The General Data Protection Regulation was ground-breaking legislation in several ways. It brought data protection rules to filed paper documents, for example, and gave individuals a standard mechanism to request what data an organisation holds on them.
Among the new rights it introduced was the right for individuals to ask to have their personal data erased without undue delay, known as the ‘right to be forgotten’.
This new right has important implications for amateur sports clubs, including rugby and football clubs.
So, here’s our at-a-glance guide to the new right.
What is the right to be forgotten?
Individuals can request the deletion of their personal data in writing or verbally, and the organisations which hold their data must reply to them within a month.
The individual has the right of data erasure if:
- You’re holding it on the basis of consent, and they withdraw it.
- The personal data is no longer necessary for the purpose for which it was collected or processed.
- You hold it for legitimate interests for processing but the individual objects and there is no overriding legitimate interest to hold it.
- You’re processing it for direct marketing and the individual objects.
- You must delete it to comply with the law.
- You’ve processed it unlawfully.
- You’ve processed it to offer information society services to a child.
There are some circumstances where an individual might request personal data be deleted but organisations refuse on the basis of another legal obligation, such as in the case of accountants or solicitors who must hold data on their clients for several years by law.
A business may also receive a request from a customer who has an ongoing contract with it, in which case it needs to keep that personal data until the end of the contract.
A football or rugby club might be required by local police to retain a record of any fans banned from its premises, or a club might have to keep a record of a dispute with local residents in case it faces legal action.
So, the right to be forgotten isn’t an absolute right and each case must be weighed up individually.
It also isn’t the only reason your club should consider deleting personal data. More of that later!
How could this be applied in rugby and football clubs?
Clubs hold a great deal of information which might be considered personal data in GDPR and the Data Protection Act 2018.
For example, names, addresses, dates of birth, phone numbers, and email addresses may well be held in membership lists.
Provided your consent forms are clear and explicit when you collect that information, you could hold that data on the legal basis of consent.
Or you could be processing the data under legitimate interests to distribute information about the club regularly.
What happens when someone decides to end their membership of the club, though?
Does that automatically mean they have also withdrawn their consent for their personal data to be held and that it is no longer held for legitimate interests?
That depends on the purpose for which it was collected and on what legal basis it is held.
Giving members a regular opt-out option would help strengthen a club’s position here. You could check on a regular basis (perhaps every six months or annually) whether members are happy for their data to be held, and complete regular data protection ‘housekeeping’.
Why can deleting personal data regularly be a good thing for a club?
There is another good reason for ensuring old personal data is regularly deleted: you may receive a Subject Access Request about it.
GDPR also gave individuals the right to ask organisations what data they hold about them.
The more data you hold about individuals, the more work it is for your data protection officer to find and retrieve it and send it on to the person who requested it.
Data could be included in paper files, documents in the cloud, documents on individual devices, and in email chains.
Generally, all this must be done within a month.
That could be hugely disruptive to an amateur team staffed by volunteers, and especially galling if it ends in a request for the data to be deleted anyway!
Some amateur clubs may also have paid employees, such as club stewards and stewardesses, who could put in a Subject Access Request (SAR) to see what’s held about them before making a complaint or bringing a case to an employment tribunal.
What happens when an amateur player decides to move clubs?
He or she could well argue that holding personal data about them is no longer necessary in relation to the purposes for which the data was collected.
With players, there’s the added complication of whether the club holds any “sensitive data”, which would be deemed special category data in the GDPR requiring a higher standard of protection.
Explicit consent of the person to whom the data relates is likely to be required to process this type of data if the player is not professional.
This category includes data relating to the individual's mental or physical health, including injuries and notes coaches have made about medical treatment.
So, it’s vital that clubs ensure they know whether they hold any sensitive data like this.
Is there a difference between amateur and professional clubs?
Yes, there is.
Players at professional clubs would also need to know what their contract says about who owns the personal data collected during their time there, especially performance data and other special category data.