom, will the data be deleted again?
In the future there must be clear rules and practical procedures for all of these points. The data protection regulations must show how the club ensures data protection in everyday operations.
The supervisory authority, i.e. the data protection officer (Datenschutzbeauftragter) of the federal state, may at any time ask for these regulations and other internal documents to be submitted. This is an important point: in case of doubt, it is not the authority that has to look for malpractice; rather, the club itself must prove that it is doing everything right. Those who are unable to do so risk high fines and even a shutdown of their data processing.
Do we need an internal data protection officer now?
Not necessarily. In small clubs the board can take over these tasks. Only larger clubs need to appoint a separate data protection officer; the condition is that at least ten employees regularly handle personal data. In this case, the board may not be responsible for data protection itself, because that would be considered a conflict of interest.
If your club has not yet taken any measures to implement the GDPR, now is the time to take stock. If you have already reviewed and adapted the internal processes, you can start with the implementation. The new data protection declaration on the website is a good place to start.
Photo: Allen Allen | Flickr | CC 2.0