With GDPR, we now need to ensure we have explicit consent for handling personal data. But what do we do with members where this is lacking?
Since removal from the membership system equates to being removed as a member of the organisation, a policy document is needed for this. Specifically, it needs to deal with:
- Lack of general consent
- Lack of parental consent (for members <13 years old)
- Members who have not filled in a birth date (or filled in a date which we could not reasonably assume to be true) [i.e. it could be argued we have not done our due diligence to ensure they are not <13]
- What to do with received membership payments where the member had to be removed from our system for one of the above reasons
When a policy has been set, a reminder e-mail should be scheduled explaining this to everyone who has yet to give consent (possibly limited to those who have paid for 2018).
Conclusion based on various decisions:
- No general consent is needed. Membership data is handled with legitimate interest (intresseavvägning) as the legal basis.
- Minors (<13) who are known to the organisation (by entering their age, by telling us they are underage or by employees knowing them) are required to have a consent form signed by their guardian.
- Members (and ex-members) who have not entered their age are required to self-report if they are minors. Information about this is sent out during sign-up.
Anyone requesting to have their data removed, or minors lacking parental consent, lose their membership.