It is essential for the hobby organiser, such as a sports club, to determine how long they are permitted to store their members’ personal data. If an organisation does not take care to erase unnecessary personal data on a regular basis, it can end up storing data for years without a lawful basis for processing. If this is the case, more personal data can be disclosed to outsiders in the event of, for example, a data leak, than if the unnecessary personal data had been appropriately erased.
How is the storage period of personal data determined?
The storage periods of certain types of personal data, such as data related to employment or accounting, are specified by law. When this is the case, the data is stored for the statutory period and then erased.
The law does not lay down specific storage periods for all types of personal data, however. In the absence of legislation, the hobby organiser, in its capacity as controller, must determine its own storage periods for each type of personal data. The hobby organiser should first review the types of personal data it is processing and determine the purpose of each type. The organiser can then specify a storage period for each category of personal data according to its purpose. A good rule of thumb for determining the storage period is to only store personal data for as long as necessary for the purpose for which it was collected.
When determining storage periods, the hobby organiser should also take into account different scenarios, such as when someone quits the hobby. Some data can be erased immediately, but the law may require some types of data to be stored longer.
Some types of personal data are more sensitive than others, and these must be protected especially well. When storing health data, for example, the organisation needs to take into account the sensitive nature of the information and the potential harm to the data subject should it be leaked. This is especially true of children’s health information. Health data must be stored so that outsiders cannot access it and may not be disclosed to people who do not need it.
The storage period of personal data is determined by its purpose: personal data may only be stored for as long as necessary for a specific purpose.
What do I need to take into account in the storage of personal data?
Personal data is stored in electronic format in, for example, case processing systems, enterprise resource management systems, applications and electronic documents. The hobby organiser must ensure that data can only be accessed by people who have the right to process it, for example in their work.
The same applies to the processing of data on paper. For example, documents can be stored in a locked cabinet and keys given only to those entitled to access the data.
Changes in staff must also be taken into consideration in the storage of personal data. It is important for hobby organisers to ensure that people who are no longer involved in the activity do not store data without a valid reason, for example on their personal computers or in their email.
When storing personal data, you must ensure that only authorised people have access to it.
When should personal data be erased and how?
Personal data must be erased at the end of its storage period. Depending on the type and storage period of data, data may also be erased differently and at different times.
The data can be erased automatically or manually, depending on its form and place of storage. The data must be erased from everywhere: data in cloud storage must also be deleted from the downloads folder and email folders, for example. Also remember to delete any backups.
Personal data stored on paper must be destroyed appropriately, so that no unnecessary personal data is left forgotten in binders or at the back of filing cabinets. Paper documents can be destroyed by shredding or deposited in a confidential waste bin, for example.
The hobby organiser is responsible for ensuring that personal data is not processed for longer than necessary. The organiser must provide people processing personal data in hobby activities, such as coaches, instructors, team managers, treasurers, volunteers and equipment managers, with instructions on how to erase data appropriately. When drawing up such instructions, the hobby organiser should remember that the roles of people involved in hobby activities can change at short notice.
Erase personal data at the end of its storage period. Also delete any backups.
When the hobby organiser takes appropriate care of the storage and erasure of personal data, people can focus on the hobby, safe in the knowledge that their personal data is in good hands.
The GDPR4CHLDRN project creates a toolkit to support the application of data protection legislation by clubs and associations organising hobby and leisure activities for children and young people. The project also provides information on data protection rights and the protection of personal data to children and young people and their parents.
The GDPR4CHLDRN project provides information about the protection of personal data and data protection rights to children, young people and their parents. Materials targeted at them as well as icons that clarify concepts related to data protection will be developed in the project. In addition, a toolkit to support compliance with data protection legislation and its application will be created for associations and hobby clubs that organise hobby activities for children and young people.
- A two-year project that will end in August 2024.
- The project is funded by the Citizens, Equality, Rights and Values programme of the European Union.
- The project coordinator is the Office of the Data Protection Ombudsman, and its partner in the project is the TIEKE Finnish Information Society Development Centre.
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the granting authority can be held responsible for them.