THE RECOGNIZED PUBLIC UTILITY ASSOCIATION (ARUP) and the GDPR
Associations recognized as being of public utility (ARUP) are non-profit organizations that have been recognized by the State for their contribution to the general interest. As such, these associations are required to collect and process personal data to achieve their objectives. General Data Protection Regulation (GDPR) is a European law that governs how organizations collect, process and protect the personal data of European Union (EU) citizens.
The recognized association of public utility (ARUP) is aimed at associations which meet certain strict criteria of public utility, which are defined by law and which may vary depending on the country.
In France, to be recognized as being of public utility, an association must meet criteria such as:
- Have an activity that is of general interest and benefits a wide audience;
- Be apolitical and non-denominational;
- Have disinterested and transparent management;
- Have at least 3 years of seniority;
- Have a widespread territorial presence and national reputation.
Obtaining ARUP status confers several advantages on the association, such as:
- The possibility of receiving significant tax-free donations and legacies;
- The possibility of benefiting from larger public and private subsidies;
- Official recognition of the public utility of the association;
- Better credibility with partners and the public.
ARUP is a prestigious status, awarded by the executive branch (the Prime Minister in France) after a rigorous process of examining the application for recognition. Only a few associations are recognized as being of public utility each year, and the recognition decision is subject to the favorable opinion of the Council of State.
As with any organization processing personal data, recognized public utility associations (ARUP) may process different categories of personal data of their members, donors, volunteers, employees, etc. Personal data may include:
Associations recognized as being of public utility must respect the rules for the protection of personal data set out by the General Data Protection Regulation (GDPR) and the Data Protection Act.
Importance of the GDPR for ARUPs
ARUPs are required to comply with the provisions of the GDPR, as they regularly process sensitive personal data of their members, volunteers, donors, and other stakeholders. This data may include personally identifiable information such as names, addresses, telephone numbers, and email addresses, but also sensitive data such as health information or political opinions. The GDPR aims to ensure that this data is processed securely and transparently, thereby protecting the privacy of the individuals concerned.
GDPR principles applicable to ARUPs
Lawfulness, fairness, and transparency: ARUPs must process personal data lawfully, fairly, and transparently. This includes clearly informing individuals about how their data is used and obtaining their explicit consent for the processing of their data.
Purpose limitation: Personal data must be collected for specific, explicit and legitimate purposes, and must not be further processed in a manner incompatible with those purposes.
Data minimization: ARUPs must ensure that they only collect and process personal data that is strictly necessary to achieve the purposes for which it was collected.
Accuracy: Personal data must be accurate and, where necessary, kept up to date. ARUPs must take all reasonable steps to ensure that inaccurate data is rectified or deleted.
Retention limitation: Personal data should only be retained for the period necessary to achieve the purposes for which it was collected.
Integrity and confidentiality: ARUPs must ensure the security of personal data by implementing appropriate technical and organizational measures to protect data against unauthorized access, modification, disclosure or destruction.
EN 
FR 
DE 
ES 
EL 
IT 
HR 
PT 
NL 
DE_AT 
ET 
FI 
LV 
LT 
SK 
SL