General Data Protection Regulation (GDPR) Rules for Fundraisers
1. Purpose
This policy sets out how Globalgood Corporation (“Globalgood”) and its fundraisers must handle personal data of donors, prospects, volunteers, and other stakeholders located in the European Economic Area (EEA) and the United Kingdom, in full compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the U.K. GDPR. It explains donor rights—including the right to opt out, access, and erase data—along with operational rules for capturing consent and managing communications.
2. Scope
Applies to:
- Existing Fundraisers and Prospective Fundraisers processing personal data on behalf of Globalgood.
- All processing activities involving EU/EEA and U.K. residents, regardless of where the fundraiser is located.
- Digital platforms (websites, forms, CRM, email marketing tools), physical sign‑up sheets, and any third‑party processors.
3. Key Legal Principles
| Principle | Requirement | Operational Impact |
| --- | --- | --- |
| Lawfulness, Fairness, Transparency | Process data under a valid legal basis and inform subjects | Fundraising forms must display clear privacy notices and purpose statements |
| Purpose Limitation | Collect data for specified, legitimate purposes only | Email captured for campaign X cannot be reused for unrelated initiative Y without fresh consent |
| Data Minimization | Collect only data necessary for the stated purpose | Limit mandatory fields to name, email, donation amount unless further data is essential |
| Accuracy | Keep personal data up to date | Provide donors an easy way to update contact information |
| Storage Limitation | Retain data no longer than necessary | Archive or delete inactive donor records after 7 years unless renewed consent obtained |
| Integrity & Confidentiality | Protect data with appropriate security | Encrypt databases, restrict access, enforce MFA |
| Accountability | Demonstrate compliance | Maintain processing logs, consent records, DPIAs where required |
4. Legal Bases for Fundraising Processing
- Consent (Article 6(1)(a)) – e.g., e‑mail marketing, newsletter sign‑ups.
- Contract (Article 6(1)(b)) – e.g., processing pledges or recurring donations.
- Legal Obligation (Article 6(1)(c)) – e.g., financial reporting to revenue agencies.
- Legitimate Interests (Article 6(1)(f)) – e.g., direct mail to existing donors, subject to a balancing test.
Fundraisers must document the chosen legal basis for every data‑processing activity in the GDPR Register of Processing Activities (ROPA).
5. Data Subject Rights & Response Times
| Right | Articles | Response Deadline |
| --- | --- | --- |
| Access | 15 | 30 days |
| Rectification | 16 | Without undue delay |
| Erasure (“Right to be Forgotten”) | 17 | 30 days |
| Restriction | 18 | 30 days |
| Data Portability | 20 | 30 days |
| Objection / Opt‑Out | 21 | Immediately cease processing for marketing |
| Automated Decision‑Making | 22 | Provide human review |
Fundraisers must forward any request to privacy@globalgoodcorp.org within 24 hours and suspend related processing until resolved.
6. Consent Management Rules
- Explicit, Granular Consent – separate checkboxes for email, SMS, phone. Pre‑ticked boxes are prohibited.
- Freely Given – consent must not be a condition for receiving a service unless strictly necessary.
- Informed – disclose purpose, data categories, retention period, withdrawal process, and link to Privacy Policy.
- Documented – volunteers capturing data must log: date/time, method (webform, paper, phone), statement text, and fundraiser ID.
- Withdrawal – provide one‑click unsubscribe in every electronic communication; honor within 24 hours.
Volunteers must log consent for every email capture in the CRM or approved spreadsheet (template GG‑GDPR‑Consent‑01). Missing consent logs constitute a compliance breach.
7. Data Protection Impact Assessments (DPIAs)
Required for:
- Large‑scale processing of special‑category data (e.g., health, religious beliefs).
- Systematic monitoring (e.g., behavior tracking via cookies).
- New tech deployments (AI‑driven donor segmentation).
DPIAs are filed with the Data Protection Officer (DPO) before launch.
8. Data Breach Notification
- Internal reporting: to the DPO within 4 hours of discovery.
- Supervisory Authority: within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms.
- Data Subjects: without undue delay if the breach poses a high risk.
A breach log must be maintained per Article 33(5).
9. International Data Transfers
Transfers outside EEA/U.K. require:
- Adequacy Decision, or
- Standard Contractual Clauses (SCCs) with supplementary measures, or
- Binding Corporate Rules (BCRs) approved by authorities.
Cloud providers must be vetted and listed in the Processor Register.
10. Roles & Responsibilities
| Role | GDPR Responsibilities |
| --- | --- |
| Fundraisers / Volunteers | Capture consent; honor opt‑outs; log requests; use secure systems |
| Data Protection Officer (DPO) | Oversee GDPR compliance; manage SARs; conduct DPIAs; liaise with authorities |
| Compliance Office | Maintain policies; provide training; audit consent logs |
| IT Department | Implement technical measures, encryption, access controls |
| Third‑Party Processors | Sign DPA; comply with GDPR; report breaches without delay |
11. Training & Awareness
- Mandatory GDPR e‑learning module for all fundraisers within 30 days of onboarding and annually thereafter.
- Periodic phishing and data‑handling drills.
12. Record‑Keeping & Retention Schedule
| Record Type | Retention Period |
| --- | --- |
| Consent logs | Duration of consent + 7 years |
| Donation transaction data | 7 years (aligns with revenue‑agency rules) |
| SAR records | 3 years |
| Breach logs | 7 years |
13. Non‑Compliance & Penalties
Failure to comply may result in:
- Internal sanctions: suspension or termination of fundraising privileges.
- Administrative fines up to €20 million or 4 % of annual global turnover.
- Reputational damage and donor trust loss.
14. Review & Amendment
Reviewed annually or upon regulatory change by the DPO. Published under Legal Policies and Notices on globalgoodcorp.org.
15. Contact Information
Globalgood Data Protection Officer
Email: privacy@globalgoodcorp.org
Phone: +1 614‑829‑5030
Mail: 7211 Charleton Ct., Canal Winchester, OH 43110, USA
Disclaimer
This document is for informational purposes only and does not constitute legal advice. Fundraisers should consult qualified professionals for legal interpretations of GDPR obligations.