During popular sports events, the personal data of participants undergo various forms of processing. We therefore decided to carry out an evaluation of the system used by a service provider from the industry. We focussed not only on the processing carried out by the service provider himself, but also on the user interface supplied to the organiser of the sports event.
As a matter of principle, the organisers of sports events need to have a justified ground for processing personal data. When participants register for an event, they know that their data will be used to prepare the start list, to provide information and a competitor number and to draw up the ranking lists which will be posted. Personal information will also be used for the prize-giving ceremony as well as for reports in the media and announcements made by the commentators during the event. These uses are justified by the private interests of the organiser and the public interest of the sports event.
However, when the organiser then publishes the data on the internet in the form of start lists, rankings, or a link with photographs taken during the event, this could give rise to a number of concerns. Hence the need to inform participants what data will be published when they register. This could be done in a data protection declaration or in the description of services listed on the registration form. However, the person concerned must have the possibility of refusing to allow the publication of their data on the Internet.
By the same token, any transfer of personal data by the organiser to third parties, and in particular to photographers who intend to sell pictures of the participants after the event, or to companies involved in advertising, is not permitted. It is not sufficient to include a reference to the regulations or the data protection declaration, as this kind of data processing is not standard practice at sports events. What is needed is the participants' express consent. This means that when they register, participants must be explicitly informed of the disclosure of their data, the purpose of that disclosure, and the possibility to oppose it.
We therefore ask the organisers of all such events to ensure that the paper or online registration form clearly and precisely indicate the purpose of the data processing, and identify the third parties to whom the data will be disclosed. Furthermore, participants must be given the possibility to expressly prohibit the disclosure of their personal data (on the Internet, in newspapers, to third parties, etc.). This could be done by ticking the appropriate box on the form.
The administration interface provided to organisers is designed to encourage a proportionate use of data processing. The service provider, for example, has restricted the personal data held on the system to what is strictly needed for the organisation of the event. For example, mobile telephone numbers that participants have given voluntarily in order to receive relevant information will be deleted once the event is over. With regard to the database, organisers are offered a solution which allows them to keep the different types of data completely separate and to process the information they need. Furthermore, the generation of lists is limited to the information actually required for running the particular event. As far as the personal data that belongs to the organisers is concerned, the method of accessing and deleting the data may need to be adapted if requests are sent by mistake to the service providers.