Federación de Balonmano de Castilla y La Mancha – €17,000 Fine (Spain, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Federación de Balonmano de Castilla y La Mancha required athletes to submit health data to participate in a handball competition, which was found to be illegal. The organization did not have a valid reason for collecting this sensitive information. This case serves as a warning for sports organizations about the proper handling of health data.
What happened
The Federación de Balonmano required athletes to upload health certificates to participate in competitions.
Who was affected
Athletes who were required to submit health data to play in the handball competition.
What the authority found
The Spanish DPA ruled that the Federation lacked a legal basis for collecting health data, violating GDPR rules.
Why this matters
This ruling underscores the need for organizations to have clear legal justifications when collecting sensitive health information. Sports organizations should review their data collection practices to ensure compliance with privacy laws.
GDPR Articles Cited
In November 2021, in order to participate in a handball competition, the data subject was required to upload to the Federación de Balonmano de Castilla y La Mancha website a certificate of complete vaccination against COVID, a certificate of having recovered from the disease, or an antigen test with a negative result 48 hours prior to the sporting event. Allegedly, the controller discriminated against competitors based on the health data it collected, given that only competitors who presented the corresponding certificate of vaccination against COVID-19 or antigen tests could play indoors without a mask. The controller also did not provide information on the data retention period and other aspects provided for in Article 13 GDPR.
In January 2022, the controller replied and in its response highlighted that due to the evolution of the epidemiological situation and the appearance of variants or the effectiveness, it had stopped processing the data related to COVID in order to participate in the competitions.
In its conclusion, the Spanish DPA considered that requiring federated athletes to submit health data in order to participate in the competition without a mask does not fall under the requirements of EU Regulation 2021/953 (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021R0953), which created and established the COVID certificate. There is also no other legal justification or basis for the processing, which violates Article 9 GDPR. The AEPD highlighted that Recital 46 GDPR already recognizes that, in exceptional situations, such as an epidemic, the legal basis for processing may be multiple, based on both the public interest and the vital interest of the data subject or another natural person. In this case, the data was collected in the private area of the website managed by the Federation as part of the "safe play without mask protocol-season 21/22". Despite the fact that the website could have provided
Details
Fine Date: 11 September 2023
Authority: Agencia Española de Protección de Datos
Fine Amount: €17,000
GDPRhub ID: gdprhub-6266
Cite as: Cookie Fines. Federación de Balonmano de Castilla y La Mancha - Spain (2023). Retrieved from cookiefines.eu