IIHF Privacy Policy
Privacy Policy for IIHF Event Participants
1.Responsibility for the processing of personal data
The IIHF is the sole governing body for the sport of Ice Hockey and recognized by the IOC. In this role, the IIHF recognizes the importance of ensuring that the privacy rights of persons subject (including sensitive personal data/special category data, such as data relating to a player’s health and physical condition) to its jurisdiction.
Personal Data of Data Subjects will be Processed by the IIHF for the purposes and in the manner described in this Privacy Policy. Where deemed necessary for the Authorized Purposes (e.g. in relation to Data Subjects who are minors or do not have legal capacity under the laws of their country of residence), the IIHF may also Process Personal Data which relate to Data Subjects’ parents, legal guardians, or entourage. Data Subjects are requested to inform these third parties about the contents of this Privacy Policy.
2.Applicable privacy & data protection laws
The IIHF is based in Zurich, Switzerland. Switzerland is not an EU member, and nor is it a member of the larger European Economic Area (EEA). An entity that collects personal data from within the EEA cannot normally transfer it to another entity outside of the EAA without proper safeguards in place. However, Switzerland, along with twelve other non-EEA countries, has received an "adequacy decision" from the European Commission.
Under the territorial scope of the General Data Protection Regulation (GDPR), Swiss entities like the IIHF obey the GDPR when they are operating in the EEA. In addition, being based in Switzerland, the IIHF adheres to the main data protection law of Switzerland, the Federal Act on Data Protection.
3.Collection of personal data of Data Subjects
Personal Data of Data Subjects is collected on separate occasions as required for the preparation, promotion, operation or otherwise necessary for success IIHF Events and, in particular, when Data Subjects:
- are provided services such as accommodation, transport, meals, assistance, or healthcare;
- are photographed or filmed at the occasion of IIHF Events or otherwise as part of the media coverage of IIHF Events;
- are involved in any disciplinary procedure related to a suspected or actual breach of the rules applicable to Data Subjects or other legal procedure in connection with IIHF Events;
- take part in any activity in connection with IIHF Events;
- compete at IIHF Events;
- are subject to anti-doping controls and procedures.
As a general principle, the IIHF will receive Personal Data of Data Subjects through the intermediary of the Responsible National Member Association of the Data Subjects. In addition, in certain circumstances, the IIHF may receive Personal Data of Data Subjects from any third parties where such Personal Data is necessary for the Authorised Purposes set out in Article 5.
4. Categories of personal data processed
Personal Data Processed by the IIHF for the Authorised Purposes can be categorised as follows:
- biographical information such as family and given names, nationality, date of birth, gender, photograph, passport information;
- contact and travel details such as postal address, email addresses, phone number, public social media accounts, booking number, arrival, and departure information;
- physiological information such as height, weight, biometrics, blood and urine samples, illnesses, injuries, and facial data including facial features for facial recognition access control systems;
- information related to the participation in IIHF Events such as accreditation number, team, performances, results, position, or National Member Association;
- health data related to the health status of a person including medical data (doctor referrals and prescriptions, medical examination reports, laboratory tests, radiographs, etc.);
- other relevant information necessary for or in relation to the protection of the life, body or property of a person, the security, the preparation, promotion, presentation and operation of IIHF Events, the prevention of the manipulation of competitions or the conduct of the anti-doping programme (whereabouts, etc.).
5. Authorized purposes
Personal Data of Data Subjects will be Processed by the IIHF for the following Authorised Purposes:
- allowing the Participants’ participation in, and the management of, sport competitions and other activities organised at IIHF Events (including cultural and educational activities) and more generally enabling Data Subjects to fulfil their role at IIHF Events
- Key activities include: review of applications for and management of Accreditation and Guest passes for IIHF Events, sports entries, and verification that Data Subjects fulfil admission requirements, planning and scheduling, display of information within IIHF Event venues for the presentation of the Participants;
- Based on: the legitimate interest of the IIHF to allow participation in IIHF Events
- ensuring the safety of Data Subjects and the security of IIHF Events
- Key activities include: security risk assessments, identity verification, and access control;
- Based on: the legitimate interest of the IIHF to ensure the security of IIHF Events and Data Subjects in participation of the Event
- protecting the health and wellbeing of Data Subjects
- Key activities include: the provision of healthcare, insurance, and medical services to Data Subjects at the occasion of IIHF Events, the monitoring and treatment of athlete injuries, illnesses, diseases, or any other health states at IIHF Events;
- Based on: the legitimate interest of the IIHF to protect the health and well-being of Data Subjects at IIHF Events
- protecting the integrity of IIHF Events and ensuring the compliance of activities occurring at such Events with IIHF Rules and Regulations, applicable to Participants and, where applicable, other Data Subjects
- Key activities include: anti-doping procedure of IIHF Events (including but not limited to investigation, search and/or preservation of evidence in relation to suspected breach of the World Anti-Doping Code and IIHF Anti-Doping Code), prevention of manipulation of competitions and more generally the identification, investigation, and prosecution of suspected or actual breaches of the IIHF Integrity Code and other rules applicable to Participants;
- Based on: the legitimate interest of the IIHF to ensure the security of IIHF Events and the compliance of Data Subjects with rules in relation to their participation
- managing sport competitions results and keeping official records of and other relevant information about IIHF Events and its Participants
- Key activities include timing and scoring services, compilation, verification and publication of official sports results, development of statistics, conducted during and after IIHF Events;
- Based on: the legitimate interest of the IIHF to facilitate and promote IIHF Events
- preparing, promoting, and operating IIHF Events, and ensuring the widest possible media coverage and their legacy
- Key activities include: broadcast, publication, or transmission of any content in connection with IIHF Events and their legacy, in any format and through any media or technology, operated the IIHF, the Event Host, or by authorised rights-holding broadcasters and other media;
- Based on: the legitimate interest of the IIHF to promote IIHF Events
- performing legal obligations
- Key activities include: disclosing Personal Data to authorities on the basis of the IIHF`s good faith belief of being under a legal obligation to do so;
- Based on: legal obligations to which the IIHF is subject
- communicating with Data Subjects and informing them about the relevant IIHF Event
- Key activities include: sending of communications via email, answering queries from Data Subjects, providing promotional or marketing communications.
- Based on: the Data Subjects’ consent, where required by applicable law, otherwise based on the legitimate interest of the IIHF to communicate relevant information about IIHF Events.
6.Personal data recipients
The IIHF may share Personal Data including but not limited to those categorised in Article 4 between them and with other service providers or third parties acting on their behalf, for conducting the Authorised Purposes. Moreover, the following recipients may have access to such Personal Data where required by their respective operations, and responsibilities in connection with IIHF Events, and the IIHF shall be authorised to share such Personal Data with these recipients, where necessary for the Authorised Purposes:
- National Member Associations, who select and send Participants to the IIHF Events;
- relevant authorities, including any national authorities, who are responsible for ensuring the security of IIHF Events and admission in the host country and more generally accomplish their mission to support the preparation, promotion, and operation of the Events in accordance with applicable laws;
- the IIHF Judicial Bodies who are authorized by the IIHF to settle disputes in connection with, and occurring at, IIHF Events;
- the World Anti-Doping Agency (“WADA”) and other Anti-Doping Organisations who fulfil their mission to fight against doping in accordance with the World Anti-Doping Code and the relevant laws, regulations, or guidelines;
- insurance providers who may provide insurance services to Data Subjects;
- healthcare and medical service providers who may provide treatment to Data Subjects during their stay at IIHF Events;
- rights-holding broadcasters and other media, who report on the IIHF Event and inform the general public; and
- travel and accommodation service providers, who provide services to Data Subjects.
Where the above-mentioned recipients consider such measure necessary for the Authorised Purposes, they may combine or supplement any Personal Information of Data Subjects received from the IIHF with any other information in their possession. Data Subjects are invited to consult the websites or other official information sources made available by the above-mentioned recipients for additional information regarding their respective operations and activities and related Processing of Personal Data.
Personal Data will normally be Processed in a confidential manner. Some of the Personal Data, such as some biographical information and information related to the participation of Participants in the competitions IIHF Events or related to breaches of rules applicable to Data Subjects may be publicly disclosed.
7.Grounds for processing personal data
Processing of Personal Data of Data Subjects is based on the following grounds:
- the necessity in view of allowing and facilitating the Participants’ participation in IIHF Events and more generally the performance by Data Subjects of their respective operations and responsibilities in connection with IIHF Events;
- the substantial public interest to guarantee the security at IIHF Events, conduct anti-doping activities, protect clean athletes, and prevent manipulations of competitions;
- the legitimate interests of the IIHF to ensure that Data Subjects respect their covenant to comply with the provisions applicable to Data Subjects (including the IIHF Disciplinary Regulations, Event Codes, as well as for Participants the IIHF Anti-Doping Regulations, and the World Anti-Doping Code);
- applicable legal provisions authorising the Processing of Personal Data for the Authorised Purposes;
- protection of the vital interests of Participants or of another natural person when providing healthcare services; and
- Data Subjects’ consent, where expressly granted.
8.Retention period of personal data
As a general rule, The IIHF retains personal data of Data Subjects no longer than necessary for the purposes described in this Policy. Personal Data of Data Subjects may be kept for a longer period of time where necessary to fulfil the Authorised Purposes including, without limitation, information deemed of historical interest (such as sports results, key biographical information) which may be kept as long as necessary.
Retention periods applicable to anti-doping activities are specified in the Annex A of the International Standard on Protection of Privacy and Personal Information, forming part of the World Anti-Doping Code, which provides that Personal Data of Participants may be retained over time by WADA and the IIHF for a period up to 10 years or indefinitely.
In addition, the IIHF securely disposes of such personal data when it is no longer required. Namely, once personal data no longer serves the above purposes, it will be deleted, destroyed, or permanently anonymized.
9.Security of personal data
The IIHF will use technical and organisational measures to protect Personal Data against the risks of damage, destruction, loss, or unauthorised access, in accordance with applicable laws.
To this end, the IIHF regularly performs professional IT security tests (penetration tests) with a specialized company. In addition, the IIHF recently underwent an IT audit specifically aimed at identifying data protection issues. Further, the IIHF conducts a by-yearly risk assessment with a specialized company to assess the risks that the IIHF faces, including in the data protection field.
10.Rights of Data Subjects
Data Subjects have the following rights over their Personal Data:
- The right to obtain confirmation as to whether or not their Personal Data are being Processed and, when it is the case, the right to access these Personal Data, as well as the right to obtain more information on the Processing;
- The right to rectify inaccurate Personal Data;
- In certain specific cases, the right to obtain the erasure of certain Personal Data;
- The right to restrict Processing in some cases;
- In certain cases, the right to object to the Processing of their Personal Data, for reasons relating to their particular situation, or, regardless of their particular situation, the right to object to the use of their Personal Data for marketing purposes;
- The right to withdraw their consent at any time, without affecting the lawfulness of the Processing if it is based on their consent, with regard to Processing or data transfers that are subject to their consent;
- The right to receive the Personal Data they have provided and/or the right to ask to transmit them to another controller if the Processing is based on their consent or on a contract and the Processing is automated.
In case Data Subjects wish to exercise any of these rights, or have any questions related to this Privacy Policy, they can contact the IIHF at privacy@iihfoffice.com.