
8. Manage the life cycle of personal data from planning to collection, storage and erasure



The life cycle of personal data processing begins with the planning of processing and ends with the erasure or archiving of the data. Data protection must be taken into account in every stage of the life cycle.

When planning the processing of personal data, first determine the legal basis and purpose for the processing. At the same time, consider the principles of personal data processing, informing the data subject and fulfilling their rights, and measures to secure personal data. Conduct a risk assessment and draw up data protection documentation, such as a record of processing activities and a processing agreement. Also define the roles and responsibilities related to processing.

When collecting personal data, take data minimisation and accuracy into account. When using personal data, remember at least the principle of purpose limitation, access rights management, and the requirements related to the disclosure of data.

When storing personal data, you need to pay attention to the storage location and the necessary technical safeguards. When the storage period of personal data expires, the personal data must be erased securely and in accordance with the storage periods.

In hobby activities, it can be useful to define processes for at least the following situations related to processing:

  • fulfilling the rights of the data subjects;
  • detecting personal data breaches and notifying the supervisory authority and data subjects of them;
  • data protection impact assessments and agreeing on processing in connection with new acquisitions;
  • the collection of personal data: what data is collected and by whom, where it is stored, and when and how it is erased; and
  • the erasure of personal data when someone quits the hobby: what the various parties (coach/instructor, team manager, club employee) need to take into account.

Example

A gymnastics club has defined a process for erasing personal data when a gymnast quits. When a gymnast tells their coach that they are quitting the hobby, the coach notifies the club’s director of coaching and the team manager of it. The team manager then notifies the team’s treasurer. The director of coaching lets the club secretary know.

The coach, team manager and treasurer erase the necessary data concerning the gymnast according to the club’s instructions, for example from their email and paper documents. The club’s director of coaching and secretary erase the required data from the club’s ERP system and notify the national association that the gymnast has left the club. The gymnastics club will have to keep some data for the statutory period and cannot erase it right away.

Brief data protection checklist for the Boards of hobby organisers

  1. Identify the hobby organiser’s own role in the processing of personal data in various contexts.
  2. Identify the personal data being processed in the hobby activities, the persons processing it, and the roles of each party in the processing.
  3. Define a purpose for the processing of personal data and only process the data for that purpose. If you change the purpose, the data subjects must be notified of it before the start of processing.
  4. Specify the bases for processing personal data for the various purposes.
  5. Minimise the processing of personal data in connection with the hobby activities. If you have to process personal data, think carefully about which personal data are necessary for which purpose.
  6. Check the accuracy of participants’ personal data regularly and rectify inaccurate data everywhere it is being stored. Ask participants to notify you of any changes to their data.
  7. Inform the various parties (e.g. the participants, employees, instructors, coaches, custodians and stakeholders) of the processing of their personal data. Pay special attention to the intelligibility of information provided to children.
  8. Minimise the storage of personal data: erase data immediately when it is no longer necessary. Also delete any backups.
  9. Design a process for fulfilling the rights of the data subjects: how can the data subjects contact you, who replies to their requests, how is the data subject identified, and how are their data protection rights fulfilled in practice.
  10. Detect personal data breaches, assess the risks they cause to the data subjects, and notify the supervisory authority and people affected if necessary. Document the events and the steps of managing the breach.
  11. Draw up a record of processing activities for the hobby.
  12. Draw up processing agreements with third-party processors who are processing personal data on the hobby organiser’s behalf.
  13. Identify and assess the risks caused to data subjects by the processing. Conduct a data protection impact assessment if the risk is high.
  14. Instruct people involved in the hobby on the processing of personal data.

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the granting authority can be held responsible for them.

Information on the website

The site contains material that provides information on data protection legislation and the protection of personal data, especially for children and young people aged 13–17, their parents, and associations that organise hobby activities. The website has been developed in the GDPR4CHLDRN – Ensuring data protection in hobbies project (2022–2024) implemented by the Office of the Data Protection Ombudsman and TIEKE.

Feedback about the site can be given by e-mail to the address tietosuoja@om.fi. In the message field, you must mention tietosuojaharrastuksissa.fi, so that the feedback is directed to the correct address.


© 2024 Office of the Data Protection Ombudsman and TIEKE. The site uses free Font Awesome icons. The icons have not been changed. License: CC BY 4.0
