What non-profit organizations need to consider regarding data protection in fundraising.
Non-governmental organizations (NGOs), non-profit organizations (NPOs) and donation organizations make a key contribution to civil society - whether in development cooperation, refugee aid, environmental protection or political education. They stand for the common good, commitment and trust. At the same time, they process a large amount of personal data from supporters, donors, volunteers, employees and often also from particularly vulnerable groups.
The focus here is particularly on fundraising, public relations and project communication - all areas in which personal data is central. However, data protection in accordance with the GDPR poses major challenges for many non-profit organizations, as they often lack resources, expertise or structural foundations.
Data protection requirements for non-profit organizations
With the General Data Protection Regulation (GDPR), NGOs, NPOs and donation organizations are also obliged to implement all legal requirements for the protection of personal data. No special rules or exemptions apply to non-profit organizations. In fundraising in particular, data protection and legal certainty are closely linked.
Data protection in fundraising: consent and double opt-in
The following applies to fundraising: anyone who collects address data from donors - for example via online forms, events or personal conversations - requires comprehensible, informed consent. This must be voluntary and for a specific purpose. The double opt-in procedure, in which consent is verified by means of an active confirmation link, is also required for contact via email. This procedure is a central component of legally compliant, GDPR-compliant fundraising.
Observe the prohibition of coupling
The prohibition of coupling also plays an important role in the data protection of donation organizations. Consent to data processing must not be linked to an exchange, unless it is given voluntarily and transparently. For example, a free e-book may serve as an incentive - as long as consent for subsequent contact is clearly given separately.
Handling sensitive data
Many NGOs and non-profit organizations process special categories of personal data within the meaning of Art. 9 GDPR - such as data on health, religion or political opinions. This requires particularly careful data protection measures, as such data may only be processed under strict legal conditions.
Data security and technical protection measures
An appropriate data security concept is essential. This includes access restrictions, up-to-date software, encryption, secure server locations and clearly defined responsibilities. If external service providers such as payment providers or email tools are used, GDPR-compliant data processing agreements must be concluded. In the case of international providers, EU standard contractual clauses or other suitable guarantees for third country transfers are required.
Donation advertising in competition law
A common misconception: Donation advertising is not legally privileged. There is no explicit exception to the Unfair Competition Act (UWG). Although it has long been argued that charitable organizations do not engage in “commercial activity”, this view is outdated. Large donation organizations engage in professional fundraising and compete for attention and donations. Whether and in which cases the UWG is applicable remains legally uncertain - with practical consequences for e-mail advertising, telephone marketing or street advertising.
Implications for practice
Data protection and competition law requirements have a direct impact on the everyday life of NGOs, NPOs and donation organizations.
Fundraising campaigns must not only be emotionally effective, but also legally compliant. Supporters expect transparency regarding the use of their data. At the same time, there are risks associated with insecure databases, a lack of consent documentation or unclear earmarking.
Uncertainties in competition law also slow down many organizations in the design of their fundraising measures. Legally compliant advertising requires verifiable consent - especially in the case of personalized advertising.
Recommendations for data protection-compliant fundraising
For NGOs, donation organizations and non-profits, it is crucial to consider data protection, fundraising and the legal framework together.
Responsibilities and Data Protection Officer
Organizations should define clear internal responsibilities for data protection. If 20 or more employees are regularly engaged in the automated processing of personal data, or if sensitive data is processed, the appointment of a data protection officer is also required by law. This role can also be taken on externally.
Legally compliant consent and communication
Donation forms must be designed transparently. Consent to data processing must be voluntary, separate and documented - ideally via double opt-in. When collecting data, all information obligations under Art. 13 GDPR must be fulfilled.
Checklist: Data protection-compliant fundraising

Check external tools and service providers
The tools used - for example for newsletters or payment processing - must be compliant with data protection law. Data processing agreements and guarantees for third country transfers (e.g. to the USA) are mandatory.
Fulfilling further GDPR obligations
In addition to the duty of consent, there are other requirements, such as
- a record of processing activities (Art. 30 GDPR),
- if necessary, a data protection impact assessment (DPIA),
- as well as regular training for employees and volunteers.
These measures not only increase legal certainty, but also strengthen internal awareness of data protection as part of quality and trust work.
Keeping an eye on the Unfair Competition Act (UWG)
Competition law should also be taken into account: Anyone who combines fundraising campaigns with economic benefits (e.g. rewards, sponsoring) must make advertising and tax-related distinctions in order to avoid fines or risks to their non-profit status.
Transparency creates trust
Additional standards such as the DZI donation seal or membership of the German Donations Council can strengthen credibility and help to gain access to media or platforms.
Summary
Data protection is not a formality for donation organizations, but a basic requirement for legally compliant, effective and trustworthy fundraising. Whether you are a small NGO or a large non-profit, anyone who uses personal data bears responsibility - legally and ethically. The GDPR also applies to good causes. Those who take this into account not only strengthen their legal security, but also their relationship with donors, volunteers and funding partners.
We support NGOs and donation organizations as lawyers and external data protection officers in making their organization and fundraising compliant with data protection regulations.
Find out more at "Professional Data Protection for NGOs".