Not all sports clubs have €300,000 just kicking about. However, last week we saw an unnamed football association get hit with a large fine due to lack of compliance with data protection regulations. As time goes on, we are seeing more and more organisations being fined for not complying with their local data protection laws. This specific case could have been prevented easily, and the Association could have avoided the fine that they’d received, but most importantly, kept their user data safe by processing it properly.
What did they do wrong?
The sports club was fined for breaching the accountability requirement laid down in article 5(2) of the GDPR. As a data controller, you have an obligation to map your data, have a sufficient record of processing and understand the ways in which you or any third party services are processing personal data entrusted to the organisation. This process is also used to understand where the data is being stored and shared, so that you can ensure it is adequately protected and is not subject to misuse or misconduct.
The organisation did not have the correct contractual procedures in place with the service provider to which it transferred member and employee personal data, and failed to log or document any of the processes or decisions surrounding the transfer (i.e., who commissioned the service provider, the specific obligations of the Association and the service provider, and to what extent the service provider had access to the personal data). The supervisory authority also found that the management board's knowledge of the data transfer process was insufficient, and that outsourcing the user data without notifying data subjects showed that the organisation had neglected its basic data protection obligations.
Data controllers' obligations
As a data “controller”, your organisation has an obligation to understand how the personal data under your control is being processed by the third party services that you use. Not only must you understand it, but you must also take accountability for what happens to the data. It is your responsibility to ensure that third party services are not handling the data irresponsibly or illegally: when using an external provider or data processor, the onus lies with the controller to ensure that the data is processed in line with regulations. Article 28 of GDPR states that: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Article 28 also outlines that the “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
Steps to prevent similar fines
All data controllers should put in place processing agreements, sometimes called data processor addendums (“DPA”): a contract between the data controller and the data processor, so that both parties understand their responsibilities and liabilities and the data is handled in accordance with legal regulations. Having this legal contract in place could have helped the Association demonstrate compliance with the GDPR, including its accountability provisions, and could have reduced the administrative fine or even avoided it altogether.
When it comes to GDPR, there really is no way around it. Your organisation must understand that if these provisions weren’t imperative to the protection of the data subject, they wouldn't have been implemented in the first place. The €300,000 fine imposed by the Baden-Wuerttemberg Data Protection Authority was calculated based on 4% of the Association's annual revenue. This financial loss could have been avoided if the Association had fulfilled their legal obligations when sharing their subject data to be processed by an external provider.
If the use of a third party service provider could result in a high risk to the rights and freedoms of your data subjects, a DPA should be put in place and a Data Protection Impact Assessment (“DPIA”) carried out, so that you are aware of the risks associated with the processing activities involved. 9ine’s DPIA and Records of Processing services allow your organisation to understand the risks associated with its data processing activities, mitigate them efficiently, and document its actions. This ensures that you can evidence your compliance, reducing the risks surrounding your data privacy and protection activities and eliminating the risk of being issued a fine like the one this sports association received.