The General Data Protection Regulation (GDPR), also known as the “European privacy regulation”, will apply from 25 May 2018. From that moment on there is one privacy law for the entire European Union, which replaces the Personal Data Protection Act in the Netherlands.
Obligation to guarantee privacy
The new privacy law says that “the processing of personal data must be in the service of mankind”. It is up to the organizations that process this data to give priority to this. Each organization has the responsibility to use and store data wisely, to protect the individuals involved from misuse and unauthorized publication of their data, and to be able to demonstrate that it is actively doing so.
To ensure compliance with the European privacy regulation, associations must:
- Only request data that is actually needed (so-called ‘data minimization’) and keep it for as long as that is necessary
- Make organizational changes so that the relationship between the individual (member, parent and volunteer) and the data processor (the association) is recorded, with active permission requested for the use of the relevant data (this also applies to the use of photos and videos)
- If digital apps and social media are used within the association, members and parents of members under the age of 16 must give their consent
- Take technical measures so that only those who use data functionally (read: for the purposes for which the data have been requested) have access to that data
- Take technical measures so that the storage of personal data is properly secured
- Inform members about the privacy measures taken and efforts of the association to deal with personal data responsibly
- Document all the above measures, so that the association can prove its efforts (to comply with the privacy law)
- If a data breach occurs, report it within 72 hours to the people whose data has been leaked
View the GDPR Radboud Inline-skating from Radboud Inline-Skating / Inline-Skating Westfriesland
Radboud Inline-Skating must justify the use of data from its members
The GDPR makes the rules for the use of personal data stricter. As an association, we are obliged to substantiate why we want to collect and process personal data from our members and how long we want to keep that data. The starting point is ‘data minimization’: we are not allowed to request more data than strictly necessary. Once the use of personal data has ended, citizens in the EU have the ‘right to be forgotten’. For the association, this means that members can more easily ask for data to be removed.
Placement of visual material (photo or video)
Radboud Inline-Skating must have permission from identifiable persons and have a legitimate interest in the production and publication of visual material. Examples of a legitimate interest are press freedom, direct marketing, promotion of the organization or security. Competition reporting can also be justified under legitimate interest. In that case, a sports organization may publish or broadcast photos and images of competitions, even if, for example, spectators can be identified. The interests must be weighed carefully, and the interests of the association and those of the parties involved must be thoroughly considered and described.
At events at our locations, publication will take place on the website and physically at the location where photo/video recordings will be made.