There is no doubt that the world of sport has benefitted from advances in technology, data output and data analytics. Whether as an athlete, a fan, a rights holder, a sponsor, investor or brand, embracing the value of data can be an overwhelming positive pursuit, whether that concerns maximising commercial revenues, utilising high performance biometric data or developing targeted marketing campaigns. However, the use of technology and data to more actively engage in one’s sport isn’t without risks. In this article, we focus on one such risk area – compliance and the responsibilities of the data controller under the incoming General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (revised) (DPA). We’ll also look at some of the practical solutions that organisations and businesses (as data controllers) can adopt to stay ahead of the game.
The GDPR and the DPA
The GDPR will come into force on 25 May 2018. This new EU data protection regime will introduce new obligations on sport organisations and businesses as data controllers when processing the personal data of data subjects (such as athletes, members and fans). Furthermore, in the context of sports organisations based in Switzerland, the GDPR will have extra-territorial applicability to the extent that if such an organisation wishes to process the data of a data subject in the EU, they will have to play by the EU rules. This is entirely intended and in almost all cases where there is an EU nexus, sports organisations and businesses will need to consider and review their procedures in order to comply with the GDPR.
Swiss organisations will also need to comply with the DPA, which is being amended at the end of 2018 or in early 2019. Broadly speaking, the DPA has been introduced to complement the GDPR and a draft of the DPA was published by the Federal Council on 15 September 2017. Whilst the principles underpinning the two regimes are broadly similar there will be an important interplay between them, not least on the topic of enforcement (please see below).
What is personal data and why is a sports organisation (such as a sports federation) a data controller?
The GDPR defines personal data as any information relating to an identified or identifiable natural person (the “data subject”). A data controller is a person who, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of “processing” this includes, collecting, recording, organising, storing, retrieving, consulting, using, erasing or destroying the personal data. As such, sports federations will be in almost all instances data controllers in relation to the information they gather, store and use about all persons linked to their sport (the data subjects) which includes not only the athletes, but also fans and any other connected persons of whom data is processed.
Obligations of data controllers
So what are some of the main obligations on data controllers? Here are some key examples:
- providing data subjects with information (privacy notices) about their personal data being processed, the reasons for such processing and the details of any recipients of that data (any requests from data subjects should be reasonable and governing bodies need only provide the personal data information that they possess concerning the data subject in question, nothing more);
- keeping an up-to-date record of all processing activities for which they are responsible;
- ensure data is processed securely and have appropriate systems in place that meet the standards imposed by the GDPR and the DPA;
- ensure that any data processing which is delegated to a processor (for example, a law firm) is subject to a contract that satisfies GDPR/DPA requirements;
- notify personal data breaches to the Federal Data Protection and Information Commissioner (FDPIC) (the relevant Swiss supervisory authority) without undue delay;
- where a data subject has asked for data to be rectified or erased, notify those persons with whom personal data has previously been shared;
- implement policies to ensure data processing is performed in accordance with the GDPR and the DPA;
- tell data subjects about personal data breaches if it is likely to result in a high risk to their rights and freedoms; and
- where personal data is transferred to a country outside the EEA or to an international organisation, ensure that the European Commission has confirmed that the recipient country has adequate level of protection or, if there is no confirmation, provide appropriate safeguards (such as the encryption of data).
The GDPR establishes a two-tiered system of penalties. Some infringements (for example for violations relating to internal record keeping) are subject to fines of up to EUR 10 million or 2% of global revenue. Others (such as breaches of the data protection principles) are subject to higher fines of up to EUR 20 million or 4% of global revenue.
Under the DPA the maximum financial penalty is substantially lower than the GDPR at CHF 250,000.
The responsibility for enforcing breaches of the GDPR against Swiss based organisations will rest with the relevant supervisory authorities in each EU member state, not FDPIC. Practitioners will be watching this aspect closely and it may be that co-operation agreements (between Switzerland and the EU) will be required before EU supervisory authorities will have meaningful powers of enforcement. That being said, Swiss based organisations and businesses will be obliged (in certain circumstances) to designate a representative in the EU and as such it will likely be the case that supervisory authorities will serve the representative with orders against the Swiss organisation.
Preparing for the GDPR and the DPA
There are many steps that organisations should have already taken to prepare for the GDPR and unless they are prepared, it is unlikely that their current arrangements are GDPR-compliant. The full requirements of the DPA will become clearer when the regulatory guidance and the DPA is finalised but as a very general rule, organisations that can demonstrate compliance with the GDPR, will be well on their way to demonstrating compliance under the DPA.
Over the last year, sporting organisations will have been reviewing their current arrangements and the data they hold, and establishing new processes.
Some of the main action points organisations should be considering to ensure compliance include:
- carry out a data audit to establish, how and why data is held by the organisation and to determine what the lawful purpose of holding that data is – for example:
- where and how long it has been held for;
- reasons for the decision to keep the data for a specific time;
- who it relates to;
- why it is being processed; and
- how it is kept secure.
- update existing data protection policies to make them GDPR compliant. If no data protection policy exists, organisations should create one to satisfy their accountability obligations. The data protection policy should refer to:
- the timescale for complying with data subjects information requests;
- how personal data is processed and stored; and
- the procedures and policies they have in place to comply with the GDPR.
- decide who within the organisation will deal with GDPR compliance; for example, nominate an employee as the main point of contact for requests for information;
- carry out training for employees: in particular, all individuals involved in processing should be able to identify when there has been a personal data breach and be aware how this should be dealt with;
- consider if consent is required and, whether consent is/has been obtained from the data subjects correctly. If it has not been collected correctly, refresh the consent or consider whether another legal basis for processing that personal data is applicable under Article 6 GDPR;
- put systems in place to ensure that a data access request/ exercise of a right of erasure can be complied with quickly;
- put systems in place to deal with data protection breaches (for example; to identify, record, and (if required) report, a data breach);
- consider whether any sensitive data is processed within the organisation and whether appropriate systems are in place to safeguard them;
- ensure that personal data is held safely securely; for example, electronic documents are encrypted and password protected and backed up on a regular basis;
- consider who the data is shared with (for example; third party service providers or advisers);
- regularly assess progress (for example, by including GDPR compliance as a fixed item on the agenda at meetings);
- consider how long the data should be kept for. The GDPR requires the data to be kept "no longer than is necessary for the purposes for which the personal data are processed ….”; and
- review insurance policies to see if they can be extended to cover liability for fines and compensation under the GDPR.
An international federation (based in Lausanne Switzerland) launches a new international tournament. As part of this the federation grants a right for one of the tournament’s major UK/Swiss based sponsors to run a targeted promotion for adults over the age of 18 in the UK and Switzerland for one of its product lines. Ticket holders for the matches in the UK and Switzerland (who have provided their details (name, address, date of birth) to the federation in the first instance at the point of purchase) are offered the chance to enter a sponsor-backed competition to meet certain players after the UK and Swiss matches in return for buying the said product.
In the example above, some factors to consider would be as follows:
- The communication of the promotion to the ticket holders (by using their email addresses and selecting those within the age category) (a) in the UK, will fall within the GDPR and (b) in Switzerland, will fall under Swiss data protection law/the DPA. In addition, the federation and the Swiss based sponsor will need to comply with the DPA in relation to any data processing for which they may be subject.
- In the context of the GDPR, personal data must be processed fairly and lawfully and so the UK ticket holders would need to have provided consent to the federation to share their data with the sponsor. Similar consent requirements will be required under the DPA.
- Depending on the exact nature of the relationship between the federation and the sponsor, a contract governing the transfer of the personal data should be included in the sponsorship agreement.