Summary

The general data-protection obligations under the EU’s GDPR (and the UK GDPR / Swiss FADP) that affect how campaigns collect, store and use supporter data.

Body

The EU General Data Protection Regulation (2016/679), operative since May 2018, applies to almost every campaign that handles EU-resident personal data, regardless of where the campaign is based. Core obligations: a lawful basis for processing (usually consent or legitimate interest); clear, specific opt-in consent for marketing and political communication; data minimisation; purpose limitation; storage limitation; the right to erasure; data-protection impact assessments for high-risk processing; a 72-hour breach notification.

Most EU member states have supplementary national laws (e.g. Germany’s BDSG, France’s Loi Informatique et Libertés) [source: la-quadrature-du-net]. Tactical Tech’s holistic-security curriculum covers the data-hygiene practices that GDPR operationalises: minimisation, retention policies and breach response [source: tactical-tech]. The Amadeu Antonio Foundation and Digitalcourage both publish German-language guidance on the BDSG and on the data-protection regime specifically applicable to civil-society organisations [source: amadeu-antonio], [source: digitalcourage].

For a campaign, the design of the consent banner and signup form is where most GDPR risk lives. EU authorities have repeatedly fined political parties and campaigns for unlawful data processing.

Use it for

Designing a compliant signup form; assessing a campaign’s data-handling risk; responding to a subject-access request; reporting a breach.

Open Questions

None yet.

Sources & verification

  • sources/la-quadrature-du-net — grounding: secondary — RAW (2498 chars)
  • sources/tactical-tech — grounding: secondary — RAW (588 chars)
  • sources/amadeu-antonio — grounding: secondary — RAW (51338 chars)
  • sources/digitalcourage — grounding: secondary — RAW (3487 chars)

Verified 2026-06-23 by llm-qc.