GDPR for Non-Profit Organizations: Real Obligations
Associations are subject to GDPR like any other organization. But the real obligations for a small association are much simpler than people think — provided you know the rules.
What Data Do Associations Process?
The 5 Essential Obligations for an Association
Every membership, donation, or registration form must mention: association identity, purpose (member management, newsletter, etc.), legal basis, retention period, data subject rights. A simple text under the form suffices.
Even small associations must keep an Art. 30 register. It can be very simple for a small structure: a table listing processing activities (members, newsletter, events), their legal basis, and retention periods.
The member list must not be accessible to anyone. Password-protected Excel file, sharing limited to authorized officers. Event photos and videos: only publish people who have consented.
Never transmit the member list to partners, sponsors or federations without explicit member agreement. Sharing associative directories can be an underestimated GDPR risk.
Anyone can request access to their data, correct it, or delete it. Provide a dedicated contact email (e.g., gdpr@[association].org) or a designated officer. Response time: 1 month.
Is your association's website GDPR compliant?
Cookies, forms, newsletter: RGPDScan checks your site's compliance in 60 seconds. Free.
The Derogation for Religious, Political or Union Associations
Article 9.2.d of GDPR provides an important derogation: non-profit associations with political, philosophical, religious or union purposes can process data revealing members' beliefs without additional consent, under three strict conditions:
- Processing concerns only members or persons in regular contact with the association.
- Data is not disclosed outside the association without the consent of the persons concerned.
- Data is not cross-referenced with other processing unrelated to the associative purpose.
This derogation typically covers: political parties (activism data), unions (membership data), religious associations (religious practice data), philosophical associations.
Going Further
- Complete GDPR guide for associations
- Newsletter and GDPR: exact rules
- Simplified processing register
- GDPR checklist 2026