Personal Data Protection Policy

1. Definitions:

2. Introduction

2.1 This Personal Data Protection Policy sets out how the Saudi Arabian Anti-Doping Committee (“SAADC”) may deal with the personal information it collects from you within its Anti-Doping Program in accordance with the Saudi Arabia Personal Data Protection Law (SAPDPL) and the applicable rules in Saudi Arabia. This privacy policy is also informed by the World Anti-Doping Code (Code) and the International Standard for the Protection of Privacy and Personal Information (ISPPPI).

This Policy also sets out in general terms how Personal Information for anti-doping purposes will be processed by the SAADC in the course of administering and implementing the Saudi Anti-Doping Program.

SAADC compliance with this Data Protection Policy is mandatory. Any breach of this Data Protection Policy may result in disciplinary action.

2.2 This Data Protection Policy is an internal document and cannot be shared with third parties, clients, or regulators without prior authorisation from the SAADC.

3. Scope

3.1 SAADC recognises that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that SAADC always takes seriously.

3.2 All SAADC’s Personnel must comply with this Data Protection Policy and need to implement appropriate practices, processes, controls, and training to ensure that compliance.

3.3 The SAADC’s Legal Unit is responsible for overseeing this Data Protection Policy and, if applicable, developing Related Policies and Privacy Guidelines.

3.4 Please contact the SAADC for any questions about the operation of this Data Protection Policy or if you have any concerns that this Data Protection Policy is not being or has not been followed.

4. Personal data protection principles

4.1 SAADC adheres to the principles relating to Processing of Personal Data set out in the SAPDPL which require Personal Data to be:

4.1.1 processed lawfully, fairly and in a transparent manner;

4.1.2 collected only for specified, explicit and legitimate purposes and in a manner compatible with the purpose;

4.1.3 adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed;

4.1.4 accurate and where necessary kept up to date;

4.1.5 not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed;

4.1.6 Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction, or damage;

4.1.7 not transferred to another country without appropriate safeguards being in place; and

4.1.8 made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data.

5. Lawfulness, fairness, transparency

5.1 Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

5.2 The SAADC shall collect and process data for specific purposes, some of which are set out below:

5.2.1 To meet SAADC legal compliance obligations;

5.2.2 To protect the Data Subject’s vital interests;

5.2.3 To pursue SAADC legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects.

5.2.4 The performance of any task carried out by a public authority;

5.2.5 The purpose of historical, statistical, journalistic, literature and art or scientific research.

5.3 SAADC must identify and document the legal ground being relied on for each Processing activity in accordance with the laws for Processing Personal Data.

5.4 SAADC must also check that the Personal Data was collected by the third party in accordance with the SAPDPL and on a basis which contemplates SAADC’s proposed Processing of that Personal Data.

5.4.1 Collected PD will be used in the process of evaluation and investigation. It could be used for other purposes in accordance with the World Anti-Doping Code (Code), the International Standards, and the anti-doping rules of ADOs with authorities that are involved in the Anti-Doping program, including:

  • Results management in case of adverse analytical findings and in investigations
  • For the Eligibility for a TUE
  • For testing criteria and target testing
  • For publishing on the EGYNADO website AFTER FINAL decisions of an ADRV including (Name, Sport, Sanction duration and prohibited substance found)

6. Consent

6.1 If consent, legitimate interest, or executing an agreement in which the Data Subject is a party is the legal basis for processing Personal Data as provided in the SAPDPL.

6.2 Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured.

6.3 SAADC needs to evidence Consent captured and keep records of all Consents so that the SAADC can demonstrate compliance with Consent requirements.

7. Purpose limitation

7.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

8. Use

8.1 Providing anti-doping education to you

8.2 Planning and conducting anti-doping tests, and locating you for these tests using the whereabouts information you submit.

8.3 Analyzing the results from your biological samples

8.4 Analyzing and following up on the recommendations and results of your passport (Athlete Biological Passport or ABP).

8.5 Enforcing the Saudi Anti-Doping Rules in Sport by identifying anti-doping rule violations, issuing charges, and managing related proceedings.

8.6 Processing requests to grant or recognize any therapeutic use exemptions (TUE) you apply for.

8.7 Gathering intelligence and conducting investigations to better target testing activities and identify anti-doping rule violations, including cooperating with law enforcement.

8.8 Communicating with you for the purposes described above.

8.9 Coordinating and collaborating with other ADOs, for example, by sharing intelligence to better target our testing activities or by sharing information about our education program to avoid duplication

8.10 Reporting on our anti-doping activities to WADA to demonstrate our compliance with the Code and International Standards

9. TYPES OF RECIPIENTS

9.1 Your Personal Data, including your medical or health information and records and any results included in the ADAMS or Sample collection data, may be shared with the following:

  • ADO(s) responsible for making a decision and will also be made available to ADOs with testing authority and/or results management authority over you;
  • WADA authorized staff;
  • Laboratories and Athlete Passport Management Units that analyze anti-doping samples and the Athlete Biological Passport. They are subject to the International Standard for Laboratories, and only have access to coded data (based on sample codes or passport IDs);
  • Delegated third parties and other service providers that we hire to help us carry out anti-doping activities and maintain our operations. We require delegated third parties and service providers to agree to strict contractual controls designed to protect your personal information.
  • Members of the TUE Committees (TUECs) of each relevant ADO and WADA; and
  • Other independent medical, scientific, or legal experts, if needed in case of TUE request.
  • Major Game Organizers when relevant.
  • Public authorities responsible for enforcing sport and anti-doping laws and for investigating offences tied to doping in sport.
  • If Data Subject is found to have committed an anti-doping rule violation and receives a sanction as a result, then SAADC may need to publish his/her name, sport, the anti-doping rule violated and why it was violated, as well as the consequences.
  • Due to the Sensitivity of Personal information only a limited number of ADO and / or WADA staff will receive access to Personal information according to the process needs. ADOs (including WADA) must handle Personal Data in accordance with the International Standard for the Protection of Privacy and Personal Information (ISPPPI).
  • Athlete’s Personal Data will also be uploaded to ADAMS by the SAADC staff who receives Athlete’s application and are only approved to do so after signing a privacy agreement and if access is needed by other parties through ADAMS when necessary.

10. Data minimisation

10.1 Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed.

10.2 SAADC may only Process Personal Data when performing job duties requires it; it cannot Process Personal Data for any reason unrelated to anti-doping purposes.

10.3 SAADC must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the SAADC’s Data Retention Policy.

11. Accuracy

11.1 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

11.2 SAADC must be sure that the Personal Data it uses and holds is accurate, complete, kept up to date and relevant to the purpose for which it was collected. SAADC must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

12. Retention

12.1 Personal Data will be kept in accordance with the criteria and retention periods set out in Annex A of the ISPPPI. Retention periods can be extended where required by law or for the purpose of conducting an anti-doping investigation or proceeding.

12.2 Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

12.3 The SAADC will maintain retention policies and procedures to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires that data to be kept for a minimum time.

12.4 SAADC must keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which SAADC originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

12.5 SAADC shall take all reasonable steps to destroy or erase from its systems all Personal Data that it no longer requires, in accordance with all the ISPPPI retention policies.

 

13. Security integrity, confidentiality, and Protecting Personal Data

13.1 All the personal information, including medical information, findings and records, and any other information related to the Athlete must be handled carefully in accordance with rules in the ISPPPI.

13.2 Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction, or damage.

13.3 SAADC will develop, implement, and maintain safeguards appropriate to SAADC size, scope, business, available resources, the amount of Personal Data that SAADC owns or maintains on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). SAADC will regularly evaluate and test the effectiveness of those safeguards to ensure security of SAADC Processing of Personal Data. The SAADC is responsible for protecting the Personal Data it holds. It must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. It must also exercise particular care in protecting Special Categories of Personal Data from loss and unauthorised access, use or disclosure.

13.4 All of SAADC’s personnel and other third parties who may have access to Personal information of an athlete according to case-by-case basis must sign confidentiality and privacy agreements to ensure privacy and trust.

13.5 SAADC must adopt measures, including administrative, technical, physical and contractual measures, to protect personal information in its custody and control against theft, loss and unauthorized access, use, modification or disclosure.

13.6 The SAADC shall restrict access to personal information on a need-to-know basis to employees and authorized delegated third parties and service providers who require access to fulfil their designated functions. The anti-doping organizations sharing personal information with the SAADC are bound by the same standards as SAADC when they handle Personal Data. These standards are described in the International Standard for the Protection of Privacy and Personal Information.

13.7 The SAADC shall maintain data security by protecting the confidentiality, integrity, and availability of the Personal Data, defined as follows:

13.7.1 Confidentiality means that only people who have a need to know and are authorised to use the Personal Data can access it;

13.7.2 Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed; and

13.7.3 Availability means that authorised users are able to access the Personal Data when they need it for authorised purposes.

14. Personal Data Breach

14.1 The SAADC must put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable authority where SAADC is legally required to do so.

15. Your Rights

15.1 Data Subjects have rights when it comes to how SAADC handles their Personal Data. These include rights to:

15.1.1 Revoke Consent to Processing at any time;

Data Subject has the right to revoke the use of personal information at any time, including, for example, the authorization to their physician to release medical information (as described in the Athlete Declaration in the TUE). To do so, Data Subject must notify his/her ADO. If Data Subject withdraws consent or objects to the PI processing, the TUE will likely be rejected, and this can cause the Athlete’s ineligibility for future sports participation, as ADOs will be unable to properly assess PI in accordance with the Code and International Standards.

In rare cases, it may also be necessary for ADOs to continue to process PI to fulfil obligations under the Code and the International Standards, despite Data Subject’s objection to such processing or withdrawal of consent (where applicable). This includes processing for investigations or proceedings related to ADRV, as well as processing to establish, exercise or defend against legal claims involving Data Subject, WADA and/or an ADO.

15.1.2 Request access to their Personal Data that SAADC holds;

15.1.3 Ask to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;

15.1.4 Restrict Processing in specific circumstances;

15.1.5 Request a copy of your Personal Data

15.2 SAADC must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).

16. Changes to this Data Protection Policy

16.1 SAADC shall keep this Data Protection Policy under regular review.

16.2 This Data Protection Policy does not override any applicable national data privacy laws and regulations.

Contact Us

Please Contact Us to exercise your rights or if you have questions or complaints about how we handle personal information.