Doping control in sport – how about personal data?
Violation of these rules can be detected via doping controls which are conducted by the Doping Control Officer (hereinafter referred to as “DCO”). The DCO is an authorized doping control of an athlete including collection of an athlete’s biological samples (hereinafter referred to as “Sample”).
From the data protection law perspective, Sample can be considered as the personal data of an athlete, specifically regarding the special category of personal data according to the Art. 9 GDPR. Undoubtedly, processing of personal data is an inevitable and inalienable part of each doping control, and this consequently establishes the position of the athlete as a data subject having respective rights according to the GDPR, (the latter corresponds to the obligations of SADA as a controller).
The GDPR and our Slovak national law (Act No. 18/2018 Coll. on Personal Data Protection) (hereinafter referred to as „Personal Data Legislation”) recognises six separate legal grounds for processing of personal data. According to the GDPR, each data processing must have its own relevant legal basis and purpose for the processing. The processing of an athlete’s personal data is no exception to this.
It is important that controllers must have decided in advance of a collection what the applicable lawful basis for the doping control in fact is.
On several occasions, we have witnessed controllers being keen to apply consents as legal grounds when processing personal data during a doping control. Below, we have identified those legal grounds which are relevant to such processing of an athlete’s personal data while doing a control:
1) Art. 6/1 c) GDPR (legal obligation):
a. par. 86/4 b) of the Act: “SADA conducts, organizes and manages doping controls”;
b. par. 90/1 a) of the Act: “SADA performs doping control on its own initiative”;
c. par. 91/1 of the Act: “Doping control is carried out by SADA through doping officers appointed and recalled by the Director of SADA. The doping commissioner has the status of a public official in connection with doping control; and
2) Art. 6/1 e) GDPR (public interest) together with Art. 9/2 j) GDPR: “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes“
Based on the above-mentioned facts, the consent of an athlete to processing in the context of the doping control would be against the general interest. Nonetheless, there are more relevant and more appropriate legal grounds to be identified for this. It is important to note here that in the case a controller chooses to rely on consent for any part of the processing, he must be prepared to respect such a choice and halt that part of the processing. As a general rule, if consent is withdrawn, all data processing operations that were previously based on consent and took place before the withdrawal of that consent remain lawful, however, the controller must now stop the processing actions concerned. At the same time a controller is not authorised to simply swap from consent to another legal grounds once the consent is invalid or withdrawn.
Another fact, testifying the above-mentioned conclusions, is that in the case an athlete withdraws their consent, SADA would be unable to conduct doping controls and identify any potential ADRV. In other words, relying on consent could lead to the inability of SADA to fulfil its obligations established by the Act to conduct doping control. Such an absurd conclusion is imaginable in the event an athlete had withdrawn their consent with the consequence that SADA would not be able to process a Sample in order to establish possible ADRV committed by an athlete.
Article provided by: Miroslav Chlipala & Stefan Pilar (Slovakia)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org