The GDPR for clubs

The General Data Protection Regulation has now also reached club life and presents those responsible with new challenges.

Club chairmen not only have to take care of the club's life, they also have to pay attention to the club's website and data processing. The key question, of course, is whether the association needs a data protection officer at all.
Do you have any questions about the GDPR for your club?

The GDPR in clubs - an overview

All clubs are subject to the General Data Protection Regulation.
It does not matter whether the association is entered in the register of associations or no entry has been made.

Whether the association has to appoint a data protection officer depends on the number of people who are engaged in the processing of personal data.

As soon as this number exceeds 9 people, the association is required by law to nominate a data protection officer.


heyData would like to recommend itself as an expert on the subject of data protection within clubs. Feel free to contact us and together we will shed light on your obligations and opportunities!

Data protection and the question of liability

If an association violates the regulations of the GDPR and a person suffers immaterial or material damage as a result of this incident, a compensation case under the GDPR arises. The responsibility for such a case of damage lies initially with the association or with a commissioned processor. The latter is only to be held liable if it has not complied with the regular instructions of the association or has not met its GDPR obligations within the scope of its activities.

If the claim for damages is based on improper advice, the GDPR applies, which transfers liability to the data protection officer. An association that is not obliged to appoint a data protection officer is itself the liability holder in the event of damage.

The importance of the GDPR for clubs

An association should pay special attention to a website that complies with data protection regulations. All processes that have to do with the personal data of members or outsiders must be carefully checked. The following points should be observed when collecting data:

- Individuals must give their consent to data processing (in writing)
- Personal data are a prerequisite for the conclusion of a contract
- Data collection and processing are basic requirements for fulfilling a legal obligation
- As little personal data as possible should be requested and disclosed

How did the GDPR intervene in club life?

The GDPR represents the new regulation of the EU data protection laws.
It came into force on 24.05.2016 and has been implemented since 25.05.2018. The standardization of these EU laws has a direct impact on club life. Despite all the fears, no insurmountable obstacles have been placed in the way of the clubs, but every club has to deal with the requirements of the GDPR and put them into practice within the association. The often invoked death of clubs has largely not materialized, and the clubs have come to terms with the new situation. Clubs have realized that they have to work with the GDPR in order to avoid high fines. It is important to stay on the ball here and to close all gaps with regard to data protection law.

The possible fines are particularly impressive for small clubs. A violation of the GDPR can cost the association up to 20 million euros. Of course, these fines are imposed on a case-by-case basis, and a wide variety of criteria play a role in the assessment. Thus, small clubs in particular are protected from excessive payments. But it is also a fact that the fine has increased from 300,000 euros to the above 20 million euros. For associations in particular, the state data protection officers are happy to offer assistance, and external service providers also provide reassuring security. Looking to the future, the assistance provided by the state data protection officer will slowly be reduced and the controls will tend to increase. In order to be prepared for the future, you should check all options for secure data protection!

The fact is that the state data protection officer has to deal with an association from the point at which he receives a complaint about the association. From practice it can be seen that the complaints have increased after the entry into force of the General Data Protection Regulation. In addition, every person is entitled to make a complaint!

A classic among the complaints is the right to information. The association is obliged to provide information within one month. This information includes, for example, the stored data, the origin of the data, the processing purposes and the legal basis. In this case, secure organization within the association is required. Clear rules should be set so that requests for information are answered promptly and without disruption. This prevents complaints from the state data protection officer and keeps the association out of the officer's focus.


heyData offers itself as a professional in the area of "data protection in clubs" - feel free to contact us!


GDPR in the association - the check

Do you have any questions about data protection in the association?

Talk to the experts and contact heyData! We bring your club safely to its destination!

Do I need a data protection officer?

If you and your company meet one or more of the following criteria, then YES:
- Your company employs more than 20 people
- The employees regularly process automated data
- Special categories of personal data are processed in the company, such as ethnic origin, political opinion, religious conviction, health, the person's sex life
- Business-related personal data is transmitted, collected, processed or used and this represents a core activity of the company (this is the case with almost all companies that are related to personnel, e.g. software, recruiting, headhunting, consulting, etc.) 

What are personal data?

According to the GDPR, personal data is all information that relates to an identifiable or identified natural person. A person is identifiable if they can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, a location or other features. In practice, this includes all data that can be assigned to a person in any way. Examples of this are telephone numbers, ID numbers, account details, license plates, customer numbers, e-mail addresses or postal addresses.

How does heyData work?

As soon as you have decided to work with heyData, after an initial needs analysis, we will carry out a data protection audit with your company in order to understand the processes of your company holistically - this process is digitally accompanied and supervised by the data protection advisor. We will then work with you to prepare the necessary documentation and, if necessary, adapt the website of your company according to our instructions, should there be a need for changes in order to achieve conformity. Depending on the package, we are then involved in a wide variety of processes in your company that require the expertise of a data protection officer to protect you in all matters; this usually extends to HR, marketing, product but also business development processes.

How long is the contract term?

The regular contract term is 24 months.

What is done in the data protection audit?

The data protection audit is intended to examine the processes of your company and to identify the essential points of data processing. You will then receive documentation of this so that the positions, the type of data processed and the persons responsible are also available as a diagram at any time.