
DATA PROTECTION OF ATHLETES IN THE UNITED KINGDOM (UK)

Data, nowadays, is a very valuable commodity, for all kinds of reasons, not least data related to sport, and, as such, data protection has become very important in practice.

Data protection may be defined as a set of legal rules designed to protect individuals’ personal and private information.

In sport, using analytics, athletes’ performances can be tracked, measured and coached using a wealth of information generated by their data, which is legally protected under the UK Data Protection Act of 2018 (the Act).

The Act updates data protection laws in the UK and complements the European Union General Data Protection Regulation.

Such data includes:

  • Biometric data: Heart rate, sleep patterns, and other data from wearable technology, for example, smart watches and fitness trackers.
  • Location data: GPS tracking of movement.
  • Medical records: Injury history, rehabilitation progress.
  • Psychological assessments: Mental health and performance evaluations.
  • Basic information: Name, address, contact details.

Collecting this data:

You need a valid legal reason to do so.

Under the Act, you need to have:

  • Consent: Athletes must agree to your using their data. This is crucial for sensitive health data, which includes information about athletes’ physical or mental health, such as medical diagnoses, injury reports, genetic data, disability status, or drug test results.
  • Legitimate Interest: You must have a genuine business reason, which does not override athletes’ rights. However, you need to conduct a Legitimate Interest Assessment (LIA) to ensure this.
  • Contractual necessity: The data is needed to fulfil a contract. This may include employment contracts for professional athletes or membership agreements where athletes pay a membership fee in return for access to and use of training facilities, kits, pitch hire and sports equipment.

You must also keep athletes informed and their data safe:

  • Privacy notices: You must tell athletes what data you collect, why, who has access, and how long you retain the data for. When drafting privacy notices, clear and simple language should be used.
  • Data security: You must protect data from any breaches.

Common examples of data security measures include:

  • Use strong passwords and multi-factor authentication.
  • Encrypt sensitive data.
  • Have a data breach response plan in place.

Other matters:

  • Data minimisation: You must ensure, when processing personal data, that the processing is limited to what is necessary.
  • Storage limitation: You must retain data only as long as it is needed and develop a data retention schedule.
  • International transfers: You must ensure that, when sharing personal data with an organisation outside the United Kingdom, you have appropriate safeguards in place. The most common examples include: (i) relying on UK ‘adequacy regulations’ (essentially, this is when another country has been assessed as providing ‘adequate’ protection for individuals’ personal data); or (ii) using the ICO (the Information Commissioner’s Office) International Data Transfer Agreement or International Data Transfer Addendum.

Athletes’ rights:

Under the Act, athletes have a number of rights, which include:

  • Access (Subject Access Requests or SARs): They can ask for a copy of their data.
  • Rectification: They can ask for errors in their data to be corrected.
  • Erasure (right to be forgotten): They can ask for their data to be deleted.
  • Restriction of processing: They can ask for the use of their data to be limited.
  • Data portability: They can ask for their personal data to be transferred to a third party in a commonly used, machine-readable format.

Knowing when an athlete has made one of those requests is paramount as (i) it may not always be obvious, at first sight; for example, an individual may request a copy of their personal data whilst also emailing regarding other matters; and (ii) unless an exception applies, requests must be dealt with without undue delay and, in any event, within one month.

Failure to comply:

For most sports organisations, complying with these legal obligations under the Act requires a significant amount of work and failing to comply can have serious consequences, which include:

  • ICO enforcement powers: The ICO has a range of powers, including issuing warnings, enforcement notices and penalty notices for the most serious of offences and can issue fines of up to £17.5 million (around Sw. Frs. 18.6 million) or 4% of the annual worldwide turnover of an organisation, whichever is the higher.
  • Reputational damage: Data breaches and privacy violations can harm the reputation of the organisation.
  • Legal action: Athletes, whose data protection rights have been infringed, may have legal grounds to pursue claims for compensation through the courts.

For example, see the notorious case of Max Mosley, the late President of the FIA, the world governing body of motorsport, who won damages of £60,000 (around Sw. Frs. 63,400) against News Group Newspapers Limited for misuse of private information, by publishing in the ‘News of the World’ newspaper an article and video of an alleged ‘Nazi-themed’ orgy involving him.

We advise athletes and sports organisations on sports data matters in the UK, including disputes, and further information is available by emailing our International Sports Law Consultant, Prof Dr Ian Blackshaw, at blackshaw@valloni.ch.