Are WhatsApp groups in sports clubs breaching GDPR?


27 Feb 2020


The GAA has advised its clubs against using WhatsApp groups. Here, the team at William Fry examines what other sports clubs should think about.

It is common practice for sports clubs to communicate with members using the WhatsApp groups feature. However, the collection and further dissemination of personal data in this manner gives rise to concerns from a data protection law compliance perspective.

The GAA, which has identified a number of concerns, recently advised its members that WhatsApp groups used for official communications might not be compliant with GDPR.

The GAA’s policy sets out three potential GDPR compliance issues that arise where personal data is shared via WhatsApp groups.

1. Lawful basis

According to GDPR, personal data can only be processed where there is a lawful basis for doing so. Examples of lawful bases include that the processing is necessary to perform a contract, for legitimate interests or to comply with a legal obligation.

In many cases, there will be a clear lawful basis for sports clubs to collect personal data from members, for example, to administer club membership or to comply with child protection laws.

However, this would only be lawful to the extent that the data collected is limited to what is necessary to administer membership and that the processing itself is restricted to that purpose alone.

If there is additional processing of club member personal data, for example, numbers and profile pictures being shared with larger WhatsApp groups who do not need access to the data, it may be necessary to obtain consent from the club members to ensure the processing is lawful.

Under GDPR, consent is only valid if it is specific, fully informed, freely given, provided by means of a clear affirmative action and as easy to withdraw as it was to provide.

2. Compliance with subject access requests (SARs)

A person has the right to obtain a copy of his or her personal data from the controller of the data. The controller must respond with a copy of the data within one month of receiving the SAR. This right is subject to a number of exceptions being applied. For example, data may be withheld if disclosing the data may adversely affect the rights and interests of others.

Sports clubs responding to SARs must locate the data across the various media in which it is held, collate it and, before handing it over to the person in question, review it to ensure that none of the exceptions under the Data Protection Acts 1988-2018 apply and, in particular, that disclosing the personal data would not adversely affect the rights and interests of others.

The transmission and storage of personal data across multiple WhatsApp groups creates challenges for sports clubs in seeking to comply with SARs and providing members with a full suite of personal data within a one-month timeframe.

This challenge is exacerbated by the fact that WhatsApp does not have an auditing feature, which would allow the club to gather a person’s data or delete it.

3. International data transfers

There is also a risk that personal data may be transferred outside the European Economic Area (EEA) without the additional safeguards required by GDPR being put in place by the club.

Under GDPR, personal data may only be transferred outside the EEA where the country or the recipient in question has provided appropriate safeguards, such as putting certain contractual terms in place with the relevant recipient.

The GAA’s policy

The GAA has stated that, “due to these reasons, the use of WhatsApp in an official capacity is not advisable”. However, WhatsApp has responded to the GAA policy, emphasising that the messaging service also has a number of built-in tools that put individual users in control of their group interactions.

These include a Group Privacy Setting, which enables users to decide, at a very granular level, who can add them to a group.

As a solution to these concerns, the GAA has started developing a GDPR-compliant messaging service as part of its own app. This messaging service aims to ensure that personal data is not shared without consent, give clubs auditing ability over the data processed, and ensure that all personal data will be stored within the EEA.

What other sports clubs need to consider

These GDPR concerns need to be considered by all sports clubs that use messaging services for official communications with teams and members. National governing bodies and clubs should develop or use a communication method that complies with GDPR.

Sports clubs should not share members’ names, phone numbers and other personal data without their consent or another lawful basis. This might be achieved by contacting club members individually rather than through a group chat.

Clubs should use a messaging service that allows the ability to compile a member’s personal data and delete it if requested to do so by the member. Personal data should also be stored within the EEA or, if transferring data outside the EEA, the service should have the required additional safeguards in place.

Governing bodies and clubs should further consolidate these steps by appointing an individual to take responsibility for data protection compliance and putting in place data protection policies, practices and accountability frameworks to comply with the GDPR and the Irish Data Protection Acts 1988-2018.

By Derek Hegarty, Craig Sowman and Leo Moore, with contributions by Patrick Murphy, Donnacha Egan and Anna Ní Uiginn

Derek Hegarty and Craig Sowman are partners in William Fry’s Litigation and Dispute Resolution department. Leo Moore is a partner in the William Fry Technology Group. Patrick Murphy is an associate in William Fry’s Litigation & Dispute Resolution department and a member of the William Fry Sports Group. Donnacha Egan is a trainee solicitor at William Fry. Anna Ní Uiginn is an associate in William Fry’s Technology Department.

A version of this article originally appeared on the William Fry blog.