Skip to content
Enforcement · GDPRhub EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

CJEU - C‑474/24 - NADA Austria and Others

How it connects

Full text

Facts — Several data subjects were subject to suspension proceedings by the Austrian Anti-Doping Legal Commission (ÖADR). Under Austrian law, the National Anti-Doping Agency (“NADA”) publishes the names of persons who have been suspended on its website. For the duration of the suspension, the website includes information such as the athlete’s name, sport practised, infringement of anti-doping rules, and the duration of the penalty. The ÖADR publishes the same information in a press release, with the addition of the prohibited substances involved. For this summary, both authorities are referred to as the controllers. The data subjects filed a complaint with the DPA on the grounds that the controllers refused their request to cease displaying their names and practised sports. They also argued that the controllers were processing sensitive data within the meaning of Article 9 and 10 GDPR, and that the undifferentiated publication system was incompatible with Article 6(3) GDPR. The DPA dismissed the complaint. In particular, one of the data subjects’ complaints was rejected on the grounds that the relevant data had not been published yet. The data subjects appealed the decision to the Federal Administrative Court (BVwG). The controllers argued that publishing the information in their website was lawful, as it was based on the legal bases of legal obligation (Article 6(1)(c) GDPR) and public interest (Article 6(1)(e) GDPR). The BVwG stayed proceedings and requested a preliminary ruling from the CJEU. The BVwG referred the following questions: Does the GDPR apply to the making information relating to athletes’ anti-doping violations publicly available through websites? If yes: Does information that an individual has committed a specific anti-doping violation fall under the scope of data relating to health within the meaning of Article 9 GDPR? Does the GDPR preclude national legislation from publishing the information mentioned above, if it does not make it possible to infer health data of the person concerned? Does the GDPR require a balancing test between the interests of the data subject and the interest of the general public of being informed of anti-doping violations every time anti-doping violations will be published? Does information that an individual has committed a specific anti-doping violation fall under the scope of data relating to criminal convictions within the meaning of Article 10 GDPR? If yes, must the decisions of the authority processing this data be subject to judicial review? Is filing a complaint before the processing takes place (but was processed during the proceedings) permissible? Or does it become permissible provided that at the time of the complaint there were specific indications that the processing was imminent or would take place in the near future? Advocate General Opinion — The AG gave his opinion on each question separately, with the exception of the third and fourth questions that were answered together. Question 1: Does the GDPR apply to the making information relating to athletes’ anti-doping violations publicly available through websites? — The AG first considered that the GDPR was applicable to this case. Under Article 2(2)(d) GDPR a situation falls outside of the scope of the GDPR when data is processed for the prevention, detection or prosecution of criminal offenses. This is because the Law Enforcement Directive (LED) applies. According to the AG, the GDPR may apply even if personal data relating to criminal convictions is processed if the controllers are not “competent authorities” within the meaning of Article 3(7) LED. If the controllers were competent authorities, the referring court would have to decide if the GDPR applies. The main question the AG addressed is whether the exception under Article 2(2)(a) GDPR applies, meaning the processing falls outside the scope of Union law; here, the AG noted that the exceptions are interpreted narrowly, and may only apply to activities intended to safeguard national security or activities classified in the same category. The AG concluded that the aim of combating anti-doping is not related to national security. The exception did not apply even if the activity fell under the competence of a Member State. Therefore, the GDPR was applicable. Question 2: Does information that an individual has committed a specific anti-doping violation fall under the scope of data relating to health within the meaning of Article 9 GDPR? — The AG first highlighted the sensitive nature of Article 9 GDPR data, which must be interpreted broadly. The AG also noted that the legal basis of the controller does not influence whether the data falls under the scope of health data. Beyond a medical context, the AG opined that the determining factor is whether it is possible to draw inferences about the health status of the data subject. In this case, the AG agreed with the reasoning of the DPA that only specific information relating to the infringements should be considered health data. This is because not all data revealed information related to the data subjects’ health. Specifically, the information regarding the anti-doping tests and its analysis should be considered health data. The AG noted that, while the name of the substance itself may not reveal information on health status, it may be possible to make indirect inferences. However, if the name is not included, the link to the health status of the data subject would be too indirect to fall under the scope of health data. Questions 5 and 6: Does information that an individual has committed a specific anti-doping violation fall under the scope of data relating to criminal convictions within the meaning of Article 10 GDPR, and must the decisions of the authority processing this data be subject to judicial review? — The AG first noted that the GDPR does not prohibit processing this data, but rather subjects it to enhanced scrutiny. The AG assessed whether the processing fell under the scope of Article 10 GDPR based on the three “Engel” criteria in ECtHR case Engel and Others v. the Netherlands. Anti-doping offenses under national law do not fall under the “criminal” classification according to Article 10 GDPR. However, the AG opined that article 10 GDPR applies if the convictions have a punitive purpose and have a degree of severity equivalent to a criminal penalty. This is a matter for the BVwG to decide. In terms of judicial review, the AG stated that the authority at issue is an “official authority” within the meaning of Article 10 GDPR. The wording itself of Article 10 GDPR does not provide for judicial review. However, the AG opined that it must be possible for an act following a decision by an official authority to be subject to judicial review. This is in light of Article 79(1) GDPR and a contextual interpretation of Article 10 GDPR. Questions 3 and 4: Does the GDPR preclude national legislation from publishing the information mentioned in the facts, and does it require a balancing test every time anti-doping violations will be published? — The AG considered, in essence, whether Articles 5(1)(a) and (c), and Article 6(3) GDPR precluded the controllers to publish the data concerned under legal obligation. The AG also considered whether the GDPR requires a case-by-case balancing of interests, or whether the proportionality test provided by the legislator is sufficient. The AG noted that the aim to deter athletes and prevent circumventing of anti-doping rules are legitimate public interest objectives in the context of combating doping in sport. Making this information public online is appropriate in order to achieve the public interest aims, with the exception of referring to the prohibited substance in question. According to the AG, this was not expressly provided for by national law, and is not required to achieve the public interests involved. However, the AG considered the publication of the personal data involved a serious interference with the fundamental rights of the data subjects. While national law provided exceptions on the publication of data (e.g. amateur athletes or vulnerable persons), the AG opined that the publication of personal data for an unlimited amount of time could be considered excessive. Therefore, the AG concluded that making this information publicly accessible is only permitted as long as it is proportionate. Finally, the AG opined that a case-by-case analysis is necessary, as the controllers must comply with data minimisation and accountability principles under the GDPR even if they are designated by national law. Question 7: Is filing a complaint before the processing takes place permissible? — Here, the AG stated that the wording of the GDPR does not seem to preclude a priori a precautionary or preventative approach by the supervisory authorities in handling complaints. Restricting the powers of a DPA to decide on cases involving processing that has already taken place would go against the objectives of the GDPR. Nonetheless, the alleged infringement of the GDPR must be appropriate, and the processing in question cannot be purely hypothetical. In this case, it would be impossible for a controller to erase data that has not been disclosed yet, unless the complaint is interpreted as seeking to prevent the data from being published. The AG stated that it is a matter for the BVwG to decide. The AG noted that the complaint would be inadmissible if it was based on Article 17 GDPR even if the processing is imminent. However, the AG opined that a complaint requesting injunctive relief is potentially admissible under the GDPR and Austrian law in the event of a threat of imminent unlawful interference with data subjects’ rights under the GDPR. This includes requesting the DPA to review a restriction of processing based on Article 18 GDPR before the start of the processing or if the processing has started, as long as the processing is not purely hypothetical. Finally, the AG considered whether a complaint could become admissible a posteriori. Here, the AG opined that it is a matter of the national law system to settle the question, while complying with the principles of effectiveness and equivalence. Holding — The Court held that the GDPR applied to the publication of information concerning anti-doping infringements. Such processing did not fall within the exception under Article 2(2)(a) GDPR, even if anti-doping policy primarily falls within Member State competence. Information that a data subject infringed anti-doping rules and was banned from competitions does not, in principle, constitute health data under Article 9 GDPR. However, it may do so where the publication identifies a prohibited substance or method and, together with other information, allows conclusions to be drawn about the data subject’s health. The Court accepted that combating doping and protecting the fairness and integrity of sport constitute objectives of general interest. Nevertheless, publishing athletes’ identities and sanctions online constitutes a serious interference with their rights. National legislation may therefore require such publication only where the controller can assess, in each case, whether the content and duration of the publication are necessary and proportionate. Publication should not continue longer than strictly necessary and may be disproportionate where a sanction is lengthy or lifelong. The Court also held that Article 10 GDPR did not apply, as the anti-doping infringements formed part of a disciplinary regime and were not criminal in nature. Finally, Article 77 GDPR allows a data subject to lodge a complaint before processing takes place where there are specific indications that the processing is imminent and not merely hypothetical. The DPA must assess the substance of such a preventive complaint. Holding — The Court held that the GDPR applied to the publication of information concerning anti-doping infringements. Such processing did not fall within the exception under Article 2(2)(a) GDPR, even if anti-doping policy primarily falls within Member State competence. Information that a data subject infringed anti-doping rules and was banned from competitions does not, in principle, constitute health data under Article 9 GDPR. However, it may do so where the publication identifies a prohibited substance or method and, together with other information, allows conclusions to be drawn about the data subject’s health. The Court accepted that combating doping and protecting the fairness and integrity of sport constitute objectives of general interest. Nevertheless, publishing athletes’ identities and sanctions online constitutes a serious interference with their rights. National legislation may therefore require such publication only where the controller can assess, in each case, whether the content and duration of the publication are necessary and proportionate. Publication should not continue longer than strictly necessary and may be disproportionate where a sanction is lengthy or lifelong. The Court also held that Article 10 GDPR did not apply, as the anti-doping infringements formed part of a disciplinary regime and were not criminal in nature. Finally, Article 77 GDPR allows a data subject to lodge a complaint before processing takes place where there are specific indications that the processing is imminent and not merely hypothetical. The DPA must assess the substance of such a preventive complaint. Comment — Share your comments here!

Similar Content