GDPR and your association: handling personal data

What are personal data?

Personal data are all data that can be directly or indirectly traced back to a person, such as a name, email address, telephone number, date of birth, photo or member number; even an IP address can be personal data.

What rules apply?

The three core principles of the AVG (the Dutch term for the GDPR) for associations:

What do you need to arrange?

1. Privacy statement

On your website and/or sign-up form it should be clear what data you collect, for what purpose, how long you keep it and whether you share it with third parties. A privacy statement does not need to be long, but it must be clear and understandable.

2. Record of processing activities

Keep track of which personal data you process, for what purpose, on which legal basis and for how long. This need not be published, but you must be able to show it if the Autoriteit Persoonsgegevens asks for it.

3. Retention periods

Clearly set out how long you keep data. Former members: retain only what is necessary for tax purposes or for claims. A general rule: delete data when it is no longer needed.

4. Security

5. Reporting data breaches

If a data breach occurs (data have been stolen, lost or inadvertently shared), you must report it to the Autoriteit Persoonsgegevens within 72 hours, unless the risk to those affected is negligible.

Photos on social media

Note: photos are also personal data. Photos of activities that you post on social media must not show identifiable people without their consent. When registering for events, obtain consent to use photos.

What about non-compliance?

The Autoriteit Persoonsgegevens can impose fines of up to €20 million or 4% of annual turnover. For small associations, fines are typically lower, but the reputational risk is just as great. Compliance is not only a legal obligation; it is also a matter of trust.