Data Protection Insider, Issue 140


1. AG Spielmann on Data Processing Concerning Anti-Doping in Sport

On 25th September, AG Spielmann offered his opinion in the case of NADA Austria and Others. In terms of the facts, the case concerns anti-doping procedures, which led to the suspension of certain athletes. According to Austrian anti-doping legislation, the National Anti-Doping Agency, Austria (NADA) ‘publishes on its website a list of the names of persons who have been suspended…. For the duration of the suspensions, that list includes the first name and surname of the athlete concerned, the sport practised, the infringement of the anti-doping rules committed, the penalty imposed, and the start and end dates of the penalty’. Another body, the Austrian Anti-Doping Legal Committee (the ÖADR) ‘also publishes the same data, along with any prohibited substances involved, in a press release on its…website’. Following this publication, the athletes concerned requested the bodies to refrain from publishing their names and their sporting disciplines. After this request was ignored, the athletes filed a complaint with the Austrian DPA ‘seeking a declaration that there had been an infringement of the right to erasure or restriction of data, and an order requiring the ÖADR and NADA to remove the publication of their names and the sports from the abovementioned websites. They also argued that the case involved a special category of personal data and the processing of personal data relating to criminal convictions and offences, within the meaning of Articles 9 and 10 of the GDPR…. They submitted that the undifferentiated publication system provided for in Austrian law is incompatible with Article 6(3) of the GDPR and is neither necessary nor proportionate’. The Austrian DPA dismissed the complaint as unfounded, which led to an action before the Bundesverwaltungsgericht (Federal Administrative Court, Austria). In this regard, this national court referred several questions to the CJEU, which the AG summarized as follows:

1. Does ‘the implementation of anti-doping legislation constitutes an ‘activity’ which falls within the ‘scope of Union law’ within the meaning of the first sentence of Article 16(2) TFEU’?
2. Does ‘the publication of the personal data at issue relates to ‘data concerning health’ within the meaning of Article 9 of the GDPR’?
3. Does ‘the publication at issue’ constitute ‘processing of personal data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR’?
4. Are ‘the activities or decisions of an authority which has been given responsibility for exercising control over the processing of personal data relating to criminal convictions and offences or related security measures, in accordance with Article 10 of the GDPR…subject to judicial review’?
5. Do ‘Article 5(1)(a) and (c) and the second subparagraph of Article 6(3) of the GDPR’ preclude an obligation in national law on national anti-doping bodies, to publish the personal data concerned…in particular, the names of athletes sanctioned for an infringement of the anti-doping rules, the duration of the ban imposed and the reasons for it’ and does the GDPR require ‘case-by-case balancing of the interests involved by the controller before publication’ or is ‘the proportionality test provided for by the legislator…sufficient’?
6. Is ‘a complaint under Article 77 of the GDPR concerning an alleged infringement of the right to erasure (Article 17 of the GDPR)…admissible even though the personal data relating to the data subject had not yet been processed at the time when the complaint was lodged…or at the time when that authority took a decision’?

In this regard, the AG offered the following advice to the Court:

1. The processing of personal data consisting, pursuant to national anti-doping rules ‘cannot be regarded as part of an ‘activity which falls outside the scope of Union law’ within the meaning of Article 2(2)(a)’.
2. Disclosing ‘the name of the athlete concerned, the duration of his or her suspension and the grounds for that suspension does not constitute processing of data concerning health…unless those grounds include the name of the prohibited substance or substances found to be present in the body of the athlete in question, where that indication is capable of revealing, even indirectly, information on…health status’.
3. Article 10 applies ‘to the processing of personal data relating to convictions or offences under national anti-doping regulations, where, irrespective of the classification of those offences under national law, the convictions which they involve have a punitive purpose and have a degree of severity such that they have an effect equivalent to a criminal penalty’.
4. Article 10 means ‘that it must be possible for the activities or decisions of’ such an authority ‘to be subject to judicial review’.
5. Article 5(1)(a) and (c) and Article 6(3) preclude ‘an obligation imposed on national anti-doping bodies to publish personal data, such as the names of athletes sanctioned for an infringement of…anti-doping rules’ etc. ‘where, given the specific circumstances of the case, the requirement for proportionality is not or is no longer met’. And ‘Articles 5 and 6…must be interpreted as requiring the controller to carry out, prior to the processing of data, a case-by-case balancing of the interests involved if that is necessary in order to process personal data…consistent with the GDPR’.
6. Article 77 means ‘a complaint based on Article 17…is inadmissible where it concerns…processing…which, even if imminent, did not exist either at the time the complaint was lodged by that data subject with the supervisory authority, or at the time when the decision of that authority was adopted’. And further, Article 77 ‘does not preclude the admissibility of a complaint previously rejected as inadmissible by the supervisory authority, where the data processing takes place while judicial proceedings relating to the same facts are pending before the court’.

This is a long and involved Opinion, dealing with a number of fascinating questions – concerning, for example, the scope of the concept of data concerning health, and the proportionality obligation – to which we cannot do full justice in this summary. We suggest that all those interested in the factual or legal issues raised by the case consult the original materials in detail. As always, however, we remind the reader that it remains to be seen whether, and to what degree, the Court follows the opinion of the AG.

2. AG Szpunar: Not Responding to Non-Abusive Access Requests could Give Rise to Damages

On 18th September, in Brillen Rottler GmbH & CO.KG v TC, AG Szpunar advised the Court to rule that an abusive intent on the part of a data subject might serve to classify an access request as ‘excessive’, but that, where the request is not excessive, a controller's failure to respond to it could give rise to claims for damages. As to the facts of the case, the data subject (TC) subscribed to the newsletter offered by Brillen Rottler (the controller in casu). Shortly afterwards, he submitted an access request, which was turned down by the controller with the argument that from the information published on the internet it was obvious that TC was using the same tactic – subscribing to a newsletter only to file access requests afterwards and claim compensation for damages after not receiving an answer in the prescribed time limit. The dispute escalated in domestic courts. Hence, the referring court sought clarification on the following two points: (1) what qualifies as an ‘excessive’ request in the sense of Article 12(5) GDPR; and (2) may merely not responding to an access request, which is not abusive, give rise to compensation for damages under Article 82(1) GDPR? AG Szpunar advised the Court to answer as follows.

As to the first question, building on the existing case law, he paid attention to the intentions of the data subject who submits a data access request and argued that ‘an initial access request, made under Article 15 of the GDPR to a controller, can be characterised as ‘excessive’ when the controller demonstrates, taking into account all the relevant circumstances of the case, an abusive intention on the part of the data subject, such an intention being found when that person has consented to the processing of his or her personal data to be able to submit that access request and then claim compensation’ but that ‘the mere fact that it appears from publicly available information that, in the event of infringement of the law relating to the right to protection of personal data, the data subject has asserted in a large number of cases his or her right to compensation against the controller, is not sufficient to characterise such a request as ‘excessive’’. As to the second question, AG Szpunar argued for a wide interpretation of the right to compensation when it is demonstrated that the data subject has actually suffered (non-material) damages, in the sense that the right to compensation should apply where the controller has infringed the provisions of the GDPR, even if the infringement does not relate to the processing of personal data, but consists in failing to respond to an access request.

3. EDPB Publications

Over the past two weeks, the EDPB has published the following important documents:

• ‘Response to CCIA Europe concerning EDPB guidelines on calculation of fines’;
• ‘Guidelines 3/2025 on the interplay between the DSA and the GDPR’.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
