On June 21, 2023, the Lower Saxony data protection authority (LfD Niedersachsen) published a guide on data protection for clubs and associations. In particular, the LfD Niedersachsen highlighted that the guide is aimed at clubs with a variety of purposes, including sports, hobbies, music, environmental protection, and self-help clubs.

Firstly, the guide recommends that the principles of personal data processing under the General Data Protection Regulation (GDPR) be taken into account for all personal data processing, including transparency, purpose limitation, data minimization, data accuracy, storage limitation, and integrity and confidentiality.

Likewise, the guide recommends that clubs observe a recognized legal basis for processing personal data under the GDPR. Specifically, the guide outlines that the transfer of personal data of club members to another organization, for example as part of a sports competition, is permissible under Article 6(1)(b) of the GDPR. Further, the guide clarifies that legitimate interests for processing should be balanced with the fundamental rights and freedoms of data subjects' reasonable expectations and that such a consideration also applies to data that does not have a factual connection with members and non-members of the club (i.e., guests/visitors).

On the publication of club member information, such as competition results or performances, and data such as nationality, date of birth, or address, which does not serve the purpose of the club, may only be published with the voluntary consent of the member. The guide further recommends that clubs create a privacy policy, specifying the type of data, the purposes for which it is processed, and to whom such data refer, stipulating that reciting the provisions of the GDPR is not enough. Finally, the guide clarifies that the obligation to appoint a data protection officer (DPO) applies to clubs according to the GDPR.

You can read the press release here and download the guide here, both only available in German.