Special Olympics values privacy and will comply with applicable privacy, data protection, and data security laws. Special Olympics employees, contractors, and volunteers will only collect, use, and disclose personal information in accordance with this policy.
This policy governs activities of Special Olympics, Inc. (“SOI”), Special Olympics Accredited Programs and Founding Committees (“Programs”), and Special Olympics Games/Local Organizing Committees (“LOCs”), SO Europe Eurasia Foundation (“SOEEF”), and Special Olympics Asia Pacific, Ltd. (“SOAP Ltd.”) (collectively, “Special Olympics” or “Special Olympics organizations”). Each Special Olympics entity is permitted to adopt additional privacy, data protection and data security policies and procedures that are consistent with this policy and compliant with the laws of their jurisdictions.
This policy is intended to have global applicability. Special provisions applicable only to Personal Information of Data Subjects residing in the European Union, the European Economic Area, and Switzerland are included in Sections 13 to 19 below.
Questions? Contact firstname.lastname@example.org
1. PERMITTED USES OF PERSONAL INFORMATION. “Personal Information” means any information that identifies, or in combination with other information is capable of identifying, Special Olympics participants, employees, volunteers, fans, donors, and website visitors (collectively “Data Subjects”). This policy governs the following categories and permits uses of Personal Information set forth in this Section. Where Special Olympics intends to process Personal Information for a purpose other than that for which the personal data were collected, Special Olympics will provide notice to the Data Subject prior to such further processing with information on that other purpose and with any relevant further information.
- Contact Information is used to provide information to Data Subjects regarding the Special Olympics activities and our mission and to solicit donations to Special Olympics. Contact Information includes:
- Phone number
- Email address
- Parent or guardian information if Data Subject is a minor or an adult with a legal guardian
- International Event Registration Data are used to organize the World Games and other events and ensure the safety of all participants. This data includes:
- Demographic information
- Emergency contacts
- Travel information
- Physician information
- Health information on volunteer and unified partner registration forms
- Workplace or organizational affiliations
- Passport information
- Background check information
- National and Local Registration Data are used to organize local and national activities and ensure the safety of all participants. This data includes:
- Demographic information
- Emergency contacts
- Physician information
- Health information on volunteer and unified partner registration forms
- Workplace or organizational affiliations
- Identification number
- Background check information
- Participation Data are used to operate Special Olympics activities, promote Special Olympics, solicit donations, recognize Special Olympics sponsors and partners, and maintain the history of Special Olympics. Participation Data includes:
- Competition results
- Participation history
- Images and video
- Biographical information
- Health and Research Data are used to screen and treat health conditions, ensure participants are safe to participate, and understand and address trends and issues affecting the health and inclusion of people with intellectual disabilities. Health and Research Data includes:
- Health screening data
- Survey data
- Pre-participation medical form data
- Fitness data
- Donation History is used for accounting, tracking donations, and thanking donors for their gifts. Donation History includes:
- Dates of donations
- Amounts of donations
- Payment method
- Online Message Boards and similar online tools maintained by Special Olympics may allow Data Subjects to disclose information about themselves publicly.
- Employee Data are used for performing employment-related activities and communications, including activities related to the employees’ job duties, payroll and benefits administration, performance evaluations, and personnel actions. Employee Data includes:
- Contact information
- Salary, benefits, and tax information
- Bank information
- Work history and biographical information
- Operations. Special Olympics may also process Personal Information to perform computer operations, quality assurance, testing, and other operations activities necessary for the above purposes.
Special Olympics only uses Personal Information to publicly promote Special Olympics, solicit donations, and recognize Special Olympics sponsors and partners in accordance with the written consent of Data Subjects.
Where Special Olympics intends to further process Personal Information for a purpose other than that for which the personal data were collected, Special Olympics will provide notice to the Data Subject prior to that further processing with information on that other purpose and with any relevant further information.
2. SHARING OF PERSONAL INFORMATION. Personal information may only be disclosed as described in this Policy:
- Special Olympics Organizations. Personal Information may be shared among SOI, applicable Programs, applicable LOCs, SOEEF, and SOAP Ltd., including their relevant staff and volunteers, as necessary to perform permitted uses relevant to the Data Subject.
- Data Subjects. A Data Subject’s Personal Information may be disclosed to the Data Subject or his/her authorized guardian or representative.
- Payment Processing. Special Olympics uses third parties to provide credit card, bank, payment and information processing services. Such service providers are only authorized to use Personal Information as necessary to perform services on our behalf or to comply with legal requirements.
- Contractors. Special Olympics uses agents and contractors in order to help with our operations. Special Olympics organizations shall obtain satisfactory contractual assurance that contractors and data processors with access to Personal Information will appropriately safeguard such information. Each contractor or data processor shall be required to sign an agreement containing terms as set forth in Appendix A.
- Medical Emergency. Special Olympics may disclose Personal Information to medical professionals in an emergency.
- Third Party Researchers. Special Olympics may disclose Personal Information confidentially with researchers, such as universities or public health agencies, who are studying intellectual disabilities and the impact of Special Olympics activities. This kind of disclosure may only be made with the Data Subject’s written consent. Information may only be published in aggregate form without identifying any individual Data Subjects.
- Visa Assistance. Special Olympics may disclose Personal Information with government authorities for the purpose of assisting Data Subjects with any visas required for international travel to Special Olympics events.
- Necessity. Special Olympics may disclose personal information as necessary to protect the Data Subject’s vital interest, protect the vital interest of another person, protect public safety, respond to government requests, and report information as required by law.
- Donor List Exchange. Renting or exchanging donor names and contact information with non- Special Olympics organizations is permitted only in accordance with SOI’s List Management Policies and Procedures and is currently limited to the United States.
Where Special Olympics intends to further disclose Personal Information other than as described above, Special Olympics will provide notice to the Data Subject prior to that further disclosure and, if required by law, obtain the Data Subject’s written consent.
3. NOTICE OF PRIVACY PRACTICES. Special Olympics will notify Data Subjects of its privacy and data protection practices when they register with Special Olympics, provide information on a Special Olympics website, or otherwise provide Personal Information to Special Olympics. Where required by law, Special Olympics websites shall also notify website visitors of any cookies used on the website and obtain consent where necessary. Current privacy and data protection notices are posted on the Special Olympics website.
4. RIGHTS OF DATA SUBJECTS. Each Data Subject (or any authorized guardian or representative) has the right to ask to access, rectify, or erase his/her own Personal Information, or have the processing restricted, or to object to the processing. For residents of the EU, each Data Subject may also have the right to portability. Such requests will be accommodated in accordance with applicable law. Each Data Subject also has the right to lodge a complaint to a competent supervisory authority, if applicable. Where the processing of personal information is based on consent, the Data Subject has the right to withdraw consent at any time with effect to the future.
5. PRINCIPLES OF DATA PROCESSING. Special Olympics has adopted the following principles to govern its processing of Personal Information, except as specifically provided by supplementary policies or as required by applicable laws or regulations.
- Lawfulness, Fairness, and Transparency. Personal Information shall only be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject.
- Purpose Limitation. Personal Information shall be obtained only for specified, explicit, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
- Data Minimization. Personal Information shall be adequate, relevant, and not excessive in relation to the purposes for which they are processed.
- Accuracy. Personal Information shall be accurate and, if necessary, kept current, as appropriate to the purposes for which they are processed.
- Storage Limitation. Personal Information shall not be kept in a form that permits identification of the Data Subject for longer than necessary for the permitted purposes.
- Integrity and Confidentiality. Personal Information shall be processed in a manner that ensures appropriate security of the Personal Information, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- Data Protection by Design and by Default. Technical and organizational measures shall be designed to implement data protection principles and to ensure that, by default, only personal information necessary for each specific purpose of the processing are processed.
 For example, under European Union General Data Protection Regulation Article 12, actions taken in response to such requests “without undue delay and in any event within one month of receipt of the request.”
6. SAFEGUARDS. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Special Olympics will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In particular, Special Olympics will implement and maintain appropriate measures to protect Personal Information from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored, or otherwise processed. Special Olympics shall also be able to demonstrate how data processing is being performed in compliance with applicable laws, including GDPR. The following measures should be considered and implemented as appropriate in accordance with the above principles:
- Office access control such as lock and key, swipe cards, and building security to ensure that only authorized persons are able to enter the premises;
- Paper safeguards including (i) secure storage of written or printed Personal Information to safeguard against disclosure to individuals not involved with the use of the information, and (ii) shredding when use of the printed information is complete;
- Digital storage only in data systems approved by the administration of each Special Olympics organization for the Personal Information the system holds;
- Unique login credentials used to access Personal Information with passwords of sufficient length and character types (e.g., numbers, upper case letters, lower case letters, special characters) consistent with industry best practices;
- Automatic lock of computers and devices holding Personal Information after a short period of non- use;
- Computers and devices secured when unattended in a locked house when at home or locked trunk when traveling by automobile;
- Monitoring, logging, and audit controls on computers, devices and systems holding Personal Information;
- Malicious software protection on computer systems, including regular and prompt updating of anti- virus, operating system, and application software to maintain current security features;
- Prompt access removal upon termination of an employee, contractor, or volunteer with access to Personal Information, including return of facilities keys, return of computing equipment, and removal or access to data systems by changing or terminating login credentials;
- Appropriate device and media disposal, including wiping of Personal Information and other confidential information prior to disposal or re-use;
- Remote locking and wiping capability on computers and devices holding Personal Information in order to safeguard data in the event of loss or theft;
- Pseudonymization and encryption to limit risk of unauthorized disclosure of Personal Information;
- Back-up systems to ensure the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
- Firewalls to protect against network intrusions and configured to enforce Special Olympics policies, such as blocking prohibited websites; and
- Wireless networks configured in accordance with industry standards for wireless security.
Each Special Olympic organization should assess the security of its email system to determine if transmission of Personal Information by email should be permitted in light of the principles described in this Section.
Technical safeguards capabilities should be among criteria for continued use of and/or procurement of any new computing hardware or software.
7. IMPACT ASSESSMENT. Where a type of Personal Information processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of Data Subjects (taking into account the nature, scope, context and purposes of the processing), Special Olympics will conduct an assessment of the impact of the processing operations on the protection of Personal Information. Special Olympics should conduct this assessment before beginning the contemplated data processing.
8. DATA PRIVACY COORDINATOR. The CEO of SOI shall appoint a Global Data Privacy Coordinator to be responsible for overseeing, on behalf of SOI, ongoing activities related to the development, implementation, maintenance of, and adherence to policies and procedures covering privacy and data protection. Likewise, the CEO or National Director of each other Special Olympics organization shall appoint an organization-specific Data Protection Coordinator who will be responsible for data privacy implementation for that organization. Duties of the Data Privacy Coordinator include:
- Providing guidance and assisting in the implementation of privacy and data security policies and procedures in coordination with management and legal counsel;
- Performing periodic privacy and data security risk assessments and related ongoing compliance monitoring activities in coordination with applicable organizational departments;
- Ensuring the organization maintains appropriate privacy and confidentiality policies and notices and consent forms reflecting current Special Olympics practices and requirements;
- Ensuring delivery of privacy training and orientation to employees and volunteers with access to Personal Information;
- Investigating and addressing privacy and data security incidents and/or policy violations;
- Working cooperatively with the applicable organizational departments in overseeing Data Subjects’ right to ask to inspect, amend, and restrict access to Personal Information;
- Maintaining current knowledge of applicable laws and monitoring advancements in information privacy technologies to ensure appropriate adaptation and compliance;
- Engaging professional assistance as necessary to perform any of the duties above.
9. VIOLATIONS AND SECURITY INCIDENTS.
- Duty to Report. Any employee who becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information shall immediately report the incident to his/her supervisor and/or the Data Privacy Coordinator. Supervisors receiving reports of potential violations and/or security incidents shall immediately report the matter to the organization’s Date Privacy Coordinator.
- Incident Response. Upon learning of a potential breach of security or potential violation of this policy or applicable data protection laws, the Data privacy Coordinator shall respond appropriately based on the circumstances, according to SOI’s incident response policies and procedures, and as at all times directed by the SOI Legal Department. This response may include, but may not necessarily be limited to:
- Notification of executive management where appropriate;
- Notification of affected individuals, organizations, and/or government officials as required by applicable rules, laws, regulations and contractual obligations;
- Retraining and/or disciplinary action for responsible employees as appropriate if the incident involved a violation of this policy; and/or
- A post-incident analysis conducted by the Data Privacy Coordinator and the Legal Department to incorporate any lessons learned into SOI’s incident response policies and procedures, to evaluate Special Olympics safeguards, and to recommend to management any changes believed appropriate.
10. PRIVACY AND DATA SECURITY TRAINING. Employees and volunteers will be given privacy and data security training and/or guidance appropriate to their roles and responsibilities. The Data Privacy Coordinator shall ensure that training on this policy is provided when it is substantially changed.
11. CONTINGENCY PLANNING. Special Olympics organizations shall develop contingency plans to prepare for system failures, and to prepare procedures for maintaining critical operations in the event of system failure.
12. PERIODIC REVIEW. The Data Privacy Coordinator shall conduct periodic reviews of the organization’s privacy and data security practices. Types of evaluation may vary and may include vulnerability scanning and remediation, firewall audits, penetration tests, social engineering exercises/tests, IT asset audits, audits of policies and procedures for compliance with applicable regulations, and/or audits of compliance with policies and procedures.
PROVISIONS APPLICABLE TO PERSONAL INFORMATION OF DATASUBJECTS RESIDING IN THE EUROPEAN UNION, THE EUROPEAN ECONOMIC AREA , AND SWITZERLAND.
13. SCOPE OF SPECIAL PROVISIONS. The provisions in Sections 13 to 19 are intended to address additional requirements of the of the General Data Protection Regulation (“GDPR”) as they relate to Personal Information of Data Subjects residing in the European Union (“EU”) and European Economic Area (“EEA”), as well as similar requirements of the laws of Switzerland. As of the effective date of this policy:
- EU Member States include: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom; and
- EEA Member States include: all EU Member States and also Iceland, Liechtenstein, and Norway.
14. DEFINITIONS. For purposes of GDPR, words used in the policy shall carry the same meaning as defined in the GDPR. “Personal Information” as defined and used in this Policy carries the same meaning as “Personal Data” as defined in GDPR: “’personal data’ means any information related to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly in particular reference to an identifier such as a name, and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the natural person.” GDPR, Article 4, para (1).
15. DATA CONTROLLER. For purposes of GDPR, national Special Olympics Programs are the data controllers for data collected from residents of their respective countries. SOI is also a data controller for information shared with it. Information submitted for world games and other international events are also controlled by the applicable LOCs.
16. RECORD OF DATA PROCESSING. Each Special Olympics organization that processes Personal Information of data Subjects residing in the EU, EEA, and Switzerland will maintain records of such data processing activities.
17. RETENTION OF PERSONAL INFORMATION. GDPR requires that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” GDPR, Article 5, para 1(e). Data categories are described above in Section 1. The following retention periods shall apply:
- Contact Information is retained as long as Special Olympics has an ongoing relationship with the Data Subject.
- International Event Registration Data are retained until up to six months after the event. As an exception, data collected for a test event in preparation for a later event are retained until up to six months after the later event (i.e., test games registration data are retained until up to six months after the corresponding world games).
- National and Local Registration Data are retained until up to five years after the Data Subject discontinues participating with special Olympics.
- Participation Data are retained until the Data Subject asks for his/her information to be deleted.
- Health and Research Data are retained as long as Special Olympics has an ongoing relationship with the Data Subject
- Donation History is retained in accordance with applicable accounting records retention schedules required by law.
- Employee Data are retained in accordance with applicable employment records retention schedules required by law.
18. LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION. Special Olympics only processes Personal Information for lawful purposes. Special Olympics’ legal basis for each use of Personal Information is as follows:
- Contact Information. Our legal basis for using Data Subject contact information is our legitimate interest in communicating with members of the Special Olympics movement.
- International Event Registration Data. Our legal basis for using international event registration data is or legitimate interest in the safe and effective operation of Special Olympics events that are central to our mission of providing inclusive sports competition and other activities benefiting people with intellectual disabilities.
- National and Local registration Data. Our legal basis for using national and local registration data is our legitimate interest in the safe and effective operation of Special Olympics activities and events that are central to our mission of providing inclusive sports practice and competition and other activities benefitting people with intellectual disabilities.
- Participation Data. Our legal basis for using participation data is our legitimate interest in running world-class athletic and health activities and events and highlighting our mission. Our legal basis for using Personal Information to publicly promote Special Olympics, solicit donations, and recognize Special Olympics sponsors and partners is based on the Data Subject’s written consent provided in a registration or separate release form.
- Health and Research Data. Our legal basis for processing health and research data is the public interest and our legitimate interests in ensuring safe participation and identifying and addressing trends and issues affecting people with intellectual disabilities.
- Donation History. Our legal basis for storing and processing donation information history is our legitimate interest to use and maintain information necessary for fundraising that supports our mission and in accordance with accounting standards.
- Message Boards. Our legal basis for collecting information on message boards and similar online platforms is our legitimate interest in promoting awareness and generating interest in Special Olympics’ activities and mission.
- Employee Data. Our legal basis for processing Employee Data is our legitimate interest in operating our organization.
19. INTERNATIONAL DATA TRANSFERS. Special Olympics shall comply with legal requirements for international data transfers. This includes transfers of data collected from Data Subjects in EU-member countries and exported to locations outside the EU, such as to SOI headquarters in the United States or to an LOC for World Games. For example, Programs in EU-member countries must enter data transfer agreement with SOI before exporting data to SOI. This also applies to LOCs located outside the EU.
APPENDIX A: CONTRACT TERMS FOR CONTRACTORS AND DATA PROCESSORS
Each contractor or data processor with access to Personal Information shall be required to sign an agreement containing terms that safeguard the Personal Information.
For contractors and data processors receiving or processing Personal Information of Data Subjects residing in the European Union, European Economic Area, or Switzerland, a separate data processing agreement consistent with GDPR Article 28 must be executed with the contractor. A template for this data processing agreement will be provided by the SOI Legal Department.
For contractors that will not be receiving or processing Personal Information of Data Subjects residing in the European Union, European Economic Area, or Switzerland, agreements with contractors should include provisions that are the same or substantially similar to the following:
- The relationship contemplated by this Contract may require Contractor to access individually identifiable personal information of Special Olympics participants, employees, volunteers, fans, donors, website visitors, and other people associated with Special Olympics that is held by Special Olympics, Inc., Special Olympics Accredited Programs or Founding Committees, or Special Olympics Games/Local Organizing Committees (“Personal Information”). Contractor may access, use, and disclose Personal Information only to the extent necessary to complete Contractor’s obligations outlined in this Contract. With regard to Contractor’s access, use, and disclosure of Personal Information, Contractor agrees to do the following:
- Use and/or disclose the Personal Information only as permitted by this contract or as otherwise required by law; no further use or disclosure is permitted.
- Use appropriate physical, technical and administrative safeguards to protect Personal Information, and comply with the requirements of applicable privacy and data security laws.
- Promptly report to Special Olympics any security incident, and any use or disclosure not provided by this Contract.
- Comply with all requests from Special Olympics to disclose, amend, or delete individual records.
- Return to Special Olympics or destroy, as requested by Special Olympics, within 30 days of the termination of this Contract, the Personal Information in Contractor’s possession and retain no copies or electronic back-up copies.
- Represent and warrant that all of Contractor’s employees, volunteers, contractors, and agents whose services may be used to fulfill obligations under this Contract, are or shall be appropriately informed of the Privacy and Data Security terms of this Contract and are under legal obligation to fully comply with all provisions of this Contract.
- Contractor may use and disclose Personal Information, if necessary, for the proper management and administration of Contractor’s operations; and/or to carry out the legal responsibilities of Contractor if the disclosure is required by law.
- Contractor shall defend, indemnify, and hold harmless all Special Olympics organizations against any third-party claims or government enforcement actions arising from Contractor’s noncompliance with applicable law or the privacy and data security provisions of this Contract.
- The respective rights and obligations under the privacy and data security provisions of this Contract shall survive the termination of this Contract.