1. Fulfil the participants’ data protection rights

The icon features a rectangle representing personal data, with a plus sign in the bottom right corner. The icon is surrounded by a light green frame. The icon can be used to indicate that the instructions concern the processing of personal data concerning the data subject.

The icon features an open palm holding a rectangle, which represents personal data, with a symbol depicting a person in the centre. The icon is surrounded by a light green frame. This icon can be used to express that the situation involves the controller's obligations related to the processing of personal data.

‘Data protection rights’ mean the rights related to processing that the data subject has in respect of the controller processing their personal data. When a hobby organiser processes personal data as a controller, it must ensure that the data subjects’ data protection rights are fulfilled. Data protection rights include the participant’s right to access their data and to have inaccurate data rectified. The hobby organiser must make it easy for participants to exercise their data protection rights and tell the participants how they can do so.

Data subjects have the following data protection rights:

a. Right to obtain transparent information on the processing of their personal data

The data subjects must be informed of the processing carried out by the hobby organiser, and this information must be provided in clear and intelligible form.

Example

A swimming club informs its members of the processing of their personal data in a privacy statement on the club’s website.

b. Right of access to one’s data

Data subjects have the right to receive confirmation from the controller whether it is processing personal data concerning them. If the data subject’s personal data is being processed, the controller is required to supply a copy of the processed personal data to the data subject.

c. Right to the rectification of data

Data subjects have the right to demand that the controller rectify inaccurate personal data concerning them. Data subjects also have the right to have incomplete personal data completed.

d. Right to the erasure of data and to be forgotten

In certain situations, the data subject has the right to have the controller erase the data concerning them without delay. In some circumstances, participants have the right to have their data erased. However, the hobby organiser may sometimes have the right to keep or publish the data even though the member has demanded that they be erased. The hobby organiser may be required to keep the data for a certain period to comply with the law, for example.

e. Right to the restriction of processing

A data subject can request the controller to restrict the processing of personal data concerning the data subject. This means that, apart from storage, the personal data subject to the restriction may only be processed with the data subject’s consent, in connection with a legal claim, to safeguard the rights of another person, or for an important public interest.

f. Right to data portability

A data subject has the right to receive the personal data which they have provided to a controller in a structured, commonly used and machine-readable format, as well as the right to transmit that data to another controller should they wish. The data subject has the right to have the data transmitted directly from one controller to another, where technically feasible.

g. Right to object to the data processing

In certain situations, the data subject has the right to object to the processing of their personal data, that is, request the controller not to process it at all. If the data is being processed in the public interest, in the exercise of public authority vested in the controller, or for pursuing the legitimate interests of the controller or a third party, the data subject can object to the processing on grounds relating to their particular situation.

h. The right not to be subject to a decision based solely on automated processing

The data subject has the right to demand that decisions concerning them are made by a human.

What do you need to take into account when a data subject wants to exercise their data protection rights?

As a rule, the controller is required to respond to the request within one month of receiving the request. The response must describe the measures taken by the controller due to the request.

If there are many requests or they are complex, the controller can notify the data subject that it needs more time to process them. In such cases, the deadline can be extended by at most two months. The controller must notify the data subject of the extension within one month of receiving the request.

What do you need to take into account if the controller refuses the request?

If the controller refuses the data subject’s request, it must justify the refusal and notify the data subject of it within one month of receiving the request. The controller must have a legal basis for its refusal.

The controller must also inform the data subject of their opportunity to lodge a complaint with the Office of the Data Protection Ombudsman and of the data subject’s other legal remedies.

The contact details of the hobby organiser or person responsible for fulfilling the rights of the data subject must be easy to find. You do not need to give the name of a specific individual in the contact details. For example, you can provide just an email address (e.g. dataprotection@sportsclub.eg) that the person responsible for data subjects’ requests has access to.

The extent of the rights of the data subject depends on the basis of the processing. If the basis is the controller’s legal obligation, the public interest or the exercise of public authority, the rights of the data subject are more limited than in processing based on agreement, consent or the controller’s legitimate interest.

The rights of the data subject do not always apply to all personal data. For this reason, it is important to consider how the rights and requests of data subjects will be fulfilled in practice.

If a hobby organiser processes the personal data of a child or adolescent, it must take into account that the minor’s custodian may also have the right to exercise the minor’s data protection rights on their behalf. On the other hand, minors also have the right to their own data, and it may not be permitted to disclose their data to their custodians in every case.

Remember

Design a process for fulfilling the rights of the data subjects: how can the data subjects contact you to exercise their rights, who replies to their requests, how is the data subject identified, and how are the requests fulfilled in practice. Also remember to document the requests. Take the fulfilment of data protection rights into account also when procuring new systems.