What should you take into account when processing health data in hobby activities?

The icon features a rectangle depicting information. There is an eye crossed over with a line on the bottom right corner of the rectangle. The icon is surrounded by a light green frame. The icon can be used to indicate the processing of special categories of personal data or instructions for such processing.

Information on a child’s allergies, illnesses or medication is often essential for guaranteeing the child’s health and safety in hobbies and leisure activities.

Health data is a special category of personal data, the processing of which is generally prohibited. The processing of health information can be permitted, for example based on the data subject’s consent. If health data is collected based on the consent of the child or their representative, they must only be requested to provide health data necessary for the child’s health and safety.

Data may not be collected just in case or for possible future needs. For example, it is not permitted to collect data on food allergies if there is no appropriate basis and need for it at the time. The hobby organiser must be able to demonstrate that the child or their representative has given their explicit consent for processing the child’s health data.

Jump to section about consent

Example

The coach of a Finnish baseball team sends the parents of children who join the team a link to a form asking for information on the child’s illnesses or medication which the coach should be aware of during training to ensure the child’s health and safety. The baseball club has instructed coaches to collect the players’ health data with the form in question, so that the children’s health information will be obtained in the manner specified by the club and only the appropriate coaches who need to process the data can do so.

The child’s custodian logs into the form with two-factor authentication. The form asks the custodians to only report illnesses and medication that the coaches need to know about to ensure the child’s health and safety during training. The form also asks for consent for the processing of health data and states that the consent can be withdrawn at any time. Since consent for processing the child’s health data is being requested with an electronic form, the baseball club will be able to demonstrate that the custodian has given their consent for the processing of the child’s health data and that the club has a basis for processing the data in question.