Skip to Content
17th January 2020

Anti-doping rules in a GDPR world.

Share this article:



The World Anti-Doping Code (the Code), created by the World Anti-Doping Agency (WADA), is the ‘fundamental and universal’ document on which the World Anti-Doping Program in sport is currently based. Sport organisations who are signatories to the Code must ensure that any anti-doping rules they maintain accurately reflect the Code’s mandatory principles. Where instances of non-compliance arise, WADA can report such cases to its stakeholders, who then have the right to impose sanctions on the offending organisation. The recurring sanctions received by Russia over the years (including a recently announced four-year global ban from participating in major sporting events) demonstrates how serious non-compliance with the Code can be.

The Code is seen as a ‘live’ document and regular revisions are carried out to ensure that it reflects the current sporting (and legal) landscape as accurately as possible. The next set of revisions will be implemented in the 2021 edition of the Code and, further to concerns voiced by the European Data Protection Board (the EDPB), will need to take into account the substantial changes to data protection laws in recent years.

In 2013 WADA had already received notice from the Article 29 Working Party (the EDPB’s predecessor) addressing several concerns it had for the Code in relation to privacy and data protection safeguards. The Article 29 Working Party made clear that it did not feel previous revisions to the Code ‘struck the necessary and proportionate balance’ between WADA’s aims, and individuals’ fundamental rights. Areas of concern included consent legitimacy, retention periods for personal data, automatic publication of sanctions, and adequate protection for international data transfers. The EDPB has since carried out regular reviews of revisions to the Code, and advised in WADA’s recent public consultations for the 2021 Code revisions that progress had been made regarding privacy and data protection safeguards, however some ‘important concerns’ remained.

One of the EDPB’s overall concerns was that the International Standard for the Protection of Privacy and Personal Information (the Privacy Standard), which completes the Code with regard to data protection and/or privacy issues, is not legally binding. This is because the Code states that its signatories must comply with the rules laid out in the Privacy Standard, as long as such compliance does not breach other applicable laws. This might not be an issue if a sport organisation is based in a country where the national law provides a higher standard of protection for personal data than the level provided in the Privacy Standard. However, a problem could arise if such an organisation was based in a country in which national law provided a lower level of personal data protection than in the Privacy Standard. The EDPB recommended that, where a sporting organisation faced such a dilemma, it should be required to make WADA aware of the situation so that it can implement suitable actions for the protection of any affected personal data.

A further concern addressed the definition of ‘Athletes’ in the Privacy Standard, and the fact that it gives sport organisations the discretion to apply anti-doping rules to all levels of athletes, including to those who take part in sporting activities at a recreational level. This would mean, where such an individual has violated an anti-doping rule, they would be subjected to the full set of consequences provided by the Code for a Code violation. This would include requiring the non-competing individual to provide a substantial amount of personal data to the sport organisation and WADA, such as location, testing and sample analysis, and their athlete biological passport. The EDPB stated that in accordance with GDPR principles (including proportionality, necessity and data minimisation), processing activities of personal data carried out by sport organisations should not exceed ‘what is strictly necessary and proportionate for the purposes of preventing and fighting against doping in sport’. Consequently, the EDPB felt that this discretion afforded to sporting organisations (to apply the Code rules to individuals who take part in sporting activities on a recreational basis) was a ‘disproportionate interference with the right to privacy and to protection of personal data’.

Following WADA’s public consultations on the revisions for the 2021 edition of the Code, a revised version of the Privacy Standard was approved by WADA on 7 November 2019 and will be effective as of 1 January 2021. The EDPB’s concerns will have been taken into account, however it remains to be seen how far WADA will be able to adapt the Code and implement its revisions to meet data legislation requirements, but equally still ensure that the Code remains an important and effective instrument in assisting global anti-doping efforts.


For more information on anything raised in this article please contact Kasia Reda on 0207 400 5043 or click here to email Kasia.