In Italy, as in other European countries, fundraising activities are widespread.

To carry out such fundraising efforts, donor data is typically processed for subsequent contact regarding potential charitable initiatives.

Initially, data collection within non-profit associations primarily focuses on managing donation agreements, rather than utilizing personal data for future charitable endeavors.

In this context, a point of considerable interest is the application of Article 30 of Regulation (EU) No. 679/2016 (hereinafter “GDPR”) to the highlighted sector. This article outlines one of the primary obligations of the Data Controller, which involves maintaining a Record of Processing Activities.

It is a document containing the principal information (as specifically identified by Article 30 of the GDPR) related to the processing operations conducted by the Data Controller and, if applicable, by the Data Processor.

The Record must be in written form, which includes electronic form, and must be presented to the Data Protection Authority upon request, if necessary.

Given that Article 30 of the GDPR specifies that this obligation does not apply to organizations “with fewer than 250 employees, unless the processing they carry out poses a risk to the rights and freedoms of the data subject, the processing is not occasional, or includes the processing of special categories of data as referred to in Article 9(1), or personal data related to criminal convictions and offenses as referred to in Article 10,” it raises questions regarding its applicability to the Italian Third Sector, which is predominantly composed of small organizations.

Therefore, while the aforementioned obligations may not be universally mandatory due to the organizational size of these entities, it is essential to recognize that much of the processed data is considered sensitive under the law. This is often because it pertains to religion, financial transactions, or political interests. Consequently, the potential requirement to implement the Record must be evaluated on a case-by-case basis, taking into account the specific activities conducted by each organization.