Data Protection in the Association

Expert solutions from heyData

Data Protection in the Association

Data protection is not only a must for large companies. Associations also need to protect sensitive data. heyData is your competent partner that offers solutions specially tailored to the needs of associations.

  • Comprehensive and digital data protection audit
  • Creation of complete data protection documentation
  • External data protection officer for associations

The importance of the GDPR for associations

In today's digital world, data protection is essential - and this also applies to associations. Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, associations have also been obliged to comply with the rules. Failure to do so could result in high fines of up to 20 million euros.
The GDPR affects every association, large or small. Here are some important points to bear in mind:

  • Consent to data processing must be given in writing
  • Only the most necessary personal data should be collected
  • All processes involving personal data must be reviewed

What types of personal data could occur in an association?

An association may process different types of personal data depending on its activities and interactions with members, employees, and other individuals. Here are some examples:

  • Member data: This often includes information such as names, addresses, telephone numbers, email addresses, dates of birth, gender, photographs and possibly bank account details for membership fees.
  • Employee data: If the association has employees, it may hold personal data such as social security numbers, salary information, contact details, performance reviews and other work-related information.
  • Volunteer data: Similar to employee data, the association may collect information such as names, contact information and details about volunteers' activities and involvement with the association.
  • Donor data: Associations that collect donations may hold information such as names, addresses, donation amounts and payment details.
  • Visitor data: If the association holds events or has premises that are used by visitors, data such as visitor lists, contact information and photos/videos of events may be collected.
  • Communication data: This may include email correspondence, social media messages, contact form submissions on the website and other forms of communication with the association.

When is a data protection officer required in an association?

According to the GDPR, the appointment of a data protection officer is mandatory if at least 20 people in an association are permanently involved in the processing of personal data. This includes activities such as collecting, storing, processing, or transmitting such data.

Internal vs. external data protection officer in the association

An association has the choice of either appointing an internal employee as a data protection officer or hiring an external service provider for this role, such as heyData. Both options have their advantages and disadvantages. While an internal officer is already familiar with the internal processes and structures of the association, an external data protection officer offers a more objective view and specialized know-how.

Qualifications and further training

Regardless of whether the data protection officer is internal or external, they must have specialist knowledge of data protection law and practices. This includes an understanding of the GDPR and other relevant data protection regulations. It is also essential that the data protection officer undergoes continuous training to keep up to date with the latest legislation and technology.

Tasks of the data protection officer

The data protection officer has several tasks, including:

  • Advising the association on data protection issues
  • Training employees on data protection issues
  • Acting as the point of contact for the supervisory authorities
  • Checking compliance with the GDPR within the association

The rights of association members regarding data protection

It is important to know and respect the rights of members in the context of the GDPR, namely:

  • The right to access their own data
  • The right to rectification and erasure
  • The right to restriction of processing
  • The right to data portability
  • The right to object to processing
  • The right to lodge a complaint with the supervisory authority

The GDPR applies to associations with members, volunteers, and/or donors in the European Union. It is important to understand that the GDPR aims to ensure the protection of personal data, regardless of whether it is processed by companies, organizations, or associations.

What happens in the event of a data breach?

Liability and compensation

An association can be fined heavily for violations of the GDPR. The amount of the fine can be up to 20 million euros. In addition, claims for damages may arise, for which the data protection officer can also be held liable in some cases.
If an organization violates the provisions of the GDPR and a person suffers material or non-material damage as a result of this incident, the compensation provisions of the GDPR apply. Liability for such damage initially lies with the organization or a processor. However, the latter is only liable if it has not complied with the association's regular instructions or has not fulfilled its obligations under the GDPR in the course of its activities.

The checklist: some points that should always be considered when processing personal data

  • Ensure a legal basis for the processing of personal data
  • Document compliance with the GDPR
  • Implement the principle of data minimization
  • Ensure the implementation of data subjects' rights
  • Inform data subjects about the processing of their data
  • Ensure that the website is GDPR-compliant
  • Train employees who come into contact with personal data


Complaints and rights to information: what associations should know

One important aspect that should not be neglected in the context of the GDPR is complaints and requests from data subjects. The number of complaints has increased since the introduction of the GDPR. Any person is entitled to complain to the state data protection officer. As soon as such a complaint is received, the state data protection officer becomes active and examines the facts of the case.

Requests from data subjects: what to do?

A frequent reason for complaints is the improper handling of requests from data subjects. Associations are obliged to respond to requests from data subjects without delay, and in any case within one month. These data subject requests include:

  • Requests for information about the stored data of the data subject
  • Request for deletion
  • Exercise of the right of objection or revocation
  • Requests for rectification and restriction

To ensure that the process of responding to requests from data subjects runs smoothly, clear procedures must be established within the association. Clear rules should be established to ensure that requests from data subjects are answered quickly. This minimizes the risk of complaints to the state data protection officer and keeps the association out of the focus of the supervisory authorities.

How to prepare for the future

It is to be expected that checks on compliance with data protection regulations will increase in the future. It is therefore advisable to act proactively and check whether the processes are complete and whether the employees are sufficiently trained. External service providers such as heyData can offer valuable support here.
heyData offers special packages for associations that provide comprehensive data protection support. From the creation of data protection documentation to annual audits and employee training, we cover all aspects to make your association GDPR-compliant.

Conclusion

Data protection is more than just a legal obligation; it is the key to your members' trust. A well-thought-out data protection concept minimizes risks and strengthens the trust of everyone involved. If you have any uncertainties or questions about the implementation of the GDPR, do not hesitate to seek professional advice. heyData is your expert for data protection and is at your side for all questions.

Hear it From Our Customers

"heyData impressed us with their digital software solution and expertise. Like us, heyData is a digital pioneer in a rather traditional and less digital industry. heyData is a strong partner for the BRZ Group."

Markus Schobert

Head of Customer Service at BRZ Gruppe

"heyData is a great help for us and makes the topic of data protection really easy. We are very satisfied with the digital audit, the online training and the customer support."

Leonard von Kleist

CTO & Co-Founder at Hive Technologies GmbH

"I value this feature for its ability to simplify supplier risk assessment. It is an indispensable tool for anyone dealing with data compliance in the European Union and Switzerland."

Jan Stephan

Head of Legal Affairs at Learnship

"As a customer, we have only had good experiences with heyData's support and communication. Questions were answered in detail, responses were always prompt and personal 1-1 support is also no problem."

Roman Georgi

Director Of Customer Support at AMBOSS

“What sets heyData apart is its responsiveness and rapid implementation.”

Sandra Scherzer

Legal department at Bioland

"We always receive competent and prompt advice from heyData and have so far been able to find a satisfactory solution to every question relating to the GDPR or data protection in general."

Nikolai

CTO at Instaffo GmbH

FAQ

  • State data protection officer: This person is an authority appointed by the state parliament that is responsible for monitoring and enforcing data protection laws in a specific federal state in Germany. They provide advice, carry out inspections and are the first point of contact for complaints from citizens. They are not directly linked to a specific association or company.
  • Data protection officer in the association: This is a person appointed by an association to ensure that the organization complies with data protection laws. This person is responsible for training employees, monitoring data processing and communicating with the supervisory authority.

The answer to this is complicated, as it depends on various factors. Article 5, paragraph 1 of the GDPR speaks of an "appropriate" duration, which depends on the purpose of the data processing. Irrespective of this, statutory retention periods must be observed.

Yes, you may, but not without restrictions. According to the Competition Act, consent is often required, which should be obtained and the association's privacy policy should provide transparent information about this.

Associations are obliged to provide comprehensive information to all persons whose data they process. This includes what data is collected, why it is collected and how long it is stored.

In specific cases, if no other legal basis applies, the association must obtain the explicit, informed, and unambiguous consent of the data subjects if it wishes to use personal data for certain purposes.

In cases where data processing could pose a high risk to the rights and freedoms of data subjects, a data protection impact assessment is required. This assesses the risks and defines measures to mitigate them.