GDPR and alumni directory: 12-point checklist before going live

Why GDPR kills 30% of alumni projects

The pattern repeats in 1 out of 3 alumni projects. The alumni office picks a platform, negotiates the contract, configures it, prepares the communications. The school's or association's DPO is consulted at the last minute — sometimes at D-15 before launch. They block. The project takes a 2-to-6-month delay, or worse, switches platforms entirely mid-contract after signing.

Three refusal cases consistently come up. First: refusal to validate US hosting after the Schrems II ruling. Second: refusal of automatic LinkedIn profile imports without explicit consent from the individuals. Third: refusal of mass emailing without opt-in documented by a timestamped log. Each of these refusals is legitimate — and predictable if the DPO is consulted upstream.

Typical impact: 2 to 6 months of delay, hidden costs of double configuration, loss of internal trust between leadership and IT, and in 15% of observed cases, contract termination with the vendor at exit fees. The lesson is simple: validate GDPR compliance before signing, not after.

The 12 critical points to validate

Here is the minimum checklist to have signed off by the DPO before signing with a vendor. None of these points is negotiable on compliance — they all fall within the letter or spirit of the GDPR and French CNIL recommendations.

1. Legal basis for processing. Legitimate interest of the school for the institutional directory, or explicit consent for the alumni association. Document the choice in the records of processing activities (ROPA). Don't mix the two: they don't have the same obligations.
2. Up-to-date records of processing. CNIL obligation for any entity > 250 employees or processing sensitive data. The alumni directory must appear in it with purposes, duration, recipients.
3. Retention period. Alumni = lifetime? No. Define a duration (often 10 years after last login) and an automatic purge process. Keeping data "by default" is a violation.
4. Transfers outside the EU. Since Schrems II, hosting in France or the EU is recommended. If a US transfer is unavoidable, SCCs (Standard Contractual Clauses) + documented complementary measures.
5. Cookies and trackers. CNIL-compliant banner (2020 deliberation), refusal as easy as acceptance, consent log retained for 5 years. No trackers until consent is given.
6. Anonymization vs pseudonymization. For placement statistics (CGE/CTI), anonymization is required — not just pseudonymization. See the CGE survey guide for exact rules.
7. Right to erasure. An alumnus deletes their account in 3 clicks from their space, not via an email to support that takes 3 weeks. Documented process, maximum 30-day delay.
8. Right to portability. JSON or CSV export of all user data on request, delivered within 30 days max. Test the feature before going to production.
9. Breach notification. Documented internal process to inform the CNIL within 72h of a breach. Include the vendor process in the DPA.
10. Designated DPO. Public school: mandatory. Alumni association: depending on thresholds and processing. Possibility of sharing an external DPO between school and association with clear governance.
11. DPIA (Data Protection Impact Assessment). Mandatory for high-risk processing: automated mentorship scoring, LinkedIn enrichment, sensitive data crossing, profiling. Not optional.
12. DPA signed with the vendor. Mandatory annex to the contract. A vendor that refuses to sign a DPA is a deal-breaker — no contract without a DPA.

Special cases: dual members, alumni abroad, sensitive data

Some situations complicate the standard picture. The dual member case first: an alumnus is both in the school's institutional directory (legal basis: legitimate interest) and in the alumni association file (legal basis: consent). The two processing activities coexist but must be documented separately. Don't blend the legal bases in a single opaque processing.

Second case: alumni residing outside the EU. The GDPR applies as long as collection is performed by an EU entity, even with non-EU end users. A French alumnus expatriated to Singapore remains protected by the GDPR in their relationship with the French school. Data exports to third countries (for a local event for instance) require the same guarantees as US transfers.

Third case: sensitive data (religion, politics, health, sexual orientation, trade-union affiliation). To be avoided by default in an alumni directory. If collection is necessary — for example for a faith-based affinity group — explicit consent AND legitimate purpose AND storage isolated from other data. For specific extra-EU cases, see the GDPR diaspora guide which details diaspora / GDPR cross-rules.

France hosting vs SCCs (Schrems II in practice)

The Court of Justice of the European Union's Schrems II ruling (July 2020) weakened all data transfers to the United States. The reason: the US CLOUD Act allows federal authorities to access data stored by US companies, even if the servers are located in the EU. This extraterritoriality is incompatible with the GDPR level of protection.

Two solutions in practice. Solution A: hosting in France or the EU with a provider not subject to the CLOUD Act. The three references: OVHcloud (Roubaix, Gravelines, Strasbourg), Scaleway (Paris), Outscale (Dassault, SecNumCloud-certified). It's the solution recommended by the CNIL and the simplest choice for a DPO.

Solution B: Standard Contractual Clauses (new 2021 version) with documented complementary measures. Legally accepted but regularly challenged in practice, and most public-school DPOs refuse this path for student and alumni data.

Direct market consequence: public-school DPOs regularly block AlumnForce when components are hosted outside the EU, and Hivebrite whose main infrastructure is in the United States. France hosting becomes a decisive competitive advantage for public-school contracts or public-interest associations.

DPA template to sign with your vendor

The DPA (Data Processing Agreement) is the annex to the contract that frames the processor's role (the vendor) vis-à-vis the controller (the school or association). Without a DPA, the contract is not GDPR-compliant. The CNIL provides a public template to adapt.

The 9 mandatory DPA clauses are specified in article 28 of the GDPR:

• Subject, nature and purpose of the processing
• Duration of processing and end-of-contract terms
• Types of data processed and categories of data subjects
• Obligations and rights of the controller
• Sub-processors (up-to-date list, right to object)
• Documented instructions from the controller
• Confidentiality of processor staff
• Security of processing (technical and organizational measures)
• Processor assistance for data-subject rights and breaches

Frequent negotiation points: liability in case of breach (capped or not), right to audit (real or documentation-only), sub-processors (change with 30-day notice). A vendor that refuses to negotiate these points should be ruled out — DPOs will demand them anyway.

Final checklist before signing

Before signing the contract with the vendor, have the 12 points above validated by the DPO. For each, require a written response from the vendor, not just a commercial pitch. A written "Proof of Compliance" binds the vendor; a sales speech counts for nothing in case of audit.

• Obtain the records of processing made available by the vendor
• Verify France hosting or SCC guarantees on paper
• Test GDPR rights in real conditions (account deletion, data export)
• Validate the DPA template with the school's legal team and the DPO
• Document all answers in a compliance table signed on the date of go-live

To go further: dedicated section on the /alumni/ page (infrastructure and France hosting), and the guide clean migration from Excel which details consent handling when switching over legacy data.