Skip to content
Skip to page content

8.3 Erasure

Personal data must be erased at the end of its storage period. Different types of data can be erased in different ways and at different times, depending on their storage periods.

The data can be erased automatically or manually, depending on its form and place of storage. Ensure that personal data is erased from everywhere it has been processed and stored. For example, also delete personal data kept in cloud storage from downloaded files and emails. Do not forget to erase backups as well.

Personal data stored on paper must be destroyed appropriately, so that no unnecessary personal data is left forgotten in binders or at the back of filing cabinets. Paper documents can be destroyed by shredding or deposited in a confidential waste bin, for example.

Example

An athletics club is holding a Christmas party for all of its athletes- The
club requests information on the participants’ special diets and
allergies with the LEAP electronic survey form. After the party, the club
destroys all data on the participants’ special diets, because the data
was only collected for the Christmas patty meal and will not be needed
after that The club ensures that no personal data collected with the
LEAP survey form remains in the LEAP service, in other information systems used by the club, or on paper.

What do you need to do when a child quits the hobby?

Data must be erased when it is no longer necessary for the purpose for which it was collected. For example, the hobby organiser can have a designated contact person for quitting notices who erases the club member’s data in the agreed manner.

What do you need to do when someone involved in the club’s activities, e.g. a coach or team manager, quits their role?

The coach or team manager must make sure that they do not have any personal data related to the hobby activity in their possession when they quit. They must erase all personal data related to the hobby, for example from their email, and destroy any papers containing personal data. The hobby organiser should change the passwords of social media accounts to which the person had access and agree to whom the data in the leaving person’s possession will be transferred.

The controller is responsible for ensuring that personal data is not processed for longer than is necessary and for instructing those processing data in the hobby activity on the appropriate erasure of the data. When drawing up such instructions, the hobby organiser should remember that the roles of people involved in hobby activities can change at short notice. It is also important to provide orientation training to newcomers to the activity, such as new coaches, team managers, treasurers, volunteers and custodians.

Example

A Finnish baseball club provides team-specific email addresses to its team managers for conducting the team’s business. When the team manager changes, the previous team manager’s access to the email account can be revoked and the new team manager can be given access to it. This way, the team managers do not have to use their personal email accounts for team matters and email messages related to the team manager’s duties are available to the new team manager. The baseball club has instructed team managers to only use the email address for conducting the team’s business.

Remember

Minimise the storage of personal data: erase data immediately when it is no longer necessary. Also remember to delete backups.

8.2. Storage location
9. Demonstrate compliance with data protection legislation