Thought leadership from our experts

Sports and Data Protection: Practical Insights

Introduction

In sports, like in any other business sector, the importance of data grows. In a sporting context, data are used for a wide range of purposes, such as performance analysis, the prediction of sporting careers, the monitoring of an athlete's health or for the fight against doping1 and match-fixing, to name just a few.2

The entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018 has created important new legal obligations for sports stakeholders. This article gives a brief overview on selected legal topics.

Selected Legal Issues

Consent to the Processing of Data

One of the legal bases for the lawful processing of data is the consent of the data subject(s) concerned.3 In a sporting context, however, obtaining valid consent may be legally challenging.

The GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".4

Legal doctrine questions whether consent of an athlete can be truly regarded as "freely given".5 The main argument expressed is that athletes do not have a real choice whether to accept, for example, the regulations of a sport federation if they want to participate in organized sport. However, it may not be justified to apply the same standards of "voluntariness" in the context of sports. Indeed, sports federations do not only pursue – unilaterally – their own interests, against the interests of athletes, when it comes to the processing of personal data. There are very legitimate reasons for sports federations to make the processing of certain type of data mandatory. Therefore, it is the author's view that not all consent declarations obtained from individual athletes should per se be considered as invalid.6

Other Legal Permissions?

Whenever data of athletes are processed with the aim of governing a sport and making sure that sports competitions can be properly organized, there is a strong argument that such acts of data processing serve legitimate interests, overriding the interests of the individual athletes. This can constitute, by itself, as a valid legal permission for data processing.7 Similarly, in cases where the processing of data is crucial for the proper governance and organization of a sport, the processing of such data can be necessary for the execution of the contractual/legal relationship between an athlete and a competition organizer or sports federation. This can also constitute a legal permission for the processing of data.8 In addition, in specific areas, provisions of national state law may provide a valid legal basis for data processing acts.9

Processing of Special Categories of Data

Under the GDPR, data concerning the health of a person10 qualify as a "special category" of data. In the area of sports, processing of such data occurs, for instance, when medical data is processed by Wearable Technology, mobile devices or mobile Apps.11 In all these constellations, the legal requirements for the processing of special categories of data must be strictly complied with. In particular, it must be verified whether the necessary consent was obtained, unless another legal permission exists.12

In practice, consent is often an important legal ground for processing. Insofar as special categories of data are concerned, the GDPR requires that the data subject must give his/her "explicit consent". This means that a tacit or conclusive consent is not sufficient.13 For sports institutions that want to obtain such data from their athletes, a specific written consent declaration should by drafted and signed. However, within an employment relationship (e.g. between a football player and his club), it is again legally uncertain whether consent given by an employee is indeed always "voluntary". Therefore, special care must be taken that the consent is always given entirely freely and that no negative consequences apply if an employee refuses to give consent. In case of wearable devices or mobile applications, it must be made sure that, e.g., the terms of use contain a clear section which describes the processing of data, and it must be made sure that the user consents to these terms (by way of an opt-in mechanism).

Data Transfers to Third Countries

Data transfers to third countries outside the European Union are permitted only under specific legal requirements.14 A free cross-border transfer is permitted only to countries, which – from a EU perspective – provide for an adequate level of data protection or if specific safeguards are put into place.

For sports, particular attention must be given to such cross-border transfers if, e.g., results of doping tests or doping samples are transferred to entities or laboratories outside the European Union or if the relevant international federations, which require certain data from national federations, are domiciled outside the EU.

Recital 112 to the GDPR states that a derogation from these principles may be possible in the context of the fight against doping. This means that a cross-border data transfer may be based on the justification that it is “necessary for important reasons of public interest”.15 However, reliance on this legal permission is possible only if such an interest is recognized in the law of the European Union or in the relevant Member State law.16 In practice, this means that parties must always verify if the importance of the fight against doping is recognized also in the relevant national state law17, notably in national anti-doping legislation.18

Summary

The importance of data in sport continuously grows. At the same time, the legal framework in the area of data protection has undergone significant changes.

Consent declarations obtained by sports federations may pose legal problems, as their validity is disputed in legal doctrine. However, assuming invalidity per se and in all circumstances does not seem to be adequate.

Further attention must be given to the processing of special categories of data, e.g. when health data of athletes is monitored. Also in this context, obtaining valid consent may be legally crucial, but not always straightforward.

Special legal requirements must also be fulfilled for the cross-border transfer of data to third countries outside the European Union. Such transfers may be justified by reasons of public interest, provided that such interest is recognised in the relevant national legislation.


  1. See, in particular, the study "Anti-Doping & Data Protection", carried out by the Tilburg Institute for Law, Technology and Society (TILT), published by the European Commission in 2017 (hereinafter referred to as "Anti-Doping & Data Protection Study").
    * Dr. Jan Kleiner is a partner at Kleiner & Cavaliero, Zürich (Switzerland); jan.kleiner@kleiner-cavaliero.com.
  2. See PHELOPS, WARREN/GILCHRIST, ANDREW: The legal implications for big data, sports analytics and player metrics under the GDPR, lawinsport 2017 (www.lawinsport.com, visited on 22 November 2017); TAKER, IAN: Data protection and sport – an uncertain partnership, lawinsport 2012 (www.lawinsport.com, visited on 22 November 2017).
  3. Art. 6 para. 1 (a) GDPR.
  4. Art. 4 para. 11 GDPR; see also GDPR, Recital 32.
  5. KORNBECK, JACOB: Anti-Doping: Übermittlung von Athletendaten in Drittländer, Causa Sport 2016, pp. 118 et seqq., at pp. 119 et seqq.; SCHLARMANN, ANGELA: Datenschutz beim Kampf gegen Doping, ZD 2016, pp. 572 et seqq., at p. 573; NEUENDORF, SABRINA: Datenschutzrechtliche Konflikte im Anti-Doping-System, Bremen 2014, at pp. 109 et seqq., with further references.
  6. Legal literature accepts, for example, that the fact that data processing also serves the interests of a data subject can be taken into account when assessing the validity of consent declarations; cf. WOLFF, HEINRICH AMADEUS/BRINK, STEFAN, Beck Online Kommentar, art. 7 GDPR at para. 50.
  7. Art. 6 para. 1 (f) GDPR.
  8. See art. 6 para. 1 (b) GDPR.
  9. Anti-Doping & Data Protection Study, at pp. 84 et seq.
  10. See art. 4 para. 15 GDPR.
  11. See MADILL, JONNY: Wearable tech in sport: the legal implications of data collection, lawinsport 2015 (www.lawinsport.com, visited on 22 November 2017).
  12. For other legal permissions see art. 9 para. 2 (b) to (j) GDPR.
  13. GREVE, HOLGER, in: ESSER, MARTIN/KRAMER, PHILIPP/VON LEWINSKI, KAI (ed.), Kommentar DSGVO/BDSG, art. 9 DSGVO at para. 9. Also such a consent declaration must be "freely submitted, without coercion, duress, intimidation or deception"; SCHIFF, in: EHMANN, EUGEN/SELMAYR, MARTIN: Datenschutzgrundverordnung, Munich 2017, art. 9 at para. 29.
  14. Art. 44 et seqq. GDPR.
  15. Art. 49 para. 1 (d) GDPR.
  16. Art. 49 para. 4 GDPR. See also Anti-Doping & Data Protection Study, at p. 96.
  17. Nowadays, many national anti-doping laws provide for specific and express legal permissions for the cross-border exchange of doping-related data; see, for example, art. 25 of the Swiss Act on the Promotion of Sport and Exercise; see also KORNBECK, at p. 122 et seq.¸SCHLARMANN, at pp. 572 et seqq.
  18. See the critical remarks of SCHLARMANN, at p. 577, who assumes, however, that such transfers are generally admissible in view of Recital 112 to the GDPR; KORNBECK, at p. 122, also indicates that such transfers should be freely possible under the GDPR, in view of its Recital 112.