DEV Community

Custodia-Admin

GDPR for Amateur Sports Clubs: How to Handle Member Data Compliantly

Amateur sports clubs — whether you run a Sunday league football team, a local cricket club, a swimming club, or a tennis section — are data controllers under GDPR. That might come as a surprise to the volunteers who send out the fixture list from a shared Gmail account or store the membership roll in a spreadsheet on someone's laptop. But if your club holds names, contact details, dates of birth, medical information, or DBS check results, you are processing personal data and the law applies to you.

This guide is written for club secretaries, committee members, and welfare officers who want to understand what GDPR means in practice — without the legal jargon.

Before diving in, run a free 60-second scan of your club website at app.custodia-privacy.com/scan to identify any digital privacy gaps.


Why Your Club is a Data Controller

A data controller is anyone who decides why and how personal data is processed. Your club almost certainly meets this definition. Consider what you hold:

  • Member databases — names, addresses, dates of birth, phone numbers, email addresses, emergency contacts
  • Junior member data — all of the above plus parental details, school information, and potentially medical needs
  • Health and medical information — allergies, conditions, injury history, medications
  • DBS check records — for coaches, committee members, and anyone working with children or vulnerable adults
  • Payment records — membership fees, standing orders, bank details
  • Match and training photos and video — images posted to social media and club websites
  • Website and social media data — contact form submissions, email newsletter lists

Each of these involves personal data. Processing it lawfully requires a valid lawful basis — and in some cases, additional safeguards.


Lawful Basis: Getting the Foundations Right

GDPR requires you to identify a lawful basis for every type of data processing you carry out. For sports clubs, the main bases you will rely on are:

Contract — When someone joins your club, a contractual relationship is formed (even if informally). You can rely on contract as your lawful basis for processing the personal data necessary to deliver membership: recording their details, issuing fixture lists, collecting fees, and communicating about training sessions and matches.

Legal obligation — Some processing is required by law. Keeping DBS check records for those working with children and vulnerable adults is a legal obligation under safeguarding legislation. Retaining financial records is required for tax and charity law purposes. You do not need consent for these — legal obligation is your basis.

Legitimate interests — For some club communications — such as emailing former members about an annual fundraising dinner — you may be able to rely on legitimate interests, provided the processing is necessary, proportionate, and not overridden by the individual's rights. This requires a documented balancing test.

Explicit consent — For special category data (health information, medical conditions) and for processing children's data outside of the membership contract, you need explicit, freely given, informed consent. A pre-ticked box or a blanket consent buried in the membership form does not meet this standard.


Junior Member Data and Parental Consent

Junior members — typically under 13 in the UK — require particular care. GDPR and the UK's age-appropriate design code mean that you should obtain consent from a parent or guardian rather than the child themselves for data processing that goes beyond what is strictly necessary for their participation in the club.

Practically, this means:

  • Your membership form for junior members should be completed and signed by a parent or guardian
  • Consent for medical data (including any conditions or medications the coach needs to know about) must be explicit — a specific, separate consent statement, not a general "I agree to the terms"
  • Consent for photographs or video of juniors must be obtained separately from membership consent, and you should make clear how images will be used (internal only, club website, social media)
  • Parents should be told they can withdraw any consent at any time, and the club must have a process to act on withdrawals promptly

Maintain a consent register for junior members. If a parent withdraws consent for photography, you need a simple system to ensure no images of that child are posted online.


Sports Photography and Video at Matches

Photography and video at sports events is one of the most common GDPR grey areas for clubs. Here is how to approach it:

Adults — For adults playing at club events, you can generally rely on legitimate interests for taking photographs of matches and sharing reasonable coverage on club social media, provided you are not singling out individuals in ways that could embarrass or harm them. It is good practice to include your photography approach in your privacy notice and allow individuals to opt out of being photographed.

Junior members — Consent from parents or guardians is required before images of under-18s are published publicly. Photographs of juniors should not be published on publicly accessible social media without documented parental consent. If you hold training sessions, coaches should not photograph or video junior members on personal devices without club-sanctioned justification and parental agreement.

Third-party photographers — If you bring in a photographer for a presentation evening or a club event, they are acting as a data processor. You should have a written agreement covering how they will use images, how long they will retain them, and what happens to raw files.

Practical safeguards — Use a permission slip approach: issue a photograph consent form to all members at the start of each season. Collect, record, and store the results. Train committee members and coaches not to post images of anyone who has not consented.


Club Management Software as Data Processors

Many clubs use dedicated management platforms to handle memberships, fixtures, communications, and payments. Popular options include Pitchero, Teamer, ClubBuzz, and TeamApp. When you use these platforms, you remain the data controller — the platform is your data processor.

Under GDPR Article 28, you must have a written Data Processing Agreement (DPA) in place with every data processor you use. Most reputable platforms provide one as part of their terms of service, but you should:

  • Check that a DPA exists (look in the platform's privacy centre or legal documentation)
  • Understand where your members' data is stored — is it within the UK or EEA, or does it transfer to servers in the US or elsewhere?
  • Know how to extract or delete your member data if you switch platforms or a member requests erasure
  • Ensure the platform's security standards are adequate for the sensitivity of the data you are storing (especially if you hold junior member data or medical information)

If a platform cannot provide a DPA or is unclear about data storage locations, that is a red flag — consider whether you should continue using it.


Sharing Member Data with National Governing Bodies

Most sports clubs affiliated to a national governing body (NGB) — such as the FA, ECB, RFU, LTA, or Swim England — are required to share some member data with that body for registration, licensing, or competition purposes.

This sharing is generally covered by your membership contract: joining the club and being registered with the NGB is part of what membership involves, so you can rely on contract as your lawful basis. However, you should:

  • Tell members at the point of joining that their data will be shared with the NGB and explain why
  • Include the NGB in your privacy notice as a recipient of personal data
  • Check the NGB's own privacy policy to understand how they will use the data
  • Limit what you share to what is strictly necessary — do not send the NGB data it does not need

If your NGB requires junior member data, the same consent requirements that apply to the club apply to the transfer — parental consent must cover sharing with the NGB.


Volunteer Coach and Staff DBS Data

DBS (Disclosure and Barring Service) checks are a legal requirement for coaches, committee members, and volunteers who work regularly with children or vulnerable adults. They generate some of the most sensitive personal data a sports club holds.

Under GDPR, DBS check results are criminal conviction data — a special category requiring strict controls:

  • DBS certificates should not be photocopied or stored digitally unless you are registered with the DBS Update Service. Instead, record the date of the check, the level (basic, standard, enhanced), and whether it was satisfactory
  • Access to DBS records must be restricted to those who genuinely need to see them — typically the welfare officer and a designated committee member
  • DBS data should be retained only as long as necessary. The ICO recommends retaining DBS check records for six months after a recruitment decision is made. For ongoing volunteers, retain records for the duration of the relationship and delete promptly on departure
  • Your welfare officer should be trained in data protection as well as safeguarding — the two are deeply connected

If a DBS check reveals a concern and you take a safeguarding action, any records relating to that action may need to be retained longer as part of a safeguarding file. Take guidance from your NGB or a qualified safeguarding adviser.


Club Website and Social Media

Your club's digital presence creates its own data protection obligations:

Website contact forms — If your website has a contact form, you are collecting personal data. You need a privacy notice on your website explaining what you collect, why, and how long you keep it. Contact form submissions should not be retained indefinitely — set a deletion schedule.

Email newsletter lists — If you send a newsletter to club members and supporters, ensure you have a valid lawful basis. For current members, contract or legitimate interests may apply. For non-members (such as local press or sponsors), you need consent or a clear legitimate interest. Every newsletter should include an easy opt-out mechanism.

Social media accounts — When you post images of members on club social media, you are processing personal data. Images of identifiable adults and children are personal data. Apply the consent framework described above. Do not share images of juniors on public social media without parental consent.

Cookies and trackers — If your website uses Google Analytics, Facebook Pixel, or similar tools, you need a cookie consent banner and a cookie policy. Many club websites run on platforms like Pitchero or ClubBuzz that include analytics tools — check what tracking is enabled and whether your cookie notice covers it.


Membership Data Retention After a Member Leaves

One of the most commonly neglected areas is what happens to member data when someone leaves the club. Retaining data indefinitely is not compliant — you need a retention policy.

A reasonable approach:

  • Current member data — retain for the duration of membership plus a reasonable administrative period (typically 12 months) to deal with any disputes or queries
  • Financial records — retain for 6 years (UK statutory requirement for accounting records)
  • Junior member data — retain until the member reaches adulthood (18) and for a further period to deal with safeguarding queries that may arise after a member has left; many clubs adopt a 25-year retention period for safeguarding records on advice from their NGB
  • DBS check records — 6 months from the date of the check or, for ongoing volunteers, the duration of the relationship plus 6 months
  • Photographs and video — retaining historical club photographs as an archive is a legitimate interest, but images held primarily for social media promotion should be reviewed and archived or deleted when members leave

Communicate your retention policy to members in your privacy notice. When data reaches the end of its retention period, delete it securely.


GDPR Compliance Checklist for Amateur Sports Clubs

Work through this checklist with your committee:

Lawful basis

  • [ ] You have identified a lawful basis for each type of data you hold (membership data, health data, DBS data, marketing)
  • [ ] Explicit consent has been collected for health/medical data and for junior member data beyond the membership contract
  • [ ] Consent for photography is collected separately from membership, with junior member consent obtained from parents

Privacy notice

  • [ ] Your club has a written privacy notice that members receive at the point of joining
  • [ ] The notice covers what data you collect, why, how long you keep it, and who you share it with (including the NGB)
  • [ ] Your club website has a publicly accessible privacy policy

Junior members

  • [ ] Junior membership forms are completed by a parent or guardian
  • [ ] A parental consent register for photography is maintained and updated each season
  • [ ] You have a process to act on consent withdrawals promptly

DBS and safeguarding data

  • [ ] DBS check results are not stored as full copies — you record only the reference number, date, level, and outcome
  • [ ] Access to DBS records is restricted to the welfare officer and a designated committee member
  • [ ] A retention schedule for DBS records is in place

Club management software

  • [ ] A Data Processing Agreement is in place with Pitchero, Teamer, ClubBuzz, TeamApp, or whichever platform you use
  • [ ] You know where member data is stored geographically
  • [ ] You know how to delete member data from the platform when required

Sharing with NGBs

  • [ ] Your privacy notice explains that member data is shared with the NGB and why
  • [ ] You share only the minimum data required by the NGB

Website and social media

  • [ ] Your website has a privacy policy and cookie notice
  • [ ] Email newsletters include an opt-out mechanism
  • [ ] You do not post images of juniors on public social media without documented parental consent

Retention

  • [ ] A retention policy is documented and communicated to members
  • [ ] Former member data is deleted or anonymised at the end of the defined retention period

Where to Start

If you are starting from scratch, the highest-priority actions are:

  1. Write or update your privacy notice and distribute it to members
  2. Introduce a separate photography consent form for junior members
  3. Check that a DPA is in place with your club management software
  4. Review how DBS check data is stored and restrict access

For your club website, run a free compliance scan at app.custodia-privacy.com/scan — it identifies trackers, cookie issues, and missing privacy policy elements in 60 seconds, with no sign-up required.


This article provides general guidance on GDPR obligations for amateur sports clubs. It does not constitute legal advice. Your specific obligations depend on your jurisdiction, the sports you play, the age of your members, and your data processing activities. Consult a qualified data protection adviser or your national governing body's compliance team for advice tailored to your club.
