20 October 2020

How could the right to be forgotten affect your amateur rugby or football club?

The General Data Protection Regulation was ground-breaking legislation in several ways. It brought data protection rules to filed paper documents, for example, and gave individuals a standard mechanism to request what data an organisation holds on them.

Among the new rights it introduced was the right for individuals to ask to have their personal data erased without undue delay, known as the ‘right to be forgotten’.

This new right has important implications for amateur sports clubs, including rugby and football clubs.

So, here’s our at-a-glance guide to the new right.

What is the right to be forgotten?

Individuals can request the deletion of their personal data in writing or verbally, and the organisations which hold their data must reply to them within a month.

The individual has the right of data erasure if:

  • You’re holding it on the basis of consent, and they withdraw it.
  • The personal data is no longer necessary for the purpose for which it was collected or processed.
  • You hold it for legitimate interests for processing but the individual objects and there is no overriding legitimate interest to hold it.
  • You’re processing it for direct marketing and the individual objects.
  • You must delete it to comply with the law.
  • You’ve processed it unlawfully.
  • You’ve processed it to offer information society services to a child.

There are some circumstances where an individual might request personal data be deleted but organisations refuse on the basis of another legal obligation, such as in the case of accountants or solicitors who must hold data on their clients for several years by law.

A business may also receive a request from a customer who has an ongoing contract with them, and you need to keep that personal data until the end of the contract.

A football or rugby club might be required by local police to retain a record of any fans banned from their premises or a club might have to keep a record of a dispute with local residents in case they face legal action.

So, the right to be forgotten isn’t an absolute right and each case must be weighed up individually.

It also isn’t the only reason your club should consider deleting personal data. More of that later!

How could this be applied in rugby and football clubs?

Clubs hold a great deal of information which might be considered personal data in GDPR and the Data Protection Act 2018.

For example, names, addresses, dates of birth, phone numbers, and email addresses may well be held in membership lists.

Provided your consent forms are clear and explicit when you collect that information, you could hold that data on the legal basis of consent.

Or you could be processing the data under legitimate interests to distribute information about the club regularly.

What happens when someone decides to end their membership of the club, though?

Does that automatically mean they have also withdrawn their consent for their personal data to be held and that it is no longer held for legitimate interests?

That depends on the purpose for which it was collected and on what legal basis it is held.

Giving members a regular opt-out option would help strengthen a club’s position here. You could check whether members are happy for their data to be held on a regular basis (perhaps every six months or annually) and complete regular data protection ‘housekeeping’.

Why can deleting personal data regularly be a good thing for a club?

There is another good reason for ensuring old personal data is regularly deleted: you may receive a Subject Access Request about it.

GDPR also gave individuals the right to ask organisations what data it holds about them.

The more data you hold about individuals, the more work it is for your data protection officer to find and retrieve it and send it on to the person who requested it.

Data could be included in paper files, documents in the cloud, documents on individual devices, and in email chains.

Generally, all this must be done within a month.

That could be hugely disruptive to an amateur team staffed by volunteers, and especially galling if it ends in a request for the data to be deleted anyway!

Some amateur clubs may also have paid employees such as club stewards and stewardesses who could put in an SAR to see what’s held about them before making a complaint or bringing a case to an employment tribunal.

What happens when an amateur player decides to move clubs?

He or she could well argue that holding personal data about them is no longer necessary in relation to the purposes for which the data was collected.

With players, there’s the added complication of whether the club holds any “sensitive data”, which would be deemed special category data in the GDPR requiring a higher standard of protection.

Explicit consent of the person about whom the data relates is likely to be required to process this type of data if the player is not professional.

This category includes data relating to the individual's mental or physical health, including injuries and notes coaches have made about medical treatment.

So, it’s vital that clubs ensure they know whether they hold any sensitive data like this.

Is there a difference between amateur and professional clubs?

Yes, there is.

Players at professional clubs would also need to know what their contract says about who owns the personal data collected at their time there, especially performance data and other special category data.

Read our blog on this subject here.

Do you need specialist advice on dealing with data protection legislation at your football or rugby club? Please call us on 029 2000 2339 or email contact@iolis-legal.com.

Recent Posts

5 Things to Remember When Meeting Over Video

As industry and commerce gets used to the ‘new normal’, the use of video conferencing facilities and software is becoming widespread. It is a useful tool and has undeniably been a major factor in bringing teams back together in a virtual way during the pandemic lockdown. There has been a lot of media coverage on […]

Read more
Will monitoring your home-working staff land your business in hot water?

Large scale working from home happened very quickly at the start of the COVID-19 pandemic, and many organisations didn’t have time to fully explore the impact this could have on working practices. Some businesses and organisations had already embraced the benefits of remote working for their employees. Others had been wary of it and had […]

Read more
The 7 easy ways you can avoid data protection in your business becoming a Halloween horror show...

I was working as a DPO, late one night,When my eyes beheld an eerie sight.For a monster problem began to riseAnd suddenly, to my surprise,There was a breach, a data breach.How far’d it reach, that data breach?Where did it reach? Don’t be left singing your own version of the Monster Mash this Halloween! There are […]

Read more
How could the right to be forgotten affect your amateur rugby or football club?

The General Data Protection Regulation was ground-breaking legislation in several ways. It brought data protection rules to filed paper documents, for example, and gave individuals a standard mechanism to request what data an organisation holds on them. Among the new rights it introduced was the right for individuals to ask to have their personal data […]

Read more
What are the 4 common data protection mistakes which could cost your business dearly?

Every business has a duty of care for the personal data of its customers, suppliers, and staff. The law enshrines it in the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the PECR, and any data breach must be reported to the relevant authorities, generally within 72 hours. In the UK, that’s […]

Read more

Does your UK business need a mediator or support with data protection and GDPR? Tell us how we can help you.

Call us to start the conversation on 029 2000 2339 or email contact@iolis-legal.com

Contact us
9 November 2020
5 Things to Remember When Meeting Over Video
As industry and commerce gets used to the ‘new normal’, the use of video conferencing facilities and software is becoming widespread. It is a useful tool and has undeniably been a major factor in bringing teams back together in a virtual way during the pandemic lockdown.…
Read More
25 October 2020
Will monitoring your home-working staff land your business in hot water?
Large scale working from home happened very quickly at the start of the COVID-19 pandemic, and many organisations didn’t have time to fully explore the impact this could have on working practices. Some businesses and organisations had already embraced the benefits…
Read More
25 October 2020
The 7 easy ways you can avoid data protection in your business becoming a Halloween horror show...
I was working as a DPO, late one night,When my eyes beheld an eerie sight.For a monster problem began to riseAnd suddenly, to my surprise,There was a breach, a data breach.How far’d it reach, that data breach?Where did it reach? Don’t be left singing your own version…
Read More
20 October 2020
How could the right to be forgotten affect your amateur rugby or football club?
The General Data Protection Regulation was ground-breaking legislation in several ways. It brought data protection rules to filed paper documents, for example, and gave individuals a standard mechanism to request what data an organisation holds on them. Among…
Read More
13 October 2020
What are the 4 common data protection mistakes which could cost your business dearly?
Every business has a duty of care for the personal data of its customers, suppliers, and staff. The law enshrines it in the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the PECR, and any data breach must be reported to the relevant authorities,…
Read More
25 September 2020
Five Reasons you should not use WhatsApp in your business
As a business, it is very convenient to use WhatsApp to communicate with your staff and to allow staff teams to communicate with each other. But could this easy and flexible communication tool land you in hot water? In short, the answer is yes, let’s look at some of the…
Read More
© 2020 IOLIS Ltd. Reg. in England & Wales Num.11968202 For reg. address see contact details | Website designed, hosted, and maintained by Jötnar Systems