Why GDPR Applies to Sports Coaches
If you coach athletes — whether at a grassroots club, a private academy, or as an independent personal coach — you almost certainly process personal data. Names, contact details, date of birth, medical conditions, injury histories, performance metrics, and even video footage of training sessions all constitute personal data under the UK GDPR and EU GDPR.
Sports coaching sits at an unusual intersection of data protection law. Coaches handle not just ordinary personal data, but frequently special category data — particularly health and medical information — which attracts the highest level of legal protection. Add children into the mix, and the compliance obligations become even more significant.
The Information Commissioner's Office (ICO) in the UK and equivalent supervisory authorities across the EU expect sports organisations, clubs, and individual coaches to take data protection seriously. This guide explains what you need to do — practically and clearly — without requiring a law degree.
What Data Do Sports Coaches Actually Collect?
Before you can comply with GDPR, you need to know what personal data you hold. For sports coaches, this typically includes:
- Basic identity data: Full name, date of birth, address, email, phone number
- Medical and health data: Injury history, current medical conditions, medications, allergies, medical clearance forms, physiotherapy reports
- Performance data: Training logs, competition results, fitness test scores, personal bests, progression tracking
- Biometric and wearable data: Heart rate data, GPS location data, VO2 max readings, sleep and recovery metrics from fitness trackers
- Video footage: Training session recordings, competition footage, video analysis clips
- Financial data: Payment records, bank details, invoice history
- Emergency contact information: Next of kin names and phone numbers
- Parental and guardian data: For athletes under 18, names, contacts, and consent records
- Safeguarding records: DBS check records, safeguarding incident logs
Each of these categories carries different legal obligations. The key distinctions are between ordinary personal data, special category data (health and biometric information), and children's data.
Children's Data: Additional Protections for Under-18 Athletes
Many sports coaches work primarily with children and young people. GDPR and the UK GDPR impose additional obligations when processing the personal data of minors.
Parental Consent
Under UK GDPR, children under 13 cannot provide valid consent to data processing — a parent or guardian must give consent on their behalf. Children aged 13 to 17 can consent to some processing, but for health data and sensitive processing you should still seek parental consent as best practice.
In practice, this means your registration forms for junior athletes must be signed by a parent or guardian, and must explain clearly what data you collect, why, how long you keep it, and who you might share it with.
Safeguarding Policies
If you coach children, you are likely required by your national governing body (NGB) to hold a valid DBS (Disclosure and Barring Service) certificate. The records relating to your DBS check are themselves personal data and must be handled appropriately — stored securely, retained only as long as necessary, and not shared unnecessarily.
Any safeguarding concerns or incident reports relating to children must be handled with particular care. These records are sensitive and should be held securely, with access restricted to those who need it.
Social Media and Photos
Posting photos or videos of child athletes on social media — even on your club or coaching business page — requires explicit, informed consent from a parent or guardian. A blanket "you agree to photos being taken" clause buried in a registration form is not sufficient. The consent must be specific, freely given, and easily withdrawable.
Health and Medical Data as Special Category Data
Health data is classified as special category data under Article 9 of the GDPR. This means it requires a higher standard of legal justification to process — you cannot rely on ordinary legitimate interest.
What Counts as Health Data in a Sports Context?
- Injury history and injury reports
- Medical conditions that affect training (e.g. asthma, diabetes, epilepsy)
- Medications that athletes take
- Medical clearance forms signed by GPs
- Physiotherapy and rehabilitation notes
- Mental health information
- Allergy information
Lawful Basis for Processing Health Data
For health data, you need both a lawful basis under Article 6 and a condition under Article 9. The most relevant conditions for sports coaches are:
- Explicit consent: The athlete (or their parent, if under 13) has given specific, written consent to you processing their health data.
- Vital interests: Processing is necessary to protect someone's life — for example, an emergency medical situation.
- Substantial public interest: Relevant for some safeguarding processing, particularly where there is a legal safeguarding obligation.
You should document which condition you rely on for each type of health data processing, and keep records of the consents you have obtained.
Lawful Basis for Ordinary Personal Data
For non-sensitive personal data (name, contact details, performance records), sports coaches typically rely on one of these lawful bases:
- Contract: Processing is necessary to perform the coaching contract.
- Legal obligation: Certain processing is required by law — for example, keeping financial records for HMRC, or safeguarding records as required by your NGB.
- Legitimate interest: You have a genuine business interest that does not override the athlete's rights.
- Consent: For optional processing — such as sending a newsletter or sharing performance data with a third party — you need freely given, specific, informed, and unambiguous consent.
Video Analysis Footage: Consent Requirements
Video footage of individuals constitutes personal data under GDPR. Many sports coaches now routinely record training sessions and competitions for analysis purposes — and this is entirely lawful, provided you handle it correctly.
What You Need to Do
- Tell athletes (and parents of junior athletes) before recording begins that footage will be taken and how it will be used
- Explain how long recordings will be retained and who will have access
- Obtain consent where required — particularly for footage of children
- Store recordings securely — not on public cloud services without appropriate controls
- Delete footage when it is no longer needed for its original purpose
- Never share footage publicly (e.g. on social media) without explicit consent from every person who appears in it
If you use third-party video analysis platforms, you must have a data processing agreement (DPA) in place with that provider.
GPS and Wearable Fitness Data: Biometric Considerations
GPS tracking devices, heart rate monitors, and wearable fitness trackers generate data that can be considered biometric data under GDPR. As a practical matter:
- Inform athletes clearly that you are collecting this data and for what purpose
- Obtain explicit consent before using third-party apps or platforms that process wearable data
- Check the privacy policies of any fitness tracking platforms you use and ensure they comply with GDPR
- Do not retain granular biometric data beyond what is necessary for the coaching purpose
Sharing Data with Clubs, NGBs, and Selectors
Sports coaches frequently need to share athlete data — with the club they coach for, national governing bodies, talent selectors, or medical staff. GDPR requires you to be transparent about this sharing and, where necessary, to have legal agreements in place.
If you are an independent coach, you are likely the data controller. If you share data with another organisation (such as a club or NGB), that organisation may also become a controller in their own right. Where another party processes data on your instructions, you must have a written data processing agreement with them.
Your privacy notice must tell athletes (and parents of young athletes) who you share their data with and why.
Data Retention: How Long to Keep Athlete Records
GDPR requires you to keep personal data only for as long as necessary. A practical retention schedule for sports coaches:
- Coaching session records and performance data: Duration of coaching relationship plus 1–3 years
- Medical and health records: Often longer — check with your NGB or professional insurer
- Financial records: 6 years (HMRC requirement)
- Safeguarding records relating to children: Often until the child reaches age 25, or longer
- Consent records: Keep for as long as you rely on the consent, plus a period afterward
- Video footage: Delete when no longer needed for analysis
Practical GDPR Compliance Checklist for Sports Coaches
Data Inventory
- [ ] Have you mapped all the personal data you collect, store, and share?
- [ ] Have you identified which data is special category (health, biometric)?
- [ ] Do you know where all data is stored?
Lawful Basis
- [ ] Have you identified the lawful basis for each type of data processing?
- [ ] Do you have explicit consent records for health data processing?
- [ ] Do you have parental consent records for athletes under 13?
Privacy Notice
- [ ] Do athletes and their parents receive a clear privacy notice at registration?
- [ ] Is your privacy notice written in plain, clear language?
Data Security
- [ ] Are athlete records stored securely?
- [ ] Do you have a process for reporting data breaches to the ICO within 72 hours?
Video and Images
- [ ] Do you have consent for recording and video analysis?
- [ ] Do you have parental consent before posting images of children on social media?
Retention and Deletion
- [ ] Do you have a documented retention schedule for each category of data?
- [ ] Do you regularly review and delete data that is no longer needed?
Getting Started
GDPR compliance for sports coaches does not need to be complicated. Start with the fundamentals: understand what data you hold, document your lawful basis for each type of processing, put a clear privacy notice in place, and obtain proper consents — particularly for health data and for children.
Tools like Custodia can help you generate compliant privacy policies, manage cookie consent, and handle data subject access requests automatically — so you can spend more time coaching and less time on paperwork.