DENMARK Law and Practice Contributed by: Frederik Bruhn, Tim Krarup Nielsen, Robert Jønsson and Rasmus Theis Madsen, DAHL Law Firm
• Data Storage and Deletion: Images not result - ing in a match with internal or police ban lists must be deleted immediately. • Transparency Obligations: FCK must inform spectators through signage and stadium announcements. This decision follows a similar approval granted to the football club Brøndby IF in 2023, signal - ling a broader trend towards AI-driven security measures in Danish club football. 5.6 Data Protection Application of Data Protection Laws in Sports Sports data is subject to Danish data protec - tion laws in the same way as any other form of personal data. The General Data Protection Regulation (GDPR) and the Danish Data Protec - tion Act thus govern the collection, processing, and sharing of sports-related personal data in Denmark. The protected party is usually the athlete, and it usually concerns the athlete’s performance data and biometric data. However, all personal data is covered – eg, spectator data and identity. Legal Basis for Processing Sports Data Under the GDPR and the Danish Data Protection Act, it is illegal to process personal sports data without a valid legal basis. The most common legal bases include: • Consent: Athletes may, in some situations, be able to provide explicit consent for their per - sonal data to be used – eg, in performance tracking or commercial activities. Consents can be withdrawn at any time. • Contractual Necessity: If necessary to fulfil a contract with the athlete, personal data may be processed by, for example, clubs, provid - ers of IT services, etc.
• Legitimate Interest: Where the interest of the processing entity does not outweigh the interests of the athlete in restricting access to personal data, legitimate interest may be used – eg, in processing marketing or tick - eting data. This requires a balancing test against individual privacy rights and does not apply to sensitive data, such as biometric or health data. GDPR Compliance Obligations Provided that a lawful basis exists, the process - ing entity must comply with key GDPR obliga - tions, including: • Basic Principles for Processing Personal Data: The processing must comply with the basic principles in Article 5 of the GDPR. This requires, inter alia, that data is processed lawfully, fairly, and transparently. It should be collected and used solely for a specified purpose, with only the minimum data neces - sary for that purpose being processed. The data must be kept accurate and up to date, retained only for as long as is strictly neces - sary for the purpose, and deleted as soon as possible. Furthermore, personal data must be processed in a manner that ensures appropri - ate security of the personal data. • Individual Rights: The persons having their data processed have individual rights. These include, for example, that they must be informed of certain aspects of the processing up front, they can request access to the pro - cessed data at any time and they can request rectification and erasure of the processed data. • No Automated Decisions: The personal data may only be used for automated deci - sions under certain specific conditions – eg, exclusion of fans from venues or benching of players.
86
CHAMBERS.COM
Powered by FlippingBook