What does the WBTR mean for associations + GDPR?
Dutch Governance Act (since 1 July 2021): sharper director liability, including for GDPR violations. Associations must take privacy seriously.
The WBTR (Dutch Governance Act) entered into force on 1 July 2021 and modernises corporate law for associations, foundations, cooperatives, and BVs. Core change: joint and several director liability now also applies in the non-profit sector. Directors can become personally liable for serious culpable mistakes, including GDPR breaches.

What must the association arrange?

(1) Update the articles of association (within 5 years of the effective date, so before 1 July 2026): rules on director absence, conflict of interest, and multi-vote rights.
(2) Privacy policy (GDPR Art. 5(2) accountability): who processes member data, retention, who has access.
(3) RoPA (GDPR Art. 30): often mandatory even for small associations.
(4) DPAs with IT suppliers (member-administration software, email marketing, payment platform).
(5) Data breach procedure: who reports, when, how.

For sports associations specifically: no BSN use (Wabb), photos of minors only with separate parental consent, and member health data is a special category under Art. 9.

Liability risk: in the event of a large data breach combined with proven culpable behaviour (no DPIA, no DPA, no insurance), the board can be held personally liable, not just the association. Privacy liability insurance is recommended.