As an organisation registered in Germany, IBSA complies with the European General Data Protection Regulation (GDPR).
IBSA is committed to protecting information and your privacy. This statement is made in order to comply with best practice regarding Data Protection and to inform on IBSA’s data processing practices which will govern the processing of personal data.
As a membership organisation, IBSA also expects and encourages all Member Organisations, Local Organising Committees and other organisations who conduct activity on behalf of IBSA to comply with the relevant local legislation and good practice in their area.
2 How does IBSA collect information?
IBSA will obtain personal information in a number of ways. This might include:
- when registering as a member organisation representative
- when applying for athlete classification
- when entering an event, competition, conference or meeting
- when elected to or applying for, an official position within the organisation
- when making a donation, general enquiry or complaint
- when participating in a research programme or activity
- when involved in mandatory programmes such as anti-doping
- when visiting IBSA social media pages
3 What information does IBSA collect?
The types of information IBSA collects will be relevant and proportional to the purpose for which it is being collected and may include names, addresses, dates of birth, gender, email addresses, telephone numbers, sport history, medical information relating to classification, medical conditions that may affect safe participation in events, credit/debit card or bank account information, work history/qualifications and experience.
4 How does IBSA use personal information?
IBSA will use personal information:
- to provide the information or service a person has requested
- to uphold the principles of athlete classification
- to ensure compliance with doping control and uphold the principles of fair sport
- to ensure the successful and safe delivery of events and competition
- for administration and membership management purposes
- to further IBSA’s charitable aims and to comply with the law.
- as part of research programmes
IBSA will not share personal information with other third-party organisations including corporate and media partners that we may work with, unless we have a persons specific consent.
However, in certain circumstances, and where it is an essential part of providing the service requested (for example event entry or managing athlete eligibility and classification) IBSA may share personal information with specific partner organisations, member organisations and legal authorities.
IBSA will never sell personal details or the information we hold.
IBSA will publish certain athlete information (name, nationality, date of birth, gender, sport and classification status) in the IBSA Classification Master List which is an essential service.
5 Data controller
The IBSA Executive Director will be the person with responsibility for data protection and management within the organisation.
6 Data storage and external processors
IBSA uses third party organisations to store and manage data, for example cloud-based services. We will only use reputable suppliers and ensure that all such services are compliant with the GDPR and that appropriate security measures are implemented.
Where personal information is used by Local Organising Committee, we will require that organisation to develop suitable data protection policies, and to destroy all information held (unless needed for any insurance or legal purposes) within 12 months of the conclusion of that event except where consent to retain data has been given.
7 The IBSA website, use of ‘cookies’ and analytics
‘Cookies’ are small pieces of information sent to a computer and stored on a hard drive when visiting the IBSA website.
Analytics information allows IBSA to track visitors to the IBSA website and social media channels.
Both cookies and analytics information collected by IBSA is non-identifiable, i.e. we cannot identify an individual person, however in line with good practice we will only collect cookies where a visitor has given us permission to do so when entering the site.
A visitor can change their cookie preferences at any time by amending the settings in their web browser.
IBSA will retain analytics information for up to 50 months from the most recent visit.
8 Data retention
IBSA takes appropriate measures to ensure that the information we hold is kept secure, accurate and up to date and kept only for so long as is necessary and for the purposes for which it is used.
When data is destroyed, it will be destroyed securely in accordance with best practice at the time of destruction.
For some legal processes and essential services (such as information regarding athlete eligibility, doping control and competition results) it is necessary for IBSA to retain data indefinitely.
Information relating to officers and staff will be retained for the legally necessary period or five years after the person has left, whichever is the longer.
9 Under 18-year olds
The parent/guardian’s, or the persons legal representative, will normally need to give permission before IBSA can hold information concerning anyone under the age of 18.
10 Informed consent
The parent/guardian’s, or the persons representative, will normally need to give permission before IBSA can hold information concerning anyone who is above the age of 18, but is without legal capacity to give informed consent.
In many cases the representative will be the IBSA member organisation representative.
12 Right of access and rectification
Individuals have the right to ask for a copy of the information held (for which IBSA may charge a small administration fee) and to have any inaccuracies corrected. Such requests should be made in writing to the data controller.
13 Right to be ‘forgotten’
Subject to the provisions regarding essential services described above, individuals have the right to request IBSA to delete all personal information we hold about that person any time with the exception of the data mentioned under article 8. This request must be made in writing to the data controller.
14 Changes to this policy