By Dr Estelle Ivanova, Attorney at Law and Member of the Paris Bar
In France, athletes’ data protection is based on both the General Data Protection Regulation (GDPR) and national data protection legislation, notably Law No. 78-17 of 6 January 1978, as amended, and its implementing Decree of 29 May 2019, under the strict oversight of the Commission nationale de l’informatique et des libertés (CNIL). Its importance is particularly evident in the sporting context, where large volumes of sensitive data are routinely processed.
A central feature of the French approach lies in the strict qualification of athletes’ health and disability-related data as “special categories of personal data” under Article 9(1) GDPR. In this respect, the CNIL considers that any data collected by actors within the sports ecosystem that makes it possible to identify the type or severity of a disability must be regarded as data concerning health. Their processing is, in principle, prohibited unless justified by strict necessity and, where applicable, supported by explicit and freely given consent pursuant to Article 9(2) GDPR. This applies notably in contexts such as medical monitoring, classification of Paralympic athletes, and licence renewal procedures.
The CNIL has issued targeted guidance for sports federations and organisations, emphasising the principles of data minimisation and purpose limitation. Only data that is strictly necessary for performance optimisation, competition management, or regulatory compliance may be collected. In parallel, robust security measures are required to ensure the confidentiality and integrity of such information. This approach is reflected in the CNIL May 2024 guidance, which requires that the collection of disability-related data shall be strictly limited to what is necessary for a specific and clearly identified purpose, assessed on a case-by-case basis. It further emphasises that compliance with Article 6 GDPR is insufficient in itself, thereby reinforcing the stricter regime applicable to sensitive data.
Particular attention is also given to anti-doping frameworks. The Agence française de lutte contre le dopage (AFLD) operates under a dedicated data protection policy governing the collection, use and sharing of personal data in the context of anti-doping controls. This framework seeks to reconcile the effectiveness of anti-doping programmes with the protection of athletes’ privacy.
In practice, the processing of sensitive data—such as biological samples and whereabouts information—is subject to strict safeguards, including limited access on a need-to-know basis, secure handling, and controlled sharing with other anti-doping organisations bound by equivalent standards. Data retention is also regulated, with defined periods that may be extended where necessary for investigative or disciplinary purposes.
The regulatory landscape has been further intensified in the context of the Paris 2024 Olympic Games. The CNIL has increased its monitoring of large-scale data processing operations, particularly in relation to ticketing systems and the deployment of AI-based video surveillance technologies for security purposes. These developments highlight the increasing overlap between sport, public security, and data protection concerns.
Athletes retain the full spectrum of rights under the GDPR, including the rights of access, rectification, erasure, and objection. These rights constitute essential safeguards against disproportionate or opaque data practices in an increasingly data-driven sports environment.
However, in practice, their effectiveness may be constrained by structural imbalances within the sports ecosystem, where athletes often operate in highly regulated and hierarchical environments. In this context, the principle of data minimisation remains a key safeguard: personal data must be adequate, relevant and limited to what is necessary for the purposes pursued.
This requirement is particularly significant in sport, where the collection of sensitive data must be carefully justified and proportionate. Further guidance is provided by sectoral initiatives, including those developed by European Athletics, as well as broader policy frameworks such as the Council of Europe IRIS Programme, which contribute to shaping a more coherent approach to athletes’ rights across Europe.
More broadly, recent European initiatives emphasise that the protection of athletes’ data must be understood within a wider framework of fundamental rights in sport, including privacy, health, dignity, non-discrimination, and effective remedies. As highlighted in the H.E.R.O. Roadmap for the Protection, Respect and Promotion of the Human Rights of Athletes in Sport in Europe, sports governance is increasingly expected to align with international human rights standards.
This broader perspective is further illustrated by the case law of the Court of Justice of the European Union (CJEU). In its judgment of 4 October 2024 in Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (Case C-621/22), the CJEU clarified that a commercial interest may, in principle, constitute a “legitimate interest” under Article 6(1)(f) GDPR.
However, such processing remains subject to strict conditions: it must be strictly necessary, comply with the principle of data minimisation, and not override the fundamental rights and freedoms of data subjects. Particular importance is attached to the reasonable expectations of individuals at the time that their data are collected. The CJEU further suggested that less intrusive alternatives—such as informing members and allowing them to control the disclosure of their data—should be considered.
In the specific context of anti-doping, these issues have recently been further examined in the Opinion of Advocate General Dean Spielmann (the Opinion) of 25 September 2025 in AR and Others (Case C-474/24). He considered that the online publication of named anti-doping sanctions constitutes processing of personal data subject to the GDPR.
He rejected the argument that such practices fall outside the scope of the GDPR under the national security exception, emphasising instead that anti-doping policy falls within the supporting competence of the European Union in the field of sport.
Importantly, the Advocate General adopted a broad interpretation of “data concerning health” under Article 9 GDPR, noting that even indirect inferences may reveal health-related information. He further suggested that the most severe sanctions may, depending upon their nature and degree of severity, resemble criminal convictions within the meaning of Article 10 GDPR, potentially triggering the application of stricter safeguards, including effective judicial remedies.
From a compliance perspective, the Opinion raises significant concerns regarding proportionality. The systematic and potentially unlimited online publication of sanctions appears to be at odds with the principle of data minimisation. Alternative measures—such as restricted dissemination, pseudonymisation, or time limitations—were identified as more balanced solutions. The case, which concerns the Austrian anti-doping framework, is currently pending before the CJEU.
Whilst the French approach illustrates a particularly rigorous model of data protection in sport, grounded in strict regulatory oversight and an increasing emphasis on proportionality, the protection of athletes’ personal data is likely to remain a central issue in an evolving landscape shaped by sports governance, technological innovation, and fundamental rights. Future developments, particularly at the European Union level, will play a decisive role in refining the balance between regulatory objectives and the effective protection of individuals.
Dr Estelle Ivanova may be contacted by e-mail at ‘