General Data Protection Regulation

From LOKO Kennisdatabank

The General Data Protection Regulation or GDPR entered into force in May 2018. It is aimed at the protection of people with regard to the processing of personal data. As small businesses and non-profit organizations also fall under this legislation, student associations must adjust their operation accordingly. Below you will find a brief description of some of the most important principles of GDPR, as well as the most important obligations that associations must adhere to. The third section lists the new rules that apply specifically to the functioning of student associations.

Principles of GDPR

The most important principles concerning the management of personal data are:

  • Honesty & transparency: personal data must be managed in a fair and transparent manner according to the law.
  • Purpose limitation: personal data is only collected for a specific and legitimate purpose and may not be used for other purposes.
  • Data minimization: personal data must be relevant and limited to what is necessary to achieve the intended purpose.
  • Accuracy: personal data must be correct and kept up to date.
  • Retention limit: personal data may only be retained as long as necessary for the intended purpose.
  • Confidentiality & integrity: personal data must be processed in a manner that guarantees the security of the data (including protection against unauthorized access, loss or damage).

Obligations

  • The right to access your own personal data: every person has the right to know what data about them an organization holds and can also ask for that data to be corrected or for all of it to be deleted.
  • Organizational measures: each organization must be able to demonstrate that the GDPR rules are being followed and must be able to account for the personal data it has at its disposal.
  • Security measures: collected data must be protected as well as possible (e.g. by means of virus scanners). In the event of a data leak, the organization must report it to the privacy committee within 72 hours.

The central principle of the regulation is transparency. Every student association should develop a publicly accessible privacy policy. This must state, among other things, (i) the way in which data is processed, (ii) the purpose of the processing, (iii) the legal basis and (iv) the period for which the data are retained. In addition, each association has an accountability obligation: it must be able to demonstrate at all times that it is complying with the data protection rules, and how. If an association neglects its responsibilities, the Privacy Commission has the right to impose a fine.

Application: student associations

  • Registration of members (membership card sales, the sale of course material, registration for activities ...)

When collecting these data, the purpose of the processing must always be clearly and explicitly stated. After all, it is illegal to store data for an indefinite purpose. Your members must give their explicit permission for the use of their data (e.g. via an opt-in box, or an explicit agreement by clicking a button when filling in a form). This permission can be withdrawn at any time.

Important: marketing purposes can be regarded as a valid legal basis for storing and processing the data.

Only data that is directly relevant to achieving the stated goal may be processed. For example, the following data may suffice for most objectives: surname and first name, academic year, e-mail address, specialization and possibly the courses being taken. The purpose limitation requirement also means that storage must be limited in time. For example, it is only acceptable to keep the data until the end of the academic year; after that they must be deleted.

Students must be able to view their data. On that basis, they may always request that data be corrected or deleted. The data must then be deleted immediately, even if it has already been passed on to third parties. In the latter case, those third parties must be informed and asked to delete the data.

  • Cooperation with third parties

Associations are required to make clear agreements with third parties (such as Guido, Joyn, website builders, printing companies ...) whenever data is transferred to them. To that end, it must be agreed, among other things, for what purpose that data may be used, how it is protected and when it must be deleted.

Processing the data of the participants in an activity (e.g. a ski trip) is a valid purpose when it is necessary for the execution of a contract. Explicit consent of the participants is therefore not required in this case.

Important: those involved can always object to the use of their data for direct marketing (including advertising). If partners want to use the data of students, this must be explicitly stated and the student must give his/her permission.

What if student associations want to work with a mandatory opt-in, where membership requires permission to use the collected data for advertising purposes? The students' permission to process their data must always be "freely given". This means that there must be no risk of "significant negative consequences". Not receiving a discount cannot be qualified as a significant negative consequence. It is therefore permitted for students to receive a discount via their membership card only in exchange for permission to use their data for advertising purposes, provided this is stated sufficiently clearly. It is important to state to whom the data can be transferred; it is sufficient to state the category of recipients, such as law firms. Students must be able to revoke their permission to pass on their e-mail addresses to those firms at any time, and doing so must not have any consequences for the discounts already received.