Privacy and the GDPR for verenigingen

Verenigingen (associations) and stichtingen (foundations) often have to deal with the GDPR (General Data Protection Regulation). For example, if you keep lists of members or donors, or post a list of board members on the website. When you process any personal data, you must comply with the General Data Protection Regulation (GDPR). Personal data are any data you can use to identify a specific individual. In this article, you will find everything you need to know about what the GDPR means for your vereniging or stichting.

Verenigingen and stichtingen are required to have a privacy statement and to inform their members about the GDPR. The privacy statement describes which personal data you process, the purpose for which you use the data, and how you deal with the data. Make sure to comply with the privacy laws, keep a processing register, do not collect more personal data than you need, and make sure your systems are secure.
When new members join your vereniging, let them know that you will share their data within the vereniging for certain purposes. If the person objects to the processing of their data, you can take that into consideration. You must also ask permission to take photos and to post photos on websites or social media.

Membership records

Membership records are the collection of members’ personal data, including names, addresses, email addresses and payment details. You may not record information that is not necessary for membership.

Sharing a list of members

A vereniging may not simply send a list of members  (in Dutch) to other members. This is only allowed if there is a justified interest (in Dutch), for example if it is necessary so that team members can make appointments to practice or play sports. You can only share the data that the individuals need to arrange the appointment. In this case, you do not need to ask the members for permission to share the data. If there is no justified interest for sharing the data, then you must ask the members for permission in advance.
You do not need to share bank account numbers to arrange an appointment to play sports, for example. The treasurer does need members’ bank account numbers to collect the membership fees. That means the treasurer may use the members’ bank details.

Images and videos

You are not allowed to simply publish photos and videos. If people are visible in the images, it may violate their right to privacy. If the people in the images are recognisable, then the images are also personal data> And that is when the GDPR applies. No one is allowed to publish another person’s personal data on the internet without their permission.

You must have the permission of the members, visitors or other persons visible in the image to create or publish image materials (in Dutch). The members must have given permission of their own free will. And you must make it clear for which purpose the images will be used in advance. Members have the right to withdraw permission at any time. You may choose how you wish to ask for permission, but the permission must meet certain requirements (in Dutch). It is important that you can prove that you actually received permission.
If you want to publish image materials of members under the age of 16, you must ask for permission from their parents or guardian.

Personal use

If a person creates photos or videos for their personal use, for example as a spectator at a sports event, then the GDPR does not apply. The GDPR includes an exception for personal (in Dutch) or household use, in which you keep the image materials for yourself or share them with a very limited circle.

Advertising or sponsoring

You must have the members’ express permission (in Dutch) to share personal data with individuals or organisations outside the vereniging. You may not use the personal data from the membership records for a purpose (in Dutch) other than the one for which you originally collected the data. Members may withdraw their permission at any time. The vereniging must clearly tell the members what they are giving permission for.

Providing personal data to the municipality

Sometimes a vereniging has to give its membership list to the municipality to apply for a subsidy. For example, if the municipality will only grant the subsidy if a minimum number of members live inside the municipality. In that case, the vereniging does not have to give all of the data, because only the members’ names and place of residence are enough. Since the municipality is a party outside the vereniging, the members must give permission to share their personal data.

Stichting (foundation)

A stichting does not have members, but may still have to comply with the GDPR. For example, if it keeps a list of donors or works with volunteers. The rules for sharing a list of vereniging members also apply to sharing a list of donors for a stichting. The same applies to the rules for the use of photos and images on the website.