Last Updated:
by Adriana Oliveira

Organisation consents 

To comply with GDPR, organisations must have explicit consent from potential volunteers to process and store their details. Therefore new applicants must complete all consents questions when applying for a new opportunity. They can change it at any time from the applicant's portal.

Existing users can update their permissions from My details page under the Password & privacy tab.

Parental consent 

If an applicant is underage, the parents can set their child's consent preferences when filling out parental consent.

Parents can always update the child's consent preferences using the same link emailed to them.

Expired, invalid and new consents 

If an organisation adds new permissions that are compulsory, all users must update their consents preferences before using the Assemble web application.

If the user's consents expire, e.g. permission has an expiry period of six months, and the user gave their consent six months ago, then the consent must be updated.

The system will send a notification to the user 30 days before consent preferences are due to expire.

If a user is underage, then the email will also be sent to their parent/guardian.

If a user was underage (based on organisation minor age settings) and then becomes an adult, the system will also send an email notification to remind that the consents are expiring and must be updated.

Subject access request 

If you have permission you can request a SAR for another user you have access to from the details page. The system will send an email with a passworded zip folder that contains all the user tabular data as an excel file and any files/attachments in the appropriate folders.

What happens with my data

Inactive users (volunteer that has left the organisation) or unsuccessful applicants (withdrawn, not selected etc.) wanting to know what will happen with their data.


Volunteers can access "My data" page by clicking on their profile picture on the top right.

"My data" is a page that summarises how users data is used and stored. It also has links to organisations' T&Cs and other useful links.

There is also a link on the leaving form which gives information on what happens with user's data when they leave the organisation.


Below are the pre-set times for user's data anonymisation. The organisation sets these times, which they can edit at any time.

  • Applications that are cleared will be anonymised after six months
  • Applications that are closed (applicant not selected) will be anonymised after one month
  • Inactive users will be anonymised after 84 months 
  • Export contents are deleted after three hours
  • Import records are anonymised after seven days if successful, 30 days if not


Anonymisation is the process of removing users' personally identifiable information. This process will happen within Assemble for the above reasons. Also if an inactive user requests for their data to be removed from the system the organisation can do so with the right permission to 'Request anonymisation' on the users' profile.