Responsible data management toolbox

3.2 GDPR application


Keep in mind

Interpretation of the GDPR’s geographical scope of application differs among NGOs’ legal departments (for example, on whether affected populations are covered only when located in the European Union or outside it as well).

Nevertheless, it seems problematic for humanitarian aid and international development NGOs to treat populations differently depending on their location, especially with respect to ethical principles and the rights of individuals.

There are tools to support you and facilitate step-by-step implementation in terms of personal data protection.

This section explains the application criteria of the GDPR, to determine who is concerned, as well as the tools to better understand and support its implementation.

3.2.1 To whom does the GDPR apply?

The GDPR is legislation initiated by the European Union (EU), but its application is broader than it seems. It is important to analyse the status of NGO field operations, in order to determine whether they are – legally speaking – subject to it or not.

Let us recall nevertheless that what we are looking at here is only the legal lens of the application, not the ethical one.

GDPR applies (Source: The French CNIL):

  • to organisations established in the EU, whether they are data controllers or data processors: this is the establishment criterion. In this case, the place where the data is processed (such as where the data is stored or analysed) is not determinative.
  • to organisations established outside the EU (data controllers or data processors) that target data from EU residents (this mainly concerns HR data in the sector, except for non-European NGOs working with European populations such as those affected by the Ukrainian conflict): this is the targeting criterion.

Warning: These determination criteria are to be examined according to each organisation, based on its internal network: the independence or interdependence relationship between headquarters and offices, for instance, will make it possible to know whether the GDPR applies or not.

3.2.2 What support exists to master it?

As discussed, many NGOs (whether European or not) are subject to the GDPR on at least part of their activities and have an independent supervisory authority responsible for overseeing its application. These authorities also have many practical resources that can be of interest to NGOs.

For French NGOs, the Commission Nationale de l’Informatique et des Libertés (CNIL) is the supervisory authority. It has several missions: supporting civil society, informing, processing complaints relating to personal data breaches and issuing sanctions accordingly.