The CNPD has published a practical guide for associations.

This guide is for associations whose activity is limited to performing data processing necessary for the management of a so-called “classic” or “traditional” association.

These associations must :

• Keep a record of processing activities;
• Respect the legitimacy of each processing of personal data which must be based on one of the six legitimacy criteria provided by the GDPR: consent, performance of a contract, legal obligation, safeguarding vital interests, mission of public interest or legitimate interests;
• Respect the information and the rights of the persons concerned;
• Designate a DPO;
• Draft agreements with processors;
• Respect specific rules, such as impact assessment, notification of data breaches, implement rule relating to data transfer to third countries, technical and organisational measures and data protection by design and by default principle.