The CNIL announced its plans for 2026, with sports organizations coming under scrutiny. The Commission justified this decision by citing the impact of the 2024 Olympic and Paralympic Games, which led to an increase in sports club memberships and, consequently, personal data handled by these organizations. The CNIL emphasized the sensitivity of some of this data, particularly regarding health or minors, given the numerous data leaks affecting sports organizations in recent months.
Incidents involving sports organizations have indeed multiplied, with some leaks being quite substantial. For instance, the French Football Federation suffered a leak at the beginning of 2024 affecting the data of 1.5 million licensed individuals. Smaller leaks also had significant consequences, such as the French Shooting Federation’s data being stolen at the end of 2025, impacting nearly one million current or former licensed members, including firearm owners’ addresses. This data was sold on specialized forums and used in burglaries and thefts, according to the Paris prosecutor’s office.
One suspect was indicted in early January in connection with this case, with the prosecutor’s office investigating other potentially involved parties.
In addition to these emblematic cases, numerous other leaks targeting sports organizations in various disciplines, such as athletics, judo, and gymnastics, have occurred. Over thirty French sports organizations have fallen victim to data leaks of varying volumes and sensitivity. The Commission had already issued a detailed guide in 2024 outlining the legal framework for handling personal data by sports organizations.
CNIL inspections will focus on verifying that these organizations comply with their obligations regarding the security of the personal data they collect and handle in the course of their activities.
