I have a GDPR question concerning a small non-profit organization. The organization is quite informal. Although it has many regular meetings, all these meetings are open to the public. As such, most of those who attend, even many regular attendees, are not officially registered members of the organization.

The organization would like to keep track of those who attend for follow-up purposes. I have three related questions about what the GDPR permits. In the first two cases, the organization does not make any formal announcement that it is tracking who attends. (However, attendance numbers are occasionally mentioned informally, so it is not a secret, either.)

First, is it legal under the GDPR for the organization to take a count of how many people attend without recording any names? In this case, the organization groups the counts by the general age (child, teenager, or adult) and gender (male or female) of the attendees, but no names are recorded. These attendance numbers are shared among the organization members and are occasionally announced to all meeting attendees. (I would think that this is authorized.)

Second, is it legal under the GDPR for the organization to record the attendees by name, including their general age and gender as mentioned above? The names are obtained through informal contact with the attendees during meetings; attendees are never explicitly asked if they want their attendance recorded. These attendance lists with names are shared only among organization members on follow-up committees. (This is the main case that I have questions about under the GDPR.)

Third, in case either or both of the above cases are not authorized under the GDPR, is there any legal way that attendance by name can be recorded and shared among designated organization members? The primary hesitation about formally requesting authorization is that the organization wants attendance records to be as accurate as possible, and if some attendees do not grant authorization, then the records will never be accurate. I have heard that one way to accomplish this would be to verbally announce at the beginning of each meeting that attendance is recorded, or to conspicuously post a written notice to this effect at the entrance. Would either of these fulfill GDPR obligations? Or is there an alternative solution?

In any answer, I would appreciate it if you could cite specific relevant sections of the GDPR so that I can learn the law better.

Tripartio

1 Answer

The scope of the GDPR is entered when personal data is being processed in a structured manner.

Personal data is any information relating to identifiable data subjects (definition in Art 4(1)). "Peter attended the meeting on the 14th" is personal data. "That woman with the blue handbag said she wanted to return on the 25th" is personal data. However, aggregate statistics do not relate to individuals, and are typically not personal data. "On the 14th, we had 25 attendees" is not personal data.

Not all use of personal data is within the scope of the GDPR. For example, the GDPR would not apply if two organizers talk about who attended the meeting. However, Art 2(1) says the GDPR applies when personal data

  • is processed wholly or partially with automated means (e.g. computers, smartphones), or
  • forms a filing system or is intended for a filing system (e.g. keeping notes on attendees, keeping attendance lists)

If GDPR applies, the organization would be responsible for ensuring compliance with its rules and principles, summarized in Art 5. Primarily, this means:

  • having a clear purpose for processing
  • selecting a suitable Art 6 legal basis for that purpose (e.g. consent or a legitimate interest)
  • only processing the minimum data necessary for achieving that purpose
  • determining and implementing appropriate technical and organizational measures to ensure compliance and security of the processing activities
  • preparing for data subject rights, in particular by providing an Art 13 privacy notice when collecting data from the data subjects

There are of course some complexities in the details. When the legal basis is "consent" (opt-in), the organization would have to ensure that this consent was freely given and sufficiently informed. Per Art 7(4), consent would not be freely given if that consent was a condition for access to the meeting. Using "legitimate interest" (opt-out) can be more flexible, but it requires performing a balancing test to show that the legitimate interest isn't outweighed by the data subjects' interests, rights, and freedoms. Roughly, relying on a legitimate interest is appropriate when the data subjects can reasonably expect the processing activity to occur.

Regarding point 1, keeping general counts and aggregate statistics about attendees is probably OK since it wouldn't be personal data. If you are very conscientious about this, you could round all counts and use categories like "0-4 attendees, 5-9 attendees" for each facet, which makes it more difficult to make inferences about individuals. But the fundamental point is that all your data should relate to attendees as a whole, never to individuals.

Regarding points 2 and 3, this is a question of legal basis. Since you gather names through informal conversations, I think that attendees would be weirded out if they learned that you kept detailed records on their attendance. So I think that you probably wouldn't have a legitimate interest here. However, being upfront about this and offering an opt-out could change this.

On the aspect of keeping detailed notes on data from informal conversations, I'd like to point out H&M's EUR 35 million fine back in 2020 (summary on GDPRHub.eu). In a call center, managers used to have conversations with employees. These conversations touched on anything from vacation experiences to health problems, marriage problems, and religious beliefs. All of that is fine. What was not fine is that the managers went full Stasi and kept detailed notes about all of this on a shared drive and used that information for management decisions. This went on until a configuration error made those files accessible to all employees. This violated all the points in the basic compliance process outlined above: the records had no clear purpose, no suitable legal basis, contained way more data than necessary (and even Art 9 special categories of data like information on health or religious beliefs, which have extra protection), did not have appropriate measures to prevent unauthorized access, and did not fulfill data subject rights like the Art 13 right to be informed.

In case this non-profit is a church or religious organization that had its own comprehensive data protection rules before the GDPR came into force in 2018, those can continue to apply per Art 91. This could probably address some issues of legal basis, but cannot circumvent the GDPR's general principles.

amon