HomeKnowledge base › Charities and associations
Sector

Charities and associations: destroying member and donor data

· 9 min read · DeSnipperaar
Charities and associations destroying member and donor data

A sports club, a neighbourhood initiative or a charity often runs on volunteers and a modest budget. Yet they process personal data just as much as a business, sometimes even more. Membership lists, donor data with bank details, volunteer files and event participant lists pile up over the years. The GDPR makes no exception for associations, so here too old records should be cleared out and destroyed carefully.

This article explains which data an association or charity processes, where the risks are and how to clear out everything safely, even when you do it with a changing team of volunteers. With a few simple arrangements you handle that without much hassle.

Which data does an association or charity hold?

  • Membership records with names, addresses, dates of birth and bank details for the membership fee.
  • Donor data with giving history and bank details.
  • Volunteer files, sometimes with a copy of a background check.
  • Participant lists of tournaments, events or campaigns.
  • Financial records with payments and expense claims.
  • Minutes and correspondence with personal data.

Former members and cancellations

The biggest blind spot at associations is the old membership administration. Members come and go, but their data often stays in a folder or file for years. The GDPR requires storage limitation, so data of someone who has cancelled you keep no longer than needed. What falls under the financial records you keep for 7 years, the rest you clear out. Make it a habit to go through and destroy former members' records at the year-end. How this fits the wider GDPR picture is in GDPR requirements for SMEs.

Extra care: background checks, bank details and sensitive groups

Some documents call for more care than an ordinary membership list. A copy of a volunteer's background check, donors' bank details and participant lists of a charity working with a vulnerable group are especially sensitive. If your organisation works with data about health, religion or a vulnerable situation, the stricter rules for special personal data apply. Keep those documents well secured and destroy them to a high DIN level once they are no longer needed.

What the GDPR specifically requires

Two articles of the GDPR matter directly for an association or charity. Article 5 is about storage limitation, you do not keep personal data longer than needed for the purpose you collected it for. Data of a member who cancelled years ago therefore falls outside that. Article 32 requires appropriate technical and organisational measures to protect that data. That duty applies to a volunteer organisation too, whatever its size.

If a membership list ends up unshredded with the waste paper, that is a data breach. A serious data breach you report within 72 hours to the data protection authority. For a small association that sounds formal, but the solution is simple, a fixed working method prevents the whole scenario.

How long do you keep association data?

The main rule is storage limitation, you keep nothing longer than needed. The financial records fall under the 7-year tax retention obligation. Member data, donor data and participant lists you keep as long as the membership or relationship runs, after that you clear them out. An overview per document type is in the retention periods cheatsheet.

Destruction with a team of volunteers

The reality of an association differs from a business. There is no fixed office worker, the board changes and the administration is sometimes at someone's home. That is exactly when a simple working agreement helps. Place a locked bin for paper that must be destroyed and have the contents collected periodically. That way no volunteer has to sit shredding at home and everyone knows where sensitive paper goes. For a one-off big clear-out, for example at a change of board or a move of the clubhouse, a one-off collection is the easiest solution.

Which DIN level do you need?

How finely paper must be shredded is set out by the DIN 66399 standard in levels. For an association or charity these mainly matter.

LevelParticle sizeSuitable for
P-2StripsGeneral print without data
P-4Small particlesMembership lists, expense claims, participant lists
P-5Very small particlesBackground-check copies and sensitive data

For ordinary member data P-4 is the workable minimum. For especially sensitive documents, such as a background-check copy or data of a vulnerable group, P-5 is indicated. A cheap office shredder rarely reaches that high level, professional destruction does.

Destroy safely, not with the waste paper

A membership list with names, addresses and bank details does not belong in the clubhouse paper bin. An open container stands on the street and is accessible to anyone. For loose documents a good shredder is enough, but with boxes at a time having it collected is faster and safer. You then get a certificate as proof. The general approach is in destroying confidential documents, the costs in what does archive destruction cost. Do not forget the digital side, because old membership records often also sit on a laptop or USB stick, see data destruction. If you use an online membership administration, check whether there is a processing agreement with the provider, because the association remains responsible for the data.

The proof: certificate of destruction

After a collection you receive a certificate of destruction with the date, quantity and DIN level. For an association that is handy proof towards members and donors who trust you to handle their data carefully. It also shows a new board that the administration was handled properly. Keep the certificate in the association file, so a future board can find it.

What if it goes wrong? A data breach at an association

Imagine that at a change of board a box of old membership lists accidentally ends up with the waste paper instead of with the destruction. It holds names, addresses and bank details of hundreds of members. That is a data breach, even though it was a mistake. You assess whether it poses a risk to the people involved and report it within 72 hours to the data protection authority where needed.

With a fixed working method such a mistake is almost ruled out. A locked bin for paper to be destroyed and a clear agreement about what goes where prevent a box ending up on the wrong pile.

A real-world example

Imagine a sports club gets a new board and the old treasurer hands in boxes of records. They hold membership lists from ten years ago, expense claims with bank details and tournament participant lists. The new board wants to start clean but does not know what can go. With the retention periods in hand they keep the financial documents of the past 7 years apart and have the rest destroyed confidentially, with a certificate. A fresh start without old privacy risks. The same applies when an association is dissolved, where the member and donor data may not simply be left lying around but must be destroyed carefully.

Destroy yourself or have it collected?

For a handful of forms a month a simple shredder in the clubhouse is enough. But at a change of board or clearing out years of records, such a device jams quickly. Then having it collected is more practical, especially because the work otherwise lands at a volunteer's home. A certified party collects the boxes, destroys them to the right DIN level and gives you a certificate. Data carriers with old membership records can come along in the same collection.

Costs and process: what can you expect?

Having it destroyed is no big expense for an association, which is handy on a limited budget. You pay a fixed price per box or roll container, known in advance, with no surprises afterwards. Within 20 km of Amsterdam we charge no call-out fee. The process is short. You tell us how much material you have, plan a collection that suits the board and we collect it. After that everything is destroyed to the agreed DIN level and recycled, with a certificate within a few working days. Data carriers with old membership records can come along in the same collection.

Periodic or one-off collection?

Do you have a one-off clear-out, for example at a change of board or a move of the clubhouse? Then a one-off collection is enough. Does paper keep coming in, such as expense claims and participant lists, then a fixed frequency is handier. You then place a locked bin emptied periodically, for example once a year at the year-end. That way the records stay in order by themselves, even with a changing board.

Practical tips for the association

  • Appoint someone responsible, for example the secretary, so it is clear who manages the records.
  • Tie the clear-out to the annual meeting, so it is a fixed moment.
  • Place a locked bin in the clubhouse for paper with personal data.
  • Keep the certificates with the documents you hand over to a future board.
  • Hand over data carriers in the same collection, so old backups of the membership administration disappear safely too.

Arranged in 4 steps

  1. Take stock. Gather the records now scattered among board members in one place.
  2. Separate keep from destroy. Keep the financial documents for 7 years and clear out the rest.
  3. Destroy confidentially, a handful yourself and boxes at a time via a collection.
  4. Keep the certificate in the association file as proof towards members and board.

What do your supporters expect?

Members and donors give their data out of trust. A member shares their address and bank details, a donor sometimes a sensitive reason for their gift. Those who notice an association handles that data carefully are more likely to stay members and give again. A data breach in which member data ends up on the street damages exactly the trust a volunteer organisation runs on. For charities there is also the fact that an incident quickly makes the news, with direct consequences for reputation and income. Careful destruction is therefore not only a GDPR duty but also an investment in the bond with your supporters. It shows that you take the people who support you seriously.

Common mistakes

  • Keeping former members' data indefinitely. Clear it out once the retention period has passed.
  • Membership lists with the waste paper. With names and bank details that is a data breach.
  • Forgetting records at someone's home. Make clear agreements about where sensitive paper goes.
  • Only thinking of paper. The old membership administration often also sits digitally on a laptop or stick.

Change of board or clearing out the clubhouse?

We collect your old member, donor and volunteer records and destroy them confidentially, with a certificate. No call-out charge within 20 km of Amsterdam.

Request a quote

Frequently asked questions

Must an association delete former members' data?

Yes. Data of members who have cancelled you keep no longer than needed. Keep the financial records for 7 years and clear out personal data beyond that.

Does donor data fall under the GDPR?

Yes. Name, address, bank details and giving history are personal data. An association or charity must protect those carefully and destroy them in time too.

How do you arrange destruction with only volunteers?

Make a simple working agreement and place a locked bin for paper to be destroyed. Have the contents collected periodically, so no one has to shred themselves.

Can old member records go with the waste paper?

No. Lists with names, addresses and bank details should be destroyed confidentially, not in an open paper container.

Which DIN level is needed for membership lists?

For ordinary member data DIN 66399 P-4 is the workable minimum. For background-check copies and data of vulnerable groups P-5 is indicated.

Must I report a data breach from binned membership lists?

If lost data poses a risk to the people involved, you report the data breach within 72 hours to the data protection authority. A fixed working method prevents such incidents.

Conclusion

An association or charity processes personal data just as much as a business, from membership lists to donor data with bank details. The GDPR makes no exception, so clear out old records periodically and destroy member and donor data carefully. With a locked bin, a simple working agreement and a periodic collection you arrange that even with a team of volunteers, with a certificate as proof towards your supporters. That protects the privacy of your members and donors without costing your volunteers much time.

Ready to clear out the association records? Request a quote via desnipperaar.nl or see how to have paper shredded. Within 5 minutes you have a fixed price.