Data protection for associations - does my association need action?

A. Shpak
Updated on

The much vilified subject of the GDPR has created more uncertainty than trust in Germany, if not Europe. What many do not know here is that the topic can be a real blessing for us if you do it right.

Let me therefore explain the most important points around the topic of "data protection in the club", clear up prejudices and show you that the topic can definitely help you and your club.

What is the General Data Protection Regulation about?

Since May 25, 2018, the uniformly applicable General Data Protection Regulation, or GDPR for short, has existed throughout the European Union. This regulation replaces the previously applicable Federal Data Protection Act and brought a standardization and improvement of the EU-wide, very different data protection laws. Before, there was real chaos, which made it virtually impossible for many clubs and associations to exchange ideas with partner clubs or even to maintain data together.

The big difference between the GDPR and its predecessor is mainly in the vocabulary. Order data processing was previously called order processing, for example.

Why does data protection affect my association at all?

The GDPR is always relevant when personal data is collected, stored and processed. Personal data are those that can be used to identify a specific person. This is for a name, a customer number, addresses, but also account data. The GDPR does not apply as soon as a specific person can no longer be identified.

If your association works with personal data, the work falls under the law of the GDPR, from its collection to its deletion. It is also important that you are only allowed to process the data if there is a legal basis for doing so.

It is not surprising that in the vast majority of associations come into contact with the laws of the GDPR.

Who is responsible for the implementation of the GDPR in my association?

In the association, the board of directors is fundamentally responsible for compliance with the GDPR and thus also for the introduction of data protection measures. If there is a data protection officer in your association, who can be internal or external, he is responsible for implementation and monitoring. 

What if I haven't implemented anything for the GDPR in my club?

Don't worry, you are nowhere near the last. Nevertheless, you should take the topic very seriously, because the puppy protection on the subject of GDPR has evaporated, so that penalties are now implemented faster and tougher.

If you have not yet fully implemented the GDPR, it is advisable to tackle the externally effective areas first and then secure the internal ones.

In this case it is best to proceed as follows:

  • Adapt data protection information obligations on the website (see below)
  • Revise data protection declarations of consent (see below). This means that when you add new data, your member must actively consent to this collection
  • Appoint a data protection officer if more than 20 people are involved in the processing of personal data. You can name the data protection officer internally or call in an external advisor. In both cases, you must report to the data protection officer of the state data protection authority

You should also carry out the other measures:

  • Establish / renew a register of processing activities
  • Fulfill information obligations (see below) towards members, employees and all participants whose data I process
  • Conclude / renew order processing contracts
  • And very important: Make sure you draw up a rough contingency plan on how to deal with data protection violations.

What is the record of processing activities?

The list of processing activities gives you and the members transparency about the processing of personal data. In addition, the directory also serves as a legal safeguard.

All processing operations in which you process personal data are recorded in the directory of processing activities. In clubs, this is usually the member administration or bookkeeping.

For each of these processes you should be able to explain the following:

  • For what purpose are the data processed?
  • Which data are processed?
  • On what legal basis is the data processed?
  • If applicable, to whom will the data be transmitted?
  • Which measures are taken to protect the data?

Don't worry, if you are wondering how such a directory should look, you can find it under our downloads.

What are the data protection information obligations mentioned above?

There are extensive information obligations for associations to ensure maximum transparency for those affected, such as members, service providers, employees or users. These are especially necessary for the website of your association and the recruitment / acceptance of new members.

The data protection information obligations oblige you as an association to inform the members comprehensively if you process their personal data such as names or e-mail addresses.

As an association, do I have to take care of data security?

Yes you definitely have to. You are obliged to ensure that your data is adequately protected. That means protection against unauthorized access to the data, always up-to-date virus protection, regular security updates of operating systems and electronic data processing systems (EDP).

If you enter into contracts with third parties, such as a program for sending newsletters, you should also always conclude an order processing contract to ensure that the data is really only used for the intended purpose. If your service providers then breach and they have not adhered to the GDPR or your order processing contract, you are covered and out of liability.

What do I have to do now as the person responsible for the club?

The effort is manageable if you were already well positioned. You should make small adjustments to the information requirements. Furthermore, you should adapt the directory on the processing activities and check the contracts for order processing. Please also familiarize yourself with the documentation and proof obligations of the GDPR in order to be able to prove proper data processing in the worst case. You can already find the instructions for this in this article.

What does the GDPR look like at Loxonet?

Data protection is of course our top priority and we can proudly share our concept with you. Have a look at our article on data protection issue stop by and get to know our safety standards.


Moin ????
Nice to meet you

Would you like to be kept informed about Loxonet updates on a regular basis?

We do not send spam! We send a maximum of one newsletter per month.