
Data protection in the association - requirements and implementation according to the GDPR

The GDPR also plays an important role in the association.

As controllers within the meaning of Art. 4 No. 7 GDPR, associations are obliged to fulfill all data protection requirements and to demonstrate compliance with them (Art. 5 para. 2 GDPR - accountability). Implementation regularly poses considerable practical challenges, especially for smaller, voluntarily organized associations. The following explanations summarize the essential obligations in the association.

Lawfulness of data processing

The central legal basis for data processing in the association is Art. 6 para. 1 lit. b GDPR - the fulfillment of the membership contract, as specified by the association's statutes. In addition, legitimate interests (Art. 6 para. 1 lit. f GDPR) or consent (Art. 6 para. 1 lit. a GDPR) may justify the processing. Consent is required in particular if data is processed or published beyond the purposes of membership (e.g. photos, birthday lists, appeals for donations by email). Consent must be voluntary, informed, unambiguous, tied to a specific purpose and revocable at any time. It must be documented in writing or electronically and must not be hidden in general declarations.

When processing special categories of personal data (Art. 9 GDPR) - e.g. health data - explicit consent is regularly required. This typically applies to self-help groups, trade unions or religious associations.

Organizational responsibility in the association

The board of the association is responsible, both legally and in practice, for compliance with data protection regulations (Section 26 (1) sentence 2 BGB in conjunction with Art. 24 GDPR). It must take appropriate technical and organizational measures to ensure the lawfulness of data processing.

This also includes the delegation of tasks, for which data protection-compliant implementation must be ensured. Even where tasks are delegated, overall responsibility remains with the board.

Confidentiality and information obligations

All persons entrusted with the processing of personal data in the association must be obliged to maintain confidentiality. Although the GDPR does not contain a provision corresponding to Section 5 BDSG (old version), a documented commitment to the data protection principles of Art. 5 para. 1 GDPR is required.

In addition, it must be ensured that the data subjects - in particular members, volunteers and service providers - are informed about the processing of their data in accordance with Art. 13 and 14 GDPR. These information obligations should be integrated into the membership form, whereby subsequent information is recommended for existing memberships.

Security of processing in the association

The security of the processing of personal data is a central principle of the General Data Protection Regulation. According to Art. 32 GDPR, controllers - including associations - are obliged to take appropriate technical and organizational measures (TOM) to ensure a level of protection appropriate to the risk. These measures must be reviewed regularly and adapted if necessary.

Technical protective measures include, for example:

  • encryption of stored and transmitted data (e.g. transport and end-to-end encryption for emails),
  • password protection and two-factor authentication for access to member data,
  • regular security updates and virus protection software,
  • separate user accounts on shared systems,
  • automatic locking mechanisms in the event of inactivity.

The organizational measures in the association include:

  • a clearly regulated authorization and role concept for data use,
  • training of board members and volunteers in the secure handling of personal data,
  • the creation of a data protection and IT security concept,
  • the definition of reporting channels in the event of data protection incidents,
  • written rules on the use of private devices ("Bring Your Own Device") and their control.

In addition, backup concepts, logging of accesses and deletion concepts for data that is no longer required are part of the data protection organization.
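Three of the measures listed above (an authorization and role concept, logging of accesses, and automatic locking on inactivity) can be made concrete in a few lines of code. The following Python script is an added illustration, not code from the original article or from any product it mentions: it keeps a small directory of constructed sample member records, lets each role read only the fields its task needs, writes every read attempt (granted or refused) to an access log, and locks a session that has been idle longer than a fixed limit. The roles, field names, member data and the 15-minute limit are assumptions chosen for the example.

```python
"""Role-based access to member data with an access log and an inactivity lock.

Constructed illustration of organizational measures under Art. 32 GDPR
(authorization/role concept, logging of accesses, automatic locking on
inactivity). Not code from the original article; all roles, fields and
member records are invented sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Role concept (assumed for the example): each role may read only the
# fields it needs for its task, which also implements data minimisation.
ROLE_FIELDS = {
    "treasurer": {"name", "iban"},              # contribution accounting
    "secretary": {"name", "email", "address"},  # membership administration
    "trainer": {"name"},                        # attendance lists only
}

# A session idle for longer than this is locked automatically (assumed value).
INACTIVITY_LIMIT = timedelta(minutes=15)

# Constructed sample member record; no real person.
MEMBERS = {
    1: {"name": "Erika Mustermann", "email": "erika@example.org",
        "address": "Musterstr. 1, 12345 Musterstadt",
        "iban": "DE00 0000 0000 0000 0000 00"},
}


class FakeClock:
    """Injectable clock so the inactivity rule can be exercised deterministically."""
    def __init__(self, start=None):
        self.now = start or datetime(2024, 1, 1, 9, 0)

    def __call__(self):
        return self.now

    def advance(self, minutes):
        self.now += timedelta(minutes=minutes)


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    locked: bool = False


class MemberDirectory:
    def __init__(self, members, clock=datetime.now):
        self._members = members
        self._clock = clock
        self.access_log = []  # every read attempt, successful or refused

    def open_session(self, user, role):
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role: {role}")
        return Session(user, role, self._clock())

    def _log(self, when, session, member_id, fields, outcome):
        self.access_log.append({"time": when.isoformat(), "user": session.user,
                                "role": session.role, "member": member_id,
                                "fields": sorted(fields), "outcome": outcome})

    def read(self, session, member_id, fields):
        now = self._clock()
        fields = set(fields)
        # Automatic locking: an idle session is locked and stays locked.
        if session.locked or now - session.last_activity > INACTIVITY_LIMIT:
            session.locked = True
            self._log(now, session, member_id, fields, "denied: inactivity")
            raise PermissionError("session locked after inactivity")
        # Authorization: the role must cover every requested field.
        if not fields <= ROLE_FIELDS[session.role]:
            self._log(now, session, member_id, fields, "denied: role")
            raise PermissionError(f"role {session.role} may not read {sorted(fields)}")
        session.last_activity = now
        self._log(now, session, member_id, fields, "ok")
        record = self._members[member_id]
        return {f: record[f] for f in fields}


def run_demo():
    """Treasurer reads permitted fields, is refused others, then times out."""
    clock = FakeClock()
    directory = MemberDirectory(MEMBERS, clock=clock)
    session = directory.open_session("anna", "treasurer")
    directory.read(session, 1, ["name", "iban"])   # within the treasurer role
    try:
        directory.read(session, 1, ["email"])       # not part of the role
    except PermissionError:
        pass
    clock.advance(20)                               # exceeds INACTIVITY_LIMIT
    try:
        directory.read(session, 1, ["name"])        # refused: session locked
    except PermissionError:
        pass
    return directory.access_log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The access log records refused attempts as well as granted ones, which is what makes it useful when demonstrating accountability (Art. 5 para. 2 GDPR) or investigating a suspected incident; a log that only records successes cannot show who tried to read data outside their role.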


Rights of the data subjects

Associations must establish internal procedures to ensure that requests from data subjects are processed swiftly, completely and in compliance with data protection regulations. This includes, in particular, the establishment of a central point of contact for data protection concerns, the training of responsible persons and the documentation of incoming inquiries and their processing steps.

Pursuant to Art. 15 GDPR, data subjects have a right to information about the personal data stored about them. This right to information includes the purposes of the processing, the categories of data processed, the recipients or categories of recipients to whom the data has been or will be disclosed, the planned storage period or the criteria for determining this period and the existence of other rights of data subjects. Information must also be provided about the origin of the data (if it was not collected from the data subject) and the existence of automated decision-making, including profiling.

In addition, under certain legal conditions, data subjects have the right to:

  • Correction of incorrect data (Art. 16 GDPR),
  • Erasure ("right to be forgotten", Art. 17 GDPR),
  • Restriction of processing (Art. 18 GDPR),
  • Data portability (Art. 20 GDPR) and
  • Objection to the processing of their data (Art. 21 GDPR).


Associations are obliged to fulfill these rights in a timely manner - usually within one month - and to inform the data subject of the measures taken. If a request is rejected, reasons must be given and the data subject must be informed of the right to lodge a complaint with the data protection supervisory authority.

Data protection officer and register of processing activities in the association

A data protection officer must be appointed if at least 20 people regularly process personal data automatically (Section 38 BDSG). This also includes volunteers and part-time employees. If there is no obligation to appoint a data protection officer, a voluntary appointment may be advisable for special risks, e.g. self-help groups or political associations.

Every association must also keep a register of processing activities in accordance with Art. 30 GDPR. This must include all regular data processing activities, in particular membership administration, contribution accounting or the operation of a website. The exception under Art. 30 para. 5 GDPR is rarely applicable in practice, as associations regularly process personal data on a permanent basis.

Data protection impact assessment

A data protection impact assessment (DPIA) pursuant to Art. 35 GDPR must be carried out if processing is likely to result in a high risk to the rights and freedoms of data subjects. This is rarely the case in the typical activities of an association, but could become relevant if:

  • extensive health data is collected and processed in self-help groups,
  • systematic tracking or video surveillance is carried out,
  • particularly sensitive data categories are analyzed using AI or profiling methods.


If a DPIA is mandatory, it must be carried out and documented before data processing begins. The risk mitigation measures must also be specified, and the supervisory authority must be consulted if the risk cannot be mitigated.

In case of doubt, associations should check whether a DPIA is necessary and carry out a structured risk assessment to safeguard themselves. However, for many standard processing operations - such as membership administration or contribution accounting - there is generally no obligation to carry out a DPIA.

In accordance with Art. 32 GDPR, suitable technical and organizational measures must be implemented to secure data processing. These include, in particular, encryption, authorization concepts, the separation of association and private data and effective management of end devices that are also used in the home office. An IT security concept is also recommended. Sending personal data by email should at least be transport-encrypted; end-to-end encryption is recommended for particularly sensitive data. When using private devices, care should be taken to classify and separate data, e.g. by using separate user accounts.

Publication of club information

In the case of the publication of personal data - such as names, functions, pictures or birthdays - documented consent must generally be obtained. This applies in particular to:

  • Individual and group photos at events,
  • Result lists from tournaments or competitions,
  • Mention of honorary memberships or anniversaries,
  • Publication of meeting minutes or contact persons on the website.


Sections 22 and 23 KUG also apply to photos. Although these allow publication without consent in certain cases (e.g. for images of meetings or historical events), there is considerable legal uncertainty, particularly in the case of digital distribution. In the context of associations, consent should therefore always be obtained, which must be unambiguous, voluntary and revocable.

Particular caution is also required when passing on data to service providers: If an external third party not only provides support, but also processes the data on behalf of the controller, this regularly constitutes commissioned processing within the meaning of Art. 28 GDPR - this requires a separate contract.

For reasons of traceability and accountability, every data transfer - especially on the Internet - should be documented internally in order to be able to prove compliance with data protection requirements in the event of complaints or audits by supervisory authorities.

Data transfers to third parties - in particular to umbrella associations, association-related organizations, external service providers or the public via websites - require a legal basis. The publication of personal data on the internet constitutes a data transfer within the meaning of the GDPR and is generally only permitted on the basis of consent. The same applies to photos, minutes of meetings and lists of results, unless an exception applies under the Art Copyright Act (Sections 22, 23 KUG). To be on the safe side, consent should always be documented - especially for individual and group photos.

Commissioned processing and website

If an external service provider is commissioned to process personal data, a data processing agreement (commissioned processing contract) must be concluded in accordance with Art. 28 GDPR. This is the case, for example, when commissioning IT service providers, tax consultants or hosting providers.

A privacy policy in accordance with the GDPR must be easily accessible on the association's website and available on every subpage. Among other things, this must contain information on the controller, the data protection officer (if appointed), the purposes, the legal basis, the retention periods and the rights of data subjects. Cookie consent banners and transparent information on tracking and analysis tools are also mandatory.

Social media

According to the current legal situation, the use of Facebook fan pages and other social networks is not advisable, as they regularly do not meet the data protection requirements of the GDPR - in particular with regard to joint responsibility and third country transfers. If use is mandatory, additional technical measures (e.g. two-click solutions) must be taken.

Source: Data protection in the association according to the GDPR

Do you need support with implementation in your association? We offer practical data protection advice and digital solutions - efficient, understandable and legally compliant.

Get in touch with us - we can help!
☎️ +49 (228) 926165-100
📧  info@2b-advice.com
