General Data Protection Regulation (AVG)
Since 2016 the General Data Protection Regulation (GDPR / AVG) has been adopted in the Netherlands. This means that associations have to abide by these rules. To assist you, a five step guide by Sportaal https://sportaal.nl/ is explained below. Under 'Attachments' you will also find an example Privacy Statement.
Step 1: Registration
Provide insight into which data you process and why you do it. Under the GDPR you have accountability, which means that you must be able to demonstrate that your sports association acts in accordance with the GDPR. Examples where personal data is processed are: 1. Membership administration, 2. Personnel 3. Suppliers, 4. Participants tournaments and activities, 5. Contacts sponsors and 6. Login details of website visitors.
Step 2: Adding extra features to the registration
For each activity, in addition to the purpose and categories of data from step 1, you also determine to whom the personal data is provided (both internally and externally) and how long you keep the data or when you destroy it. In addition, your personal data may only be used for as long as it is necessary in view of the purpose for which the personal data is processed. However, in some cases a retention obligation may apply on the basis of special (usually fiscal) regulations. This duty then takes precedence. Furthermore, you can – if possible – at any registration indicate which security measures you have taken. For example, think of the encrypted sending or receiving of data or a secure environment within your website for members only.
Step 3: Informing your members and others whose data you process
The GDPR prescribes that you must inform the persons whose personal data you process about the use of their data. You can meet this obligation in most cases by drafting and publishing a good privacy statement on, for example, your website.
To summarize step 1 till 3 a privacy statement mockup can be found under 'Attachments'. Here an insightful table is discussed via which you can clearly determine how you can manage different types of data.
Step 4: Make someone responsible for the topic of privacy
It is important that the subject of information security and privacy is given a place within the administrative responsibility. In view of the legal obligations, we recommend to discuss the topic regularly in board meetings and take responsibility for this to assign the drafting and implementation of the privacy rules to one of the board members.
Step 5: Follow-up actions
With steps 1 to 4 you lay a good foundation and you also show that you take the responsibilities regarding privacy seriously. Please note that the European rules require more than just the registration and information obligation. The proper implementation of these additional obligations depends on the nature and size of your organization, the data you process and the way in which you do that for example, if you leave data to other organizations (such as the sports association or a collection agency) then it may be necessary to conclude a so-called processing agreement.
By going through steps 1 to 4, however, you have already laid a good foundation for this.
Additionally a document stating frequently asked questions such as “Can I use pictures of members?” can be found here (in Dutch): https://sportaal.nl/assets/Uploads/Questions-and-Answers-AVG-Sportverenigingen-samengevoegde-versie-juni-..-.pdf