€300,000 Hurdle for Sports Club: GDPR

Not all sports clubs have €300,000 just kicking about. However, last week we saw an unnamed football association hit with a large fine for failing to comply with data protection regulations. As time goes on, we are seeing more and more organisations fined for not complying with their local data protection laws. This case could easily have been prevented: the Association could have avoided the fine and, most importantly, kept its members' data safe by processing it properly.

What did they do wrong?

The sports club was fined for breaching the accountability requirement laid down in Article 5(2) of the GDPR. As a data controller, you have an obligation to map your data, keep a sufficient record of processing, and understand the ways in which you or any third-party services process the personal data entrusted to the organisation. This process is also used to understand where the data is stored and shared, so that you can ensure it is adequately protected and not subject to misuse or misconduct.

The organisation did not have the correct contractual procedures in place with the service provider to which it transferred member and employee personal data, and it failed to log or document any of the processes or decisions surrounding the transfer (i.e., who commissioned the service provider, the specific obligations of the Association and the service provider, and to what extent the service provider had access to the personal data). The supervisory authority also found that the management board's knowledge of the data transfer process was insufficient, and that outsourcing the user data without notifying data subjects showed that the organisation had neglected its basic data protection obligations.

Data controllers' obligations

As a data “controller”, your organisation has an obligation to understand how the personal data under your control is processed by the third-party services that you use. Not only must you understand it, but you must also take accountability for what happens to the data. It is your responsibility to ensure that third-party services are not handling the data irresponsibly or illegally; when an external provider or data processor is used, the onus lies with the controller to ensure that the data is processed in line with the regulations. Article 28 of the GDPR states that: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

Article 28 also outlines that the “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

Steps to prevent similar fines

All data controllers should put in place processing agreements, sometimes called data processor addendums (“DPA”): a contract between the data controller and the data processor so that both parties understand their responsibilities and liabilities, and so that the data will be handled in accordance with legal regulations. Having this contract in place could have helped the Association demonstrate compliance with the GDPR, including its accountability provisions, and could have reduced the administrative fine or even avoided it altogether.

Consequences, Consequences…

When it comes to the GDPR, there really is no way around it. Your organisation must understand that if these provisions were not imperative to the protection of the data subject, they would not have been implemented in the first place. The €300,000 fine imposed by the Baden-Wuerttemberg Data Protection Authority was calculated as 4% of the Association's annual revenue. This financial loss could have been avoided if the Association had fulfilled its legal obligations when passing its data subjects' personal data to an external provider for processing.

If the use of a third-party service provider could result in a high risk to the rights and freedoms of your data subjects, a DPA should be put in place and a Data Protection Impact Assessment (“DPIA”) carried out, so that you are aware of the risks associated with the processing activities involved. 9ine’s DPIA and Records of Processing services allow your organisation to understand the risks associated with its data processing activities, mitigate them efficiently, and document the actions taken. This ensures that you can evidence your compliance, reducing the risks surrounding your data privacy and protection activities and eliminating the risk of being issued a fine like the one this sports association received.