7. Ensure the security of processing
The hobby organiser must take care of the protection of data at all stages of processing from collection to erasure. Secure processing requires that the controller is able to guarantee the confidentiality, integrity, usability and resilience of the systems and services at all times and is able to restore the data quickly in the event of a fault. The processing of personal data must also be monitored and supervised to ensure security.
The adequate level of data security depends on the nature and volume of the data being processed. For example, sensitive data and special categories of personal data require more effective technical safeguards. Large volumes of data can attract interest from outside parties and thus require more effective safeguards. Personal data must be secured at all stages of processing, that is, from collection to erasure.
Data must be protected from access by third parties. ‘Third parties’ means everyone without a basis or right to process the personal data.
In electronic systems, third-party access to personal data can be prevented with access rights management. The controller must ensure that only persons whose duties give them the right to process personal data can gain access to the data. Remember that viewing the data also counts as processing. When a person changes roles within the club, you should also remember to immediately deactivate their access rights to systems they are no longer entitled to access.
You should use individual usernames in your systems. The use of shared usernames is not recommended. With individual usernames, the controller can control and verify who has processed personal data, including retrospectively.
The controller must check the default settings of new systems and applications before starting to use them. With regard to data protection, you should check that personal data is not visible to all users by default.