Just yesterday I read an article of the chamber of commerce and industry (Germany) about protection of data privacy.
Simply put, it states that a firm or organisation must survey and use (the German terms are defined by law) as little person-related data as possible, meaning that collecting data when the usage is not clear, or "collecting data ahead", is not allowed.
Person-related data are (§3, 1 BDSG (Bundesdatenschutzgesetz - Confederation Law of protection of data privacy)):
particulars of personal or factual relations about a specific or determinable natural person (for instance name, address, personal number, but also assessments).
The data must be removed if the purpose of saving isn't given anymore. The purpose must be defined and must be clear to the person about whom the data are.
Usually a business (also organisation) is allowed to collect data if the concerned clearly stated his allowance in a contract.
If there is no contract, the legitimacy depends _on the acceptance of the concerned_.
Notification of the concerned:
If the concerned isn't aware that a business is saving his person-related data, he must be notified. The business must provide information about the sort of data and for what purpose they are being stored. Also, the business must tell who is responsible for them.
I translated those important parts as well as possible, don't sue me if something is wrongly translated >.>
However, Talad: the non-profit org is registered in Texas, USA.
So the above concerning the German law might not, or only partly, take effect in this matter.
The reason why I posted this was the statement of DaveG and the mere non-understanding reactions to Janner's mentioning of legal terms. I hope this may sensitize the legal understanding of this matter, although under the German law, the devs wouldn't have to tell the points, only that they are stored and for which purpose.