The GDPR obliges you as the controller to inform your participants about data processing. In practice, this can be realised via data protection notices on the website or a separate information sheet.

The data protection information must contain the following content 

• Who processes the participants' data? 
• For what purpose is the data processed? (e.g. for the proper organisation of the training course)
• On what legal basis does the processing take place? (In this case, on the basis of a contractual measure (see Article 6, paragraph 1 b GDPR - more information in our course "Basic course on data protection")
• What personal data is processed? (You should have this list in front of you after the last exercise)
• Who has access to this personal data? (In addition to the employees of your organisation, these may be third-party providers, e.g. if a learning system is provided by an external service provider).
• How long will this data be stored? When will the data be deleted from your systems? (Remember: as soon as the purpose for processing the data no longer applies, you must delete the data. Exception: if there are corresponding statutory retention periods that you must adhere to).
• Last but not least, the information sheet must also inform the data subjects about their rights in accordance with Art. 12 - 23 GDPR. These are primarily information and access rights as well as the right to erasure, data portability, the right to lodge a complaint with a supervisory authority and the right to object

You can find a template for the data protection notice in our "Tools and Tools" course.

Source: heyannieb on Pixabay