DENMARK Law and Practice Contributed by: Frederik Bruhn, Rasmus Theis Madsen, Robert Jønsson and Tim Krarup Nielsen, HortenDahl Law Firm
lection, processing and sharing of sports-related per - sonal data in Denmark. The protected party is usually the athlete, and the protection usually concerns the athlete’s performance data and biometric data. However, all personal data is covered – eg, spectator data and identity. Legal Basis for Processing Sports Data Under the GDPR and the Danish Data Protection Act, it is illegal to process personal sports data without a valid legal basis. The most common legal bases include the following. • Consent: athletes may in some situations be able to provide explicit consent for their personal data to be used – eg, in performance tracking or com - mercial activities. Consents can be withdrawn at any time. • Contractual necessity: if necessary to fulfil a contract with the athlete, personal data may be processed by clubs, providers of IT services, etc. • Legitimate interest: where the interest of the pro - cessing entity does not outweigh the interests of the athlete in restricting access to personal data, legitimate interest may be used – eg, in processing marketing or ticketing data. This requires a balanc - ing test against individual privacy rights and does not apply to sensitive data – eg, biometric and health data. GDPR Compliance Obligations Provided that a lawful basis exists, the processing entity must comply with key GDPR obligations, includ - ing the following, for example. • Basic principles for processing personal data: the processing must comply with the basic principles in Article 5 of the GDPR, including being processed lawfully, fairly and in a transparent manner, being collected and only processed for a specified pur - pose, and being limited to what is strictly neces - sary. • Individual rights: the persons having their data processed have individual rights, including that they can request the rectification and erasure of the processed data.
• No automated decisions: the personal data may only be used for automated decisions under certain specific conditions – eg, the exclusion of fans from venues or the benching of players. • Only processing within the EU/EEA: the personal data may only be transferred outside of the EU/ EEA under very specific conditions, which may severely restrict data sharing. • Internal governance system: all organisations handling personal data must have an adequate governance system to be able to document com - pliance with the GDPR. Challenges and Legal Considerations While sports data offers commercial and operational advantages, it also raises legal and ethical concerns, including the following. • Ownership of sports data: while clubs and leagues collect and store sports data, athletes retain certain rights under the GDPR, including access and con - trol over accuracy. • Biometric data and privacy risks: the use of facial recognition and health tracking is very restricted and may require explicit consent. • Third-party data sharing: sports organisations must ensure GDPR-compliant agreements for interna - tional data transfers. This is not always observed, leading to illegal data sharing, especially outside of the EU/EEA. • Consent is not always valid: consent is usually used as a legal basis. However, for a consent to be valid, certain requirements must be fulfilled, which are not always observed – eg, that it must be freely given. Enforcement and Sanctions Non-compliance with the data protection regulation is subject to sanctions, including fines of up to 4% of the global revenue/EUR20 million and injunctions to stop the unlawful processing of data. Furthermore, individuals may seek compensation if their personal data is processed unlawfully. Enforcement is handled by the Danish Data Protection Agency. However, under Danish law, fines are subject to criminal prosecution.
102 CHAMBERS.COM
Powered by FlippingBook