Data protection

In the D-A-CH area, two legal regulations must be observed in the context of data protection. For Germany and Austria, the EU General Data Protection Regulation (EU GDPR), which came into force on 25 May 2018, applies; for Switzerland, the new, totally revised Data Protection Act (nFADP), which comes into force on 1 September 2023, applies.

Please note: PC CADDIE cannot and must not offer legal advice of any kind. The respective legal entities - i.e. golf clubs, golf courses, etc. - are responsible for the correct implementation of the legal requirements. We recommend that you seek advice from an appropriate specialist lawyer or a qualified person authorised to do so.

Text of the law in full length: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&qid=1692776893079

Text of the law in full length: https://www.edoeb.admin.ch/edoeb/en/home/datenschutz/grundlagen/ndsg.html

Text of the law as synopsis: https://www.kmu.admin.ch/kmu/en/home/facts-and-trends/digitization/data-protection/new-federal-act-on-data-protection-nfadp.html

Specific contexts for data protection in PC CADDIE can be found at Informationen zum Datenschutz einzelner Module bei PC CADDIE .

A file with the most important procedures for deletion and pseudonymisation of data can be found here as a PDF, e.g. for submission to your data protection officer: Deletion&Pseudonymisation.

• Reversal of the burden of proof: if the customer is of the opinion that the club is not handling the data properly, then a club within the EU from 25.5.2018 or within Switzerland from 1.9.2023 must prove that it has worked cleanly.
• Duty to provide information: the customer has a right to receive a COMPLETE overview of the data stored about him. The time limit for providing such information is 30 days, starting from the WRITTEN request for information.
• Right to deletion/pseudonymisation: The customer may request that his/her data be deleted. The deletion must be recorded. He can also request that his name be pseudonymised so that he no longer appears on start lists/results lists and the like (this function is only local!).

• Ideally: Exchange with a specialist lawyer about the necessities in the club.
• In the European Union: Designate a contact person or external data protection officer (Attention! This has legal consequences). In Switzerland, such a designation is still optional.
• Create a procedural directory of all processing of personal data in the club (sample via DGV service portal): https://serviceportal.dgv-intranet.de/clubintern/recht-versicherung/recht-steuern/a-z.cfm). In Switzerland, this applies in the same way, but is referred to as a „directory of processing activities“.
• Inform members, obtain consent if necessary.
• Clean password management for your employees (it makes sense to have only one or two employees with real supervisor rights; for all others, their functions must be given corresponding authorisations).

• In general: sign the contract for commissioned data processing (ADV contract for short) quickly and send it to PC CADDIE. Why? Because otherwise we are no longer allowed to provide support.
• Fill in the contact sheet with your contact person and send it to us. Why? So that we also have a contact person in your club in the future. Because there will certainly continue to be a need for information on this topic.
• Use the PC CADDIE data protection functions according to the requirements in order to be able to comply with the EU-GDPR/nFADP (The latest update can be downloaded under menu item „End/PC CADDIE update“).

Two points are important in the future:
A) Documentation of the stored data,
B) deletion/pseudonymisation of the data with the corresponding documentation thereof.

Please note from the beginning
ALL ACTIONS OF DELETION AND PSEUDONYMISATION ARE IRREVERSIBLE! Because that is the purpose of the respective data protection laws!
Please consider in advance what makes sense. Advise your clients well, consult with your data protection officer and try to find out what the concern actually is.

In the personal data, tab „Characteristics there is a new button „Data protection“:

Click on this button to see all options relevant to the customer in a new window.

Here you can store the data when a customer expressed which wish with regard to data protection.

This is the basic setting for the permissions/objections/mail use/deletion/pseudonymisation stored for this client.

The upper two date fields are self-explanatory. I.e. usually you would fill in the upper date field for e.g. new members, if e.g. in the admission form the use of the data is approved. It is best to discuss internally with your data protection officer how you have dealt with the consent of members/customers so far, e.g. whether you want to enter everything later.

The date field Objection is filled in if the customer objects to the further use of the data. Please note, however, that you can no longer manage the customer as soon as he/she objects. An example would be if guests who play on a green fee basis object to the use of their data, they can no longer be loaded into a tournament, booked into tee times or otherwise used. For users without supervisor rights, the customer's data record disappears; they can no longer be selected. This is only possible for users with supervisor rights, who can reactivate these customers in a special setting.

It is therefore necessary to consider exactly what the customer's will is and find the optimal solution with him.

Before carrying out this action, however, you will be asked again if this is what you really want:

You will then recognise a contradiction by this alarm signal:

If you then carry out another action, e.g. call up another data record, etc., no result will be displayed the next time you try to dial the person who has objected to the use of data.

With „Blocking the data“ it gets tricky: the date field is automatically filled if you select an action other than Normal from the drop-down menu:

• Access for supervisor only: here, the person working with administrator rights has the possibility of still being able to activate data for the purposes of statistics or financial data retention. For all other staff members with other authorisations, the client can no longer be found.
• Processing disabledIf this is clicked, then the customer is no longer visible and accessible to ANYONE after the final click on OK. He is actually gone. NB: Even PC CADDIE can no longer retrieve him. You must then re-enter the data!

The options are controlled here. The default setting is „normal“. We will take a closer look at what this means under the </ignore>Supervisor-Funktionen look at.

You can specify here whether or not a customer agrees to the use of the mail for newsletters, etc. This setting also ensures that even if the wrong mailing list is selected, no unauthorised mails are sent. With this setting you can also make sure that customers who have objected to receiving mails do not receive unauthorised mails even if they have selected the wrong mailing list. „Neutral“ with the correct basic settings as well as „not agreed“ BLOCK any mails for advertising purposes and thus act like the filter NONEWSfilter, which you can use in the Supermailer to suppress the unauthorised sending of advertising mails to recipients who have objected to receiving newsletters.

Our default setting after loading the latest update is such that you cannot send any mails for the time being. This is to prevent customers from unlawfully receiving an advertising mail from you. With the supervisor settings, you can define how customer data is to be handled with regard to mails.

You can also store preferences for specific distribution groups in the newsletters. You can use the ones we suggest, but you can also create groups yourself. In this way, for example, team players who would otherwise not like to receive a newsletter can still be included in a distribution list for special news relating to the team.

You proceed as for creating a normal list of persons and then create a new filter, e.g. „e-mail use“ or similar. Then you take the field „E-mail group“ and can filter according to the following criteria:

• OK agreed for use,
• OK or DISAGREED for use not approved,
• NEUTRAL for neutral setting.

Here, too, there is a query in the lists of persons for which you can save a filter (e.g. data protection status):

The query runs here via the following parameters:

• N (=Normal),
• S (=Supervisor),
• L (=Locked =locked).

List of members who have NOTHING in the data protection consent date?

Members WITHOUT consent date

EMPTY(golfmitg->MITGPRIV)

Members, WITH consent date

STOD(golfmitg->MITGPRIV) > STOD("19900101")

The filters are created as described above.

SUBSTR(golfmitg->(xFieldGet("mitgpriv", "")), 26,1)=="A"  -  nur Personen mit "Mailverwendung zugestimmt"

SUBSTR(golfmitg->(xFieldGet("mitgpriv", "")), 26,1)=="M"  -  nur Personen mit "Mailverwendung widersprochen"

Here, too, we have programmed a separate field in which this information can be stored.

But beware: this field is purely informative and not connected with any functionality concerning pictures!

The query of persons for this field works as described above.

Also important are the dates you enter when the client made the request for data protection and your personal notes about it.

In this field you can enter a nickname („artist's name“) for a client if he/she wishes. But ATTENTION: this nickname will only appear in local lists. It will not be transported towards the DGV Intranet. So if the client plays in another club or competes in a federation match, his/her real name will always be visible in the lists.

Furthermore, here are the buttons with which you can print out the summary of the customer's data if desired and also save it - ideally on a USB stick of the customer.

Here you must decide for yourself which account areas you want to export/print. By default, NONE is ticked, i.e. you have the choice of including only one, several or all account areas. This decision is to be made in the club. Likewise, you can choose what type of data to output: really everything, only the number or also only the account areas.

TIP Have the request for a printout of all data given to you in WRITING and always hand over the data collection to the customer PERSONALLY (if necessary against presentation of the identity card, if there are doubts about the identity)!

By clicking on this field, you can carry out a final pseudonymisation if the client wishes. But beware: You will then no longer be able to find or edit the client!

Before you finally carry out the action, you will be asked again.

For this reason we have built in some functions for „supervisors“ to be able to reactivate the data, at least for statistics and fiscal checks. And this is how you get there (Attention: this menu item is ONLY visible for supervisors):

Clicking on the menu item opens the following window:

As a supervisor, you can set here how e-mail addresses are usually handled.

• Standard: no sending to people who have not explicitly agreed to receive advertising mails –> no mail goes out, no distribution list is generated for the supermailer.
• Permanent setting, variant 1Mails are only sent to people who have explicitly agreed to receive them or to members (e.g. if you have regulated receipt by statutes).
• Permanent setting, variant 2Mails are sent to all those who do not have a red cross in the no red cross in the customer mask.

If you select these variants, the system remembers the selection. With the following two options, the action is only temporary.

• Temporary, Variant 1 and 2: same as Permanent, Variant 1 and 2. It is a club decision how you want to handle it.
• Temporary, variant 3: Dispatch really to all (e.g. annual accounts or invitation to the general meeting, if legally secured).

Clicking on the button opens the following security query:

All statements in favour of the process must be ticked. The four answer options vary.

IMPORTANT

• This function also disables the transmission of Covid information from the app to your local PC CADDIE.
• Please remember that this function can only delete Covid information officially programmed in PC CADDIE. If you have independently stored the Covid status in a self-defined additional information, this information must be deleted individually. However, this can also be done in one go for all contacts - details can be found here. belegungen_tauschen_oder_loeschen
• This information is not a call to delete your data - the decision to delete is the responsibility of each golf facility in consultation with your responsible data protection officer!

IMPORTANT!
ALL PERFORMED ACTIONS OF DELETION AND PSEUDONYMISATION ARE IRREVERSIBLE! Because that is the meaning of the law!
Please consider in advance what makes sense.

A file with the most important procedures for deletion and pseudonymisation of data can also be found here as a PDF, e.g. for submission to your data protection officer: Deletion&Pseudonymisation

The deletion/pseudonymisation of larger amounts of data must be determined individually according to a specific cycle. This is also only done with supervisor rights. The button can also be found in the menu People/Data Protection:

Clicking on the button opens the following field:

Here you can enter criteria, e.g. to delete inactive data records from the database in a certain cycle. For example, all guests of whom you have neither a mobile phone nor an e-mail address and who have not visited for 3 years. These actions are irreversible!
If you also want to delete former members, e.g. because they have left for more than 10 years, the former member feature of this group must be removed first! Otherwise they will not be deleted for safety's sake!

Since it is quite complicated to create such a person filter for a list of persons, there is a procedure with which you can check beforehand whether you are deleting the right persons.

In the function „Delete or pseudonymise persons“ there is the procedure „Set the additional info „oldrec“ for the data records“. (see screenshot in the next section). Select this and let the process run through. Afterwards you can print a list of persons with the additional information „oldrec“. You can then use this to check. For persons who are not to be deleted, remove the additional information. Then make your pseudonymisation run with the person filter „oldrec“.

As soon as the button OK button is clicked, you may answer two security questions before the run is started. This function can take a relatively long time. PC CADDIE shows you the progress:

As soon as the function is finished; the number of (in our case) deleted records appears:

With the help of the log file you can check the history:

The corresponding information after each name means:

There are several options that can be selected:

1. Pseudonymisation, without deleting attachments
2. Pseudonymisation, with deletion of attachments
3. Pseudonymisation, ask for each attachment
4. Pseudonymisation, forced deletion of attachments
5. Delete (attached documents are deleted)
6. Set the additional info „oldrec“ for the data records

With a tick in this field

supervisors can access

1. data with an objection to data processing, and
2. data of blocked users.

The function „Block data record“ is useful, for example, if a customer insists on the deletion of his data, but the legal situation is still unclear: the customer can already be „blocked“ in PC CADDIE for all functions, accesses and bookings, but a supervisor still has full access to the data for clarification of the legal situation, for example.

ATTENTION: App users must first agree to continue using the services. Since the introduction of the EU-GDPR, this query is the start screen before bookings can be made on smartphone or computer.

As long as this is not accepted, or the customers have decided to delete, one can no longer use the functionalities as an end customer. In addition, the club receives an error message when you want to send new passwords from the personal screen.

In the app, the customer can determine under „My settings“ whether his name is visible or not.

Important note: If I have excluded visibility for myself, then I cannot see the other players either!

If a member wishes to appear on results lists on the intranet with N.N. instead of his own name, this setting must be made in the DGV Service Portal.

Open the service portal and then click on the menu item Club Persons/Member Search.

Once you have selected the desired person, you only have to tick the box shown below and confirm with „save“.

Anyone who has registered there can change their settings under http://www.mygolf.de/einstellungen/datenfreigabe.cfm?sq=54705789 change them. All questions regarding Mygolf.de will be answered exclusively by the German Golf Association e.V. PC CADDIE not supported by PC CADDIE.