WhatsApp Groups And GDPR

Started by Last Caress, January 29, 2020, 06:20:43 PM


GetOverTheBar

Quote from: the_daddy on January 30, 2020, 10:22:14 AM
The GAA app is grand for 1 way communication but has no group chat capability so that's not going to work for a team situation. However, regardless of the 'but but but' there is a legitimate point. The problem with Whatsapp is that there is no 'opt-in' element to the group chat, you have to 'opt-out'. If you're added to a group you have no control over who sees / has access to your number, even after you opt out, which is a legitimate GDPR concern. Maybe something like Telegram where you're sent a link to join a chat, so you have to opt-in and use a nickname may be more suitable for team/group/committee information purposes.

You can make a group and only have the admins with the ability to send messages to all.

five points

Quote from: the_daddy on January 30, 2020, 10:48:12 AM
Not disagreeing at all but to paraphrase what a top referee has frequently told me, show me where it says common sense in the rulebook / GDPR legislation.

Bad example. If a ref lets an untidy tackle go, no law is being broken.  I work in an information-sensitive industry and colleagues and customers routinely think nothing of using whatsapp. If they're all breaking the law, the law is an ass. Whatsapp wouldn't have survived thus far if this was the case.

screenexile

I agree with most of what you're saying wobbler except the common sense thing. . . have you been to a match recently??

The GAA is hundreds of thousands of people and trying to get that large a group to have common sense is impossible.

There will also be pricks who have common sense who will go at a club or the GAA for not adhering to good GDPR practice.

You can talk about common sense all you want but go to any club meeting up and down the country to discuss insurance and the frivolous claims the GAA are facing from their own members and how premiums are skyrocketing and you'll see what common sense gets you.

The GAA are huge and need to cover their ass on this. The problem you will have now is clubs will stay with whatsapp and we'll see the fruits of that over the next few years!!

DuffleKing

Quote from: square_ball on January 30, 2020, 10:41:35 AM
Quote from: the_daddy on January 30, 2020, 10:22:14 AM
The GAA app is grand for 1 way communication but has no group chat capability so that's not going to work for a team situation. However, regardless of the 'but but but' there is a legitimate point. The problem with Whatsapp is that there is no 'opt-in' element to the group chat, you have to 'opt-out'. If you're added to a group you have no control over who sees / has access to your number, even after you opt out, which is a legitimate GDPR concern. Maybe something like Telegram where you're sent a link to join a chat, so you have to opt-in and use a nickname may be more suitable for team/group/committee information purposes.

Would a simple opt in or opt out line regarding WhatsApp groups when paying your membership not suffice? Not up to date at all on GDPR so maybe it wouldn't?

GDPR is a scam on a global scale, creating an entirely new industry where people busy themselves inventing new ways to be relevant.

The bit in bold is the solution to keep those types of people happy.

thewobbler

Quote from: screenexile on January 30, 2020, 12:09:05 PM
I agree with most of what you're saying wobbler except the common sense thing. . . have you been to a match recently??

The GAA is hundreds of thousands of people and trying to get that large a group to have common sense is impossible.

There will also be pricks who have common sense who will go at a club or the GAA for not adhering to good GDPR practice.

You can talk about common sense all you want but go to any club meeting up and down the country to discuss insurance and the frivolous claims the GAA are facing from their own members and how premiums are skyrocketing and you'll see what common sense gets you.

The GAA are huge and need to cover their ass on this. The problem you will have now is clubs will stay with whatsapp and we'll see the fruits of that over the next few years!!

Screen, this is a fair old tangent you're heading upon.

The problems that the GAA are highlighting with WhatsApp are fictional. They're attempting to enforce controls on a service that they do not provide.

To revert to my cars analogy from earlier. If a senior football team is travelling up the county in cars, they're all private cars with private insurance. That they're going to play Gaelic sports at the end of their journey is not relevant. If there is an accident, nobody is going to sue the GAA or demand that the GAA represent them in court. The GAA will never produce guidelines for "how to drive safely between GAA venues", as it's none of their business. Yet the GAA would crumble as an organisation if private cars aren't used for that very purpose.

WhatsApp should be considered along the same lines. It's a tool that can be availed of by anyone, including GAA clubs. But what happens on that platform frankly should never be a concern of the GAA.

Ethan Tremblay

Would implied consent not be given when a user signs up to WhatsApp? As in, most people are aware their profile image and number is displayed to other users? By signing up to WhatsApp you are in fact opting in?

Take the example of a missed call on your phone. If it is a mobile number, you can save this to your phone and check your contacts on WhatsApp and view a profile photo to see who it was.
This has nothing to do with groups or people adding you to groups without your permission, this is just basic functionality of the app. I would imagine in that spiel of text before you click the "I agree" button, there is something in there detailing this and how your data is used?
I tend to think of myself as a one man wolfpack...

five points

Whoever you are Wobbler, you should be running the show.

Solo_run

I dread to think what the new GAA will be like. I can guarantee that it will have a significant amount of security flaws that will leave the data of thousands of people at risk if it ends up being used for registration purposes etc. GAA HQ will be the ones who will have to cough up the money for GDPR breaches and once this happens the app will be a dead duck.

If the likes of Nord VPN, Talk Talk, Yahoo, etc have found it difficult to protect data then the GAA is in for a torrid time.

AFM

Quote from: Ethan Tremblay on January 30, 2020, 01:00:34 PM
Would implied consent not be given when a user signs up to WhatsApp? As in, most people are aware their profile image and number is displayed to other users? By signing up to WhatsApp you are in fact opting in?

Take the example of a missed call on your phone. If it is a mobile number, you can save this to your phone and check your contacts on WhatsApp and view a profile photo to see who it was.
This has nothing to do with groups or people adding you to groups without your permission, this is just basic functionality of the app. I would imagine in that spiel of text before you click the "I agree" button, there is something in there detailing this and how your data is used?

https://www.whatsapp.com/legal/?eea=1#privacy-policy-information-we-collect

Information You Provide

Your Account Information. You provide your mobile phone number and basic information (including a profile name) to create a WhatsApp account. You provide us, all in accordance with applicable laws, the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts. You may provide us an email address. You may also add other information to your account, such as a profile picture and about information.

Agree with all the sentiments of wobbler - commonsense seems to be a thing of the past!

twohands!!!

Quote from: screenexile on January 30, 2020, 12:09:05 PM
I agree with most of what you're saying wobbler except the common sense thing. . . have you been to a match recently??

The GAA is hundreds of thousands of people and trying to get that large a group to have common sense is impossible.

There will also be pricks who have common sense who will go at a club or the GAA for not adhering to good GDPR practice.

You can talk about common sense all you want but go to any club meeting up and down the country to discuss insurance and the frivolous claims the GAA are facing from their own members and how premiums are skyrocketing and you'll see what common sense gets you.

The GAA are huge and need to cover their ass on this. The problem you will have now is clubs will stay with whatsapp and we'll see the fruits of that over the next few years!!

This is all driven by the GAA in terms of covering themselves as much as possible in terms of the GDPR legislation.

The punishments for not complying with this legislation are fairly serious (see below) and it seems fairly clear from reading the links below that any organisation using WhatsApp to operate contravenes the legislation in multiple different ways.

You can agree with the wrongs and rights of the GDPR legislation, but I'd be shocked if you would find a lawyer in the land who would argue that what the GAA are doing here isn't the sensible option given the legislation. From what I can see it would be gross negligence of the GAA not to issue this statement.

https://www.citizensinformation.ie/en/government_in_ireland/data_protection/overview_of_general_data_protection_regulation.html#l9b2e4

https://www.citizensinformation.ie/en/government_in_ireland/data_protection/legislation_relating_to_the_general_data_protection_regulation.html

Quote
Serious infringements
For the most serious infringements (for example, not having sufficient customer consent to process data or violating the core of privacy by design concepts) organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater.

Each member state may introduce further fines legislation, which will be enforceable within that state only.

Lesser breaches
Under the GDPR, organisations in breach of the Regulation can be fined up to 2% of their annual global turnover or €10 million, whichever is greater, for lesser breaches. Some examples of lesser breaches include: not having records in order, not notifying the supervisory authority and data subject about a breach or not conducting an impact assessment.

thewobbler

Quote from: twohands!!! on January 30, 2020, 06:27:02 PM
Quote from: screenexile on January 30, 2020, 12:09:05 PM
I agree with most of what you're saying wobbler except the common sense thing. . . have you been to a match recently??

The GAA is hundreds of thousands of people and trying to get that large a group to have common sense is impossible.

There will also be pricks who have common sense who will go at a club or the GAA for not adhering to good GDPR practice.

You can talk about common sense all you want but go to any club meeting up and down the country to discuss insurance and the frivolous claims the GAA are facing from their own members and how premiums are skyrocketing and you'll see what common sense gets you.

The GAA are huge and need to cover their ass on this. The problem you will have now is clubs will stay with whatsapp and we'll see the fruits of that over the next few years!!

This is all driven by the GAA in terms of covering themselves as much as possible in terms of the GDPR legislation.

The punishments for not complying with this legislation are fairly serious (see below) and it seems fairly clear from reading the links below that any organisation using WhatsApp to operate contravenes the legislation in multiple different ways.

You can agree with the wrongs and rights of the GDPR legislation, but I'd be shocked if you would find a lawyer in the land who would argue that what the GAA are doing here isn't the sensible option given the legislation. From what I can see it would be gross negligence of the GAA not to issue this statement.

https://www.citizensinformation.ie/en/government_in_ireland/data_protection/overview_of_general_data_protection_regulation.html#l9b2e4

https://www.citizensinformation.ie/en/government_in_ireland/data_protection/legislation_relating_to_the_general_data_protection_regulation.html

Quote
Serious infringements
For the most serious infringements (for example, not having sufficient customer consent to process data or violating the core of privacy by design concepts) organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater.

Each member state may introduce further fines legislation, which will be enforceable within that state only.

Lesser breaches
Under the GDPR, organisations in breach of the Regulation can be fined up to 2% of their annual global turnover or €10 million, whichever is greater, for lesser breaches. Some examples of lesser breaches include: not having records in order, not notifying the supervisory authority and data subject about a breach or not conducting an impact assessment.

I fail to see how the GAA can be described as either the data controller or data processor for group chats on WhatsApp.

So what on earth could they find themselves in breach of?

twohands!!!

Quote from: thewobbler on January 30, 2020, 08:30:47 PM
Quote from: twohands!!! on January 30, 2020, 06:27:02 PM
Quote from: screenexile on January 30, 2020, 12:09:05 PM
I agree with most of what you're saying wobbler except the common sense thing. . . have you been to a match recently??

The GAA is hundreds of thousands of people and trying to get that large a group to have common sense is impossible.

There will also be pricks who have common sense who will go at a club or the GAA for not adhering to good GDPR practice.

You can talk about common sense all you want but go to any club meeting up and down the country to discuss insurance and the frivolous claims the GAA are facing from their own members and how premiums are skyrocketing and you'll see what common sense gets you.

The GAA are huge and need to cover their ass on this. The problem you will have now is clubs will stay with whatsapp and we'll see the fruits of that over the next few years!!

This is all driven by the GAA in terms of covering themselves as much as possible in terms of the GDPR legislation.

The punishments for not complying with this legislation are fairly serious (see below) and it seems fairly clear from reading the links below that any organisation using WhatsApp to operate contravenes the legislation in multiple different ways.

You can agree with the wrongs and rights of the GDPR legislation, but I'd be shocked if you would find a lawyer in the land who would argue that what the GAA are doing here isn't the sensible option given the legislation. From what I can see it would be gross negligence of the GAA not to issue this statement.

https://www.citizensinformation.ie/en/government_in_ireland/data_protection/overview_of_general_data_protection_regulation.html#l9b2e4

https://www.citizensinformation.ie/en/government_in_ireland/data_protection/legislation_relating_to_the_general_data_protection_regulation.html

Quote
Serious infringements
For the most serious infringements (for example, not having sufficient customer consent to process data or violating the core of privacy by design concepts) organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater.

Each member state may introduce further fines legislation, which will be enforceable within that state only.

Lesser breaches
Under the GDPR, organisations in breach of the Regulation can be fined up to 2% of their annual global turnover or €10 million, whichever is greater, for lesser breaches. Some examples of lesser breaches include: not having records in order, not notifying the supervisory authority and data subject about a breach or not conducting an impact assessment.

I fail to see how the GAA can be described as either the data controller or data processor for group chats on WhatsApp.

So what on earth could they find themselves in breach of?

It's the clubs themselves who would be regarded as the data controllers for the WhatsApp group chats.

I'm not a lawyer but it looks to me that WhatsApp is a minefield in terms of GDPR and Croke Park are simply doing their job in telling clubs about their responsibilities as regards data protection and GDPR.

thewobbler

I'm not a lawyer either.

But a club cannot be a data controller. Groups are set up by individuals. And even if they weren't, the relationship is between the user and WhatsApp, with groups little more than a middleman, an avenue to move data around.

Plus as every individual in a group has the same ability to export a group's history, to my mind that makes them all data processors.

——

Anyhow, none of this makes sense. Every club in Ireland has a Facebook and/or Twitter account which can be traced back to an authorised club committee decision, and the appointment of suitable club personnel to manage these accounts. In these forums, clubs share, invite and exchange data with people who have made no commitment / legal agreement with those clubs.

They are clearly a data processor, maybe even a controller, as they have the ability to review, export and analyse every exchange that has taken place on their channel - whereas normal users cannot.

For the life of me I cannot work out how these platforms are "GDPR okay" but WhatsApp is the ultimate scourge of privacy.

As a result I've fully arrived at the belief that there is no issue. But somebody somewhere has decided it's in the GAA's interests to manufacture one.

Last Caress

Have any clubs been informed by their county board to stop using this facility? No indication that my own club is intending to stop its use. I guess it's a case of wait and see what others are doing.

armaghniac

Quote from: thewobbler on January 30, 2020, 10:12:53 PM
Anyhow, none of this makes sense. Every club in Ireland has a Facebook and/or Twitter account which can be traced back to an authorised club committee decision, and the appointment of suitable club personnel to manage these accounts. In these forums, clubs share, invite and exchange data with people who have made no commitment / legal agreement with those clubs.

They are clearly a data processor, maybe even a controller, as they have the ability to review, export and analyse every exchange that has taken place on their channel - whereas normal users cannot.

For the life of me I cannot work out how these platforms are "GDPR okay" but WhatsApp is the ultimate scourge of privacy.

As a result I've fully arrived at the belief that there is no issue. But somebody somewhere has decided it's in the GAA's interests to manufacture one.

The Facebook page is under the control of the club, if someone posts up something then the club can take it down. Whatsapp is peer to peer, the club don't control the group although they may encourage people to join it.

The Data Protection Commissioner's office in Laois, they have probably got this from a good source.

Building a GAA app is not the way forward, no doubt one of these apps like Whatsapp has a paid account with more control and this is the way forward, in the same way as organisations pay Google to run their mail.
If at first you don't succeed, then goto Plan B