I may need to close the community on May 25. ...

Started by Mario, May 16, 2018, 07:34:02 PM


Mario

This is the day the new EU Data Protection Directive (GDPR) becomes binding.

Since I sell IMatch, I have to comply with the same rules and laws as companies like Google, Facebook or Microsoft. Only a strictly private use is exempted from GDPR.

I have so far been unable to find ways to change the Simple Machines Community software (which is used to run this community) to make it GDPR compliant. Nor have I found another community software which handles all the requirements of the GDPR and would allow an import of all the data and know-how we have collected here on this site over the past 10 years.
I would be willing to attempt a migration but so far I've found nothing.

I have already upgraded the privacy policy of my web site. Since I don't use ads or trackers or Google analytics or anything on photools.com, this is the easy part. WordPress stores a cookie but I don't use it to identify you with any 3rd party. I also don't care about your IP address or anything.

I'm still trying to figure out what I have to change to make the customer portal compliant. Since I do record your email and license key, I'm collecting so-called personal data. Since this is required in order to access your downloads, it's mandatory. I probably need to make everyone sign yet another privacy agreement before access to the customer portal is granted again. Sigh. More work I don't need.

My biggest problem, however, is this community. And if I can find no way to make it GDPR compliant (looks bad) I have to shut it down to avoid being sued by greedy lawyers or individuals.
-- Mario
IMatch Developer
Forum Administrator
http://www.photools.com  -  Contact & Support - Follow me on 𝕏 - Like photools.com on Facebook

ben


jch2103

As you are fully aware, the Community is a critical support element of IMatch. I certainly hope you find a suitable solution!

I suspect GDPR has caught a lot of vendors unaware (especially but not exclusively in the US), despite the advance publicity. Hopefully, some of them are now working on solutions, but apparently there are lots of questions/issues re GDPR implementation that may cause delays. E.g., see from a US perspective:
https://www.nytimes.com/2018/05/15/opinion/gdpr-europe-data-protection.html?action=click&pgtype=Homepage&clickSource=story-heading&module=opinion-c-col-left-region&region=opinion-c-col-left-region&WT.nav=opinion-c-col-left-region
John

Mario

Quote: I suspect GDPR has caught a lot of vendors unaware

There are many, many, many problems caused by this. It's not that people have been caught unaware. It's often that people don't have the ability to comply. And that individuals selling shareware like me and huge corporations like Google are treated the same way by the new regulations.

Google just wrote that they've put 400 man years (!) of work in adjusting their products and services to the GDPR. I doubt that other companies making money mostly from spying on people and selling data (Google, Facebook, ...) have spent less lawyer money on keeping their business model going somehow. These data-grabbing companies are the main target for the EU. But one-man shops like me are hit as well.

None of the popular community software systems (from SMF to Elkarte to Disqus to younameit) are ready for GDPR or even have understood all the fine details of the law and how to apply all that to their software. And since small companies or even individuals like me are unable to develop a software like SMF just to have a community, we can only close our communities until we have a community software which allows us to handle the new laws.

I will rather close the community than to risk to be sued by lawyers. I don't have the money.
If a greedy law firm figures out that SMF-based communities (and there are many, including the ExifTool community) are not GDPR compliant, they can send out mass mails and sue each (I don't know the English word for "Abmahnung") of them not solely run for private purposes.

I know this is bad for all the IMatch users. You can still reach me via email. Problem is, when you send me an email, I'm already collecting data about you (your email address and the text you have sent). I probably have to first reply with a 15 page privacy statement you have to sign before I can reply to your email and support you...  :-X

herman

Quote from: Mario on May 16, 2018, 08:59:12 PM
[...]
I will rather close the community than to risk to be sued by lawyers.
[...]
they can send out mass mails and sue each (I don't know the English word for "Abmahnung") of them not solely run for private purposes.

That is really bad news.
I think everyone here would understand you when you don't want to take the risk to be sued.

Am I right when I understand the core of the problem is that you make money from IMatch and at the same time you own, administrate and use a message board to support your business, and therefore the message board has to comply with GDPR?
If my understanding is right, perhaps the problem could be solved when the community owns, administrates and uses a message board to discuss the use of your product, and that you are just a member of that community like anyone else? That could take your commercial responsibilities out of the equation.
I am not a lawyer though, so maybe this idea is utter nonsense.....
Enjoy!

Herman.

Jingo

First I'm hearing of all these laws?  Doesn't make sense though.. there are millions of boards.. fredmiranda.com, dpreview.com, nikonians.com... they all sell subscriptions or products and host a forum... are you saying anyone that sells a product, collects info and has a forum is affected by this?

This board is a huge part of the "software connection" and a major reason why I use the software... as herman mentions - can someone else just host a community website and if you are not the owner.. then that solves the problem?  Does the forum just need to be hosted and stored outside of the EU?

herman

Quote from: Jingo on May 16, 2018, 11:25:57 PM
... are you saying anyone that sells a product, collects info and has a forum is affected by this?
It affects any business that has EU citizens as customers.
For example see this article for one of the unwanted side-effects: https://www.bleepingcomputer.com/news/security/new-service-blocks-eu-users-so-companies-can-save-thousands-on-gdpr-compliance/
Enjoy!

Herman.

Jingo

Quote from: herman on May 16, 2018, 11:35:15 PM
Quote from: Jingo on May 16, 2018, 11:25:57 PM
... are you saying anyone that sells a product, collects info and has a forum is affected by this?
It affects any business that has EU citizens as customers.

Sure.. but fredmiranda has tons of EU citizens as customers... not a peep over there!

Frank

Would it help if the community runs under another private person? That the community is a help for user2user and you just participate in the so-called offside user community. This could do the job.
Then you only need a person who is the official owner of the community. That should be easy I suppose.

Frank

Mario

It's not intended purpose of the community that counts. At least that's the most often read interpretation.
If you run a community to discuss solely your own family topics, you're good.

If your community supports a commercial product like IMatch, you have to adhere to the GDPR. The GDPR applies to all EU organizations – whether commercial business, charity or public authority – that collect, store or process EU residents' personal data, even if they're not EU citizens.

Quote: Sure.. but fredmiranda has tons of EU citizens as customers... not a peep over there!

This may become expensive for him. If an EU citizen demands his rights and does not get them. There are many idle lawyers in the EU who will have a ball with law suits like this. Minimal risk, very scalable and financially attractive.


The problem is that the law is so huge and so fuzzy in so many areas. Most of the law will be hammered into shape by European courts over the next years. But I don't want to be one of the people who gets sued by a lawyer or competitor. Even the initial cost for settling things out of court are several thousand €...

It's much like the cookie law, just much more severe. Everybody I know is fed up with all the "Our site use cookies, ..." popups that suddenly had to appear everywhere. And they click the popups away without really understanding what some cookies do. Or how Google, FB and all the advertisement networks use them to track whatever you do all over the Internet.

I definitely don't want to close this community. What I want is something that is legal and safe even after May 25. I had hopes that at least one of the affordable community software vendors comes up with something. Some started talking about the GDPR more than a year ago. But so far I did not find anything. Disqus, phpBB, MyBB, Discourse, SMF ... all don't have the tools I need to support everything that's in the GDPR. And using a global "If you want to use this community you agree to waive your GDPR rights" is illegal.

I can come up with a way to make all users agree to the new privacy terms by hacking SMF and add an extra "Please read this and click the box to agree" page in front.

If a user wants to be deleted from the community (which is a right after May 25.) I can rename his account to something random and then delete all his data and posts. That's sufficient.

But a user can also request from me to get all his data from this community in a 'commonly used and machine readable format' and have the right to transmit that data to another controller. And this means I need a way to extract all his data and dump it in some format. There are no tools for that in SMF and all the other vendors are still struggling with either understanding what they need to do or with implementing stuff.

I'm still making tight ship on photools.com and the customer portal. Thankfully I don't collect much data anyway (even the log files are deleted after a short time, I use them solely for optimization and error management). Giving a user the data I collect about him in the customer data basically resolves to the email and license key  ;)

This community is a different matter entirely. But I'm working on it. I won't lose this community.

Jingo

Quote from: Mario on May 17, 2018, 08:44:09 AM

This community is a different matter entirely. But I'm working on it. I won't lose this community.

Please let us know if there is something we can do to assist.... I'm more than happy to sign a new privacy policy statement... or create a new community website for you!

sinus

Quote from: Jingo on May 17, 2018, 12:56:20 PM
Quote from: Mario on May 17, 2018, 08:44:09 AM

This community is a different matter entirely. But I'm working on it. I won't lose this community.

Please let us know if there is something we can do to assist.... I'm more than happy to sign a new privacy policy statement... or create a new community website for you!

Jingo, whatever Mario will do, your will to help is very kind!
I think there are many ways to comply with GDPR on the web, even if it is a very complex issue.
Moreover, everything is very new and we do not yet know how it all works.

I think, maybe this is a good thing for the user, but for "poor Mario" it is a kind of "nightmare".
But I am (almost) sure he will find a satisfactory solution.

Finally, the community here is very important for at least some IMatch users.
Best wishes from Switzerland! :-)
Markus

Mario

Quote from: Jingo on May 17, 2018, 12:56:20 PM
Please let us know if there is something we can do to assist.... I'm more than happy to sign a new privacy policy statement...

A new agreement to updated privacy policy will be mandatory for all users. For the web site. The community. The customer portal. Services offered by photools.com.
For people using the Map Panel. They need to read and understand the privacy policy statement of OpenStreetMap, Google and Bing. That's probably a 100 pages of text to read.

I'm already on page 27 of the Datenschutzerklärung. Not that any user will ever read this. Most users don't know a thing about privacy laws or don't care. All this is just for the lawyers and evil folks who try to make money for nothing by abusing the GDPR for their benefit.

These laws and the terms of service we have to agree to before using anything, from Google to Facebook, s*ck. They're carefully designed by 1,000$ per hour lawyers to cover the big companies' rear ends, not to explain to users what the big companies are doing with all the data they gather. Just look at the printed out user agreement from Facebook on this page:

https://www.thedailyafrican.com/u-s-senator-asks-facebook-to-write-user-agreement-in-english-not-swahili/

(from the senate hearing). This looks like over 200 (!) printed pages. And every Facebook user has agreed to have read and understand it. Otherwise you are not allowed to enter Facebook. As with all law texts, each and every line on these 200 pages is open to interpretation by lawyers and courts, and way beyond what normal people can understand.

That's what the EU wants to change, to give people some control back. I'm fine with that. People are selling their privacy and data for a bit of free email and web search. Baaad idea, in the long term. Most of my non IT friends don't even understand what they are giving away. Or why we IT people are so obsessed about privacy.

The problem is, like so many EU laws, it's way over the top. Much too bloated (I've read somewhere that there were 4,000 changes and amendments to the original law alone, created by the big companies via their local influencers and lobbyists).

The GDPR is nothing a small company, a shop with a web site or an individual like myself can possibly understand and handle properly. No problem for the big companies, though, with their law departments as large as a small country.

Quote: or create a new community website for you!

Thanks. But then the GDPR would apply to you as well. Running a community for a commercial product or service falls under the GDPR after May 25., as long as your community is open for EU citizens.

It's complicated. I've read many discussions, how-to's and law texts over the past weeks. Nobody knows really what this is all about. But I'm sure many shady law firms have already printed and stamped letters with "declarations of discontinuance" (Unterlassungserklärung) (expensive ones, naturally)... :'(

sinus

Quote from: Mario on May 17, 2018, 01:26:40 PM


Quote: or create a new community website for you!

Thanks. But then the GDPR would apply to you as well. Running a community for a commercial product or service falls under the GDPR after May 25., as long as your community is open for EU citizens.

It's complicated. I've read many discussions, how-to's and law texts over the past weeks. Nobody knows really what this is all about. But I'm sure many shady law firms have already printed and stamped letters with "declarations of discontinuance" (Unterlassungserklärung) (expensive ones, naturally)... :'(

Not necessarily.
If I open a new forum with the topic "Photoshop", but don't sell the program myself, then this probably shouldn't affect the GDPR.
But of course, I don't know for sure.

And you're right, not many people know exactly and you read a lot of nonsense about it.
Best wishes from Switzerland! :-)
Markus

Mario

Quote: then this probably shouldn't affect the GDPR.

You should ask your lawyer in this case  :o ::)

Most discussions and articles I have read say exactly the opposite. If you mention, explain, endorse or whatever commercial software or other products, your blog / forum is no longer dedicated to private use. Private use would be you posting cat photos without any commercial interest (because you like cats) or you running a forum exclusively for your family and friends to discuss the latest family gossip...

Jingo

Quote from: Mario on May 17, 2018, 01:58:04 PM
Quote: then this probably shouldn't affect the GDPR.

You should ask your lawyer in this case  :o ::)

Most discussions and articles I have read say exactly the opposite. If you mention, explain, endorse or whatever commercial software or other products, your blog / forum is no longer dedicated to private use. Private use would be you posting cat photos without any commercial interest (because you like cats) or you running a forum exclusively for your family and friends to discuss the latest family gossip...

But... what if I then endorse a certain cat food on that blog... or - I mention that I bought a new car to my family and say what a great place "Don Juan Motors" is... that too would be subject to litigation?  What about blogs that review products?  Sounds kinda extreme...

Mario

Feel free to ask a lawyer. Many things are still fuzzy, but better safe than sorry.

Carlo Didier

There's many aspects to GDPR (as I'm working in IT, I see a lot of its effects!). Actually, nobody can say he has been caught unaware, because the GDPR has been in existence for two years now, during which everyone was supposed to get compliant, before it becomes binding on the 25th.

Unfortunately, not only companies, but also government institutions and lawmakers have slept over it. The effects are potentially disastrous for photographers! Taking a picture with a digital camera which automatically adds metadata is now a collecting of data which falls under the GDPR (unless the national government has adapted the GDPR with the option to put certain local laws above it, like the KUG in Germany, but the Germans missed the point ...).

The result is that from 25th on, it is legally impossible to take any pictures with unknown people in them in the public or even on private events without getting their written permission in advance! Imagine wanting to photograph the Colosseum in Rome with several hundred people in front of it. Theoretically, you then must get a written permission by everyone in the picture before you press the shutter! And that's even if you only take the picture for private, non-commercial use.

But that aspect is not even the fault of the GDPR, but rather of the various national governments who didn't realize the implications if they didn't do anything about it. Norway is one of the few who did it right.

sinus

Quote from: Carlo Didier on May 17, 2018, 05:09:36 PM

The result is that from 25th on, it is legally impossible to take any pictures with unknown people in them in the public or even on private events without getting their written permission in advance! Imagine wanting to photograph the Colosseum in Rome with several hundred people in front of it. Theoretically, you then must get a written permission by everyone in the picture before you press the shutter! And that's even if you only take the picture for private, non-commercial use.


Sorry, I cannot believe this.
Such pictures with persons on them have always been subject to the right of personality.
It also depends on whether someone complains or not.
In principle, people depicted (if they are not photographed in groups) could still sue for a newspaper (as an example) every day.

Photojournalists have very rarely had and still do have the written consent of people who photograph them and who will appear in the magazine in the next few days.
But this is rarely the case, because many people who appear in the newspaper when the article is positive simply have only joy. Such people rarely complain, but could undoubtedly do so.

I have experience with it myself, I have already had to go to court several times because people had sued.
But I won every time, luckily, because although I had nothing in writing, I could prove that the person "agreed" with it.
(complicated to explain legal phrases and so on).

Carlo, you're writing right, in theory. That may be true, but as explained, the practice is (usually) different. I don't think this GDPR has a big impact on photographers.
But of course on websites and the like it is different, there the impact is great.

But as always, of course, I can be wrong.
Maybe I'll be in jail in two months!  ;D 8)
Best wishes from Switzerland! :-)
Markus

Jingo

Agree with Markus... there is the "letter of the law" interpretation.. and then there is the "common sense" interpretation.... I HIGHLY doubt anyone is going to put someone in jail for taking a photo in public regardless of metadata... if the law was written in such a way - then it is obvious those who wrote the law missed the boat and an amendment or "re-interpretation" will be forthcoming really really soon!

Carlo Didier

Markus, you are right on the point of photojournalists ... if they are employed by a newspaper or other news agency, but not when they are freelance.

As I said, that's the theory if the GDPR is applied as written. We all think that common sense will prevail, but the problem is that the lawmakers didn't clarify the situation and that creates big problems for many professional photographers (like wedding photographers for example) because there is insecurity and danger of very expensive lawsuits.

There are many lawyers that specialize in milking people for their money with other such vague laws and this will play into their hands. There will be thousands of letters to blackmail money from freelance photographers ...

It's the insecurity about what could and will happen if you photograph someone, like at a wedding where you have a written contract and consent of the couple, but of nobody else who's there ... Anyone of the guests could use the GDPR to force you to remove him from all images (even years after the fact!!!) or try to get compensation from you.

sinus

Thanks, Carlo
It seems to be all very new and not everything is clear.

https://www.wbs-law.de/datenschutzrecht/dsgvo-und-fotografie-was-gilt-ab-25-mai-fuer-fotografen-fotojournalisten-und-private-77116/

Wedding:
A couple orders me to photograph their wedding.
There are usually a lot of people at this wedding, up to 100 and more.
And now?

Should I let everyone sign a contract?
Is that up to the couple?
Or don't do anything, like always photographing and delivering the pictures (on CD for example, not the web)?

Or should I refuse the order?  :o
Best wishes from Switzerland! :-)
Markus

Mario

That's one of the problems. After several years of working on this law. 4000 change requests. 2 years time for the EU to adapt to this law...all we have is questions. The same law applies to huge corporations like Google and little Joe's pet shop...

The problem is not (most) users. You can trust most users to have some common sense. For example, that I need to collect their email address in order to allow them access to the customer portal so they can download their software. Or that I sometimes need to send out emails to my customers/users to inform them about updates or special discounts. I don't share or sell your data. I don't care about where you live, what your skin or hair color is. Or if you plan a vacation in Italy (which is beautiful) next year. Or which car you drive...

The problem is created by sub-life which abuses email to send SPAM or advertisement. By sub-life which is abusing cookies or other web technologies to milk users, steal their data, sell their information for whatever purpose. By sub-life which makes money from collecting as much data about you as possible, and then selling that data to whoever pays for it. This means companies like Google, Facebook and others.  They earn billions of dollars by spying on all of us. Never forget, if something is free on the Internet, chances are that your data is the payment.

There are reasons why I host everything on my own platforms. Why I don't use Google analytics. Why I don't display advertisements on my web site or in this community. Doing so could easily cover the cost of operating all this. But I don't want to sell information about IMatch users to 3rd parties.

Back to the topic: Of course a wedding photographer will involuntarily take photos of Bob and aunt Annie. I doubt they will object to be photographed when they are part of Muriel's wedding. But there is also sneaky Pete, who wants to milk some quick bucks from the wedding photographer. And with the help of shady Al, his lawyer, he may now do so. If you can spot the references, be my guest  ;D

Most people understand that for me to run this community, I need to gather certain information. Like your user name. Or your IP address when you post.
I'm responsible. If you post something that is not appropriate, you abuse or blackmail other users, you post advertisements, unwanted or illegal political content or even instructions for building a bomb, I may get sued by German authorities if I don't remove your posts fast enough. And if the law knocks on my door, I need your IP to put the blame on you.

The new laws go into the right direction. But so many webmasters (like myself) are caught dead in the water because the companies or groups providing the software we use (from WordPress to Simple Machines Forum) have failed to use the 2 year period to get their act together...

Heck, even simple functionalities like "Make all users read and confirm a modified privacy policy" or "Allow a user to download all his/her posts" is unavailable. Sigh.

Kucera

As Mario said
"I probably have to first reply with a 15 page privacy statement you have to sign before I can reply to your email and support you..."
That may be a useful interim "band-aid fix" - if nothing else, it would demonstrate a "reasonable effort to comply" which would (in a worst case scenario) aid a defense and buy time to fully comply, at least if the site were attacked by the authorities. And would discourage private low-lifes from trying to gain by suing.
Regards  Emil

sinus

I for me think, I will go ahead like ever.  8)

The life is a risk.
If I jump into my car and drive 100 miles, it is a risk, that some idiot does something bad and I am dead.
And this risk (driving a car) is not that slow.  :-[

If a guest is picking his nose, I won't be photographing him with a Supertele.
And so my privilege is that I hold the camera in my hand.
When I take pictures, a person (usually) never knows for sure if they are on it.
In the event of a problem, I can always simply say that I took a different photograph.

I don't have to prove anything. The pictures are in my camera (I don't use WiFi) and I can watch them at home in peace. If I don't make it public, normally nothing will happen to me either, no problem (except special cases, for example if my hard disk is stolen or something like that).

So despite GDPR, as a photographer, I am reasonably on the safe side.
I doubt that much will change for a photographer. Because as I said, a right of personality has existed until now and many photographers could have been sued many times already.
I think the restrictions for websites and communities and the like are many times higher.
We'll see what the future holds.

Best wishes from Switzerland! :-)
Markus

DigPeter


Mario

We will see these popups, in addition to "We use Cookie" popups everywhere.
You will see similar disclaimers when you try to log into the customer portal after May 25.
I will also need to setup something similar for this community. And my new privacy policy is almost done, too.

sinus

Quote from: Mario on May 19, 2018, 07:39:32 AM
We will see these popups, in addition to "We use Cookie" popups everywhere.
You will see similar disclaimers when you try to log into the customer portal after May 25.
I will also need to setup something similar for this community. And my new privacy policy is almost done, too.

So far I haven't noticed a big difference personally. OK, a pop-up field here and there, and that's it.
I think that's and was a big hype for a little thing.

Many websites, which had great fears, in principle continue to run normally.
IF you take the GDPR really EXACTLY, ok, then many websites are affected.

But until there are at most first judgements, many things continue (almost) normally.
Including our site.  ;D
Best wishes from Switzerland! :-)
Markus

billy3

Hi,

I saw in the blue forum that anyone who wants to post or comment on a topic, or ask a question, automatically gives their consent to the storage of their data under the data protection regulation by clicking the Submit button.
Perhaps this approach is an option.
I also saw on TV that small businesses below a certain number of employees do not have to go to particularly great lengths regarding the data protection regulation. That concerned online retail, but it may also apply to "operating" the forum.
Regards
billy3

Mario

Quote from: billy3 on June 01, 2018, 03:43:05 PM
I also saw on TV that small businesses below a certain number of employees do not have to go to particularly great lengths regarding the data protection regulation. That concerned online retail, but it may also apply to "operating" the forum.

That is a misconception. It is only about "purely private" versus "commercial". Smaller companies and sole proprietors (moi!) merely do not have to appoint a data protection officer and have to document a little less.

But since I don't collect data (except, briefly and by necessity, things like the IP address), don't use tracking or Google Analytics, don't run ads, etc., my 20-page privacy policy is hopefully sufficient. Along with my cookie / privacy reminders shown to all users here, on my web site and in the customer portal.

Aubrey

I've taken to using Windscribe VPN (free with up to 2 GB of traffic) and setting my location in USA. This avoids all the GDPR stuff!   8)

sinus

Quote from: Mario on June 01, 2018, 03:55:04 PM
Quote from: billy3 on June 01, 2018, 03:43:05 PM
I also saw on TV that small businesses below a certain number of employees do not have to go to particularly great lengths regarding the data protection regulation. That concerned online retail, but it may also apply to "operating" the forum.
That is a misconception. It is only about "purely private" versus "commercial". Smaller companies and sole proprietors (moi!) merely do not have to appoint a data protection officer and have to document a little less.

No, that is not a misconception; depending on their activity, such micro-enterprises really do not have to go to particularly great lengths.
(For example, there is a special provision regarding keeping a record of processing activities (under Art. 30 GDPR) for organisations with fewer than 250 employees, among other things.)

The problem is that so many different things can be found with Google that nobody really knows what the actual situation is.
That certain law firms and lawyers naturally have an interest in stoking the uncertainty (and, in part, panic) is also obvious.

In principle, even the lawyers do not agree, except on one thing:
Some things will only become clearer once there is case law (court rulings).
And those will come at some point.

Best wishes from Switzerland! :-)
Markus

Carlo Didier

Quote from: Aubrey on June 19, 2018, 12:43:10 PM
I've taken to using Windscribe VPN (free with up to 2 GB of traffic) and setting my location in USA. This avoids all the GDPR stuff!   8)

Wrong! GDPR applies to any personal data about EU citizens, wherever in the world they are stored or treated!

sinus

Quote from: Carlo Didier on July 10, 2018, 03:47:44 PM
Quote from: Aubrey on June 19, 2018, 12:43:10 PM
I've taken to using Windscribe VPN (free with up to 2 GB of traffic) and setting my location in USA. This avoids all the GDPR stuff!   8)

Wrong! GDPR applies to any personal data about EU citizens, wherever in the world they are stored or treated!

Hm, it depends. For example, GDPR (DSGVO) does not apply to a purely private blog (without ads, etc.).
It's very complicated, but from my point of view there is also too much hype.
In addition, assuming someone sues a "small blogger" who has even placed some ad banners (i.e. no longer running under private), then the authority must also act proportionately.

The DSGVO provides for really high fines - up to 20 million euros or up to 4% of the world's annual turnover for companies. Well, 4% wouldn't ruin many little ones, and that won't happen anyway.
The emphasis here is on "possible fines". As I said, if the authorities are targeted, their actions must always be proportionate.
And usually an authority relies more on advice than punishment for "small fish". Article 83(2) also gives a list of points for the fines, where the small club, which acted out of ignorance, would have little to fear. Against such people there will be usually no punishment with offence, but a warning with references, how one observes DSGVO correctly.

But it is quite clear that DSGVO is very complicated and above all, to my knowledge, practically no court decisions have yet been made. Because once a judgement has been made, others will rely on it. GDPR is still really deep, murky water.
Best wishes from Switzerland! :-)
Markus