[Access the official publication on EDPB website]
Adopted on 11 February 2025
By way of letter dated 02 October 2024, the European Commission (Directorate-General for Education, Youth, Sport and Culture) requested the EDPB pursuant to Art. 70 (1) (e) GDPR to examine the current update of the World Anti-Doping Code (hereinafter the 'Code') and its complementing International Standards (hereinafter the 'Standards') in order to assess their compliance with the GDPR. In 2023, the World Anti-Doping Association (hereinafter ‘WADA’) launched a revision of the Code and its Standards, to be concluded by December 2025, and to come into effect in January 2027. The Code aims at harmonising anti-doping policies, rules and regulations internationally and it is complemented by eight International Standards with the objective of fostering consistency among anti-doping programmes that are implemented mainly via the National Anti-Doping Organisations (hereinafter the ‘(N)ADOs’). The eight International Standards refer to the following aspects: data protection; education; intelligence and investigations; laboratories; results management; testing; therapeutic use exemptions; and compliance.
The EDPB and its predecessor, the Article 29 Working Party (hereinafter the ‘Art. 29 WP’), have attentively followed WADA activities over time, when reviewing earlier version of the Code and its Standards. The Art. 29 WP adopted two Opinions in 2008 ****and 2009 ****on certain provisions of the Code and its International Standards. Subsequently, in 2013, the Art. 29 WP sent a letter to WADA ****containing a number of observations and concerns regarding the update of these documents. Lastly, in 2019, the EDPB provided its remarks regarding the (at the time ongoing) revision process of the Code and its Standards in a letter addressed to the Presidency of the Council of the EU.
The EDPB recalls that the rules of the Code and its Standards have been transposed by Member States into their national legal order, according to their respective national structure and organisation of sport. Indeed, as signatories to the 2005 UNESCO International Anti-Doping Convention and the Anti-Doping Convention of the Council of Europe, Member States have to adhere to the commitments arising from the ratification of these conventions.
As clarified by the Opinion of the Advocate General in the case C-115/22, although the Code is a private legal instrument, its effectiveness is ensured by the 2005 UNESCO International Anti-Doping Convention. Per Article 4 thereof, the provisions of the Code are not an integral part of the Convention and do not have direct effect in national law. However, by the same provision, the Member States, which are Parties to the Convention, have committed to abide by the principles of the Code. That commitment is transposed into the legal systems of the Member States in different ways, since, as specified by a 2017 study conducted for the European Commission, the Code is legally binding in some Member States, but not in others.
In any case, the EDPB reminds that when Member States adopt national anti-doping measures, encompassing legislation, regulation, policies or administrative practices, based on the principles of the Code, they have to ensure that those measures are in line with EEA law, including the GDPR. Therefore, in case the provisions of the Code and its International Standards are not in line with the GDPR, Member States cannot transpose them as they stand into national anti-doping measures, without infringing their obligations under EU/EEA law and thus negatively affecting the level of protection of natural persons in the EEA with regard to their personal data.
Moreover, anti-doping programmes are mainly executed by (N)ADOs, which are among the signatories to the Code. (N)ADOs have to apply anti-doping measures that Member States establish in line with their commitments under the International Anti-Doping Convention and in response to expectations from WADA. The EDPB emphasises in this regard that in the implementation of the national anti-doping measures, (N)ADOs as controllers, are responsible for processing personal data in compliance with the GDPR and, as administrative authorities must not apply, if necessary, those national anti-doping rules in so far as they may be contrary to provisions of the GDPR that have direct effect. Therefore, Member States, when implementing national anti-doping legislation, regulation, policies or administrative practices, should carefully assess whether the provisions of the Code and its International Standards entailing the processing of personal data are compatible with the GDPR so as to also avoid possible infringements of EEA law by (N)ADOs, and any exposure to the corrective actions and sanctions of the competent data protection authorities.
In its Recommendations, the EDPB shares some points of concern with the European Commission regarding the main aspects of the current revision of the Code and its Standards that are not in line with the GDPR, thus negatively affecting the Member States obligation to ensure a consistent and high level of protection to the rights and freedoms of natural persons in the EEA, in particular with regard to their rights to privacy and the protection of personal data. The EDPB will focus on the most important issues and the new concepts introduced by WADA in the International Standard for Data Protection (hereinafter ‘ISDP’), as mentioned in the European Commission request and will refer to its letter of 2019 for aspects that relate to its previous findings. Even if not all the relevant provisions of the other Standards complementing the Code are mentioned, they should be considered as having been referred to in these Recommendations as the EDPB remarks may still apply to them.
The EDPB welcomes the changes and progress made in the Code and its International Standards, noting that some of the issues referred to in the EDPB letter dated 9 October 2019 have been successfully resolved, such as setting a stricter deadline for notification of security breaches, and the requirement to carry out a data protection impact assessment prior to processing due to the newly introduced principle of privacy by design. The EDPB welcomes the addition of the International Standards for Intelligence and Investigations (hereinafter the ‘ISII’), as part of the overarching WADA standards, as the processing of personal data for investigative purposes is a key activity of (N)ADOs.
However, the EDPB notes that unfortunately certain key issues have not been taken into account when revising the Code and its Standards. In particular, the EDPB still raises doubts about compliance with the GDPR concerning the legal basis of consent foreseen by the ISDP, as in line with Articles 5(1)(a), 6(1)(a), 7, 9(2)(a) of the GDPR, consent must be freely given and the refusal to provide consent, or its withdrawal, can be seen to have a detrimental or adverse outcome for the data subject.
In addition to this, the EDPB notes that the purposes for certain processing activities remain vague. The principle of purpose limitation, under Article 5(1)(b) of the GDPR requires that personal data be processed only for specific, explicit and legitimate purposes. A consequence of this, is that the corresponding retention periods for personal data therefore lack a clear justification.
The EDPB notes that the roles of WADA and (N)ADOs with regard to data processing activities, particularly within the database of the Anti-Doping Administration and Management system (hereinafter ‘ADAMS’) remain unclear. This not only affects how data protection responsibilities are assigned and managed, but also has an impact on transparency, accountability, and the ability of data subjects to effectively exercise their rights.
Additionally, the legally binding nature of the Code for those bodies that have signed up to it should be made explicitly clear. Moreover, the reuse of samples, and personal data including health data should be subject to appropriate safeguards to protect the rights and freedoms of data subjects. Additionally, the purposes for analysing biological samples should be more precisely identified.
The safeguards provided for all data processing under the Code should be equivalent to the standard required by the right to data protection as enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and in the GDPR. Even though the EDPB understands that the Code covers international data flows, national applicable provisions that offer a lower level of data protection should not undermine the safeguards provided for by the Code and Standards.
The EDPB invites the European Commission to encourage WADA to incorporate the EDPB’s feedback to make their Code a global Standard of data processing in compliance with the highest level of protection of the fundamental rights and freedoms of all individuals concerned.
Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC], (hereinafter “GDPR”),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,