Thank you for reaching out to LegalBuddy. I’ll start by mentioning the relevant regulations that apply and thereafter give advice based on your situation.
Legislation on personal data collection
The General Data Protection Regulation (GDPR) applies to all automated processing of personal data of natural persons with connection to the EU. Note that there might be further national regulations that apply in conjunction with GDPR, as it is encouraged in art. 40 GDPR. The definition of personal data is broad as it includes direct and indirect information relating to a natural person, art. 4 GDPR. However, if the data is made anonymous, it is not considered personal anymore and the right to data protection is not applicable anymore.
The company is ultimately liable for adhering to the regulations and it is helpful to be mindful of the lifecycle of personal data to better comply with GDPR; the collection, management and deletion of personal data. Furthermore, the accountability principle provided for in art. 5 GDPR requires that a data controller must be able to demonstrate its compliance with the GDPR.
What data can be collected?
The principles in art. 5 GDPR states that there should be a narrow and clear purpose before the data collections occurs. The company is responsible to be lawful, open and correct, as well as treating the data with confidentiality. It is also important to not collect more data nor store it more than necessary. The processing of data is lawful only if at least one of the conditions in art. 6 GDPR can be applied.
Consent or legitimate interests are commonly used by companies. Note that legitimate interests give the company flexibility as long as the company can thoroughly justify these legitimate interests, as the data subject should be able to reasonably expect their data to be used in that way. For a consent to be valid, it must constitute a voluntary, specific, informed and unambiguous expression of will, through which the data subject agrees to the processing of personal data concerning him or her. In the provision of a service, consent is not freely given if the processing of personal data that is not necessary for the performance of that contract or service is required. An assessment of if the data is necessary must therefore be made.
In Example A above, the data is personal and the principles in art. 5 GDPR must be followed. E-mail addresses are usually considered personal data in themselves since they oftentimes contain the name of the data subject. The user’s activity and the location can also be personal data if it makes the data subject identifiable.
With regards to the aggregated data in Example B, the personal data has been anonymized and are impossible to trace back and/or identify the individual data subjects behind it. To collect and manage this data, you are still required to have a legal condition to process the data, art. 6 GDPR.
Data collection when the data subject is a child
There is an age limit given to objectively decide when a child has matured enough to be able to consent to data collection. For minors living in Sweden, the age from which they can consent without a guardian’s approval or consent is 13 years, 2 kap. 4 § lagen (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning. This may differ depending on which country the minors are living in, art. 8.2 GDPR.
Note that in the preamble nr 38, 58 and 65 GDPR, which are not formally binding but help to interpret the articles in the regulation, it is stressed that children require specific protection and therefore should be addressed in a way that is easily understood by children.
Data transfers to third parties
Under the GDPR, sharing personal data with third parties is possible as long as it is compatible with the purposes for which the data was originally collected, provided however that the data is not subject to statutory or contractual obligation of confidentiality. Furthermore, any transfer of personal data to third parties must be transparent to the data subject and should be clearly described in the information provided under art. 13 and 14 GDPR (on a side note, please note that information under art. 13 and 14 - normally provided by a “privacy notice” - should not be provided as a part of general terms of services but as a stand-alone piece of information).
In conclusion, you should be able to share personal data with the football clubs as long as you make sure that such sharing is compatible with the purposes for which the data was collected and that the data sharing is transparent to the app users. As you will be addressing younger people, it is important that your privacy notices are crystal clear and adjusted also to the target audience. Hopefully, the information above gave some clarity to your case. If more questions arise, you are welcome to contact us for more legal advice.