Slovenska antidoping organizacija

Personal Data Protection Policy

1. Purpose, Scope and Users

1.1. This Policy sets forth the basic principles by which Slovenska antidoping organizacija, zasebni zavod za preprečevanje dopinga v športu, with its registered office at Celovška cesta 25, 1000 Ljubljana (“SLOADO”), as the data controller, processes the Personal Data of individuals. SLOADO has legal responsibilities in relation to Personal Data and strives to comply with applicable laws and regulations related to Personal Data protection.

1.2. SLOADO will process Personal Data in accordance with clause 1.1. above and pursuant to the Code and ISPPPI, which shall provide a minimum, common set of standards for the treatment of Personal Data.

1.3. The users of this Policy are all employees, contractors and third parties working on behalf of SLOADO and/or using its services (such as, for example, the Preveri zdravilo app) or being subject to SLOADO procedures.

2. Definitions

“Anonymization” means irreversibly de-identifying Personal Data such that the individual cannot be identified, using reasonable time, cost and technology, either by the Controller or by any other person.

“Code” means the World Anti-Doping Code, as valid from time to time.

“Controller” means the natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“ISPPPI” means the International Standard for the Protection of Privacy and Personal Information, as valid from time to time.

“Personal Data” means any information relating to the Data Subject.

“Personal Data Breach” means an accidental or deliberate breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. Personal Data Breaches include, for example:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a Controller or Processor;
  • sending Personal Data to an incorrect recipient;
  • computing devices containing Personal Data being lost or stolen;
  • alteration of Personal Data without permission; and
  • loss of availability of Personal Data.

“Policy” means this Data Breach Response and Notification Procedure.

“Processor” means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.

“Pseudonymization” means the processing of Personal Data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

“Sensitive Personal Data” means Personal Data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, and merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms, such as Personal Data revealing racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning health.

“SLOADO” means Slovenska antidoping organizacija, zasebni zavod za preprečevanje dopinga v športu, Ljubljana, Celovška cesta 25, 1000 Ljubljana.

“Supervisory Authority” means the Information Commissioner of the Republic of Slovenia.

3. Basic Principles Regarding Personal Data Processing

The data protection principles outline the basic responsibilities for organisations handling personal data.

3.1. Lawfulness, Fairness and Transparency

3.1.1. Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

3.1.2. SLOADO acknowledges that the main legal basis for processing of Personal Data in relation to anti-doping activities is compliance with legal obligations in accordance with the ratified UNESCO International Convention Against Doping in Sport. Such processing is required also on the basis that processing is necessary for public health purposes.

3.2. Purpose Limitation

3.2.1. Personal Data shall be collected for specified, explicit and legitimate purposes (i.e. for anti-doping purposes in the context of anti-doping activities or other purposes relevant to the fight for clean sport) in accordance with the Code and not further processed in a manner that is incompatible with those purposes.

3.3. Data Minimization

3.3.1. Personal Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. SLOADO only processes Personal Data that is necessary for its anti-doping activities in accordance with the Code.

3.3.2. SLOADO shall apply Anonymization or Pseudonymization to Personal Data, if possible and where appropriate, to reduce the risks to the Data Subjects concerned.

3.4. Accuracy

3.4.1. Personal Data shall be accurate and, where necessary, kept up to date; reasonable steps shall be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.

3.4.2. If SLOADO is informed of, or otherwise becomes aware of, incorrect information, SLOADO will correct such Personal Data within a reasonable time. Individuals are encouraged to inform SLOADO of any errors.

3.5. Storage Period Limitation

3.5.1. Personal Data shall be kept for no longer than is necessary for the purposes for which the Personal Data are processed.

3.5.2. Time periods pursuant to the ISPPPI will be observed.

3.6. Integrity and Confidentiality

3.6.1. Taking into account the state of technology and other available security measures, the implementation cost, and the likelihood and severity of risks to Personal Data, SLOADO shall use appropriate security measures to process Personal Data in a manner that ensures appropriate security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure.

3.6.2. For details on the physical, organizational, technical, environmental and other measures applied, please refer to the SLOADO Uniform Information Security Policy.

3.7. Accountability

3.7.1. SLOADO shall be responsible for and be able to demonstrate compliance with the principles outlined above.

4. Building Data Protection into Activities

4.1. Notification to Data Subjects

4.1.1. See Clause 5.3.

4.2. Data Subject’s Choice and Consent

4.2.1. See Clause 5.4.

4.3. Collection

4.3.1. SLOADO shall strive to collect the least amount of Personal Data possible, but still in such scope that it is able to perform its lawful and legitimate interests and obligations. If Personal Data is collected from a third party, the Data Protection Officer shall ensure that the Personal Data is collected lawfully.

4.4. Use, Retention, and Disposal

4.4.1. The purposes, methods, storage limitation and retention period of Personal Data shall be consistent with the information contained in the Privacy Notice. SLOADO shall maintain the accuracy, integrity, confidentiality and relevance of Personal Data based on the processing purpose. Adequate security mechanisms designed to protect Personal Data shall be used to prevent Personal Data from being stolen, misused, or abused, and to prevent Personal Data Breaches.

4.4.2. Once Personal Data is no longer needed to fulfil SLOADO’s obligations, or no longer required to be kept by law, either national or international, the Personal Data shall be deleted, destroyed, or anonymized. For details, please refer to the SLOADO Uniform Information Security Policy.

4.5. Disclosure to Third Parties

4.5.1. Whenever SLOADO uses a third party (i.e. another anti-doping organization, a third-party agent or other third party) to process Personal Data on its behalf, the Data Protection Officer shall ensure that this Processor provides security measures to safeguard Personal Data that are appropriate to the associated risks. For this purpose, an assessment of sufficient guarantees with respect to the technical and organizational measures of the third party shall be made in advance.

4.5.2. SLOADO shall contractually require the partner to provide the same level of data protection as SLOADO. The partner shall only process Personal Data to carry out its contractual obligations towards SLOADO or upon the instructions of SLOADO, and not for any other purposes. When SLOADO processes Personal Data jointly with an independent third party, SLOADO shall explicitly specify the respective responsibilities of itself and the third party in the relevant contract or other legally binding document, such as the Supplier Data Processing Agreement.

4.5.3. Regarding the publication of anti-doping results, SLOADO must act in accordance with the provisions of the Code and the international standards. SLOADO is obliged to publish on its website the identity of an athlete who has committed an anti-doping offence, according to the decision of the disciplinary body.

4.6. Cross-border Transfer of Personal Data

4.6.1. Before transferring Personal Data out of the European Economic Area (EEA), adequate safeguards shall be used and, if required, authorization from the relevant Data Protection Authority shall be obtained.

4.7. Rights of Access by Data Subjects

4.7.1. When SLOADO is acting as a Data Controller, the Data Protection Officer is responsible for providing Data Subjects with a reasonable access mechanism to enable them to access their Personal Data, and shall allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law.

4.7.3. In some cases, due to lawful limitations (e.g. an ongoing procedure against such a person), it will not be possible to exercise such rights. The individual will be informed of this with sufficient information.

4.8. Data Portability

4.8.1. Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another Controller, free of charge. The Data Protection Officer is responsible for ensuring that such requests are processed within one month and do not affect the rights to Personal Data of other individuals. In some cases, due to lawful limitations (e.g. an ongoing procedure against such a person), it will not be possible to exercise such right. The individual will be informed of this with sufficient information.

4.9. Right to be Forgotten

4.9.1. Upon request, Data Subjects have the right to obtain from SLOADO the erasure of their Personal Data. When SLOADO is acting as a Controller, the Data Protection Officer shall take the necessary actions (including technical measures) to inform the third parties who use or process that data so that they comply with the request. In some cases, due to lawful limitations (e.g. an ongoing procedure against such a person), it will not be possible to exercise such right. The individual will be informed of this with sufficient information.

5. Fair Processing Guidelines

5.1. Personal Data shall only be processed when authorised by the Data Protection Officer.

5.2. SLOADO shall decide whether to perform a Data Protection Impact Assessment for each data processing activity. A Data Protection Impact Assessment shall generally be required for the processing of whereabouts information and Sensitive Personal Data.

5.3. SLOADO shall regularly perform Data Protection Impact Assessments.

5.4. Notices to Data Subjects

5.4.1. At the time of collection or before collecting Personal Data for any kind of processing activity, SLOADO shall be responsible for properly informing Data Subjects of the following: the types of Personal Data collected, the purposes of the processing, the processing methods, the Data Subjects’ rights with respect to their Personal Data, the retention period, potential international data transfers, whether Personal Data will be shared with third parties, and SLOADO’s security measures to protect Personal Data. This information is provided through the Privacy Notice.

5.4.2. Where Personal Data is being shared with a third-party agent, the Data Protection Officer shall ensure that Data Subjects have been notified of this through the Privacy Notice.

5.4.3. Where Personal Data is being transferred to a third country, the Privacy Notice should reflect this and clearly state where, and to which entity, the Personal Data is being transferred.

5.4.4. Where Sensitive Personal Data is being collected, the Data Protection Officer shall make sure that the Privacy Notice explicitly states the purpose for which this Sensitive Personal Data is being collected.

5.5. Obtaining Consents

5.5.1. Whenever Personal Data processing is based on the Data Subject’s consent, or on other lawful grounds, the Data Protection Officer is responsible for retaining a record of such consent. The Data Protection Officer is responsible for providing Data Subjects with options to give consent, and shall inform them that, and ensure that, their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.

5.5.2. Where the collection of Personal Data relates to a child under the age of 18 or to protected persons, the Data Protection Officer shall ensure that parental/custodian consent is given prior to the collection.

5.5.3. When requests to correct, amend or destroy Personal Data records are received, the Data Protection Officer shall ensure that these requests are handled within a reasonable time frame. The Data Protection Officer shall also record the requests and keep a log of them.

5.5.4. Personal Data shall only be processed for the purpose for which they were originally collected. In the event that SLOADO wants to process collected Personal Data for another purpose, SLOADO shall seek the consent of its Data Subjects in clear and concise writing. Any such request shall include the original purpose for which the Personal Data was collected, as well as the new or additional purpose(s). The request shall also include the reason for the change in purpose(s).

5.5.6. Now and in the future, the Data Protection Officer shall ensure that collection methods are compliant with relevant law, good practices and industry standards.

6. Processing of Personal Data by Processors

6.1. SLOADO may, by contract, entrust individual tasks related to the processing of Personal Data to a contractual Processor who is registered to perform such activity and provides appropriate procedures and measures in accordance with this Policy and the GDPR.

6.2. The contractual Processor may perform individual tasks related to the processing of Personal Data within the scope of the client’s authorizations and may not process Personal Data for any other purpose.

6.3. Mutual rights and obligations shall be regulated by a contract, which must be concluded in writing and must also contain an agreement on procedures and measures.

6.4. The Data Controller supervises the implementation of procedures and measures.

6.5. In the event of a dispute between the Data Controller and the contractual Processor, the contractual Processor shall, at the request of the Data Controller, return to the Data Controller the Personal Data which it has processed under the contract. Any copies of this information must be destroyed immediately or forwarded to the state authority competent in accordance with the law to detect or prosecute criminal offences, to a court or to another state authority, if so provided by law.

6.6. In the event of termination of the contractual processing, the contractual Processor must return SLOADO’s Personal Data without undue delay.

6.7. In the event that SLOADO, under a contract, performs individual tasks related to the processing of Personal Data for another Data Controller, the provisions of the law, these rules and the contract bind all employees involved in these tasks, or in any way acquainted with the processed data, to the protection of Personal Data.

6.8. Personal Data is stored as set out in Appendix 1.

7. Organization and Responsibilities

7.1. The responsibility for ensuring appropriate Personal Data Processing lies with everyone who works for or with SLOADO and has access to Personal Data processed by SLOADO.

7.2. The key areas of responsibilities for processing Personal Data lie with the following organisational roles:

7.2.1. the management board makes decisions about and approves SLOADO’s general strategies on Personal Data protection.

7.2.2. the Data Protection Officer is responsible for:

  • managing the Personal Data protection program;
  • development and promotion of end-to-end Personal Data protection policies;
  • monitoring and analysing Personal Data laws and changes to regulations;
  • developing compliance requirements;
  • improving awareness of user Personal Data protection within SLOADO; and
  • organizing Personal Data protection expertise and awareness training for personnel working with Personal Data.

7.2.3. the IT manager is responsible for:

  • ensuring all systems, services and equipment used for storing data meet acceptable security standards; and
  • performing regular checks and scans to ensure security hardware and software is functioning properly.

8. Response to Personal Data Breach Incidents

8.1. When SLOADO learns of a suspected or actual Personal Data Breach, the Data Protection Officer, together with the Data Breach Response Team, performs an internal investigation and takes appropriate remedial measures in a timely manner, according to the Security Breach Procedure. Where there is any risk to the rights and freedoms of Data Subjects, SLOADO shall notify the relevant Supervisory Authority without undue delay and, where possible, within 72 hours.

9. Confidentiality

9.1. Documents and data of a business or civil nature are regarded as confidential if they have been declared confidential by law, other general acts, the SLOADO Statute, the SLOADO Rules or a decision of the SLOADO Board of Directors, or if they are so important that their disclosure would obviously cause, or could cause, serious damaging consequences for SLOADO.

9.2. For the security of data designated as confidential, the following level of confidentiality shall be assigned: confidential. The level of confidentiality is determined by the Director of SLOADO.

9.3. The following may be determined as confidential under the conditions specified in the first paragraph of this Clause:

a) professional instructions for performing work tasks;

b) Personal Data relating to anti-doping activities;

c) SLOADO working materials;

d) working materials for the SLOADO Management Board, the SLOADO Expert Council, the SLOADO Disciplinary Commission and the SLOADO Arbitration;

e) financial data;

f) records of user passwords;

g) personnel and health documentation of an individual employee, contractual co-worker or official of the institution.

9.5. The processing and protection of Sensitive Personal Data must be carried out with special diligence and care.

9.7. Special types of Personal Data must be specially marked and protected during processing in such a way as to prevent unauthorized persons from accessing them.

9.9. SLOADO must protect and process as confidential all data, facts and circumstances at its disposal and necessary for the performance of its tasks, regardless of how it obtained them.

9.11. All SLOADO employees and contractual co-workers are obliged to protect confidential information in accordance with this Clause.

10. Conflicts of Law

10.2. This Policy is intended to comply with the laws and regulations of the Republic of Slovenia. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
