GDPR starter kit for sports clubs + associations

Sports clubs often have volunteer directors lacking GDPR expertise — while WBTR since 2021 enables personal liability. Main matters: (1) Member records: name + address + email + DoB (age category for matches). No BSN, not even for "verification". (2) Youth members (under 16): parental consent at registration + separately for photo publication + separately for social media. (3) Match photos: sign at entrance with opt-out + per-publication choice. State in privacy statement. (4) Social media: caution with names + photos of minors. Prefer omitting surnames. (5) Sponsors: share data only with explicit consent — not "everyone who is match sponsor" automatically into newsletter. (6) SaaS tools (Sportlink, Club.Cloud, Microsoft Teams): DPA required. (7) Match data online: KNVB / NLZ publish rankings with names — own controller. Association not liable for what KNVB puts on its site — yes for what they share themselves. WBTR impact: directors personally liable on serious negligence — like data breach + no procedure. Privacy liability insurance recommended for sports associations. Our guide: see also WBTR explainer.