Executive summary: GDPR in 4 paragraphs
The GDPR (Regulation (EU) 2016/679, in force since 25 May 2018) and Spain's LOPDGDD (Organic Law 3/2018 of 5 December on Personal Data Protection and Guarantee of Digital Rights) are the two pieces of law that govern how your sports club processes personal data. There is no exemption by size or legal form: if you manage members, players or families — and every club does — the GDPR applies in full.
The GDPR is not just about writing a privacy policy and pinning it on your website. It requires you to document what data you process and under what legal basis (the Record of Processing Activities, or RoPA), to collect valid consents where applicable — especially for photos of minors and marketing — to sign contracts with your processors (Stripe, club management software, accountants, banks), to notify breaches to the Spanish Data Protection Authority (AEPD) within 72 hours and to respect data-subject rights (access, rectification, erasure, objection and portability).
Sanctions are high in absolute terms — up to 20 million euros or 4% of annual turnover — but in practice fines on small clubs sit between 1,500 and 30,000 € depending on the case. The most sanctioned conduct: publishing photos of minors on social media without explicit consent from both parents and publishing lists with full identifying data (national ID, address, phone).
The good news: complying with GDPR in a small club costs between 500 and 1,500 € in year one (lawyer-drafted privacy policy + initial RoPA) and between 200 and 500 € a year afterwards (maintenance, training, renewals). The AEPD offers free templates and self-assessment tools. This guide walks you through the 7 core obligations, the legal bases for every typical club processing, the critical image-of-minors section, the difference with LOPIVI and an 18-point checklist.
Who the GDPR applies to in a sports club
Short answer: every sports club, without exception. The GDPR applies to any entity — public or private, for-profit or not — that processes personal data of natural persons in the European Economic Area. Since every club manages members, players, parents and suppliers, the GDPR applies from the first sign-up. There is no minimum threshold: a padel club with 30 members is just as bound as a sports limited company with thousands.
Small club (<200 members): proportionate obligations
A neighbourhood club with 80 members and 4 teams also complies with the GDPR: it needs a public privacy policy, information clauses on the enrolment form, a RoPA (a simple Excel is fine), processor contracts (Stripe, software, accountant), and explicit consents for photos on social media and newsletter. A DPO is not mandatory in most cases. Realistic annual cost: 500-800 € year one, 200-300 € afterwards.
Mid-large club (>500 youth players): heightened attention
When a club processes large-scale data — especially special categories such as medical records or minors — the AEPD recommends a DPO and deeper legal review. It is not automatically mandatory (Article 37 GDPR speaks of 'large scale' without a fixed numerical threshold), but in clubs with >500 minors, year-round schools or systematic medical-record processing it is standard practice. External DPO cost: 600-2,000 € per year.
Typical error: 'my club is small and non-profit, this doesn't apply'. It does. The GDPR makes no distinction by size or legal form. What does change is proportionality: the technical and organisational measures expected from an 80-member club are not the same as those expected from an 8,000-member one.
Legal bases: why you may process each piece of data
Article 6 GDPR requires every processing activity to have a legal basis — utility alone is not enough; it must be justified. The 6 bases are: consent, performance of a contract, legal obligation, vital interest, public interest and legitimate interest. In a sports club most processing activities rely on contract performance (the member fee), legal obligation (tax, federative) or consent (marketing, image). This is the reference table.
| Processing activity | GDPR legal basis |
|---|---|
| Member fee and club administration | Performance of a contract (Art. 6.1.b GDPR) — joining as a member creates a contractual relationship. |
| Operational communications (schedules, matches, call-ups) | Performance of a contract (Art. 6.1.b) — necessary to deliver the club's service. |
| Email marketing / club newsletter | Explicit consent (Art. 6.1.a) — separate, non-pre-ticked checkbox, withdrawable at any time. |
| Match photos for internal use (club magazine, album) | Legitimate interest (Art. 6.1.f) if justified and documented after balancing; consent is recommended when minors are involved. |
| Match photos on social media or for advertising | Explicit consent (Art. 6.1.a) — and from both parents when the subject is a minor. |
| Medical record of a minor (allergies, injuries, emergency contacts) | Explicit consent + healthcare purpose (Art. 9.2.h GDPR) — special category, reinforced protection. |
| Tax compliance, federation registry, licences | Legal obligation (Art. 6.1.c) — imposed by statute (corporate tax law, Sports Act, federation rules). |
Frequent mistakes: assuming consent works for everything (then a member who withdraws it would leave the club unable to bill them — false, that basis is contract performance) or, conversely, basing photos on social media on 'legitimate interest' (the AEPD systematically rejects this when minors are involved). Document the basis in the RoPA and use it in your information clauses.
What data a sports club actually handles
Before you can protect it, you need to inventory it. Most clubs underestimate the volume of data they handle — between enrolment forms, federative cards, payments, WhatsApp groups and photo galleries, the real volume is much larger than the typical 'name and email'.
Typical data for adult members
Full name, national ID (DNI/NIE), date of birth, postal address, email, mobile phone, bank account (IBAN) for direct debit, photograph (if provided), payment history, possible federation licence, assigned team and, in some cases, profession or employer. All of these are 'common' data for Article 6 GDPR purposes: they need a legal basis but not reinforced protection.
Typical data for under-age players
Minor's full name, date of birth, nationality, photograph, team or age group, position, kit size, allergies and dietary restrictions, relevant medical history (asthma, diabetes, prior injuries), parents' data (national ID, phones, email, address) and, where applicable, specific authorisations (trips, outings, image use). Two reinforced categories converge here: minors and health data.
Special categories (Art. 9 GDPR)
Health data (medical record, allergies, injuries, restrictions), biometric data when used (fingerprints to access premises), data on sexual life or racial origin when incidentally present (a team photo, for instance) and minor data in general. These processings require explicit consent or a reinforced basis under Article 9.2 — the most common ones in clubs are 9.2.h (healthcare) and 9.2.a (explicit consent).
Practical RoPA tip: list every point where you collect data (web form, paper form, app, WhatsApp, event sign-ups, medical sheets, etc.) and treat each one as a separate 'processing activity' in your Record. A grassroots club typically ends up with 8-15 processing activities without much complication.
The 7 core GDPR obligations for your club
An overview of the framework. Each obligation is developed in its dedicated section below. Treat this as the backbone of compliance — everything else hangs off here.
- Record of Processing Activities (RoPA). Mandatory under Article 30 GDPR. Document every processing activity of the club with its purpose, legal basis, categories of data subjects and data, recipients, retention periods and security measures. Without a RoPA, everything else is paper: the AEPD asks for it in any inspection.
- Public privacy policy. Document accessible on the club's website, written in plain language, that explains who the controller is, what data is processed, why, for how long, who it is shared with, what rights the data subject has and how to exercise them. It is the public version of the RoPA.
- GDPR clauses on enrolment forms. Any data collection must come with the Article 13 GDPR information: controller, purpose, legal basis, rights and retention. This clause lives on the sign-up form (web or paper), the enrolment sheet and any new form (camp, event, survey).
- Explicit consent where applicable. For anything not covered by another basis — marketing, photos on social media, transfers to sponsors — consent must be freely given, specific, informed and unambiguous. Separate checkbox (not pre-ticked), clear text and ability to withdraw just as easily as it was given.
- Data Protection Officer (DPO). Mandatory in some cases (Art. 37 GDPR): large-scale processing of special categories or minor data. Not mandatory in small clubs but appointing an internal privacy lead is advisable. In clubs with >500 minors and medical records, the AEPD recommends a formal DPO.
- Processor contracts (Art. 28). Every supplier that processes data on behalf of the club (software, payment gateway, accountant, mailer, bank) is a 'processor' and must have signed an Article 28 GDPR contract. Without that contract the transfer is unlawful.
- Data breach notification. If there is a breach — laptop with the database stolen, cyberattack, mass email with recipients in CC — it must be notified to the AEPD within 72 hours and, if there is high risk, communicated to affected individuals without delay.
The set only works as a system. A privacy policy without a RoPA behind it, or consents without a contract with the supplier storing them, leaves gaps that the AEPD spots in any audit. Treat the 7 pieces as one whole.
Record of Processing Activities (RoPA): what it is and how to build it
The RoPA is the internal inventory of every personal-data processing activity in the club. Article 30 GDPR requires it from almost any controller (the only formal exemption applies to entities with fewer than 250 workers whose processing is only occasional and involves no special-category data — a club with minors rarely qualifies). If the AEPD audits you, or you have a breach, the first thing they ask for is the RoPA.
What every RoPA entry must contain
- Processing name (member fee, medical record, newsletter, match photos, etc.).
- Specific purpose (not generic) and legal basis from Article 6 or 9 GDPR.
- Categories of data subjects (adult members, under-age players, parents, staff, suppliers).
- Categories of data processed (identifying, contact, financial, health, image).
- Recipients or categories of recipients (federation, accountant, tax office, payment gateway, software).
- Planned retention period and technical and organisational security measures.
How to do it in practice
You do not need expensive software: the AEPD itself offers the free FACILITA RGPD tool for small entities. For a grassroots club a well-structured Excel works perfectly. List the typical processings (8-15 usually emerge: member management, player management, medical record, internal photos, social-media photos, marketing, accounting, federation, ticketing, events, volunteering, HR, video surveillance if any, web cookies, etc.) and fill each row.
Who maintains the RoPA and how often
The club controller (Board) signs the RoPA; the DPO or internal privacy lead keeps it current. A mandatory review applies whenever a new processing appears (we launch a newsletter for the first time, we sign a new software) or an existing one changes (we switch payment gateway). At minimum, a full annual review.
Privacy policy: minimum content and where to publish it
The privacy policy is the public version of the RoPA. It is not an optional or decorative document: it is the most visible piece of compliance and the first thing any data subject — and any inspector — will look at. It must be accessible from every page of the club's website (footer), in plain language and updated with every material change.
Mandatory information (Article 13 GDPR)
- Identity and contact details of the controller (the club, with its tax ID and address).
- DPO contact details where applicable (or the internal privacy lead).
- Purpose of the processing and the specific legal basis for each purpose.
- Recipients or categories of recipients (with mention of international transfers if any).
- Retention period or the criteria used to determine it.
- Data-subject rights (access, rectification, erasure, objection, restriction, portability) and how to exercise them.
- Right to lodge a complaint with the AEPD.
- Existence of automated decision-making where applicable.
Where to publish it
A visible link in the footer of every page of the club's website, not just the homepage. If the club has an app, also reachable from the settings screen. Every form must link to it from the information clause. Every transactional or marketing email must include a footer link.
How to write it so it is not paperwork
Plain, concise language. The AEPD penalises generic copy-paste policies that do not reflect the club's real processing activities. Layered structure: a short, visual top level, then a full-detail second level. Specific version for minors in clubs with a school: an explanation adapted to parents and, from age 14, also to the minor themselves (Art. 7 LOPDGDD).
Consents: when, how and the mistakes clubs make
Consent is only one of the six bases in Article 6 GDPR, not the only one. The most common mistake in clubs is to assume that 'asking for consent for everything' is the safest defensive option — it is not. When another basis applies (contract, legal obligation), using consent weakens your position because the data subject can withdraw it and unwind the processing.
When consent must be requested (and only then)
Ask for consent only for processings that lack another basis: non-operational email marketing and newsletter, image use on social media and advertising, transfers to sponsors, non-essential website cookies, geolocation where applicable, non-essential WhatsApp communications. For everything else (member fee, operational communications, federation records, accounting), the correct basis is contract or legal obligation.
How to obtain a valid consent
- Freely given: no pressure and no conditioning the main service on it (you cannot deny membership to someone who refuses social-media photos).
- Specific: one checkbox per purpose — separate marketing, social media, sponsor transfers; never a single 'yes to all'.
- Informed: the data subject must know what they are consenting to, why and for how long.
- Unambiguous: clear affirmative action — un-ticked checkbox, signature, explicit click; never silence or a pre-ticked box.
- Documented and withdrawable: keep a record (date, IP, text version signed) and let the subject withdraw as easily as they gave it.
Common mistakes in club consents
- A single checkbox for 'data processing and marketing' — not specific, not valid.
- Default pre-ticked boxes — the Court of Justice of the EU expressly invalidated them (Planet49 judgment, 2019).
- Asking for consent for processings that already have another basis — weakens the club's legal position.
- Failing to log the consent (date, text version, IP/signature) — without traceability you cannot prove it.
Image of minors: the critical section
This is the section where most AEPD fines on sports clubs concentrate. Read it twice. The rule: ALWAYS explicit, ALWAYS granular, ALWAYS both parents, ALWAYS revocable.
Publishing the photo of a minor on the club's website, on social media, in the magazine or on advertising material is a personal-data processing activity that the AEPD scrutinises closely. The rules are clear and yet this is where most clubs make mistakes — usually through ignorance or inertia ('we have always done it this way at my club'). The GDPR allows no shortcuts when minors are involved: consent must be explicit, granular and from both parents in cases of shared custody.
The 5 rules of minor image consent
- ALWAYS explicit, never implicit. Signing the child up to the club does not authorise the use of their image. The image consent is a separate document.
- Granular: split by channel and purpose. A separate checkbox for internal club use (magazine, album), club social media, press and advertising. The subject decides channel by channel.
- Signature of BOTH parents in shared-custody situations. If only one signs and the other complains, the consent is void. In exclusive custody one signature is enough, but the regime must be documented.
- From age 14 the minor also signs (Art. 7 LOPDGDD). Below that age, signature lies exclusively with parents or guardians.
- Withdrawable at any time, without justification. When withdrawn, the club must remove the already-published images on channels under its control. 'They were published two years ago' is not a defence.
The consent must be documented with traceability (paper or digital): minor's name, both parents' names and signatures with national ID, scope of authorised use (with the boxes ticked), duration (typically 'for the duration of player status' with revocation option), date and text version. If the policy is updated or the scope is broadened (a new sponsorship campaign, for example), it must be requested again.
Mistakes the AEPD fines in clubs
- 'One parent's signature is enough'. In shared custody both parents must sign. If only one signs, a single complaint from the other voids the consent and the publication becomes an infringement.
- 'They signed five years ago, it is still valid forever'. Consent is revocable at any time. Also, if purposes change (new platform, new sponsor, new website) it must be collected again.
- 'We post match photos on Instagram without asking anything because they're in a public space'. The match being in an open ground does not exempt you from consent. The AEPD has fined several clubs for publishing photos of minors on social media without authorisation.
- 'We post the full member list with national IDs on the noticeboard'. Publishing identifying data (national ID, address, phone) in an accessible space is a serious GDPR infringement, with fines reported in the mid-to-high range.
Practical recommendation for clubs with a youth school: handle the image consent as a separate document from the enrolment form, with granular checkboxes (internal / social / press / advertising), a line for both parents' signatures, a dedicated checkbox for over-14s, and store a scanned copy in the player's file. Review annually at the start of the season: ask if they want to change the scope or revoke. Anyone who revokes is automatically removed from the usable-image list.
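The five rules above, plus the traceability points from the consent section (date, text version, revocation), turn naturally into a check the club can run before an image is used. The following is an added example, not OneClub code or an AEPD tool; the channel names, the form version number and the sample records are constructed for illustration.

```python
"""Consent-validity check for a minor's image: explicit consent per channel, both
parents under shared custody, minor co-signs from age 14 (Art. 7 LOPDGDD),
re-consent when the form text changes, and revocation removes the image."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

CHANNELS = ("internal", "social", "press", "advertising")
CURRENT_TEXT_VERSION = "2024-09"  # assumption: version of the consent form in force


@dataclass
class ImageConsent:
    minor_name: str
    minor_birth_date: date
    shared_custody: bool
    parent_signatures: Set[str]   # names of parents who signed with their ID number
    minor_signed: bool            # the dedicated over-14 checkbox / signature
    channels: Set[str]            # checkboxes ticked, one per channel
    text_version: str             # version of the consent text that was signed
    signed_on: date
    revoked_on: Optional[date] = None


def age_on(birth: date, on: date) -> int:
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


def consent_problems(c: ImageConsent, channel: str, today: date) -> List[str]:
    """Reasons the image may NOT be used on `channel`; an empty list means usable."""
    problems = []
    if channel not in CHANNELS:
        problems.append(f"unknown channel {channel!r}")
    if c.revoked_on is not None and c.revoked_on <= today:
        problems.append("consent revoked: remove already-published images")
    if channel not in c.channels:
        problems.append(f"no explicit consent for channel {channel!r}")
    required = 2 if c.shared_custody else 1
    if len(c.parent_signatures) < required:
        problems.append(f"{required} parental signature(s) required, "
                        f"{len(c.parent_signatures)} present")
    if age_on(c.minor_birth_date, c.signed_on) >= 14 and not c.minor_signed:
        problems.append("minor aged 14+ must co-sign (Art. 7 LOPDGDD)")
    if c.text_version != CURRENT_TEXT_VERSION:
        problems.append(f"text version {c.text_version} superseded by "
                        f"{CURRENT_TEXT_VERSION}: request consent again")
    return problems


def usable_image_list(consents: List[ImageConsent], channel: str, today: date) -> List[str]:
    """Names of minors whose image may be used on `channel` today."""
    return [c.minor_name for c in consents if not consent_problems(c, channel, today)]


# Constructed sample records (not real people).
SIGNED = date(2024, 9, 1)
SAMPLE_CONSENTS = [
    ImageConsent("Valid Minor", date(2012, 3, 10), True, {"Ana", "Luis"}, False,
                 {"internal", "social"}, "2024-09", SIGNED),
    ImageConsent("One Parent", date(2012, 3, 10), True, {"Ana"}, False,
                 {"internal", "social"}, "2024-09", SIGNED),
    ImageConsent("Over Fourteen", date(2009, 5, 20), False, {"Marta"}, False,
                 {"social"}, "2024-09", SIGNED),
    ImageConsent("Old Form", date(2012, 3, 10), False, {"Marta"}, False,
                 {"social"}, "2022-01", SIGNED),
    ImageConsent("Revoked", date(2012, 3, 10), False, {"Marta"}, False,
                 {"social"}, "2024-09", SIGNED, revoked_on=date(2025, 1, 15)),
]

if __name__ == "__main__":
    today = date(2025, 3, 1)
    for c in SAMPLE_CONSENTS:
        print(c.minor_name, "social ->", consent_problems(c, "social", today) or "usable")
    print("usable on social:", usable_image_list(SAMPLE_CONSENTS, "social", today))
```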
Data Protection Officer (DPO): does your club need one?
The DPO is the Article 37 GDPR role in charge of overseeing compliance inside the entity. It is not the same as the LOPIVI DPI (which oversees the minor's physical and psychological protection) — they are distinct roles with distinct legal frameworks. If your club has a youth school you probably need both, although in small clubs the same person can hold both roles if properly trained.
When appointing a DPO is mandatory
Article 37.1 GDPR requires a DPO when the controller's core activities consist of processing operations requiring regular and systematic monitoring on a large scale, or large-scale processing of special-category data (Art. 9) or minor data. The AEPD interprets 'large scale' case by case: there is no fixed numerical threshold. In clubs with >500 minors, year-round schools, systematic medical records and continuous communications, most advisers recommend a formal DPO.
When it is advisable even if not mandatory
In clubs with 150-500 minors most are not formally required to appoint a DPO, but designating an internal DPO (or a privacy lead) dramatically reduces risk: somebody with explicit responsibility for keeping the RoPA, clauses, processor contracts and internal training current. The AEPD values voluntary appointments in case of inspection.
Internal vs external DPO: pros and cost
Internal DPO: a club member with specific training (60-100h official course, 300-600 €). Works well in small and mid-size clubs. Risk: conflict of interest if the same person makes operational decisions they later must supervise. External DPO: a specialist consultant or law firm. Cost 600-2,000 €/year in small clubs, more in large ones. Advantage: independence, guaranteed training, prior experience. Recommendation: if you already have a legal advisor handling the club, consider externalising the DPO through them to avoid scattering counterparts.
Data processors (Art. 28): contracts with your suppliers
Any supplier that processes personal data of the club on behalf of the club is a data processor. Article 28 GDPR requires a written contract (or addendum) that governs that relationship: purpose, duration, nature of the processing, type of data, processor obligations, security measures and return/destruction at the end. Without that contract the transfer is unlawful.
Typical processors in a sports club
- Club management software (OneClub and similar).
- Payment gateway (Stripe, Redsys, PayPal).
- Tax/accounting advisor that processes the club's books.
- Email-marketing platform (Mailchimp, Brevo, etc.).
- Website hosting provider.
- Professional messaging services if used for family communications.
What the Article 28 contract must cover
Subject and duration of the processing, nature and purpose, type of data and categories of subjects, specific processor obligations, controller instructions, sub-processor authorisation, technical and organisational security measures, breach protocol, return or destruction at the end, audit rights. Large providers (Stripe, Google, etc.) already have their own Data Processing Agreement (DPA) — you just accept it. For small providers (local accountant) you will need to provide the model and have them sign.
Data breaches: how to act and notify the AEPD
A 'data breach' (or personal-data security violation, in GDPR jargon) is any incident causing destruction, loss, alteration or unauthorised disclosure of personal data. It does not have to be a cyberattack — most are human error. Article 33 GDPR requires notification to the AEPD within 72 hours and, if there is high risk to the rights of those affected (Art. 34), also direct communication to them without delay.
Typical breach examples in clubs
- Theft or loss of a laptop or USB with the member database.
- Mass email with recipients in CC instead of BCC (everyone sees every address).
- Improper access by a former coach with credentials never revoked.
- Hacking of the club's website or management platform with data exfiltration.
- Accidental publication on the website of an Excel with personal data on a public URL.
Step-by-step playbook
- Contain the breach as soon as it is detected. Isolate the affected system, revoke credentials, remove the wrongly published document, cut off the attacker. Document the detection date and time.
- Assess the risk in the first 24 hours. Which data is affected, how many people, what reasonable consequences (identity theft risk, financial loss, moral damage, especially for minors).
- Notify the AEPD within 72 hours. Notification through the AEPD's electronic site. If you cannot meet 72h, notify anyway giving reasons for the delay. Describe nature, number of affected subjects, consequences and measures taken or proposed.
- Inform affected individuals if there is high risk. Letter or email to each affected person explaining what happened, which data, what to do (change passwords, monitor bank movements, etc.) and where they can turn. Plain language, no jargon.
- Log the breach internally. Confidential file with timeline, affected data, communications, decisions taken and lessons learned. Retain at least 5 years. Useful for defence in any future inspection and to improve security measures.
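The playbook above can be kept as a small breach register that fixes the detection time, computes the 72-hour AEPD deadline, decides whether affected individuals must be informed and refuses to record a late notification without a stated reason. This is an added example, not OneClub code; the set of categories treated as high risk and the two sample incidents are assumptions constructed for illustration.

```python
"""Breach register: detection timestamp, Art. 33 deadline, Art. 34 high-risk test,
and a timeline that records containment and notification decisions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

AEPD_WINDOW = timedelta(hours=72)
# Assumption: categories whose exposure this guide treats as high risk for the subjects.
HIGH_RISK_CATEGORIES = {"health", "minors", "financial", "national_id"}


@dataclass
class Breach:
    description: str
    detected_at: datetime
    data_categories: Set[str]
    affected_count: int
    contained_at: Optional[datetime] = None
    aepd_notified_at: Optional[datetime] = None
    delay_reason: Optional[str] = None
    timeline: List[str] = field(default_factory=list)

    def log(self, when: datetime, what: str) -> None:
        self.timeline.append(f"{when.isoformat()} {what}")

    def aepd_deadline(self) -> datetime:
        """Art. 33: 72 hours from becoming aware of the breach."""
        return self.detected_at + AEPD_WINDOW

    def high_risk(self) -> bool:
        return bool(self.data_categories & HIGH_RISK_CATEGORIES)

    def must_inform_individuals(self) -> bool:
        """Art. 34: direct communication only when the risk to subjects is high."""
        return self.high_risk()


def contain(b: Breach, when: datetime, action: str) -> None:
    b.contained_at = when
    b.log(when, f"contained: {action}")


def hours_remaining(b: Breach, now: datetime) -> float:
    return (b.aepd_deadline() - now).total_seconds() / 3600


def notify_aepd(b: Breach, when: datetime, delay_reason: Optional[str] = None) -> bool:
    """Record the AEPD notification. A late one is accepted only with a reason,
    because the guide says to notify anyway and explain the delay."""
    late = when > b.aepd_deadline()
    if late and not delay_reason:
        return False
    b.aepd_notified_at = when
    b.delay_reason = delay_reason if late else None
    b.log(when, "AEPD notified" + (f" (late: {delay_reason})" if late else ""))
    return True


# Constructed sample incidents.
def sample_cc_breach() -> Breach:
    b = Breach("Newsletter sent with 120 recipients in CC", datetime(2025, 2, 3, 9, 15),
               {"email"}, 120)
    b.log(b.detected_at, "detected by a member's reply")
    return b


def sample_laptop_breach() -> Breach:
    b = Breach("Laptop with member database stolen", datetime(2025, 2, 5, 18, 30),
               {"national_id", "health", "minors", "email"}, 640)
    b.log(b.detected_at, "reported by treasurer")
    return b


if __name__ == "__main__":
    for b in (sample_cc_breach(), sample_laptop_breach()):
        contain(b, b.detected_at + timedelta(hours=1), "credentials revoked")
        print(b.description, "| deadline", b.aepd_deadline(),
              "| inform individuals:", b.must_inform_individuals())
```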
Breaches are not rare: they happen in small clubs much more often than it seems, almost always due to human error (CC/BCC, badly published document, lost device). What the AEPD fines is not only the breach itself but the lack of notification or the absence of reasonable security measures. Notifying well and on time significantly reduces the fine risk.
LOPIVI vs GDPR: two laws that get mixed up every day
LOPIVI and the GDPR share an objective — protecting people — but protect different things, require different roles and are enforced by different authorities. Almost every club we advise mixes them up on at least one point. This is the table that clears the confusion, with a practical crossover at the end.
| Aspect | LOPIVI | GDPR / LOPDGDD |
|---|---|---|
| What it protects | The minor's physical and psychological integrity against violence. | Personal data of any natural person. |
| Who it applies to | Entities with regular activity involving minors. | Any club that processes personal data — all of them. |
| Internal responsible role | DPI — Child Protection Officer. | DPO — Data Protection Officer (mandatory in some cases). |
| Maximum fine | Up to 1 million euros (very serious infringements). | Up to 20 million euros or 4% of annual turnover. |
| Photo of minor without consent | May be an infringement if interpreted as public exposure of the minor. | Yes, clear infringement. The most sanctioned conduct in clubs. |
Practical crossover: a photo of a minor published without consent can trigger both laws at once. GDPR for unlawful processing of personal data (the image); LOPIVI for unauthorised exposure of the minor on a club channel. That is why the DPI and the GDPR lead need to talk to each other. More detail in our dedicated guide at /guias/lopivi-clubes-deportivos.
GDPR compliance checklist (18 points)
18 binary points that tell you whether your club is up to date with the GDPR. If you fail more than 4 — work for this week. If you fail more than 8 — serious risk in any inspection or complaint.
- We have a privacy policy reachable from the footer of every page.
- The privacy policy includes all Article 13 GDPR information.
- We have a written and signed Record of Processing Activities (RoPA).
- The RoPA covers every real processing activity of the club (at least 8-15 entries).
- Every enrolment form includes the Article 13 information clause.
- Consent checkboxes are separate, never pre-ticked and specific by purpose.
- Image consent for minors is a separate document from the enrolment form.
- Image consent has granular checkboxes per channel (internal / social / press).
- In shared custody we require both parents' signatures.
- We have signed Article 28 contracts with every processor (software, payment, accountant).
- Medical records are stored with restricted access and explicit consent.
- We know how to notify a breach to the AEPD within 72 hours and have a written protocol.
- There is an internal lead (or DPO) designated for privacy.
- Mass emails always use BCC, never CC.
- Lists of members or players with identifying data are not made public.
- We can distinguish a GDPR incident from a LOPIVI one.
- We have reviewed the privacy policy and RoPA within the last 12 months.
- Club staff have received at least one basic data-protection training session.
How OneClub helps you with GDPR day to day
OneClub is not a substitute for your lawyer and does not draft your privacy policy, but it does remove the operational friction that makes most clubs fall out of compliance by disorder — not bad faith. This is what we automate:
- GDPR clauses built into the forms. Sign-up and enrolment forms already include the Article 13 information with separate checkboxes per purpose. Each consent is logged with date, text version and per-user traceability.
- Granular image consent for minors. Separate document from the enrolment, with checkboxes per channel (internal, social, press, advertising), a line for both parents' signatures and a dedicated checkbox for over-14s. Revocable from the member portal.
- Role-based data access. OWNER, ADMIN and USER have distinct permissions. Only the Board and the DPO access medical records and CDNS certificates. All access is audited to respond to future rights requests.
- Processor contract with signed DPA. OneClub signs the Article 28 GDPR processor contract with your club. Templates, encrypted-at-rest data, backups and documented breach procedure.
Starting is free up to 50 members — no card required. If your club already has a privacy policy and a RoPA, in one afternoon you can have the system running with active clauses and traceable consents for all staff and families.
Official resources and useful links
Always work from an official source. These are the reference AEPD and BOE links — bookmark them as a privacy lead or DPO.
- AEPD — Spanish Data Protection Authority — Official AEPD homepage. Entry point to guides, templates, breach notification forms and case-law search.
- AEPD — FACILITA RGPD tool — Free AEPD tool to generate a RoPA and basic documentation adapted to small entities and SMEs.
- EUR-Lex — Regulation (EU) 2016/679 (GDPR) consolidated — Official consolidated text of the GDPR in English, with all amendments — EUR-Lex version.
- BOE — Organic Law 3/2018 LOPDGDD — Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights, consolidated text.
- AEPD — Compliance guides — Practical AEPD guides for associations, clubs and third-sector entities.
- AEPD — Data breach notification — Official form and guide to notify a personal-data breach within the 72-hour Article 33 GDPR deadline.