Processing personal data in associations
Processing personal data in associations is common. For example, associations process personal data in their member register. All companies, organisations and public bodies that process the personal data of individuals within the EU/EEA must comply with the GDPR, and that includes associations.
Associations
The GDPR strengthens the rights individuals have regarding their privacy. It does not matter whether the association is a non-profit organisation or an economic association. Many associations, such as sports clubs, also process personal data about children, and for such data the rules are stricter.
Examples of when associations process personal data
- When the association collects personal data, such as name and phone number, from the association's members.
- When the association maintains a register with information about the association's members.
- When the association backs up members' personal data to a cloud service, in order to be able to restore the data if they are accidentally or unlawfully deleted or changed.
Processing personal data in associations in accordance with GDPR
Most associations process personal data in order to conduct their business. In such cases, the association is the data controller, as it is the association that decides how and why the personal data should be processed.
Therefore, the association must make sure to comply with the GDPR, the EU's General Data Protection Regulation. In addition, two associations may be joint controllers. Furthermore, an association may engage data processors, for example when it backs up personal data to a cloud service offered by a third-party service provider.
Processing of sensitive personal data in associations
Sensitive personal data are, under the GDPR, personal data that warrant extra protection. Processing them is permitted only in certain cases and is otherwise prohibited. Examples of sensitive personal data are data that reveal an individual's trade union membership, ethnic origin or religious beliefs.
Examples of sensitive personal data in associations
Information about a person's membership of a trade union or religious community is sensitive personal data according to Article 9 of the GDPR. The processing of such special categories of personal data is permitted only on the basis of one of the exceptions provided for in Article 9 of the GDPR.
Please note that associations that process sensitive personal data must take appropriate technical and organisational measures to protect the data. In addition, the processing of such special categories of personal data must take place within the framework of the legitimate activities of the association.
Is it permissible to process information about a person's membership of a religious community or political party?
If a person is a member of a religious community, the membership itself can reveal the religious beliefs of the member. This constitutes sensitive personal data within the meaning of Article 9, the processing of which is, as a general rule, prohibited.
However, there is one exception that the religious community can apply in this case, the so-called membership exemption. The same applies to political parties, as membership of the political party reveals information about the member’s political opinions.
What does the membership exemption mean?
According to the membership exemption in Article 9(2)(d) of the GDPR, it is permissible to process personal data about the membership if:
- the processing concerns only active members, former members or other persons who, for the purposes of the organisation, have regular contact with the organisation; and
- the personal data are only disclosed outside the organisation, or to another member, on the basis of the data subject's active consent.
The European Court of Human Rights ruling on the processing of personal data in the context of door-to-door knocking by religious communities
In Finland and before the European Court of Human Rights, legal proceedings have been conducted regarding the collection of personal data and the lists of names noted by the Jehovah's Witnesses religious community during home visits.
Lists with personal data
The name lists that Jehovah's Witnesses draw up during door-to-door knocking in connection with their preaching work may include the names, addresses and religious beliefs of the individuals they have visited.
The registration of the information in the name lists often occurred without the data subject’s knowledge. The European Court of Human Rights has stressed the importance of lawful collection of personal data and respect for the right to privacy of individuals.
Consent of the data subjects
In Finland, the Supreme Administrative Court (HFD) has ruled that Jehovah’s Witnesses must obtain the consent of the data subjects in order to establish and use such lists. In practice, the ruling means that the GDPR also applies to religious communities in Finland when processing personal data.
What is the appropriate legal basis to use to support the association's processing of members' personal data?
As mentioned above, all companies, organisations and public bodies that process the personal data of individuals within the EU/EEA must comply with the GDPR. This means, among other things, that each individual processing of personal data must have a legal basis in order to be lawful. If processing takes place without the support of one of the GDPR's legal bases, the processing is unlawful.
There are a total of six (6) legal bases, set out in Article 6 of the GDPR. The following describes the four (4) legal bases that associations most commonly rely on when processing personal data:
Contracts with data subjects
It is common for associations to need to process certain personal data in order to enter into and fulfil the agreement between the association and the member. The association may not process more personal data than is necessary for the person to become a member. If the association wants to process the same personal data and/or other personal data for another purpose, it needs a separate legal basis for that further processing.
Legal obligation
In some cases, an association may need to process personal data because some law or regulation requires it from the association. For example, in some countries, economic associations need to keep a list of the members. In such cases, the processing of personal data takes place in order to comply with a legal obligation incumbent on the association.
Consent
An association may process certain personal data on the basis of consent. This means that a member gives an active, informed, unambiguous, specific and voluntary agreement that the association may process his or her personal data for a specific and stated purpose. If the legal basis is consent, the consent may not be bundled into terms and conditions so that the member must consent in order to accept those terms. The GDPR sets out clear rules on how a valid consent is given.
Legitimate interest
Associations may have a legitimate interest in processing some of their members' personal data. For example, camera surveillance may be necessary in premises belonging to an economic association where valuables are kept. Legitimate interest means that the controller, i.e. the association, considers that its interest outweighs the rights and freedoms of the data subjects. However, the processing of personal data through camera surveillance must be necessary to achieve the purpose.
Is it allowed for an association to publish its membership register online?
An association may only publish its membership register online if that processing is based on a legal basis under the GDPR. For example, it can be done with the consent of each member concerned. However, it is common for some members not to want their phone numbers, addresses or other personal data to become publicly available on the internet.
Consent of the members
In most cases, the association must first ask its members for permission, and each member must actively and voluntarily consent before his or her personal data are published online.
Although another legal basis may be applicable for the association to publish its membership register online, it is recommended to first request members’ permission. If the personal data relate to children, the consent must be given by the child’s guardian, even if the child has given his or her consent.
Can an association send out its membership register by e-mail to other members or persons?
If the association sends out its membership register by e-mail, it is sharing personal data, which constitutes processing. Such processing must rest on a legal basis in the GDPR in order to be permitted and lawful. For example, it can be done with the consent of the members.
However, it is important to keep in mind that there may be some members who, for various reasons, do not want their personal data to be disseminated to other members or people via email. For example, a member may have a secret phone number or a protected residential address.
Is an association obliged to disclose information about a member to another member?
If the association is not subject to legislation that requires the list of members to be available to those who wish to view it, the association does not need to disclose its membership register. However, a member always has the right to receive a copy of his or her own personal data that the association processes, but not about other members or persons. This right follows from the data subject’s right of access under Article 15 of the GDPR.
More information about GDPR
Processing personal data in schools and kindergartens
Processing of personal data in schools and kindergartens takes place on a regular basis, for example in connection with digital teaching, attendance lists, grades and personal development plans. It is the school or kindergarten itself that holds the role of controller under the GDPR, not the principal, teachers or other staff. However, it is important that staff comply with the GDPR in practice when processing students' personal data. Personal data about children are particularly worthy of protection under the GDPR.