Date of Issue: 1 March 2021

Our daily business as a sports federation necessarily involves the processing of personal data. However, rest assured that the protection of your personal data is important to us. This is why we endeavour to adhere as much as possible to the principle of data economy before starting any data processing, i.e. to process as little personal data as possible.This privacy policy informs you about our use of personal data and about your related rights.As we process personal data in different contexts, this privacy policy contains a general part applying to all of our processing of personal data (section A. below) before setting out specifics with respect to personal data processed in the context of our website (section B. below), athletes(section C. below), applicants for jobs (section D. below) and employees (section E. below).

A. GENERAL PART

1. Introduction

This privacy policy serves to fulfil the requirements of the General European Data ProtectionRegulation (GDPR) and applicable national law. The GDPR is applicable whenever data is processed related to citizens from a member state of the EU or by a controller inside the EU.

2. Definitions

2.1. "Personal data“ and “data subject”

The term “personal data” means all data that relate to an identified or identifiable natural person. Such person is referred to as the “data subject”. A person can be identified as far as he or she can be identified directly or indirectly (e.g. by assignment to his name, an online identifier, tophysiological characteristics etc.).

2.2. „Processing“

The term “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.3. „Controller“

The term „controller“ refers to the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or EU Member State law, the controller or the specific criteria for its nomination may be provided forby EU or EU Member State law. Pursuant there to, we, the International Wheelchair Basketball Federation (IWBF) c/o Fédération Internationale de Basketball 5 Route Suisse1295 Mies Switzerland are the responsible controller regarding the processing of your personal data. Our data protection officer is Mr. Robin Römer. You can contact him at the following email address: data.protection@iwbf.org

2.4. „Processor“

The term “processor” refers to a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. If we use processors who process data following our instructions and for the purposes we have specified, we will inform you accordingly.

2.5. „Recipient“

The term “recipient” means a natural or legal person, public authority, agency or another body, to which personal data are disclosed, whether it is a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with European EU or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

2.6. „Third party“

The term “third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

2.7. „Consent“

A “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2.8. „Data concerning health“

The term “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

3. Data Subject Rights – Your Rights

Although this privacy policy contains sub-sections for specific contexts of data processing (see section B. through E. below), you have the same rights in all contexts in which we process your personal data. These rights are explained below in more detail. You also have the possibility to contact us at any time if you have any questions about the scope of your rights. You can find our contact details above in section 2.3. Moreover, you can contact our data protection officerat any time. When we process your personal data, you have the following rights:

3.1. Right to Information and Access (Article 12, 15 GDPR)

You have the right to ask at any time whether and which of your personal data is processed byus. Furthermore, you have the right to request access to the personal data that we hold of you.

3.2. Right to Rectification and Erasure (Article 16, 17 GDPR)

You have the right to request a correction of your personal data at any time, for example if it is incorrect or incomplete. You also have the right to request that we erase your personal data, for example if it is no longer required for the original purpose of processing, if it has been incorrectly processed, or if you have revoked your consent to data processing or objected data processing. If statutory obligations conflict with your right to erasure, we will block your personal data and only keep it for the purpose of statutory storage.

3.3. Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that the processing of your personal data shall be restricted, for example if data has been incorrectly processed. We will inform you of any correction, deletion or restriction of the processing of your personal data.

3.4. Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine readable format, and the right that we transmit your personal data to another controller.

3.5. Right to Withdraw Consent

You have the right to withdraw at any time any consent that you may have granted to the processing of your personal data.

3.6. Right to Object (Article 21 GDPR)

As far as your particular situation so justifies, you have the right to object to the processing of your personal data at any time, insofar as this processing is based on Article 6 para. 1 lit. e and f GDPR. In case of your objection, we will no longer process your personal data, unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend our legal claims.

3.7. Right to Complain

You have the right to lodge a complaint with the supervisory authority responsible for you. This can be the supervisory authority located in the EU Member State in which you are staying, in which you live or in which the provisions of the GDPR may have been violated.

4. Changes to this Privacy Policy

This privacy policy is subject to change in order to adapt new legal requirements or react to changed circumstances. We will notify you immediately about any changes to our privacy policy. Such notification may be effected electronically, e.g. by posting it on our website.5. Data Transfer to Third CountriesThe data processing described in this privacy policy can lead to data transfers to third countries outside the scope of application of the GDPR. For those cases, we would like to inform you that the EU Commission has prepared standard contractual clauses or declared adequacy decisions, which can both ensure that the processing of your personal data in third countries will be dealt with the same level of protection as in the EU. In the absence of standard contract clauses or adequacy decisions, the processing of your personal data will be based on your freec onsent and can lead to a data protection level lower than applicable in the EU (Article 49GDPR).

We will inform you about any particular data transfer to third countries and ask for your consent.B. DATA PROCESSED IN THE CONTEXT OF OUR WEBSITEThe following is a full description of our information gathering and dissemination practices forwww.iwbf.org (“the website”) and the IWBF newsletter. It sets out how we collect and process any personal data that you provide to us by visiting our website or registering for our newsletter.

1. Categories of Data Processed and Why We Process It

When you visit our website, your web browser automatically transmits data to us. These datainclude the following:(i) Type and version of your browser(ii) Operating system used(iii) Referrer URL(iv) Host name of the accessing computer(v) Time of the server request(vi) IP-Address(vii) Date of the server request(viii) Name of the file requested(ix) Website from which a file was requested at a certain time(x) Status of the access (e.g. data has been transferred, data does not exist)We use your personal data to ensure the security and functionality of our website and to analyseyour user behaviour, both of which are in our legitimate interest according to Article 6 para 1lit. f GDPR and enable us to optimize the use of our website.

2. Contact Forms

You have the option of communicating with us by using the contact form on our website. In order to be able to use it, we need your e-mail address to respond to your request. We also need your name to be able to address you. The two blank spaces in which you must enter your name and email address are marked as mandatory fields. The other blank spaces do not have such an identification. The legal basis for this data processing is your voluntarily given consent in accordance with Article 6 para 1 lit. a GDPR, subsidiarily our legitimate interest according toArticle 6 para 1 lit. f GDPR in being able to respond to your communication. Your information will be stored for no longer than a month for customer service purposes. The information submitted through the contact form is not used for marketing purposes.

3. Newsletter

You have the opportunity to register for our newsletter via our website. We only need your email address to be able to send our newsletter to you. Only after successful completion of a double opt-in process you will receive our newsletter. A double-opt-in process requires in a first step your consent for receiving the newsletter and in a second step the verification of a link sent to you via e-mail to confirm that you registered for the newsletter yourself. At any time, you have the right to view your declaration of consent or to unsubscribe from the newsletter.Corresponding links are implemented in every newsletter. If you unsubscribe from our newsletter, we will immediately delete your contact details from our newsletter distribution list.The legal basis for this processing of your personal data is your voluntarily given consent according to Article 6 para 1 lit. a GDPR.

Your personal data is primarily used to send you the newsletter and to be able to prove your given consent to receiving the newsletter. In addition, we also evaluate user behaviour when sending out newsletters. In this respect, we process and save the time of the retrieval of the newsletter, the opening of links, your IP address, your browser type and your operating system. For this purpose, we use so-called web beacons, i.e. short code characters. The data is only collected in pseudonymized form, i.e. we can not establish a personal relation or reference to you. We use the data to create statistics to improve our offers and services. The legal basis for this kind of newsletter tracking is also your voluntarily given consent according to Article 6 para 1 lit. a GDPR. You can avoid this kind of tracking if you have deactivated the display of images by default in your e-mail program.

In this case, however, the newsletter will not be displayed fully and you may not be able to use all of its features.The service provider for sending our newsletter is Mail chimp (you can consult their privacy policy here: https://mailchimp.com/legal/privacy/).

This may result in the transmission of data to a so-called third country outside the EU. For this refer to the separate section “Data transfer to third countries” (see section A.5 above).

4. Cookies & Web Analytics Services

When using our website, your interaction is tracked using cookies and web analytical services to improve our website and adapt it to new developments. Cookies are small files that are stored on your hard drive. The storage of cookies enables easier navigation and a higher degree of user-friendliness of our website.When you visit our website for the first time, we will inform you immediately of all cookies we use and the purpose of using them. At the same time, we will also ask you for your consent to the use of cookies. You will have the possibility to choose between different cookie settings, e.g. between cookies necessary to use the website or cookies used for marketing purposes.

You also have the option to use our website without cookies, but this may limit its functionality. Most web browser are set to accept cookies. You can change this for the current or any future sessions in the settings of your web browser. The legal basis for processing your personal data via cookies is your voluntarily given consent according to Article 6 para 1 lit. a GDPR. a) Google AnalyticsFor the purpose of statistical analysis and optimisation of our website, we use Google Analytics, a web analysis service from Google Inc. (“Google”). The provider of this service is GoogleInc., 1600 Amphitheatre Parkway Mountain View, CA 94043 USA.

Google will use the information on our behalf to evaluate your use of the website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage.According to Google, requests regarding data protection should be addressed to Google

Ireland Limited, Barrow Street, Gordon House, Dublin 4, Ireland.

Google Analytics uses its own cookies to analyse your use of the website. The information following from this analysis is usually transferred to Google servers in the USA and stored there. In order to prevent the personalization of this data, your IP address is anonymized by shortening it. Therefore, we cannot determine to which user an IP address can be assigned. Only in exceptional cases, the full IP address is transmitted to a Google Server in the USA and will be anonymized there.Google is not allowed to merge the IP address transmitted by your browser as part of GoogleAnalytics with any personal data. That said, you can also prevent Google from storing cookies by changing your cookie settings in your web browser as described in the “Cookies” section of this data protection declaration. We would like to remind you that in this case, you might not be able to use all functions of our website.

This applies also if you withdraw your consent towards Google to set cookies, which you can do by installing a plug-in available for your browser. You can find the plug-in under “Downloads” if you follow this link:

http://tools.google.com/dlpage/gaoptout?hl=de

You can also prevent the placing of cookies by Google by using the following link. If you use this link, a so-called “Opt-Out-Cookie” will be placed on your hard drive and prevents the future placement of cookies by Google.

https://tools.google.com/dlpage/gaoptout?hl=de

The usage of Google Analytics might lead to a data transmission to the USA. For this kind of data transfer to so-called third countries, we refer to the section “Data transfer to third countries” (see section A.5 above)

‍

5. Social Media Plugins

Our website includes plugins of different social media networks as follows.

5.1. Facebook Plugins (Like & Share-Button)

The provider of this social media plugin is the Facebook Ireland Limited, 4 Grand Canal Square,Dublin 2, Ireland. According to Facebook, the data processed by plugins is also transferred to the USA and other third countries. You can identify Facebook plugins by the Facebook logo or the “Like-Button” on our website.When using this website, a direct connection will be established between your browser and theFacebook servers. Facebook therefore receives the information that you have visited our website with your IP address. By clicking the Facebook “like button” while being logged in in your Facebook account, you can link the content of this website to your Facebook profile.

Also, Facebook will be able to link your visit of our website to your Facebook account. We would like to inform you that we as the host of this website have no influence on the content transferred to Facebook and the processing of this data by Facebook. Facebook’s privacy policy can be found here:

https://www.facebook.com/policy.php.

If you would like to prevent Facebook from linking your visit of our website to your Facebook account, please make sure to log out from Facebook before visiting our website.The legal basis for our using Facebook plugins is our legitimate interest (Article 6 para 1 lit. fGDPR) to be visible in social networks.As far as we process personal data via Facebook plugins, you have all the rights mentioned in section A.3 above. As far as Facebook processes data in their own responsibility, you should address your requests regarding data protection directly to Facebook. Of course, you can also send us your request to Facebook and we will forward it for you. The usage of the Facebook plugin might lead to a data transmission to the USA. For this kind of data transfer to so-called third countries, we refer to the section “Data transfer to third countries” (see section A.5 above).

5.2. Twitter

The provider of this social media plugin is the Twitter International Company,

One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland.

According to Twitter, the data processed by plugins might also be transferred to the USA and other third countries. You can identify Twitter plugins by the Twitter logo on our website.When using this website, a direct connection will be established between your browser and theTwitter servers. Twitter therefore receives the information that you have visited our website with your IP address. Twitter will be able to link your visit of our website to your Twitter account. We would like to inform you that we as the host of this website have no influence on the content transferred to Twitter and the processing of this data by Twitter. Twitter’s privacy policy can be found here:

https://twitter.com/en/privacy.

If you would like to prevent Twitter from linking your visit of our website to your Twitter account, please make sure to log out from Twitter before visiting our website. The legal basis for our using Twitter plugins is our legitimate interest (Article 6 para 1 lit. fGDPR) to be visible in social networks. As far as we process personal data via Twitter plugins, you have all the rights mentioned in section A.3 above. As far as Twitter processes data in their own responsibility, you should address your requests regarding data protection directly to Twitter. Of course, you can also send us your request to Twitter and we will forward it for you. The usage of Twitter plugins might lead to a data transmission to the USA. For this kind of data transfer to so-called third countries, we refer to the section “Data transfer to third countries”(see section A.5 above).

5.3. Instagram

The provider of this social media plugin is the

Instagram Inc., 1601 Willow Road, MenloPark, CA 94025, USA.

According to Instagram, the data processed by plugins might also be transferred to the USA and other third countries. You can identify Instagram plugins by the Instagram logo on our website. When using this website, a direct connection is established between your browser and theInstagram servers. Instagram therefore receives the information that you have visited our website with your IP address. Instagram will be able to link your visit of our website to yourInstagram account. We would like to inform you that we as the host of this website have no influence on the content transferred to Instagram and the processing of this data by Instagram.

Instagram’s privacy policy can be found here:

https://help.instagram.com/519522125107875.

If you would like to prevent Instagram from linking your visit of our website to your Instagram account please make sure to log out from Instagram before visiting our website. The legal basis of our using Instagram plugins is our legitimate interest (Article 6 para 1 lit. fGDPR) to be visible in social networks. As far as we process personal data via Instagram plugins, you have all the rights mentioned in section A.3 above. As far as Instagram processes data in their own responsibility, you should address your requests regarding data protection directly to Instagram. Of course, you can also send us your request to Instagram and we will forward it for you. The usage of Instagram plugins might lead to a data transmission to the USA. For this kind of data transfer to so-called third countries, we refer to the section “Data transfer to third countries”(see section A. 5 above).

5.4. YouTube

Our website not only uses a plugin of the video platform YouTube but also other functions ofYouTube, such as videos from YouTube shown on our website. The provider of this service is the

Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 USA.

According to Google, any request regarding data protection should be addressed to

Google Ireland Limited, Barrow Street, Gordon House, Dublin 4, and Ireland.

According to Google, the data processed by plugins might also be transferred to the USA and other third countries. You can identify YouTube plugins and functions by the Instagram logo on our website. When using this website, a direct connection is established between your browser and the YouTube servers. YouTube therefore receives the information that you have visited our website with your IP address. YouTube will be able to link your visit of our website to your YouTube account in case you are registered at and logged onto YouTube (which also can be used without registration).

We would like to inform you that we as the host of this website have no influence on the content transferred to YouTube and the processing of this data by YouTube. YouTube’s privacy policy can be found here:

https://policies.google.com/privacy?hl=en.

If you want to prevent YouTube from assigning your visit to our website to your YouTube account, please make sure to log out from YouTube before visiting our website. The legal basis of our using YouTube plugins is our legitimate interest (Article 6 para 1 lit. fGDPR) to be visible in social networks. As far as we process personal data via YouTube plugins, you have all the rights mentioned in section A.3 above. As far as YouTube processes data in their own responsibility, you should address your requests regarding data protection directly to YouTube. Of course, you can also send us your request to Instagram and we will forward it for you.

The usage of YouTube plugins might lead to a data transmission to the USA. For this kind of data transfer to so-called third countries, we refer to the section “Data transfer to third countries”(section A.5 above).6. Embedded Content From Other WebsitesArticles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

7. Facebook Fanpage

For communication or information purposes, you can also use our Facebook Fanpage, at theFacebook Network, provided the

Facebook Ireleand Ltd., 4 Grand Canal Square Dublin 2, Ireleand.

The use of our Fanpage might lead to statistical data collection by Facebook provided to us, for example by Facebook sending us statistical data on likes, comments, etc. At the same time, Facebook can and usually does collect your personal data on its own responsibility and for its own purposes. If Facebook collects data for us, the principles listed in this privacy policy apply, in particular your rights as set out in this declaration. We use the statistical data delivered by Facebook to optimize the use of our website. This also establishes our legitimate interest for processing your data according to Article 6 para 1 lit. f GDPR.

As far as Facebook processes your personal data at its own responsibility and for its own purposes, the processing of data follows the principles and policies established by Facebook

(Facebook’s privacy policy can be found here. https://www.facebook.com/policy.php).

Any request regarding this type of data protection should be directed to Facebook. Of course, you can also contact us in this regard and we will forward your request to Facebook.8. Storage DurationWe will store your personal data for as long as necessary to fulfil the purpose of processing, in particular as far as legal or contractual obligations exist to store data. Once you withdraw your consent or object to data processing, we will delete your data immediately, unless we need your data until the expiry of the legal period in which claims can be brought to court under civil law.

9. Security

We have implemented reasonable technical and organisational measures designed to secure your personal information from accidental loss and from unauthorised access, use, alteration or disclosure. However, the internet is an open system and we cannot guarantee that unauthorised third parties will never be able to defeat those measures or use your personal information for improper purposes.If you communicate with us by e-mail, you should note that the secrecy of e-mail is not guaranteed.

By sending sensitive or confidential e-mail messages that are not encrypted, youaccept the risk of a possible lack of confidentiality.

C. DATA PROCESSED IN RELATION TO ATHLETES

As an Athlete whose Data is processed by and/or transferred to us, we would like to assure youthat we take your privacy very seriously. In particular, we are aware of the highly sensitivenature of some of the personal data transferred to us, including your sports class. However, toensure fair competition, we are obliged to process such highly sensitive data and transfer it tothird parties, in particular the IPC.

This privacy policy is meant to explain to you how we process your data.

1. Categories of Data Processed

We process the following personal data:

1.1. Data Not Concerning Health:

(i) First name

(ii) Last name

(iii) Birth Date

(iv) Gender

(v) Country

(vi) Country of Birth

(vii) Country Code(

viii) Zone

‍

1.1.1. The Purpose of the Processing

We process your data to ensure the administration of your player profile. This is necessary to enable your participation in wheelchair basketball competitions. Moreover, we need this data to contact you in case of uncertainties, administrative questions etc.

1.1.2. Legal Basis for the Processing

The legal basis for the processing is your voluntarily given consent according to Article 6 para1 lit. a GDPR. Subsidiarily, the legal basis for the processing of your data is Article 6 para 1 lit.f GDPR, since the data is needed to fulfil our legitimate interest of working as an international sports federation with administrative and organizational duties in the field of wheelchair basketball.

Moreover, the processing of the above-mentioned data is necessary for the performance of the IWBF Athlete Agreement (Article 6 para 1 lit. b GDPR).1.1.3. Storage DurationWe will store your personal data for as long as necessary to fulfil the purpose of processing, in particular as far as legal or contractual obligations exist to store data. Once you withdraw your consent or object to data processing, we will delete your data immediately, unless we need your data until the expiry of the legal period in which claims can be brought to court under civil law or in order to fulfil our duties and responsibilities as an international sports federations.

1.2. Data Concerning Health

Moreover, we process data of a highly sensitive nature, in particular data concerning health.We are aware of the highly sensitive character of these data and try to minimize the amount of such data collected, in particular in this category. However, it is necessary for us to process in particular the following data concerning health:

• Classification Level (indicates whether the athlete was classified by an international classification panel entitling her/him to participate at all IWBF events or whether the athlete was classified by a panel of an IWBF Zone not entitling her/him to participate at IWBF events of an international level)

• Year Classified (year in which the athlete was classified for the participation in competitions)

• License Number (the athlete’s license number is automatically generated by the database system)

• Card License (six-digit number indicated on the athlete’s ID card. The first two digits show the athlete’s year of classification and the last four digits display the athlete’s license number)

• Classifiers’ Code (the name initials of the members of the panel that classified the athlete when she/he started her/his career as international licensed player. These initials are indicated on the athlete’s ID card)

• Sport Class (a category of competition indicating the extent to which the athlete can perform the specific tasks and activities required by wheelchair basketball due to her/his impairment)

• Sport Class Status (indicating the extent to which the athlete may be required to have his sport class (re-)assessed, or that his sport class is subject to any objection)• Biometric or Non-Biometric Photos

• Medical History of the Athlete (but only in so far as it is relevant for the impairment)

• Information from X-Rays and MRI Data• Results of Muscle Power Testing and Range Movement

• Information on Underlying Health Condition(s)

• Information on Doping Controls (Date, Place, Result, etc.)

• Scanned Copy of the Athlete’s ID Card

• Playing Status (information on whether the athlete is still actively playing)

• Master List Consent (information on whether the athlete gave his consent to be on the classification master list [you find further information on this list below under 2.1])

• On Master List (information on whether the athlete is named on the classification masterlist)

• Master List Remark (information on the IWBF’s option to make a remark regarding the athlete on the classification master list)

1.2.1. Purpose of Processing Data Concerning Health

The purpose of processing data concerning health is to ensure fair competition among different athletes in wheelchair basketball.

1.2.2. Legal Basis

The legal basis for the processing of data concerning health is the consent of the athlete, Article9 para 2 lit. a GDPR. The consent can be withdrawn at any time. Furthermore, in particular the sport class and sport class status are made public (Article 9 lit. eGDPR) for and by every athlete who competes in competitions that feature public player presentations, box scores or live stats. Moreover, the processing of the above-mentioned data is necessary for the performance of the IWBF Athlete Agreement (Article 6 para 1 lit. b GDPR).Due to the special needs of an athlete agreement in the context of a para sport environment, we need to process the above-mentioned data to fulfil our duties as a para sports federation.

1.2.3. Storage Duration

The data concerning health transferred to us will be stored for as long as the athlete is competing on an international level in wheelchair basketball or is willing to do so. One year after the official end of the player’s international playing career the data concerning health will be deleted if there are no legal requirements that oblige the IWBF to store the data for a longer period.

2. Data transferred to the IPC; National Olympic Committees and NationalFederations

2.1. Legal Basis, Purpose of the Processing and Recipients of the Data

In order to enable athletes to compete in all wheelchair basketball competitions governed by the regulations of theInternational Paralympic Committee (Adenauerallee 212-214, 53113 Bonn, Germany),we must abide by the IPC’s regulations. According to Article 9 of the IPC Athletes Classification Code, the IWBF is obliged to assist in the process of athlete classification. This process serves to ensure that only athletes whose impairments satisfy the IPC’s eligibility requirements can compete in international competitions.

As part of this process, pursuant to Article 9.1. of the IPC Athletes Classification Code, theIWBF must maintain a so-called “Classification Master List”, which must identify all athletes that enter international competitions and should include at least the following information:

(i) Name

(ii) Gender

(iii) Year of birth

(iv) Country and

(v) Sport class (see explanation above at 1.2)(vi) Sport class status (see explanation above at 1.2)

According to Article 9.2. of the IPC Athletes Classification Code, the IWBF must make its Classification Master List available to its respective National Federations, the relevant NationalParalympic Committees and to the IPC.For personal data processing under the scope of application of the GDPR, please note the following:

2.1.1. Data (i)-(iv) (Name, Gender, Year of Birth, Country)

Any consent given by the athlete for the purpose mentioned above falls under Article 6 lit. aGDPR. The athlete is therefore free to refuse to give (or to later withdraw) such consent to the processing of the athlete’s data.

However, the IWBF has limited influence on any possible consequences of an athlete not being listed in the Classification Master List with the information required by the IPC, due to the athlete’s refusal to consent to such data processing. Possible consequences such as the exclusion from international competitions are mainly governed by the regulations of the IPC.

The IWBF also refers to Article 6 lit. f GDPR. Due to its legal duty to create the ClassificationMaster List, the IWBF has a legitimate interest to forward the above-mentioned Data (i) – (iv)to its national member federations, the relevant National Paralympic Committees and the IPC.2.1.2. Data (v)-(vi) (Sport Class and Sport Class Status)The IWBF is aware of the highly sensitive nature of the data implied in the sport class andsport class status, which fall under the category of “data concerning health” (Article 4 no 15,Article 9 GDPR).

Therefore, the sport class and the sport class status are protected and dealt with by the IWBF in accordance with Article 9 GDPR.The sport class and sport class status will only be used to maintain the IWBF Classification Master List and will only be forwarded to the IWBF’s national member federations, the relevantNational Paralympic Committees and the IPC. Pursuant to Article 9 para 2 lit. a GDPR, the sport class and sport class status of an athlete will only be forwarded to the above-mentioned addressees if the athlete explicitly and voluntarily consents thereto. The athlete is free to refuse to give (or to later withdraw) such consent to the processing of the athlete’s data.

However, theIWBF has limited influence on any possible consequences of an athlete not being listed in theClassification Master List with the information required by the IPC, due to the athlete’s refusal to consent to such data processing. Possible consequences such as the exclusion from international competitions are governed by the regulations of the IPC. The legal basis for transmitting your personal data to its national member federations, the relevant National Paralympic Committees and the IPC is, therefore, primarily your consent. However, the IWBF also notes that the sport class and sport class status of athletes are manifestly made public (Article 9 lit. e GDPR) for and by every athlete who competes in competitions that feature public player presentations, box scores or live stats. As far as you make your personal data manifestly public according to Article 9 para 2 lit. e GDPR, this serves as a second legal basis for the transmission of your personal data.

Moreover, the transmission of the above mentioned data is necessary for the performance of the IWBF Athlete Agreement (Article 6para 1 lit. b GDPR). Due to the special needs of an athlete agreement in the context of a parasport environment, we need to transmit the above-mentioned data to fulfil our duties as a parasports association.

2.2. Data Transfer to Third Countries

Since the transfer of your personal data to the recipients mentioned above can lead to data transfers to third countries, we refer to the section “Data Transfer to Third Countries” (sectionA.5 above).

D. DATA PROCESSED IN RELATION TO APPLICANTS

1. Categories of Data Processed

We assure you that we will deal with any application on a non-discriminatory basis. However, we nonetheless ask you not to send us any data that could create the risk of any (appearance of) discrimination within the meaning of anti-discrimination laws, including data related to religion, impairments, race, sexual orientation etc.

Moreover, we inform you that certain kind of data is categorized as highly sensitive under the GDPR. These data include data concerning health and personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning a natural person’s sex life or sexual orientation. We ask you not to send any such data to us with your application.

If you nonetheless do so, you thereby consent to us receiving your data according to Article 9 para 2 lit. a GDPR.

2. Purpose of the Processing and Legal Basis

The legal basis for processing your personal data as an applicant is your voluntarily given consent according to Article 6 para 1 lit. a GDPR. Moreover, your personal data is needed for the establishment, implementation and termination of a contractual relationship according toArticle 6 para 1 lit. b GDPR. Where data is processed which is neither necessary for the establishment, implementation and termination of a contractual relationship nor based on your consent, the legal basis for the processing of such data is our legitimate interest (Article 6 para 1 lit. f GDPR) to optimize your application procedure and the fulfilling of compliance and security guidelines.

3. Storage Duration

Since your personal data is only processed for the respective purpose of enabling the application process, your personal data will be deleted as soon as this process is terminated. We will store your personal data for a longer duration if legal rights or obligations allow or oblige us to do.

E. DATA PROCESSED IN RELATION TO EMPLOYEES

1. Categories of Data Processed

2. Purpose of the Processing and Legal Basis

The legal basis for processing our employee’s data is their consent according to Article 6 para1 lit. a GDPR. Moreover, our employee’s data is needed for the establishment, implementation and termination of a contractual relationship according to Article 6 para 1 lit. b GDPR.

3. Recipients of Employees

’ Data Our employees’ data is not transferred to third parties unless necessary to fulfil our legal or contractual duties. In this context, the following recipients might receive our employee’s data:- Providers of financial services (e.g. banks) to enable the payment process of wagesetc.- Tax consultants, auditors, IT-Service- Insurance companies (health, social security, pension, accident etc.)- Authorities (tax, social security, health etc.)

4. Storage Duration

Your personal data will only be stored for the time needed to process your employment contractor rights and obligations arising out of it, and no longer than legally allowed.

‍

‍