The designation of a data protection officer means a considerable organizational and financial effort for many small companies or organizations. According to the current version of the Basic Data Protection Regulation (“DS-GVO”) and the Federal Data Protection Act (“BDSG”), which must also be observed in Germany, most (e)sports organizations are affected by exactly this obligation.
The existence of a requirement to appoint a data protection officer depends on whether there are ten individuals, who regularly process personal data.
Mandatory.
The term “processing” of personal data (eg name, contact details, player names, pictures, health data) is very broad. Therefore, in principle, individuals from the administration of the small company or the organization, for example the team manager or even the coach, are entrusted with the processing of personal data. However, when team members communicate with each other only on the basis of the data provided to them, they do not engage in “processing”.
Therefore, the company or the organization as the “responsible party” very quickly meets the obligation to appoint a data protection officer.
For eSports as a whole, no exception to these regulations is provided for by law.
Amendment.
Fortunately, the legislator has reacted and passed an amendment to ease the burden on small businesses or organisations. The new law adapts the provisions of § 38 BDSG regarding the need for a data protection officer by increasing the number of relevant people working for the “responsible person” from ten to twenty. However, the change will only apply after the promulgation of the law, which is expected in the course of 2019.
Practical Application.
Companies and organisations are nevertheless advised to ensure that the new threshold value is not exceeded by means of an appropriate organisation, e.g. statutes or rules of procedure.
The precise delineation of competences and responsibilities in relation to the data may limit the number of people entrusted with processing.
It should not be forgotten, that other data protection regulations or requirements must be observed, even if no data protection officer is to be appointed. Liability for infringements of the DS-GVO or the BDSG continues to exist!
