Data protection in associations. How to comply with the law?

Currently, the associative fabric that makes up our society in its different aspects has as its main objective social action for the group in question. For this reason, the personal data of associates, volunteers, users or collaborators, among others, take on particular relevance due to their category and the special protection regulated in art. 9 of the General Data Protection Regulation (hereinafter GDPR).

Therefore, it is necessary to take into account the aspects detailed below:

ARE ALL ASSOCIATIONS OBLIGED TO COMPLY WITH THE GDPR?

Although most associations are non-profit per se, in their daily activity they do process personal data of various categories that are worthy of legal protection. This means that, like any company with commercial purposes, the association network is also obliged to comply with all national and international regulations regarding data protection.

WHAT TYPE OF DATA DOES THE ASSOCIATIONAL FABRIC PROCESS?

Depending on who is involved, different data will be processed. Let's look at an example: a person who works in a non-profit association that treats drug addicts with diverse social profiles and different ages. In this case we have, on the one hand, the data of the worker himself: name, surname, Social Security number, bank account number for payroll, identification number (DNI or NIE), telephone number, postal address, date of birth and, where there are minor users[1] and the worker has regular contact with them, a negative certificate of crimes of a sexual nature.

In the case of the user, special category data would come into play, such as clinical history, medical reports, medical test data, psycho-social data, Social Services reports and data on the criminal situation (completion of sentences, civil liability payments...).

What is important is that the association always collects data under the principle of data minimization, so that only those data are collected that are necessary and “precise for each of the specific purposes of the treatment, reducing the extent of the treatment, limiting the conservation period and its accessibility to what is necessary”[2], as explained in art. 5.1.c GDPR[3].

WHAT REGULATIONS ARE APPLICABLE?

The regulations that govern data protection in the associative fabric are:

  1. At European level: the GDPR.
  2. At the national level:
     • The Organic Law on Protection of Personal Data and Guarantee of Digital Rights[4].
     • Law 34/2002, of July 11, which regulates transactions through electronic means[5].
     • Jurisprudence issued by the courts in the exercise of their jurisdictional functions.
     • Recommendations, circulars, opinions and orders issued by the Spanish Data Protection Agency (hereinafter AEPD) as the highest authority on the matter.

HOW TO COMPLY WITH DATA PROTECTION LEGISLATION?

To comply with the law, the following aspects are proposed:

  1. Comply with the ARCO-LIPO rights[6] included in the GDPR at the time of data collection, where the duty to inform and transparency of information towards the person who owns the rights prevail at all times.
  2. Clearly indicate the data that will be processed and for how long, the legal basis that justifies the processing and whether or not there is an international transfer of data.
  3. Request express consent to process the personal data of the interested party, state the purposes for which it is granted and indicate the different ways available to collect it.
  4. Establish confidentiality clauses, both in employment contracts and in those concluded with suppliers or volunteers. It is also advisable to sign a management contract for the transfer of data if data processors who have access to the data are involved.
  5. If it has a website, the association must keep its legal texts updated in accordance with the GDPR: legal notice, privacy policy and cookie policy.
  6. Carry out an impact assessment[7] in order to identify possible threats and establish the appropriate security measures to prevent them from materializing.
  7. Designate a Data Protection Officer, indicating the means of contact, so that in the event of a security breach[8] or any query, he/she can be contacted without difficulty.

In short, associations are designed to promote social integration as agents that contribute to a changing society where the safeguarding of their constitutionally protected fundamental rights (such as data protection) must be assured against possible interference by third parties that may violate them. For this reason, it is necessary to work on raising awareness of the importance of privacy and regulatory compliance so as not to damage the spirit of associations and the objectives and values established by each of them. 

Notes:

[1] The certificate finds its legal basis in Organic Law 1/1996, on the Legal Protection of Minors, modified in turn by Law 26/2015 and by Law 45/2015, on Volunteering. It establishes the obligation to present a negative certificate from the Central Registry of Sexual Offenders for all professionals and/or volunteers who work or have regular contact with minors. Habitual contact is understood to mean that “the job involves, by its very nature and essence, habitual contact with minors, with minors being the main recipients of the service provided.” https://www.mjusticia.gob.es/es/ciudadania/tramites/certificado-delitos (Last visited April 11, 2022)

[2] https://www.aepd.es/es/derechos-y-deberes/cumple-tus-deberes/principios (Last visited April 13, 2022)

[3] “Article 5. Principles relating to treatment. 1. The personal data will be: c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)”. https://noticias.juridicas.com/base_datos/Privado/574082-regl-2016-679-ue-de-27-abr-proteccion-de-las-personas-fisicas-en-lo-que.html#a8 (Last visited April 13, 2022)

[4] https://noticias.juridicas.com/base_datos/Laboral/632849-lo-3-2018-de-5-dic-proteccion-de-datos-personales-y-garantia-de-los-derechos.html Hereinafter, LOPDGDD. (Last visited April 13, 2022)

[5] https://noticias.juridicas.com/base_datos/Admin/l34-2002.html (Last visited April 13, 2022)

[6] Arts. 15-22 of the GDPR, which set out the rights of Access, Rectification, Deletion (Forgetting), Limitation of Treatment, Portability and Opposition.

[7] If necessary in accordance with the casuistry established in art. 35 of the GDPR and in the list of “Types of data processing that require impact assessment related to data protection (art 35.4)”. https://www.aepd.es/es/documento/listas-dpia-es-35-4.pdf (Last visited April 14, 2022)

[8] The communication of the security breach to the AEPD must be made within 72 hours from when there is knowledge or evidence of its occurrence. If it is not done, it is cause for a serious sanction provided for in the LOPDGDD (if the appropriate technical security measures have not been adopted) or a minor one (if it has been reported late or incompletely).

