You can't do just anything with health data. Ahead of the opening of the Paris Olympics, the CNIL reminds athletes and sportspeople of some basic rules.
The GDPR takes on the Paris Olympics. In an article published on February 20, the personal data policeman gives some advice to athletes training for the Olympics, as well as to their teams. While many athletes now rely on technological devices to measure their performance, the CNIL points out that “regulations on the protection of personal data govern the processing of data collected in this context”.
Closely supervised use
Indeed, since these devices collect “health data (e.g. heart rate, weight, height, etc.)”, all of this must be handled with the greatest care, these bytes being governed very precisely by Article 9 of the GDPR and its notion of “important public interest”.
First of all, the CNIL points out that where “files or databases” are “created” with this information, they must be placed under the supervision of an assigned data controller. The controller will have to determine “the objective pursued by the use made of the information” and ensure “compliance of processing” with the GDPR.
Minimization, consent and expiration
A legal basis for data processing must also be put in place and the CNIL lists a few, including those provided by the Sports Code or that of the National Institute of Sport, Expertise and Performance (INSEP). This obviously does not allow just anything to be done with the data, since the principle of minimization (and therefore of collection limits) still applies, as does the need to determine an “explicit and legitimate” objective for the processing.
Only information that is “adequate, relevant and limited” may be collected, explains the CNIL. For example, there is no question of operating a “permanent heart rate measurement […] outside of training periods” or of collecting information such as “the use of contraception, the type of contraception or even the brand of contraceptive” for sportswomen.
The need to put in place “appropriate safety measures” as well as an expiry date for this data also applies, as for any processing covered by the GDPR. Finally, the CNIL also recalls that wearing “a sensor during training and official competitions” obviously relies on the consent of the athlete concerned.
Source: CNIL