What impact does the GDPR have on clubs and associations?
All clubs and associations fall under the GDPR regardless of how they are organized. In addition, every club or association with more than 20 employees must appoint an internal or external data protection officer.
Why is the GDPR relevant for your club or association?
As an association, you process the personal data of your members. In addition to the legal obligation, you also have an ethical responsibility towards your members to process their data confidentially.
Does a club or association have to appoint a data protection officer?
Yes, in accordance with Art. 37 GDPR a data protection officer must be appointed in the association if the association has more than 20 employees. You must take into account that not only full-time employees are counted, but also part-time employees, mini-jobbers and volunteers. An internal or external data protection officer can be appointed. 2B Advice can provide your club or association with an experienced legal and data protection expert as an external data protection officer: External Data Protection Officers: Services of 2B Advice GmbH (2b-advice.com)
What should you pay attention to when it comes to GDPR compliance in your club or association?
Typical questions in this regard are:
- May membership lists be published?
- What contact information of members may be passed on to third parties?
- Who is authorized to process, read and delete the data?
- How long may/must I keep the data?
These are some important considerations for data protection in your club or association.
What liability do you have as a club or association board member if data protection is disregarded?
When the GDPR came into effect in 2018, with fines of up to four percent of the previous year's global turnover, some of the toughest penalties for data protection violations in the world were introduced. This gives regulators powerful leverage to enforce compliance with the laws that Consent of the data subjects and to reduce the likelihood of data breaches occurring. Apart from the pressure and the threat of fines, even a small fine or a data breach affects the reputation of and trust in your club or association. Therefore, those responsible for the association must ensure that clear guidelines for functioning data protection are given and implemented.
What categories of personal data does a club or association collect?
The personal data collected from association members may include name, address, date of birth, gender, telephone number, e-mail address, bank account details and religious or political beliefs.
What typical data processing takes place in a club or association?
The typical data processing activities of a club or association include
- Member administration and communication
- Website
- Donor website
- Social media
- Organization of events
A data protection checklist for your club or association that you should consider
The data protection checklist of your club or association should include a list of processing activities that contains the following information:
- Name and contact details of the person responsible
- Purpose of the processing
- Categories of affected persons
- Categories of personal data
- Legal basis of the processing
- Authorized users
- Deletion periods
- Technical and organizational measures (TOM)
- Recipient of the data
In addition, you must note that for some data processing, association members must give their explicit consent before the processing starts.
Special obligations of those responsible
Persons who are responsible for a club or association, such as board members, have a special obligation to comply with and guarantee data protection.
Data protection impact assessment for clubs and associations
A data protection impact assessment is required if data processing is likely to result in a high risk to the rights and freedoms of data subjects. Data protection impact assessments are important accountability tools and are one of the requirements that clubs and associations must meet in order to protect the personal data they process. A data protection impact assessment may require specialized legal and data protection expertise or tools that your association board does not have. 2B Advice can provide your club or association with expert support for data protection impact assessments.
Always keep the privacy policy on the website of your club or association up to date
If you haven't reviewed the privacy policy on your club or association's website for a long time, now is a good time to do so. Does it cover the following points?
- Who is the responsible person?
- Which processing purposes take place on which legal basis?
- How long will the data be stored?
- What rights do the data subjects have?
- Is there a list of the cookies used and a feature for obtaining consent?
Do what is best for data protection in your club or association
If you are looking for legal expertise on the GDPR, a data protection officer or an external data protection officer, or would like to find out more about data protection and the obligations of your club or association, contact 2B Advice today. We will be happy to assist you!





