“Reach for Gold,” the World Intellectual Property Day campaign last April dealt with the world of sport. Through sport, companies can convey their desire to embrace the values of adventure, humility, pugnacity, and innovation to the general public, collaborators, and customers.

Paris, August 28, 2019 – “Reach for Gold,” the World Intellectual Property Day campaign last April dealt with the world of sport1.

Through sport, companies can convey their desire to embrace the values of adventure, humility, pugnacity, and innovation to the general public, collaborators, and customers.

Increasingly used in the world of sport, data has become indispensable. Whether equipment or infrastructure, connected T-shirt or insole, golf clubs or mountain bikes, the analysis and exploitation of data is a genuine source of improvement in sporting achievement and technical innovation.

In 2018, the European Data Protection Regulation (GDPR) entered into force to harmonize the laws of European Union member states with regard to the processing of personal data. Following this entry into force, the French legislator has adopted law n°2018-493 of June 20, 2018, thereby modifying the “Information Technology, Data Files and Civil Liberties” Act of January 6, 19782.

Data processing is an operation or set of operations relating to personal data, regardless of the process used (collection, recording, organization, communication by transmission or distribution, modification, extraction, preservation, or any other method of making data available)3.

With the new regulation, individuals and entities performing data processing in the sports sector are impacted and must respect a number of new principles.

WHO IS AFFECTED?

Many activities taking place in a sporting context may entail the processing of personal data. Those concerned include:

  • structures and/or organizations in charge of organizing a sporting event (clubs, associations, federations, sports organizations, professional sports companies, businesses, etc.). These entities are considered to be responsible for treatment, insofar as they determine the purposes and means of processing,
  • persons concerned by the treatment: professional athletes, sporting license-holders, participants, fans, subscribers, etc.,
  • actors working on behalf of the controller (IT service providers, timing solution providers, online registration platforms, etc.),

It is specified that entities performing treatment outside of the European Union are also concerned.

WHICH DATA?

Organizing a marathon or a sports competition will necessarily entail data processing of the players and/or participants.

Personal data is defined as any information enabling the direct or indirect identification of a natural person5.

This notion being widely defined, it can, for example, be the following data: surname, first name, postal address, e-mail address, date of birth, age.

A connected watch provides data on the sports performance of the user: the distance, the measured speed, the rhythm, or the rate of hydration.

Sporting event organizers may establish files containing data relating to badly behaved fans, including data relating to stadium ban convictions issued by a judicial authority or security measures determined by administrative authorities. These recording practices, for excluding unwanted fans during events, are not new6 and have notably been authorized for the PSG football club7. These “STADE” files, even if authorized, will nonetheless have to meet the new legal requirements, in particular those relating to purpose limitation and the legal basis for the processing.

Medical data

Participation in sporting events is conditional, according to the Code of Sports, on the presentation of a medical certificate stating the absence of contraindications8. Such a document may include data “which reveal information relating to […] health status”9.

Data relating to health are “sensitive” data that entail a specific legal regime (consent, provisions relating to professional secrecy, security standards, ban on transferring or commercially exploiting data, data hosting, etc.).

Photographs or videos

Whether it is for event promotion, dissemination of results, advertising, promotional and/or commercial campaigns, or as part of a biometric facial recognition device (for example, management of stadium bans), videos or photographs of athletes and/or participants may be captured, reproduced and circulated.

Photographs or audio-visual sequences allow athletes and/or participants to be “identified, directly or indirectly”. They are therefore considered to be personal data within the meaning of the GDPR.

Like any data processing, it will be the responsibility of the controller to determine the legal basis of these treatments (see below) and to obtain prior consent for the distribution of these data (image reproduction rights of participants/athletes).

For photographs and/or videos taken during a competition, a special regime10 applies as they “belong” to organizers or sports federations. These are the only bodies that are able to commercially exploit such data.

WHAT OBLIGATIONS FOR THE CONTROLLER?

Legal basis and purposes of data processing

In order to comply with the legal requirements, to be allowable any data processing must be established according to a legal basis (consent, compliance with a legal obligation, fulfillment of a contract, legitimate interest, etc.) and correspond to specific purposes that are both explicit and legitimate.

In the context of a sporting event, the purposes of data processing for structures and organizations may be to manage administrative registration, provide bibs, or analyze and communicate sporting results.

Information of the individuals concerned  

Controllers must respect the rights of participants and/or athletes. These notably include the right to information, which must make it clear and understandable how data are used.

In practice, this information must include many indications, such as those defined in articles 13 and 14 of the GDPR (identity of the controller, purpose and legal basis of processing, duration of data retention, rights of persons such as access or deletion of data, data recipients, the existence of transfer to countries outside of the European Union, etc.).

Data protection and security

The GDPR enforces data protection principles from conception and by default. It consists, for sports structures/organizations, in the implementation of technical and organizational measures from the earliest stages of the design of processing operations, and treatment according to the highest level of privacy protection. For example, only necessary data should be processed, the duration of retention should be brief, and data accessibility should be limited to certain individuals.

Furthermore, it is necessary for the controller and the subcontractor to take “all necessary precautions, in view of the nature of the data and the risks presented by the processing, to preserve data security and, in particular, to prevent them from being distorted, damaged, or being accessed by unauthorized third parties”.

Indeed, it is a question of providing appropriate means to avoid phishing attacks, data theft, system breaches, etc. We note that non-compliance generally relates to sanctions for security breaches11. In such circumstances, the GDPR imposes that a declaration of violation be made before the CNIL and that the individuals concerned by this violation be informed.

Data outsourcing

In certain situations, athlete and/or participant data will be subject to transfer to third parties such as timekeepers, electronic registration platforms, etc., who will provide certain treatments on behalf of the organizers.

These transfers and subcontracts imply compliance with article 28 of the GDPR (contract or other legal act with the subcontractor, sufficient guarantees of appropriate technical and organizational measures, etc.).

This data flux is regulated to guarantee the safety and protection of athlete and participant data.

Data flux

Data may also be transferred outside of the European Union. For example, the storage of sports results data on a cloud platform from a US based provider is a non-EU data transfer. These transfers may only take place when in full compliance with the provisions laid down by the applicable regulations (Commission adequacy decision, appropriate guarantees, contractual clauses, binding corporate rules, etc.).

There is no doubt that the good use of data is a competitive advantage in the sports sector, worth approximately 38 billion euros in France in 2017 according to figures provided by the Ministry of Sports12.

A genuine opportunity, the implementation of good practices to better collect, control and use data in accordance with regulations is key.

1 https://www.wipo.int/ip-outreach/fr/ipday/
2 Law n°78-17 of January 6, 1978, on computers, files and freedoms
3 Article 4.2 of the GDPR
4 Article 3 of the GDPR
5 The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person” (hereinafter referred to as “data subject”). The text specifies that an “identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
6 EC, 10th and 9th chapters, June 13, 2016, no. 377194: JurisData no. 2016-012902; Comm. com. Electr. 2016, comm. 84, A. Debet.
7 Order of April 15, 2015, authorizing an automated processing of personal data, named the “stadium file” or “fichier STADE”, JORF no. 0095 of April 23, 2015
8 Article L.231-2-1 of the Sport Code
9 Articles 4 and 15 of the GDPR
10 Article L.333-1 of the Sport Code
11 Protect your data in 5 lessons
 12 This figure includes both personal and business spending, which corresponds to 1.8% of GDP

Published by

Aleksandra THÉLOT

Published by

Aleksandra THÉLOT

Take an appointment