Non-profits 9 min read·

GDPR for Non-Profit Organizations: Real Obligations

Associations are subject to GDPR like any other organization. But the real obligations for a small association are much simpler than people think — provided you know the rules.

What Data Do Associations Process?

Members
Name, address, email, phone, membership fee, membership date
Volunteers
Contact details, availability, skills, medical emergencies (if relevant)
Donors
Identity, donation amounts, banking details, tax receipts
Event participants
Registrations, attendance, event photos/videos
Employees (if applicable)
Full HR file, pay slips, contracts
Website / newsletter
Subscriber email addresses, analytics cookies, contact forms

The 5 Essential Obligations for an Association

1
Inform at collection

Every membership, donation, or registration form must mention: association identity, purpose (member management, newsletter, etc.), legal basis, retention period, data subject rights. A simple text under the form suffices.

2
Keep a simplified processing register

Even small associations must keep an Art. 30 register. It can be very simple for a small structure: a table listing processing activities (members, newsletter, events), their legal basis, and retention periods.

3
Secure member data

The member list must not be accessible to anyone. Password-protected Excel file, sharing limited to authorized officers. Event photos and videos: only publish people who have consented.

4
Don't share without reason

Never transmit the member list to partners, sponsors or federations without explicit member agreement. Sharing associative directories can be an underestimated GDPR risk.

5
Manage data subject rights

Anyone can request access to their data, correct it, or delete it. Provide a dedicated contact email (e.g., gdpr@[association].org) or a designated officer. Response time: 1 month.

Is your association's website GDPR compliant?

Cookies, forms, newsletter: RGPDScan checks your site's compliance in 60 seconds. Free.

The Derogation for Religious, Political or Union Associations

Article 9.2.d of GDPR provides an important derogation: non-profit associations with political, philosophical, religious or union purposes can process data revealing members' beliefs without additional consent, under three strict conditions:

  • Processing concerns only members or persons in regular contact with the association.
  • Data is not disclosed outside the association without the consent of the persons concerned.
  • Data is not cross-referenced with other processing unrelated to the associative purpose.

This derogation typically covers: political parties (activism data), unions (membership data), religious associations (religious practice data), philosophical associations.

Going Further

Frequently Asked Questions

Must a small association of 10 members comply with GDPR?
Yes. GDPR applies to any legal entity processing personal data, regardless of size. However, obligations are proportionate: a small association has reduced obligations (simplified register, no mandatory DPO).
Can the member list be published on the association's website?
Not without explicit consent from each member. The member list is personal data. Publication only possible if each member has specifically consented to publication of their name on the site.
Does GDPR apply to religious associations?
Yes, with a notable derogation: Art. 9.2.d GDPR allows religious associations to process data relating to their members' religious beliefs without additional consent, provided this data remains strictly internal and is not disclosed to third parties without consent.
How long to retain former member data?
After membership ends: 3 years for contact data (limitation period for associative actions), unless specific legal obligation. Accounting data (membership fees): 10 years. Volunteer data: 5 years after end of mission.
Must an association appoint a DPO?
A DPO is required for associations processing at large scale sensitive data (religious, political, union, health) or conducting systematic large-scale monitoring. For most small associations, a DPO is recommended but not required.
Does an association's newsletter require consent?
Yes. Even for members, the newsletter requires their explicit agreement to receive communications. Membership doesn't equal consent to electronic prospecting. Offer opt-in at membership and each renewal.

Check your association's website compliance

Free GDPR scan in 60 seconds. Cookies, forms, newsletter: everything automatically checked.