GDPR Instructions for Districts and Clubs

The text below is copied from the minutes of the General Assembly of the 51st KI-EF Convention in Baveno.

It relates to the speech of Manfred PUCHNER, KI-EF Bylaws Advisor.

According to the GDPR the “data subject” (=member of a club) has a fundamental right to
the protection of his personal data.

In order to ensure this fundamental right, the GDPR requires that the data subject
(=member) has actively provided his or her consent, when data is stored.

1. Data controller:
The organization that stores the data is referred to or known as the “Data controller” in
the GDPR. The data controller must have received the required declaration of consent when storing
data. If the data controller shares the data with a third party, which then processes this data, the
data subject must first be informed in the active consent form that his or her data will be
shared with a third party. The data subject must be in agreement.

2. Data processor:
If the data subject agrees that the data is to be disclosed, the data controller must
conclude a written “order processing agreement” with the third party (referred to in the
GDPR as “Processor”).

3. Order processing agreement:
The order agreement shall specify exactly which data and the reasons for which the processor
may store them and the duration thereof and further that he guarantees the technical safety
and confidentiality of such stored data.
In our case, this means that each club, represented by the president or his/her database
manager with the district, represented by the governor or its database manager must
conclude such an order processing agreement in writing.

However, before this type of order processing agreement is reached, the database
manager has to enter the data in a data processing directory! On the basis of the data
subject's consent (member).

4. Data processing directory:
This data processing directory will list:
– the data of the data controller (or his representative)
– the purposes of the data processing
– the details, such as the categories of the data subjects, i.e. club members, the legal
basis, that refers specifically to membership in this case or if the club has already amended
the statutes accordingly to include consent in the club statutes.

If the district, which has stored the data subject's data, wishes to share them with any District
database, the district also has to conclude an order processing agreement with
the operator of the District server in the same manner as between the club and the
district. Likewise, such an order processing agreement is to be concluded when the district
agrees to a data transfer with KIEF.

5. Data transfer to KI:
If, however, the data is to be forwarded to Kiwanis International, i.e. to the US, the
district or, provided it has been agreed, KIEF has to conclude a special US data transfer
agreement with the US based on the standard clauses approved by the EU Commission.
This is because the US is considered a non-secure third country in terms of data protection.

If such agreements are not concluded according to the standard clauses laid down by the
EU, these agreements shall be deemed void.

6. Conclusion
Through the secretary I have sent some forms to all the governors of the districts of
KI-EF. I kindly ask all governors to send these forms to their clubs to inform the members so they
can work with the new legislation. It is up to the districts to put the provided texts in conformity
with their local rules and legislations.

The basic documents are the following and can be downloaded here:

The General Data Protection Regulation (GDPR) Basics

Data collection – Member

Agreement on order processing (Art. 28 GDPR)

Data processing directory (Art. 30 GDPR)

 

Manfred PUCHNER

KI-EF Bylaws Advisor