Who is the data controller of association members' personal data, and what is the legal basis for processing association members' personal data?

ANSWER

It should first be noted that under Article 4(7) GDPR a data controller may be a natural or legal person, a public authority, agency or other body which alone or jointly with others determines the purposes and means of processing personal data. Under the GDPR, the data controller in the situation described will therefore be the association — the sports club. The president of the association alone will not be the controller, as they are a member of the management board authorised to represent the association.

Association members' personal data will as a rule be processed on the basis of Article 9(2)(d) GDPR for special category personal data, while for other personal data the appropriate bases are found in Article 6(1)(a)–(f) GDPR.

As regards publishing association members' images together with their first and last names — whether on websites or, for example, at the club premises — consent under Article 6(1)(a) GDPR must be obtained for such a processing purpose. At the same time, remember consent under Article 81(1) of the Copyright and Related Rights Act or the exception under paragraph 2 of that provision.