Data protection for associations

What impact does the GDPR have on clubs and associations?

All clubs and associations are subject to the GDPR, regardless of how they are organized. In addition, every club or association with more than 20 employees must appoint an internal or external data protection officer.

Why is the GDPR relevant for your club or association?

As an association, you process the personal data of your members. In addition to the legal obligation, you also have an ethical responsibility towards your members to process their data confidentially.

Does a club or association have to appoint a data protection officer?

Yes, in accordance with Art. 37 GDPR, a data protection officer must be appointed in the association if the association has more than 20 employees. You must take into account that not only full-time employees are counted, but also part-time employees, mini-jobbers and volunteers. An internal or external data protection officer can be appointed. 2B Advice can provide your club or association with an experienced legal and data protection expert as an external data protection officer: External Data Protection Officer: Services of 2B Advice GmbH

What should you pay attention to when it comes to GDPR compliance in your club or association?


Typical questions in this regard are:

  • May membership lists be published?
  • What contact information of members may be passed on to third parties?
  • Who is authorized to process, read and delete the data?
  • How long may/must I keep the data?

These are some important considerations for data protection in your club or association.


What liability do you have as a club or association board member if data protection is disregarded?

When the GDPR came into effect in 2018, with fines of up to four percent of the previous year's global turnover, it introduced some of the toughest penalties for data protection breaches in the world. This gives regulators powerful leverage to enforce compliance with the law, ensure data subject consent and reduce the likelihood of data breaches occurring. Aside from the pressure and threat of fines, even a small fine or data breach can damage the reputation of, and trust in, your club or association. Therefore, those responsible for the association must ensure that clear guidelines for functioning data protection are issued and implemented.


What categories of personal data does a club or association collect?


The personal data collected from association members may include name, address, date of birth, gender, telephone number, e-mail address, bank account details and religious or political beliefs.


What typical data processing takes place in a club or association?

The typical data processing activities of a club or association include:

  • Member administration and communication
  • Website
  • Donor website
  • Social media
  • Organization of events

A data protection checklist for your club or association that you should consider


The data protection checklist of your club or association should include a record of processing activities that contains the following information:

  • Name and contact details of the person responsible
  • Purpose of the processing
  • Categories of affected persons
  • Categories of personal data
  • Legal basis of the processing
  • Authorized users
  • Deletion periods
  • Technical and organizational measures (TOM)
  • Recipient of the data


You must also note that association members must explicitly consent to some data processing before processing begins.


Special obligations of those responsible


Persons who are responsible for a club or association, such as board members, have a special obligation to comply with and guarantee data protection.


Data protection impact assessment for clubs and associations


A data protection impact assessment is required if data processing is likely to result in a high risk to the rights and freedoms of data subjects. Data protection impact assessments are important accountability tools and are one of the requirements that clubs and associations must meet in order to protect the personal data they process. A data protection impact assessment may require specific legal and data protection expertise or tools that your association board does not have. 2B Advice can support your club or association with data protection impact assessment expertise.


Always keep the privacy policy on the website of your club or association up to date


If you haven't reviewed the privacy policy on your club or association's website for a long time, now is a good time to do so. Check whether it covers the following points:

  • Who is responsible?
  • Which processing purposes take place on which legal basis?
  • How long will the data be stored?
  • What rights do the data subjects have?
  • Is there a list of the cookies used and a feature for obtaining consent?


Do what is best for data protection in your club or association


If you are looking for legal expertise on the GDPR, an external data protection officer or data protection management software, or would like to learn more about data protection and the obligations of your club or association, contact 2B Advice today. We will be happy to support you!
