5. Only process necessary personal data

Data minimisation is one of the principles of data protection. It means that the processing of personal data must be limited to what is necessary and the controller must be able to justify the need for processing the data. Data minimisation must be taken into account in all aspects of the hobby activity from the very beginning.

Data minimisation must be taken into account already when collecting data: information that is not necessary for the hobby activity may not be collected about participants, their custodians, or any other people involved in the hobby activity. To ensure that only the necessary personal data is collected, the controller must evaluate, on a case-by-case basis, the purposes for which the data is being collected and what data is necessary for those purposes. The storage of personal data must also be limited: personal data that is no longer necessary may not be stored for no reason.

When publishing information, you must make sure that you do not publish unnecessary information on your website or publish unnecessarily detailed information about participants on social media. When publishing information on the internet, on social media and in messaging applications, you should remember that the controller may not be able to control what happens to the personal data after publication. Limiting the processing of personal data to the strictly necessary helps prevent the uncontrolled spread and potential misuse of personal data.

Example

A sports club is organising a kick-off event for the autumn season at its home arena. The club asks participants to register for the event so that it can get the right number of merchandise gifts for the participants. On the registration form, the club only asks participants to indicate whether they will be attending the event or not, since it does not need to know the participant’s name or other contact details in order to get the gift merchandise.

How can the hobby organiser take into account requirements such as data minimisation?

1. Before you begin processing personal data, you must determine whether processing is required for your intended purpose in the first place. If the processing of personal data is necessary, you need to evaluate which data will be necessary for the purpose.

2. If you intend to publish lists containing personal data either online or on paper on a notice board, you need to consider in advance whether it is actually necessary to publish the list at all. If publishing is necessary, you must evaluate whether the list contains any personal data that is not necessary to publish.

Example: A gymnastics club sends an email to a custodian who has registered their child for fairy-tale gymnastics, confirming that the child has been accepted into the group. The club does not publish the names of people who have registered their children for fairy-tale gymnastics online, because it informs everyone accepted into the group personally by email, thus minimising the publication of personal data on its website.

3. System access rights are limited so that only persons who are supposed to process personal data can access them.

4. The use of file-sharing services, for example for processing the personal data of football players on a large scale and to which all club members and their custodians have access, should be avoided.

5. When sending email to a large number of recipients, you can enter the recipients’ email addresses in the BCC field so that the recipients cannot see everyone’s email addresses.

6. Specify the methods and places for processing personal data in advance, so that the same data is not processed in several places unnecessarily.

7. You should avoid printing out personal data without a good reason, so that it is not disclosed to outsiders or stored unnecessarily.

Remember

Minimise the processing of personal data in hobby activities by considering carefully whether you have to process personal data and which data are necessary for which purpose.