GDPR guide

GDPR and diaspora platforms: the compliance guide

If you manage a regional diaspora, an alumni network or an international association, you process personal data subject to the GDPR. Here is what that means in practice: responsibilities, hosting, international transfers, consent, data-subject rights, compliance checklist.

April 2026 Read ~7 min By the Terrilink team

Who is the data controller, who is the processor?

This distinction is at the core of the GDPR (articles 4.7 and 4.8). For an alumni network or diaspora that uses a SaaS platform:

  • Data controller: the association, school or organization that decides why and how its members' data is collected and used. It carries the legal responsibility.
  • Processor: the SaaS platform vendor (e.g. Terrilink), which processes data on behalf of the controller, without deciding on purposes.

This split must be formalized in a Data Processing Agreement (DPA). Any serious platform provides one; without a DPA, the controller is in breach.

Hosting: France, EU, United States?

The GDPR does not forbid hosting outside the EU, but it regulates it strictly:

  • France/EU hosting: no cross-border transfer, the simplest situation. Recommended for communities with predominantly European members.
  • US hosting: since the invalidation of the Privacy Shield (2020), a personal-data transfer from the EU to the US requires Standard Contractual Clauses (SCC) plus additional measures based on impact assessment. Legally complex.
  • Third countries without an adequacy decision: even more restrictive.

For a diaspora or alumni network, France/EU hosting is the simplest and most robust choice. See Terrilink for Diaspora, hosted in France.

The 6 rights of data subjects

Every member of your diaspora or alumni network has GDPR rights that the platform must enable them to exercise:

  • Right of access: know what data is held about them
  • Right of rectification: correct inaccurate data
  • Right to erasure (to be forgotten): request deletion
  • Right to restriction: suspend processing
  • Right to portability: retrieve data in a structured format
  • Right to object: object to certain processing (marketing, profiling)

In practice, the platform must offer a simple way to exercise these rights (DPO email, form, "My data" section in the member space).

Consent and legal basis

Processing must rest on one of the six legal bases in GDPR article 6. For an alumni or diaspora platform, the typical bases are:

  • Performance of a contract: association membership, dues (no additional consent needed)
  • Legitimate interest: communication with members about the life of the association
  • Consent: for geolocation on a public map, marketing newsletter, sharing with third parties

Consent must be freely given, specific, informed and unambiguous. A pre-ticked box is not valid consent.

Breach notification: 72 hours

In case of a data breach (unauthorized access, leak, loss), the controller must notify the CNIL within 72 hours (GDPR art. 33) and inform affected individuals if the risk is high. The processor (the platform) must report any breach to the controller without delay.

Check your platform's DPA for the alert deadlines and procedures.

Special case: members outside the EU

Diasporas often have members living outside the EU. The GDPR continues to apply if the controller (your association) is established in the EU, regardless of the country of residence of the member. A member living in Canada or Senegal enjoys the same rights as a member in Paris.

Compliance checklist for your platform

DPA signed with the vendor

Contractual document formalizing controller/processor roles, security measures, subsequent subcontracting, assistance with rights requests.

Documented hosting

Physical server location specified. If outside the EU, SCC signed and impact assessment available.

Accessible privacy policy

Visible from every page of the platform. Clear language, listed purposes, retention periods, data-subject rights.

Consent management

Opt-in for optional processing (newsletter, public-map geolocation). Ability to withdraw consent as easily as giving it.

Data export available to each member

"Export my data" button in the member space. Structured format (JSON, CSV).

Effective account deletion

Deleting an account actually erases data (or anonymizes it), within a reasonable timeframe. Not just "deactivated".

Terrilink's position

Terrilink is hosted in France (EU), provides a standard DPA to every client organization, documents its privacy policy and allows every member to export or delete their data from their member space. The controller/processor split is explicit in article 8 of the CGU/CGV.

A GDPR-ready platform, hosted in France

DPA provided, France hosting, data export available at any time. 14-day free trial.

Try Terrilink Book a demo