Names, surnames, dates of birth, email addresses, phone numbers, face photos, medical certificates, bank details, children’s names, food allergies reported for the summer camp.
Your sports club holds all of this. Probably in a password-free Excel spreadsheet, a Google Drive folder shared with “anyone with the link”, and a shoebox in the club’s storage room.
The day a former member sends an email with the subject line “Exercise of the right of access — Article 15 of the GDPR”, you have 30 days to provide the complete list of everything you hold about them. Thirty days. And most clubs don’t even know where to start.
In 2026, ignoring GDPR is no longer an option. And no, it’s not “a thing for businesses”.
“GDPR is for businesses, not for us”
This is the most common sentence heard in club boardrooms. And it’s wrong.
The General Data Protection Regulation applies to any organization that processes personal data: companies, public bodies — and associations. Including sports clubs, regardless of their size.
As soon as your club manages a membership list with names, email addresses, phone numbers, dates of birth, or photos — you’re processing personal data. And you’re subject to GDPR.
The numbers speak for themselves. In 2025, France’s data protection authority (CNIL) issued 83 sanctions and 143 formal notices, totaling €487 million in fines. While record-breaking fines target large corporations, the simplified procedure now reaches smaller organizations with fines ranging from €3,000 to €20,000. Enough to put a club in serious financial difficulty.
The 5 obligations every club must know
1. The processing register
This is the foundation of your compliance. Since 2018, associations no longer need to pre-register their files with data protection authorities. In exchange, they must maintain a register documenting:
- Who is responsible for data processing (the president or the board)
- Why you collect data (membership management, accounting, communication)
- What categories of data you collect (identity, contact, health, performance)
- How long you keep it
- Who has access (which volunteers, which tools)
- How you protect it
You don’t need a 50-page document. A clear, up-to-date table will do. But it must exist. In 2026, the rule is clear: no documentation = no compliance. Verbal good intentions no longer count.
2. Informing members
At the time of registration, your members must be clearly informed about:
- How their data will be used
- How long it will be stored
- Their rights (access, correction, deletion)
- Who is responsible for processing and how to contact them
In practice, this means adding a data protection notice on your registration form — paper or online. Not an unreadable legal wall of text, but clear and accessible information.
3. Data retention periods
This is one of the most overlooked requirements. You cannot keep member data indefinitely. The rule is straightforward:
- Active members: for the duration of their membership
- Former members: 3 years maximum after membership ends
- Beyond that: mandatory deletion or anonymization
That Excel spreadsheet containing every member since the club was founded in 2003? It’s illegal. All data from former members older than 3 years must be purged.
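The retention rule above is mechanical enough to check automatically. The script below is an added illustration, not part of the original article or of any product it mentions: it walks a constructed membership list, keeps active members and recent leavers, and flags anyone whose membership ended more than 3 years ago for anonymization. The 3-year figure and the sample members are assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RETENTION_YEARS = 3  # former members: 3 years maximum after membership ends


@dataclass
class Member:
    name: str
    email: str
    membership_end: Optional[date]  # None means the member is still active


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def retention_status(member: Member, today: date) -> str:
    """'keep' for active members and recent leavers, 'purge' past the limit."""
    if member.membership_end is None:
        return "keep"
    cutoff = years_before(today, RETENTION_YEARS)
    return "purge" if member.membership_end < cutoff else "keep"


def anonymize(member: Member) -> Member:
    """Strip identifying fields; only an anonymous record survives (e.g. for headcounts)."""
    return Member(name="[anonymized]", email="", membership_end=member.membership_end)


def apply_retention(members: List[Member], today: date) -> Tuple[List[Member], List[Member]]:
    """Split the list into records to keep and anonymized records of purged members."""
    kept, purged = [], []
    for m in members:
        (kept if retention_status(m, today) == "keep" else purged).append(
            m if retention_status(m, today) == "keep" else anonymize(m))
    return kept, purged


# Constructed sample membership list (fictional people, for the demonstration only)
SAMPLE_MEMBERS = [
    Member("Alice Example", "alice@example.org", None),                # active
    Member("Bob Example", "bob@example.org", date(2024, 6, 30)),     # left under 3 years ago
    Member("Carol Example", "carol@example.org", date(2003, 9, 1)),  # the 2003 spreadsheet case
]

if __name__ == "__main__":
    kept, purged = apply_retention(SAMPLE_MEMBERS, date(2026, 3, 1))
    print("keep:", [m.name for m in kept], "| purged:", len(purged))
```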
4. Member rights
Every member can exercise their rights at any time:
- Right of access: obtain the complete list of their data (the dreaded “Article 15” email)
- Right to rectification: correct inaccurate information
- Right to erasure: request deletion of their data
- Right to object: oppose certain processing activities (newsletter, photos)
Your club must have a procedure for handling these requests. The legal deadline is 30 days. After that, the member can file a complaint with the data protection authority.
5. Data security
Protecting your members’ data isn’t optional. Basic measures include:
- Passwords on files containing personal data
- Restricted access to only those who need it
- Regular backups of data
- HTTPS if you have a website or online forms
- No sensitive data via unsecured email
And in case of a data breach (hacking, lost computer, file sent to the wrong recipient), you must notify the data protection authority within 72 hours.
The special case of photos and minors
This is the trap nearly every club falls into.
Member photos
Publishing photos of your members on Facebook, Instagram, or the club website requires their explicit prior consent. Not implied consent. Not “they agreed verbally.” A signed document or checked box.
And that consent:
- Must specify the platforms (social media, website, display)
- Must be revocable at any time
- Cannot be a condition of registration (consent must remain freely given)
Data about minors
If your club welcomes children and teenagers — and most sports clubs do — you must exercise extra vigilance:
- Parental authorization is mandatory for using minors’ photos
- Information about data processing must be adapted to the child’s age and maturity
- Health data (medical certificates, health questionnaires) benefits from enhanced protection
Combine this with safeguarding obligations like the French law of March 8, 2024 on background checks for youth coaches, and you can see the full weight of responsibility resting on club leaders who work with minors.
What’s changing in 2026
GDPR isn’t new — it’s been in force since 2018. But three developments make compliance more urgent than ever:
1. Enforcement is intensifying. With 259 decisions in 2025 (up from 180 in 2023), the pace is accelerating. Simplified procedures now allow authorities to sanction organizations of any size quickly, including associations.
2. Documented compliance is the new standard. The era of “we’re careful, don’t worry” is over. During an audit, authorities request written evidence: processing register, privacy notices, rights management procedures. If you can’t produce them, you’re in violation.
3. Members know their rights. Access requests, deletion demands, and objections are multiplying. A worried parent, a disgruntled former member, a former volunteer in conflict — anyone can exercise their rights and, if unanswered, file a complaint.
The 5-step action plan for your club
You don’t need to hire a data protection lawyer. Here are the concrete steps to bring your club into compliance:
Step 1: Inventory your data. List every place where you store personal data: spreadsheets, software, paper files, emails, WhatsApp groups, social media. You’ll probably be surprised by the number of sources.
Step 2: Create your processing register. A simple table answering: what, why, how long, who has access, how it’s protected. Most data protection authorities provide free templates on their websites.
Step 3: Update your registration forms. Add a clear data protection notice. Include separate consent checkboxes for communications and photos. Don’t bundle everything into one consent.
Step 4: Purge old data. Delete data from members who left the club more than 3 years ago. Yes, that includes the ancient Excel file from 2012.
Step 5: Train your board. No need for a full-day seminar. A one-hour meeting to explain the basics: who has access to what, how to respond to an access request, and what to do if something goes wrong.
Compliance as an asset, not a burden
It’s tempting to see GDPR as yet another constraint on already overworked volunteers. But compliance is also a trust signal sent to your members and their families.
A club that protects its members’ data is a club that takes its responsibilities seriously. It’s a club where parents feel safe registering their children. It’s a club that inspires confidence in local authorities and sponsors.
Two evenings of work. That’s what it takes to create a register, update the registration form, and purge obsolete data. Not two months. Not a consulting budget. Two evenings.
Your club won’t be perfectly compliant — no club is at 100%. But it will be protected enough to handle an audit, reassure members, and let your volunteers sleep at night.
It’s within reach for every club. Including yours.
Paak centralizes your members’ data in a secure, 100% European environment: consent management, retention periods, member rights. Built for compliance from day one. paak.club