Privacy and the GDPR for verenigingen

  • KVK Editors
  • The basis
  • 12 December 2022
  • Edited 28 February 2025
  • 2 min
  • Rules and laws

Verenigingen (associations) and stichtingen (foundations) often have to deal with the General Data Protection Regulation, GDPR. For example, if you keep lists of members or donors, or post images of board members on the website. In this article, you will find everything you need to know about what the GDPR means for your vereniging or stichting.

Membership administration

Do you process personal data of your members as a verenigingen? Then you need to let them know what you do with that personal data and why. This can be done in a privacy statement.

GDPR, known as Algemene verordening gegevensbescherming, AVG, in Dutch, sets out which information you must provide in the privacy declaration. For instance, which personal data you process, why you do so, and how you handle that data. You also have to keep a processing register, collect no more personal data than necessary, and make sure your systems are secure.

Do not record information that is not necessary for membership. Also let members know if you share their data within the association for certain purposes. If someone objects, you can take this into account.

Sharing a list of members or donors

A vereniging may not simply share a list of members  with other members, just as a stichting may not simply share a list of donors. This is only allowed if there is a justified interest. For example if it is necessary so that team members can make appointments to practice or play sports. You can only share the data that the individuals need to arrange the appointment. 

Permission for other purposes

You may only use personal data for the purpose for which you collected it. A foundation or association may not pass on personal data of members or donors to other persons or organisations. For this, you need permission from the members or donors. If you ask for permission, you must make clear what exactly people are giving permission for. Members and donors can always withdraw their permission.

Example

Sometimes a vereniging has to submit its membership list to the municipality for a subsidy application. For example, because the municipality only provides the subsidy if a minimum number of members live in the municipality. The association does not have to give all the data. In this example, only the members’ names and place of residence is enough. Because the municipality is an organisation outside the association, the members must give permission to share the personal data.

Images and videos

You are not allowed to simply publish photos and videos. If the people in the images are recognisable, then the images are also personal data and GDPR applies. No one is allowed to publish another person’s personal data on the internet without their permission.

You must have the permission of the members, visitors or other persons visible in the image to create or publish visual materials The members must have given permission of their own free will. And you must make it clear for which purpose the images will be used in advance. Members have the right to withdraw permission at any time.

You may choose how you wish to ask for permission, but the permission must meet certain requirements. It is important that you can prove that you actually received permission. If you want to publish images of members under the age of 16, you must ask for permission from their parents or guardian.

Personal use

If a person creates photos or videos for their personal use, for example as a spectator at a sports event, then the GDPR does not apply. The GDPR includes an exception for personal  or household use, in which you keep the image materials for yourself or share them with a very limited circle.

Also of interest