Doping control and data protection might seem topics not that closely related to each other. However, the GDPR applies to a large part of the data processing taking place in the anti-doping process. A lot of sensitive data is being processed in the context of doping control. Yet, WADA’s World Anti-Doping Code (WADC), applied by more than 700 sport organizations, still falls short in terms of GDPR compatibility.
A legal analysis of the GDPR and WADC has shown several points of conflict. For example, the WADC defines different grounds based on which sensitive data can be processed, such as explicit consent. However, the GDPR requires that when information is processed based on explicit consent, this consent needs to be ‘freely given’. Yet, if an athlete does not want to provide their consent, the WADC prescribes harsh sanctions and negative consequences for the athlete. It is therefore hard to classify this consent as ‘freely given’, since athletes could feel obliged to give consent.
Furthermore, WADA requires the automatic and mandatory publication on the internet of all anti-doping violations, including the name of the athlete and the sanctions imposed, for a period of at least one month. This however does not seem to be conform the GDPR’s proportionality principle. WADA sees this publication as necessary for athletes to not take on another role in sport, but less intrusive measures such as a certificate of good conduct, which these athletes wouldn’t be able to provide, can fulfill this role.
These are just a few examples, but they show that a more far-reaching adaptation of the WADA documents to the GDPR remains desirable. However, even though they agree with some adjustments, interviews with athletes, coaches and sport federations have shown that they think it is good that some anti-doping rules are so intrusive, since it scares off other athletes to take doping. They fear that if the current measures are adjusted to be more GDPR-compliant, this will lower the threshold to doping violations and make doping controls more difficult. So while this research answered a lot of questions, the question still arises of how to find measures that are both more in line with the GDPR and considers the comments made by athletes and sports federations.