Privacy

May a consultant take personal data to a competitor?

Joris Deene
8 months ago
611 views
10 minutes reading time

In modern soccer, data has become all-important. From player performance to injury susceptibility - everything is measured, analyzed and used to gain competitive advantages. But what happens when an independent consultant with access to this sensitive information through a service agreement switches to a competitor? A ruling from the Court of Cassation of May 6, 2025 provides interpretation in data protection law.

Set between two top Belgian clubs, Club Brugge and Royal Antwerp FC, the case revolves around whether an independent consultant was guilty of hacking and passing confidential data to a rival company.

The facts: from Club Lab to competitor

The collaboration between consultant and Club Brugge

The case begins in 2015, when C.S.., a consultant from Antwerp, and his management company entered into a service agreement with LakeSprings, the family holding company of Club Brugge chairman Bart Verhaeghe. Initially his services were mainly related to the Uplace project, but gradually he became increasingly involved in Club Brugge's "Personal Performance Center."

C.S. is said to have played an important role in the development of models that would eventually lead to the famous Club Lab - the sophisticated system that Club Brugge uses to monitor players' performance and injury susceptibility. This system contains highly sensitive information on:

  • Physical profiles of players
  • Medical records and injury susceptibility
  • Technical analyses of player performance
  • Commercial and operational information of the club

The end of cooperation and allegations

On April 7, 2017, C.S.'s services suddenly came to an end, officially because Uplace's environmental permit was suspended. He still had to give three months' notice until July 7, 2017. But already on April 9, 2017 - just two days after the notice - he allegedly addressed a cover letter to Paul Gheysens, president of Royal Antwerp FC. In this letter, he cited that he himself had developed the Club Lab and offered his services at Antwerp.

On May 19, 2017, LakeSprings' counsel sent a registered letter to C.S. accusing him of violating the non-compete clause in his service agreement by starting a business activity around sports data analysis on behalf of a direct competitor.

The discovery during the judicial inquiry

During a search of C.S.'s home, all electronic data carriers were seized. The forensic examination revealed a number of items:

  • On his former work laptop, the letter of application to Antwerp in question was found
  • His new laptop from Antwerp contained player chips with sensitive data of Club Brugge players Ruud Vormer and Brandon Mechele
  • This data had been transferred from his old laptop (from LakeSprings) to his new laptop (from Antwerp) between May 20 and Sept. 25, 2017

Importantly, this transfer occurred after May 19, 2017 - the time when he was formally declared in default and his access to the data should have ended.

The criminal procedure

Club Brugge, Lakesprings and the two players filed a criminal complaint with civil charges for, among other things, internal hacking, abuse of trust and breaches of the Belgian law on the protection of privacy with respect to the processing of personal data of Dec. 8, 1992 (This law was repealed in 2018 following the enactment of the General Data Protection Regulation - AVG/GDPR).

The Bruges Correctional Court acquitted C.S. and his management company completely. The civil parties did not stop there and appealed.

The court of appeal in Ghent ruled on October 10, 2024 that there was indeed no internal hacking, being the exceeding of access privileges to an information technology system with fraudulent intent. Since C.S. as a contractor was entitled to work with the data during the contract period, he had not exceeded his legitimate access and there could be no hacking. Nor, according to the court, was there an abuse of trust.

However, the court did find a violation of the law of December 8, 1992. The player chips undeniably contained personal data within the meaning of article 1, §1 of the law. They concerned identified natural persons (Vormer and Mechele) with information about their physical, physiological and sporting characteristics. Some of the data even concerned health data (injury susceptibility), which fall under the special protection of Article 7 of the Act. The crux of the problem was not in the access during the agreement, but in the acts after the formal notice of default dated May 19, 2017. By transferring player chips to a new laptop after that date, the consultant had processed the personal data without still being authorized to do so. The court therefore awarded the two players involved token damages of €1.00 for establishing how frivolously their data was handled.

The consultant and his management company could not agree and went to the Supreme Court.

The analysis of the Supreme Court ruling

On May 6, 2025, the Court of Cassation upheld the decision of the Ghent Court of Appeal by dismissing all cassation appeals by the consultant and his company.

1. Who is who? The crucial role of 'processor' versus 'third party'

A central argument of the consultant was that he could not be sued for a breach of data protection law because he was not a "data controller." At most, he was a "third party." The Supreme Court did not go along with this and affirmed the appeals court's analysis.

According to data protection law (both the old 1992 law and the current AVG/GDPR), there are different roles:

  • The controller is the one who determines the purposes and means of processing personal data. In this case, they were Club Brugge and Lakesprings
  • The processor is the one who processes personal data on behalf of the controller.
  • A third is anyone other than the data subject, controller or processor.

The appeals court had held that the consultant, by analyzing the players' data, was acting in performance of his service agreement. Even if that specific task was not defined in the contract in the smallest detail, in the facts it was part of the deliverables. As a result, he was not a random third party, but rather a "processor" acting with the authorization of the "controller". The Supreme Court confirmed that this reasoning is legally sound. This qualification is crucial: as a processor, the consultant had the authorization to process the data, but that authorization ended when the agreement was terminated.

2. What is a "processing"?

The most essential point of the judgment is the interpretation of the term "processing." The consultant argued that merely transferring files from one laptop to another, without using or modifying them afterwards, could not constitute "processing".

The Supreme Court upheld the very broad definition from the law.

  • First, a computer file, such as an Excel spreadsheet containing structured personal data of players, is a "file" within the meaning of the law.
  • Second, the term "processing" includes any operation or set of operations involving personal data. The law enumerates a long, non-exhaustive list, including: "preserving," "transmitting," "distributing or otherwise making available."

Thus, the Court of Appeals affirmed the Court of Appeal's view: the transfer or mere retention of such a file, even without additional processing, constitutes processing in itself. Finding the player chips on the new laptop was therefore conclusive evidence of a processing. By transferring the data to another computer after the end of his authorization, the consultant wrongfully "retained, transmitted and distributed" the data. The claim that this was done inadvertently or "in bulk" does not negate the violation found.

3. No 'personal use': the professional context is all-important

As a final lifeline, the consultant raised the point that if there was any post-contract termination processing at all, it was only for "exclusively personal or household purposes." Indeed, data protection law does not apply to such processing.

This argument, too, was rejected. The Supreme Court followed the appellate court's opinion that the context of the processing was anything but purely personal. Indeed, the data were transferred from the former work laptop to a new laptop provided by a new professional client and a competing soccer club. This professional context completely precludes the application of the domestic exception. The fact that the transfer was done in violation of the original service agreement only reinforced this judgment.

Practical lessons from this ruling

For clients (who hire consultants)

  1. Unlike a classic employment contract, with a B2B service agreement there is a lot of contractual freedom, but also less legal protection. You are therefore responsible for getting everything right down to the last detail. Think about:
    • Intellectual property: Explicitly define who the intellectual property has of the systems, analyses or tools the consultant is developing.
    • Competition: A realistic and clearly defined non-compete obligation is essential.
    • Confidentiality: Specifically define what constitutes confidential information and trade secrets falls.
  2. Most of the problems in this case arose after the termination of the collaboration. A strict procedure when a consultant leaves is indispensable:
    • Immediately revoke all physical and digital access rights.
    • Ensure the effective return of all equipment (laptops, badges, etc.).
    • Provide clear, written instructions on the mandatory and verifiable destruction of all data on consultant personal devices.
  3. As the client, you are the "data controller" under the AVG/GDPR. The consultant is merely the "processor." This means that you bear ultimate responsibility, including for your consultant's mistakes. Therefore, make sure that you are in a processing agreement contractually define how the consultant should handle the personal data made available, especially when it involves sensitive data such as the health data of the players in this case.

For consultants and independent contractors

  1. The consultant's core error was copying data from one client to a laptop of another. Work with strictly separate systems for each client. Ensure that after a contract ends, all data from that client is completely and permanently deleted unless you have explicitly different written agreements.
  2. Be aware of your role and obligations under the data protection law. You process data on behalf of your client and not for your own purposes. Document what data you process and on what basis, and take its security seriously. Good professional liability insurance is not a luxury for this type of risk.

For individuals (employees, athletes, etc.)

This ruling is also an important victory for individual rights. Soccer players Ruud Vormer and Brandon Mechele were awarded damages for careless handling of their data. It shows that:

  • Your right to data protection remains intact, even in a B2B business context.
  • You are entitled to compensation (even if it is a symbolic euro) if your rights are violated.
  • You have the right to know who has access to your data and what happens to it.
Do you have questions about the processing of personal data in your company, the drafting of service agreements or are you involved in a dispute in this regard? If so, contact our specialized lawyers in data protection law in a timely manner.

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics