Why is my child’s personal data being collected in hobbies?
Personal data is needed and used in a variety of situations in hobby and leisure activities. First of all, the organiser needs to know the names of the participants. They often also need the contact details of the child or young person as well as their custodian in order to inform them about the activities. If there is a fee for the hobby, contact details are also needed for billing. They can also be important in the event of unexpected circumstances. For example, children can be injured or suffer accidents in football training or a scout camp, and the instructors need to be able to contact the custodians if that happens.
Collecting the child’s or young person’s health data can also be necessary in some cases. The hobby instructors may need to know about the child’s allergies or other conditions to ensure safety, for example. Information on allergies can be required if food is provided during the activity and a child cannot eat or even be exposed to certain ingredients. The instructors may need information on the child’s illnesses, especially if they need to be able to react quickly or give the child medicine if symptoms occur.
On the other hand, health information with no relevance to the hobby is not necessary. You do not have to provide unnecessary information, and the hobby organiser does not even have the right to process it. For example, an art school does not need to know that a child had measles years ago. As a parent, it is your job to decide whether the hobby organiser needs any given health information about your child.
The information needed by the club or association depends on the nature of the hobby or activity. The hobby organiser probably needs to process more data if the child and organiser are serious about the activity and success. For example, if your child competes seriously in a sport, the club may need to be more familiar with the child’s health or process the child’s personal data for insurance purposes.
According to the General Data Protection Regulation, there must always be a lawful basis for processing personal data. When collecting personal data on children and their parents, the hobby organiser must be able to tell them the basis and purpose of such collection. If you are unsure about the collection of your child’s personal data, you can ask the club or association for more information on why they are asking for specific data.
Where can I get information on how a club is processing personal data?
The GDPR and other legislation ensure that, as a rule, parents have the right to know what kind of personal data, and what data specifically, a hobby organiser has on their families.
You can ask the hobby organiser for information on the types of personal data it is processing and on what basis, who have access to that data, and whether the data is being disclosed to third parties. As a rule, the organiser should publish this information in a privacy statement of their website, for example. If you want to know what data a hobby organiser has collected on your child specifically, you can submit a request of access to the organiser. This is called “right to access data”.
As the parent of an underage child, you need to take a few things into consideration before making such requests, however. Simply being a child’s parent is usually not enough to represent the child. The parent also needs to be the child’s custodian. Secondly, you should remember that as your child gets older, their right to self-determination in the processing and disclosure of their data also increases. When a child is young, their custodians represent the child and manage all of their affairs. At some point, however, the child achieves a sufficient level of maturity that they can be considered to be able to manage their own affairs, such as decide on whether their custodians are entitled to represent them in all matters involving the processing of personal data. For example, at some point the child will be able to make their own decisions on things such as whether a hobby organiser has permission to disclose the child’s personal data to their parents.
The legislation does not specify any specific age at which a child is sufficiently mature to make decisions alone on the processing of their personal data. Evidently, the parents of an adult no longer have access to their child’s data without a special reason. Such special reasons can include the child’s consent or, for example, if the parent of an adult has been appointed as their guardian to represent them in personal matters.
Minors themselves, whether they are 6 or 16, still have the right to exercise their data subject rights under the GDPR with regard to their own data. In other words, they can request access to or the rectification of their data, for example, even without their parents’ help.
The GDPR4CHLDRN project creates a toolkit to support the application of data protection legislation by clubs and associations organising hobby and leisure activities for children and young people. The project also provides information on data protection rights and the protection of personal data to children and young people and their parents.
The GDPR4CHLDRN project provides information about the protection of personal data and data protection rights to children, young people and their parents. Materials targeted at them as well as icons that clarify concepts related to data protection will be developed in the project. In addition, a toolkit to support compliance with data protection legislation and its application will be created for associations and hobby clubs that organise hobby activities for children and young people.
- A two-year project that will end in August 2024.
- The project is funded by the Citizens, Equality, Rights and Values programme of the European Union.
- The project coordinator is the Office of the Data Protection Ombudsman, and its partner in the project is the TIEKE Finnish Information Society Development Centre.
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the granting authority can be held responsible for them.