Doping control in sport – how about personal data?

15.11.2018

As the legal representatives of the Slovak Anti-doping Agency (hereinafter referred to as “SADA”), we have taken part in several proceedings known as anti-doping rule violations (hereinafter referred to as “ADRV”). ADRV is considered as conduct of an athlete which breaches rules identified either by the World Anti-doping Code (2015) or certain provisions within national legislation. In the case of the Slovak Republic this legislation is Act No. 440/2015 Coll. on Sports (hereinafter referred to as “Act”).

Violation of these rules can be detected via doping controls which are conducted by the Doping Control Officer (hereinafter referred to as “DCO”). The DCO is an authorized doping control of an athlete including collection of an athlete’s biological samples (hereinafter referred to as “Sample”).

From the data protection law perspective, Sample can be considered as the personal data of an athlete, specifically regarding the special category of personal data according to the Art. 9 GDPR. Undoubtedly, processing of personal data is an inevitable and inalienable part of each doping control, and this consequently establishes the position of the athlete as a data subject having respective rights according to the GDPR, (the latter corresponds to the obligations of SADA as a controller).

The GDPR and our Slovak national law (Act No. 18/2018 Coll. on Personal Data Protection) (hereinafter referred to as „Personal Data Legislation”) recognises six separate legal grounds for processing of personal data. According to the GDPR, each data processing must have its own relevant legal basis and purpose for the processing. The processing of an athlete’s personal data is no exception to this.

It is important that controllers must have decided in advance of a collection what the applicable lawful basis for the doping control in fact is.

On several occasions, we have witnessed controllers being keen to apply consents as legal grounds when processing personal data during a doping control. Below, we have identified those legal grounds which are relevant to such processing of an athlete’s personal data while doing a control:

1) Art. 6/1 c) GDPR (legal obligation): 

a. par. 86/4 b) of the Act: “SADA conducts, organizes and manages doping controls”;

b. par. 90/1 a) of the Act: “SADA performs doping control on its own initiative”;

c. par. 91/1 of the Act: “Doping control is carried out by SADA through doping officers appointed and recalled by the Director of SADA. The doping commissioner has the status of a public official in connection with doping control; and

2) Art. 6/1 e) GDPR (public interest) together with Art. 9/2 j) GDPR: “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes“

Based on the above-mentioned facts, the consent of an athlete to processing in the context of the doping control would be against the general interest. Nonetheless, there are more relevant and more appropriate legal grounds to be identified for this. It is important to note here that in the case a controller chooses to rely on consent for any part of the processing, he must be prepared to respect such a choice and halt that part of the processing. As a general rule, if consent is withdrawn, all data processing operations that were previously based on consent and took place before the withdrawal of that consent remain lawful, however, the controller must now stop the processing actions concerned. At the same time a controller is not authorised to simply swap from consent to another legal grounds once the consent is invalid or withdrawn.

Another fact, testifying the above-mentioned conclusions, is that in the case an athlete withdraws their consent, SADA would be unable to conduct doping controls and identify any potential ADRV. In other words, relying on consent could lead to the inability of SADA to fulfil its obligations established by the Act to conduct doping control. Such an absurd conclusion is imaginable in the event an athlete had withdrawn their consent with the consequence that SADA would not be able to process a Sample in order to establish possible ADRV committed by an athlete.

 

Article provided by: Miroslav Chlipala & Stefan Pilar (Slovakia)

 

Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Höllwarthtobias.hoellwarth@eurocloud.org

VIEW PROJECT

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.