Definition
GDPR (General Data Protection Regulation, EU Regulation 2016/679) has regulated personal data processing across the EU since 2018. It replaces former national laws and is complemented in Spain by LOPDGDD (Organic Law 3/2018).
For a sports club its impact is high: you handle sensitive data (minors, health data, image, financial) and you are the data controller. Core obligations: a valid legal basis for each processing activity (consent, contract, legal obligation, legitimate interest), clear information to data subjects (privacy policy), a record of processing activities (RAT), guaranteeing data subject rights (access, rectification, erasure, restriction, portability, objection), notifying security breaches and, when applicable, appointing a Data Protection Officer (DPO).
When does it apply?
GDPR applies from the very first personal data point you process: a registration sheet with a member's name and email already falls under it. There is no minimum size threshold. Obligations scale with volume and sensitivity, but the principles (lawfulness, fairness, transparency, minimisation, accuracy, storage limitation, integrity, accountability) always apply.
Practical example
Common mistakes
- Posting photos of minors on social media without signed explicit consent: a very common and serious breach.
- Not keeping a RAT: Spain's AEPD requires it even from small entities; its absence is sanctionable.
- Confusing consent with a contractual basis: consent must be revocable; a contractual basis is not.
- Forgetting data processors: the club software, the accountant and the email provider are processors and need data-processing agreements.
This is not specific legal or tax advice
Information as of May 2026. Regulation evolves and every club has its own circumstances (region, federation, size, activities). For your specific case, talk to a lawyer or tax advisor specialised in Spanish sports law.