FAQ: Data protection at clubs and associations: This is what you must pay attention to
Spending time together, indulging in a passion together, overcoming weaknesses in a group setting – clubs are a good thing. Thanks to them, people meet who would never have met otherwise. It’s especially nice when a hobby brings the most varied people together in a common pursuit.
What many do not realize, however, is that there is a lot of bureaucracy in the background. The new General Data Protection Regulation also applies to associations and clubs and has a major impact on how they are run.
It raises the following questions:
- Can you continue to send membership lists?
- How does the GDPR affect membership applications?
- What must be observed with regard to personal data?
- Are there any legal changes in how you manage membership fees and donations or pay expense allowances to volunteers in honorary positions?
- Do you need consent if you publish member photos on the website?
We have compiled the most important facts on the subject of data protection at clubs and associations for you.
What is personal data?
According to the GDPR, the following member data requires increased data security:
- Date of birth and age
- Address and telephone number
- Email address
- Social security numbers
- Bank details
- Physical characteristics
The key question: Does the GDPR affect you at all?
In a nutshell: Yes. Clubs and associations are not exempt from data protection if they process personal data. This usually begins the moment interested parties fill out a membership application or pay a membership fee.
If you are not sure how to implement the GDPR, you should make use of the advisory services offered by the German federal states. We also recommend that you take advantage of all-inclusive programs such as a data protection kit. In addition to providing support with regard to membership applications and privacy statements for (non-profit) associations, the kit comes with GDPR templates and checklists that help make coping with all the tasks easier.
Do you need a data protection officer for your association?
If your association or club has more than nine members who process personal data, you are obliged to appoint either an internal or an external data protection officer for your association. This includes the coach of a sports club if this person regularly accesses member information, for example by sending emails or WhatsApp messages about the club to members. If you decide to assign the role of data protection officer to an internal employee, make sure that they have received sufficient training; there are eLearning sessions on data protection and special training courses for this. Find out more either on our comparison platform or from public authorities in your city. Do not forget, however, that you must contact the applicable supervisory authority and notify them that a data protection officer has been appointed for your association.
To what extent do you process personal data?
An association processes information like this every day. Basically, you work with personal data all the time:
- Membership fees
- Membership lists
- Registration for sports competitions
- Invitations for general meetings
But how does your website handle the issue of data protection? Many clubs have their own website on which they introduce their members, advertise the organization and report on their activities. Regardless of whether it concerns new or already existing content, you are obliged to ask your members to sign a declaration of consent. In conjunction with the new data protection guidelines, the association must make it clear to what extent personal data is made accessible to the public. The addressees must clearly understand in advance what they are signing.
But when are you allowed to collect information?
If collecting the information serves the association's own purpose, it does not pose any problems. This applies, for example, to the membership fees already mentioned, which are preceded by the formation of a contract. For anything that goes beyond this (including advertising), you need written consent.
When are you allowed to transmit personal data?
In some cases, you are even obliged to do so. This applies to you if you have to send regular reports to your umbrella organization. During a police investigation, you may, or even must, set data protection regulations aside and disclose association data, but only if there is a well-founded suspicion. In all other cases, you are obliged to protect the privacy of your members.
Sometimes, however, the club itself is asked for specific information, for example, when a member wants to contact another member. Then it’s up to you. You are free to decide whether or not you are willing to share the requested information.
The procedure directory becomes the processing directory
Prior to May 2018, you were already obliged to keep a procedure directory. Essentially, this has now been renamed. The new General Data Protection Regulation continues to stipulate that you as an association must list all processing activities in which you have handled personal data. You should be able to describe these in detail and produce them on request.
Clubs and photos: Every event is documented
Some time ago, nobody had a data protection problem with photos of clubs being published on their own website or generally on the internet. But the GDPR not only forces associations to rethink their actions. The members must now also deal with the issue. After all, snapshots of association events are increasingly shared on the internet. But what do you need to pay attention to in the future?
Do you need consent in order to publish team photos?
Everyone wants to celebrate successes. At sports events, it’s nice to take a photo of the winning team so you have a souvenir. In cases like this, your interest lies in documenting the club activities. According to Art. 6 (1) sentence 1 (f) GDPR, you do not need the consent of the members in the photo, as long as they are all adults. If, on the other hand, you are photographing children and adolescents under the age of 18, you need the written consent of the parent or guardian.
However, this does not mean that you are exempt from your duty to provide information. Data protection at associations involves informing your members about the publication of photos. You are also required to communicate the place of publication: newspaper, website, blog, etc. In addition, keep in mind that any person photographed can revoke their consent at any time. You must explicitly point out this option.
Data protection for associations goes hand in hand with the proper technical and organizational measures
You must ensure that all personal information collected is kept secure so that it cannot be accessed by unauthorized third parties. However, this not only applies to the information you have stored in a cloud or on a hard drive. This also applies to email traffic.
One data protection measure, for example, would be the encryption of club data. You are also obliged to check regularly for security gaps. Moreover, we recommend that your members have limited access to personal data. Only the treasurer and their deputy, for example, should have access to the bank details of association members.
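The access restriction described above (only the treasurer and their deputy see bank details) is easiest to enforce if the member database itself decides per field who may see what, rather than relying on officers to look away. The following Python model is an added illustration and not code from the original article: the role names, the field names, the member record and the audit entry format are all constructed assumptions. It applies a deny-by-default rule (an unknown role gets only the basic fields), returns a redacted copy of the record, and writes every access to an audit log so that the association can later show who looked at which data.

```python
"""Field-level access control for club member records.

Added illustration of the least-privilege measure described in the article;
roles, fields and the sample record are constructed assumptions, not the
article's own scheme. Encryption and vulnerability scanning, the other
measures mentioned, are not modelled here.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Fields every officer may see. Anything beyond this must be granted per role;
# a role that is not listed in ROLE_FIELDS gets nothing more (deny by default).
BASE_FIELDS: FrozenSet[str] = frozenset({"member_id", "name"})
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "treasurer":        frozenset({"email", "address", "bank_details"}),
    "deputy_treasurer": frozenset({"email", "address", "bank_details"}),
    "coach":            frozenset({"email", "date_of_birth"}),
    "board":            frozenset({"email", "address", "date_of_birth"}),
}


@dataclass
class AuditEntry:
    """One recorded access: who, in which role, to which member, which fields."""
    actor: str
    role: str
    member_id: int
    fields_returned: List[str]


AUDIT_LOG: List[AuditEntry] = []


def allowed_fields(role: str) -> FrozenSet[str]:
    """Base fields plus the role's extra fields; unknown roles get only the base set."""
    return BASE_FIELDS | ROLE_FIELDS.get(role, frozenset())


def can_view(role: str, field_name: str) -> bool:
    """True if the given role may see the given field."""
    return field_name in allowed_fields(role)


def view_member(actor: str, role: str, record: dict) -> dict:
    """Return a copy of the record restricted to what the role may see,
    and record the access so the association can account for it later."""
    permitted = allowed_fields(role)
    redacted = {k: v for k, v in record.items() if k in permitted}
    AUDIT_LOG.append(AuditEntry(actor, role, record["member_id"], sorted(redacted)))
    return redacted


# Constructed sample record: fictitious person, fictitious IBAN.
SAMPLE_MEMBER = {
    "member_id": 42,
    "name": "Example Member",
    "email": "member@example.org",
    "address": "Musterstrasse 1, 12345 Musterstadt",
    "date_of_birth": "2001-03-14",
    "bank_details": "DE00 0000 0000 0000 0000 00",
}

if __name__ == "__main__":
    for role in ("treasurer", "coach", "webmaster"):
        print(f"{role:10s} -> {view_member('alice', role, SAMPLE_MEMBER)}")
    print(f"{len(AUDIT_LOG)} accesses logged")
```

The important design choice is that the permission check lives in one place, `view_member`, through which every read of a member record passes; a new role such as "webmaster" sees nothing sensitive until someone deliberately adds it to `ROLE_FIELDS`, and the audit log gives the association the evidence it needs if a member asks who has accessed their data.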
Enter into processing contracts
The subject of the cloud has already been mentioned. In this case, you hand all information over to a third party and have the data processed externally. According to Art. 28 (3) GDPR, the association must enter into a processing contract with the service provider or software manufacturer for data protection reasons. This applies to you even if you only use dedicated accounting software.