GDPR Guidance for Club Administrators

Last updated: 13 February 2026

CricketClubBuilder provides tools to help you manage your club. However, your club remains responsible for the personal data you upload, manage, publish, and control.

This guidance explains your responsibilities under applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).

Important Disclaimer

This page is provided for general information only and does not constitute legal advice.

CricketClubBuilder does not provide legal services. Clubs are responsible for ensuring their own compliance with applicable data protection laws.

If you are unsure about your obligations, you should consult:

• Your club’s Data Protection Officer (if applicable)
• A qualified legal advisor
• Official guidance from your national supervisory authority (such as the UK Information Commissioner’s Office)

Helpful external resources:

• https://gdpr.eu/
• https://ico.org.uk/for-organisations/

1. Your Role as a Data Controller

When your club collects and manages personal data relating to members, players, volunteers, parents, supporters, or club officials, your club acts as the Data Controller.

CricketClubBuilder provides a structured online platform that enables clubs to collect, manage, and publish information. The platform may include standard data fields such as:

• First name
• Last name
• Email address
• Phone or WhatsApp number
• Date of birth

Clubs may also use the platform to:

• Record and publish match scores and player statistics
• Publish news articles and updates
• Create and promote events
• Display sponsor information
• Add and display details of club officials (such as names, roles, and contact information) on the club website

CricketClubBuilder acts as a Data Processor, meaning we process personal data on behalf of clubs and in accordance with their instructions through use of the platform.

While CricketClubBuilder determines the technical structure, functionality, and security of the platform, your club determines:

• Whether personal data is collected
• What information is entered into the system
• The purposes for which it is processed
• The lawful basis for processing
• What content is published
• Which officials’ details are made publicly available
• How long personal data is retained

As the Data Controller, your club is responsible for:

• Ensuring there is a lawful basis for processing
• Providing compliant and transparent policies
• Obtaining valid consent where required (including for children and photography)
• Ensuring that officials have agreed to publication of their details
• Protecting personal data
• Responding to data subject rights requests

Club Policies and Legal Documents

CricketClubBuilder provides dedicated pages within the platform where clubs may create and publish their own policies and legal documents. These may include:

• Privacy Policy
• Terms & Conditions
• Junior Consent forms
• Membership Terms
• Refund Policy

These pages are provided as empty templates by default. CricketClubBuilder does not supply legal wording, create content, or review the adequacy of any policy added by a club.

Clubs are solely responsible for:

• Drafting the content of their policies
• Ensuring those policies comply with applicable laws
• Keeping policies accurate and up to date
• Making policies available to members and users
• Ensuring that required consents are properly obtained

If a club leaves any policy page empty or incomplete, this remains the responsibility of the club as Data Controller.

Recording Policy Acceptance

CricketClubBuilder may provide functionality allowing users to confirm acceptance of club policies during registration or sign-up.

CricketClubBuilder’s role is limited to providing the technical mechanism for displaying policies and recording user acknowledgement.

CricketClubBuilder:

• Does not draft, approve, or validate club policies
• Does not provide legal advice
• Is not responsible for the legal sufficiency of any policy content

2. Lawful Basis for Processing

Before collecting or entering personal data into the platform, your club must identify and document an appropriate lawful basis under Article 6 GDPR.

Common lawful bases used by sports clubs may include:

Consent
For example:

• Marketing communications
• Photography
• Public display of contact details

Consent must be freely given, specific, informed, and capable of being withdrawn.

Contract
Processing necessary to administer membership, manage teams, or organise club participation.

Legal Obligation
Processing required for safeguarding, financial compliance, or governing body regulations.

Legitimate Interests
Processing necessary for routine club operations, provided those interests do not override individual rights.

Your club must be able to explain:

• What data is collected
• Why it is collected
• Which lawful basis applies
• How long it is retained

This information should be reflected in your Privacy Policy.

3. Special Category Data (Sensitive Data)

Special category data includes:

• Health or medical information
• Disability details
• Ethnicity
• Religious beliefs
• Biometric data

CricketClubBuilder is not designed as a medical or safeguarding records system and does not provide dedicated functionality for collecting or managing special category data.

Clubs should avoid entering sensitive personal data into the platform unless strictly necessary and legally justified.

If a club chooses to store special category data using the platform (including within free-text fields), the club remains solely responsible for ensuring:

• A lawful basis under Article 6
• An additional lawful condition under Article 9
• Appropriate safeguards

Where possible, highly sensitive records should be managed using appropriate secure systems designed for that purpose.

4. Data Minimisation

Only collect data necessary for legitimate club purposes.

Appropriate examples:

• Name
• Date of birth
• Contact details
• Membership status

Avoid:

• Unnecessary personal notes
• Irrelevant personal opinions
• Sensitive data without clear justification

5. Accuracy and Updates

Clubs must ensure personal data is accurate and up to date.

You should:

• Correct errors promptly
• Update records when details change
• Remove or archive records when members leave
• Regularly review outdated records

6. Privacy Notices (Transparency Requirement)

Clubs must provide members (and parents of juniors) with a clear and accessible Privacy Notice.

A Privacy Notice must explain:

• What data is collected
• Why it is collected
• The lawful basis
• Who data is shared with
• How long it is retained
• Whether data is transferred outside the UK/EU
• Data subject rights
• How to complain to a supervisory authority

Privacy Notices should be reviewed regularly.

7. Children and Junior Players

Where clubs manage data relating to children:

• Obtain appropriate parental consent where required
• Collect only necessary information
• Take extra care with security
• Be cautious with photography and public visibility

Children’s data requires heightened care and accountability.

8. Photography and Media Use

Clubs must:

• Obtain appropriate consent for photography
• Take extra care when publishing images of juniors
• Avoid publishing excessive personal information alongside images
• Clearly explain media use in their Privacy Policy

9. Data Subject Rights

Individuals have the right to:

• Access their data
• Request correction
• Request deletion
• Restrict processing
• Object to certain processing
• Data portability (where applicable)

Clubs are responsible for responding within legal timeframes (usually one month).

CricketClubBuilder may assist with deletion requests upon instruction from the club.

10. Access Control

Use role-based permissions carefully:

• Grant admin access only to trusted individuals
• Limit access for coaches and volunteers
• Remove access when no longer required
• Never share login credentials

11. Security Best Practices

Clubs should:

• Use strong, unique passwords
• Enable two-factor authentication (if available)
• Avoid shared accounts
• Secure devices used to access the platform
• Log out of shared devices

12. Data Retention

Personal data must not be kept longer than necessary.

Clubs should:

• Define retention periods
• Avoid indefinite storage
• Document retention policies
• Securely delete data when no longer required

13. Record of Processing Activities (ROPA)

Clubs should maintain a simple record of:

• Categories of data processed
• Purpose of processing
• Lawful basis
• Who has access
• Retention periods

14. Data Protection Impact Assessments (DPIA)

If your club processes higher-risk data (such as large volumes of children’s data or publicly accessible directories), you may need to conduct a DPIA.

15. Data Breaches

If a breach occurs:

1. Secure accounts immediately
2. Assess risk
3. Notify your data protection lead
4. Contact CricketClubBuilder if assistance is required
5. Report to your supervisory authority if legally required

Serious breaches may require notification within 72 hours.

16. Leaving the Platform

If your club stops using CricketClubBuilder:

• You may request deletion of your club account and associated personal data
• Upon verified request, CricketClubBuilder will delete data in accordance with our retention and backup policies
• Clubs remain responsible for any personal data stored outside the platform

If you require a copy of your data prior to deletion, please contact support to discuss available options.

17. Need Further Advice?

CricketClubBuilder does not provide legal advice.

If you are unsure about your responsibilities, consult your legal advisor or relevant supervisory authority.

For UK clubs:
https://ico.org.uk/for-organisations/

For EU clubs:
https://edpb.europa.eu/

Final Note

GDPR compliance is an ongoing responsibility.

CricketClubBuilder provides tools to support compliance, but your club remains responsible for ensuring lawful and appropriate use of personal data.