

4. Inform data subjects transparently of the processing of personal data

The transparency of processing personal data means that the controller must openly tell the data subjects how it is processing their personal data. The controller is required to provide all information concerning the processing of personal data to the data subjects in a concise, intelligible and clear form. The information does not have to be provided in a prescribed form.

Example

A music club has attached a description of how and why it is processing the club members’ personal data to the electronic registration form for joining the club.

If the personal data will be collected directly from the data subject, the controller should inform them of the processing when collecting the data. If the personal data is not collected from the data subject themselves, they must be informed of the processing within a reasonable time and no later than one month from obtaining the data.

When data used for communicating with a person is obtained from another source than the person themselves, they must be informed when contacted for the first time, at the latest. If data intended for disclosure to another recipient is obtained from a source other than the data subject themselves, they must be informed of this before or in connection with the first disclosure.

Example

A sports club has drawn up a privacy statement describing its processing. The statement is distributed to new members when they join the club. The privacy statement tells the data subjects on what grounds and for which purposes the sports club processes the personal data of its members, which personal data is being processed and for how long, as well as the data protection rights available to the club members.

When must participants be informed of the processing of personal data by the hobby organiser?

As a rule, a participant must be informed of the processing of their personal data when the processing begins. This can be done with a privacy statement on the hobby organiser’s website, an information letter sent to every participant, or on the registration form for the hobby. The choice of method depends on how the personal data is processed.

The hobby organiser can also inform the participants and their custodians of the processing of their personal data at regular intervals, especially if changes are made to the processing.

When processing children’s personal data, the controller should make sure to inform the children of it using language and style that the child can understand. In other words, it is important to describe the processing of personal data in a manner appropriate to the audience.

Read more: Informing the data subject | Office of the Data Protection Ombudsman.

Example

An ice hockey team is taking part in a skill training camp organised by the club. When the team registers for the camp, the club informs members how the personal data collected in connection with the registration is processed by the club. The club specifies the personal data collected and processed in connection with the registration (e.g. the name, contact details, and accommodation and dietary information of each team member). The club also states the purposes for which the data will be processed (e.g. for organising and coordinating the skill training camp), the basis for processing the data collected in connection with registration, as well as the storage period for the data. The ice hockey club also informs the participants of how they can exercise their data protection rights (for example by contacting the team’s coach or sending an email to the club’s address designated for data protection issues).

Remember

Inform the parties involved in hobby activities (e.g. the participants, employees, instructors, coaches, custodians and stakeholders) of the processing of their personal data. Pay special attention to the intelligibility of information provided to children.


Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the granting authority can be held responsible for them.

Information on the website

The site contains material that provides information on data protection legislation and the protection of personal data, especially for children and young people aged 13–17, their parents, and associations that organise hobby activities. The website has been developed in the GDPR4CHLDRN – Ensuring data protection in hobbies project (2022–2024) implemented by the Office of the Data Protection Ombudsman and TIEKE.

Feedback about the site can be given by e-mail to the address tietosuoja@om.fi. In the message field, you must mention tietosuojaharrastuksissa.fi, so that the feedback is directed to the correct address.


© 2024 Office of the Data Protection Ombudsman and TIEKE. The site uses free Font Awesome icons. The icons have not been changed. License: CC BY 4.0
