GDPR for clubs and associations: members, photos, WhatsApp
The volunteer-run football club is a controller too. Three files cover it: the member register, the photo permissions, and the group-chat rules.
The member register runs on the membership contract — name, contact, fees, team: fine without consent. Health notes for training, dietary or medical flags for youth camps are Art. 9 data: collect only with explicit (parental) consent, store separately, share with coaches on need-to-know. When members leave: delete on schedule, keep only what accounting law requires. Passing the register to sponsors or federations needs its own basis — check the federation’s rules and say so in your privacy note. Photos are the perennial fight: team photos and match reports on the public site or socials need consent — practical pattern: a per-member (per-child) photo permission at sign-up, revocable, with a no-photo list every team leader actually receives. Action shots at public matches sit in a milder zone editorially, but a no-photo child is a hard line. The school-photo logic transfers one-to-one. Group chats: adding every parent’s number to a WhatsApp group discloses phone numbers to all — ask first, prefer broadcast lists or a club app for youth teams, and set a rule that member photos stay in the group. Volunteers change; access shouldn’t linger: the ex-treasurer with the member spreadsheet on a home laptop is the classic club breach. One shared, access-controlled drive; rotate credentials with the board. A one-page privacy note on the club site plus a modest Art. 30 record and the club is genuinely done.
Verified against the sources above on 18 July 2026. Information, not legal advice.