GDPR and sports clubs: regulation affects volunteers and sports entrepreneurs

In May 2018, the General Data Protection Regulation, also known as GDPR, came into force across the European Union. This legislation applies to anyone who collects or otherwise processes personal data. Personal data is any information relating to a specific natural person. Therefore, the GDPR does not avoid sports clubs and associations, which undoubtedly process data on various persons, such as players, fans, employees, etc.

Potential non-compliance with GDPR can become unpleasantly expensive. The maximum fines that can be imposed for breaches of personal data processing obligations can be up to €20 million, or 4% of worldwide turnover in the case of a company, whichever is higher. At the same time, it should be added that the fine is always imposed taking into account the individual case and the circumstances of the offender and must in no case be liquidated.

Although it may not look like it according to the more or less expert discussion that took place over the past year, the GDPR does not represent a fundamental change or perhaps a revolution compared to the previous legislation that has been in force in the Czech Republic since 2000. The basic concepts such as personal data, sensitive personal data, data processing, data controller or data processor remain the same in terms of content or have been clarified on the basis of existing practice and case law of the European courts. The same applies to the main principles of processing of personal data, such as the principle of lawfulness (i.e. the need for a legal basis for processing), fairness and transparency of processing, data minimisation or the rules on security, confidentiality and integrity of personal data.

On the contrary, the new legislation brings changes in strengthening and extending the rights of data subjects, i.e. persons whose personal data are processed. Among the most important of these are the right to information about the processing of personal data, including the right to copies of the processed data, the right to be forgotten (the so-called right to erasure), the right to object to the processing of data or the right to data portability. In particular, the last mentioned right, according to which the data controller is in some cases obliged to transmit personal data to another controller, in a machine-readable format, could cause problems for sports clubs in particular, as they are often currently not equipped to do so either technologically or administratively.

The GDPR also introduces a number of new administrative obligations for proving compliance with the rules on the processing of personal data. These include, in particular, the need to carry out a so-called data protection impact assessment when preparing new processing or involving new technology, such as a camera system processing biometric data, which includes the identification and assessment of the risks of the new processing in terms of the rights and freedoms of the data subjects. This includes, for example, the obligation to keep records of processing activities, the obligation to report security incidents affecting personal data to the Data Protection Authority and sometimes directly to the data subjects, the obligation to appoint a data protection officer in the case of certain controllers or processors, or the obligation to take appropriate measures to protect personal data when transferring them outside the European Union.

Many of the GDPR obligations affecting sports clubs relate to the personal data of their members or players. Meeting obligations for basic activities such as keeping membership records, employment law or fulfilling contracts with professional players does not usually present major complications. On the other hand, for some sophisticated procedures, which mainly concern top clubs, compliance with the GDPR already requires more effort and the setting up of detailed internal rules and procedures.

An example is when a club collects data on players through devices that track their performance or physical functions, called wearables. In this case, the processing of sensitive personal data, health data, which enjoy a higher level of protection and for the processing of which additional conditions must be met. In sport, the processing of such data requires the explicit consent of each person concerned, which must meet a number of additional requirements (informed consent, free expression) and is revocable at any time. The withdrawal of consent must not be to the detriment of the player and the data must not be further processed without being anonymised.

Another problematic point of player data processing may be the portability of the data, e.g. when a player transfers to another club. In this case, the player can request from his current club the data that has been processed about him on the basis of his consent or in the context of the performance of his contract and can subsequently transfer it to his new club. This would then include information about his performance and health. The club is also obliged to set a reasonable time limit for the continued retention of each category of data in the event of a player's departure: some data must be archived in the club's accounts, while others that are no longer objectively needed, such as the aforementioned health data, should be deleted immediately after the player's departure.

Another situation where data on the health status of athletes is processed is in the context of anti-doping activities. In this case, however, the related processing of personal data by sports clubs and national authorities or international organisations is imposed by specific legislation, which also determines the scope, method and duration of the processing of the data thus obtained. Thus, neither the consent of the person concerned nor the fulfilment of other conditions for the transfer of data outside the European Union is necessary for the processing. However, it will only be possible to transfer data that are directly related to this control.

In the processing of personal data of fans, the specifics compared to other sectors can be seen in particular in relation to ensuring the safety of persons and property during sports matches, specifically in the area of address ticketing, keeping internal records of persons who are either officially banned from entering the stadium or whom the club wants to deny entry based on its own decision, and partly in the use of cameras, especially if they can identify a specific person based on biometric data, the so-called facial recognition.

With targeted ticketing, selling tickets to specific, identified individuals, it is crucial to collect personal data only to the minimum extent that is usually sufficient to identify the individual. This can be defined as the name, surname, date of birth and place of residence of the client in question. As the processing of data to this extent is necessary to protect the legitimate interests of the sports club, it is not contrary to the GDPR if the club makes the conclusion of a contract, i.e. the sale of a ticket, conditional on the provision of the fan's personal data. On the other hand, processing the birth number or requiring a copy of the identification document will be redundant in this context, i.e. in direct contradiction with the basic principles of the GDPR.

Similarly, in the case of a CCTV system monitoring publicly accessible parts of the stadium or its immediate surroundings, the primary and main legal ground for the related data processing is the legitimate interest of one or more sports clubs or their associations. The deployment of advanced technology which, in addition to capturing images, can also automatically recognise the faces of individuals on the basis of biometric features will again involve the processing of sensitive personal data. Before deploying it, it will be necessary to comply with some of the obligations mentioned above, in particular to carry out an impact analysis and to consult the Data Protection Authority on measures to mitigate the residual risk. Again, it will be important to set an appropriate retention period for the records or biometric data captured. In the absence of any unexpected situation, such as a scuffle between home and away spectators, this destruction should ideally occur within the next day.

The maintenance of a database or access to a register of persons who have been officially banned from attending matches or events at a particular stadium in order to implement this state-imposed measure is necessary to fulfil the legal obligation of the club concerned. Therefore, from this perspective, it will be processing that is not decided by the sports club and does not require compliance with any of the obligations imposed by the GDPR or the consent of the persons concerned. However, if the club decides to keep its own records of persons whom it does not intend to admit to events organised by the club on the basis of its own decision, the club is responsible for setting up this process, the scope of the data and the retention period of the personal data.

For any processing carried out on the basis of a legitimate interest, the data subject may, among other things, object to such processing. For example, a fan who is denied access to a stadium on the basis of a club's decision may object to the related processing by stating individual circumstances which, in his or her opinion, outweigh the legitimate interest of the controller in processing his or her personal data. The data controller, the sports club, is then obliged to assess the matter on a case-by-case basis and to consider whether its legitimate interest in processing the data or the right of the fan concerned to the protection of his privacy actually prevails in the particular case.

Even in cases of processing of personal data imposed on a sports club or association by law, as well as processing necessary for the protection of their legitimate interests, the persons concerned must be informed in advance to the extent necessary and in most situations. The information must cover the purposes and legal grounds for the processing, the other parties to whom the personal data may be transferred and the rights of the data subjects, such as the aforementioned right to erasure or to object to the processing. These may, for example, be published in an appropriate manner on the website of the sports club or association.

The new data protection regulation does not only affect large commercial companies, but affects basically all sectors, including sport. Therefore, the obligation to process personal data in accordance with the GDPR and to comply with other obligations arising from the GDPR also applies to sports clubs and associations, regardless of their size. Several specific situations of personal data processing in this area have been mentioned above, but sports clubs and associations must of course also comply with obligations that in principle apply to all obliged entities to the same extent, whether it is the use of cookies and other tools in online marketing or sending e-newsletters, or the fulfilment of specific requirements for contracts with suppliers involved in the processing of personal data.

Mgr. Bc. Milan Fric, LL.M., Mgr. František Nonneman

(Mgr. Bc. Milan Fric, LL.M., works as an attorney at law in Prague and Most, specializing, among others, in sports law and personal data protection. Mgr. František Nonnemann is a lawyer dealing with personal data protection, member of the Committee of the Society for Personal Data Protection.)