Controller: Confédération Mondiale des Activités Subaquatiques (CMAS)
Address: Viale Tiziano 74, 00196, Rome, Italy
Contact for data sharing matters: This email address is being protected from spambots. You need JavaScript enabled to view it.
Effective date: June 10th, 2026 Last updated: December 9th, 2023

1. Purpose of This Policy 

The CMAS World platform (the "Platform") is a multi-tier system. The same individual's data may be visible to their dive centre, their national federation, CMAS itself, and the organisers of any event they enrol in. This policy explains:

  • Who the parties are.
  • What categories of personal data are shared between them.
  • Why the sharing happens and on what legal basis.
  • What each party may and may not do with the data they receive.

2. The Parties

Party Role
Individual The data subject — a diver, athlete, instructor, judge, or official.
Entity A dive centre, club, or similar organisation affiliated with a national federation.
National Federation A CMAS-affiliated federation, typically one per country.
CMAS The international controller and operator of the Platform.
Event Organiser A federation, entity, or CMAS body running a specific event.
Timing & Results Partner External provider processing live results for events.
Payment Processor Cards, Bank debits, handling transactions.
Infrastructure Providers Hosting, email delivery, and error monitoring (see Privacy Policy §4).

3. Data Flows

3.1 Individual → Entity

What: Full registration data, identity documents, certifications, medical certificate validity, contact details. Why: The entity manages its members' diving activity, training, and entity-level enrolments. Visibility: Entity administrators only see individuals affiliated with their entity.

3.2 Individual → National Federation

What: All data shared with the entity, plus federation-level licence and membership status. Why: The federation administers national-level membership, issues licences, validates passports, and represents the individual to CMAS. Visibility: Federation administrators see all individuals affiliated to entities within their federation. CONFIRM: can an individual be affiliated to a federation without being affiliated to an entity? (Self-enrolment case.)

3.3 Entity → National Federation

What: Entity registration data, affiliated members list, entity-level documents. Why: Federations authorise and oversee entities within their country.

3.4 National Federation → CMAS

What: All federation, entity, and individual data within that federation. Why: CMAS is the global controller and operates the Platform. CMAS validates federation membership, certifications, and event eligibility globally. Visibility: CMAS administrators have global visibility for governance, audit, and platform operation purposes.

3.5 Individual → Event Organiser (via enrolment)

What: Name, date of birth, nationality, federation/entity affiliation, relevant certifications, medical certificate validity, event-specific data (category, team, etc.). Why: The event organiser must verify eligibility, produce start lists, manage accreditations, and publish results. Trigger: Enrolment is the individual's (or their entity's / federation's) explicit action — it is the basis on which data is shared with the organiser. CONFIRM: does the individual see a clear notice at the point of enrolment listing the organiser and what will be shared?

3.6 Event Organiser → Timing & Results Partner

What: Minimum data required for results processing — typically name, federation, category, bib/team identifier, date of birth. Why: Live timing and results publication for the event. Mechanism: Secure API (IP-whitelisted; see staging at cmas.getcode.pt and production endpoint). Safeguards: Data Processing Agreement with the partner; partner acts as processor on behalf of CMAS / the organiser.

3.7 CMAS → Public (results, rankings, certifications)

What: Selected event results, rankings, and the public certification registry — typically name, nationality, federation, category, result, certification level. Why: Sport transparency, certification verification by third parties (dive shops, employers). CONFIRM: which fields are public by default; whether individuals can opt out of public listing.

3.8 CMAS / Federations / Entities → Payment Processor

What: Billing name, address, transaction amount. Why: Processing of membership fees, licence fees, event registration fees. Note: Card data is handled directly by [Stripe / other] and is not stored on the Platform.

3.9 CMAS → Infrastructure Processors

  • Hosting: [provider, region].
  • Email delivery: [provider].
  • Error monitoring (Sentry): receives error context (URL, browser, IP, authenticated user identifier) when an exception occurs.


All infrastructure providers act as data processors under Data Processing Agreements.

4. Roles Under GDPR

  • CMAS is the controller for platform-wide data (account data, certifications, global event records).
  • National Federations are joint controllers with CMAS for the data of their affiliated individuals and entities.
  • Entities are joint controllers with their federation and CMAS for the data of their affiliated members.
  • Event Organisers are controllers for the event data they collect through enrolment.
  • Timing partners, payment processors, hosting, email, and Sentry are processors acting on documented instructions.


CONFIRM: joint-controller arrangement and that Art. 26 GDPR joint-controller agreements are in place between CMAS and federations.

5. International Transfers

  • Federations and entities are located worldwide, including outside the EU/EEA.
  • When data is shared with a non-EU federation or entity, transfers rely on [Standard Contractual Clauses / adequacy decision / other Art. 46 safeguard — CONFIRM].
  • Event organisers and timing partners located outside the EU are subject to the same safeguards.  

6. Restrictions on Recipients

Each party that receives personal data through the Platform agrees that they:

  • Will use the data only for the purpose for which it was shared (membership administration, event management, certification verification, etc.).
  • Will not sell or otherwise commercialise the data.
  • Will not share the data with further third parties without CMAS's written authorisation, except where required by law.
  • Will apply appropriate technical and organisational security measures.
  • Will respect data subject rights (access, rectification, erasure) and forward such requests to CMAS without undue delay.
  • Will notify CMAS of any data breach within 24 hours of detection.

These obligations are reflected in the Platform Terms of Use and, where relevant, in dedicated Data Processing Agreements or Joint Controller Agreements.

7. What Each User Can See — Quick Reference

Viewer Can see
Individual Their own data; their own certifications, enrolments, results, documents.
Entity admin All individuals affiliated with that entity; entity-level documents.
Federation admin All entities and individuals within that federation.
Event organiser Participants enrolled in their event(s) only.
CMAS admin Global visibility across the Platform.
Timing partner Only the participant data required for results, via API.
Public Published results, rankings, and verified certifications (limited fields).

8. Individual Rights in the Context of Sharing

You may at any time:

  • Request a list of which federations, entities, and event organisers have received your data through the Platform.
  • Request that an entity or federation stop processing your data, subject to your withdrawing affiliation.
  • Object to public listing of results or certifications (CONFIRM mechanism — opt-out or opt-in).


Requests should be directed to [privacy contact email]. CMAS will coordinate with federations and entities as joint controllers.

9. Changes to This Policy

We may update this Data Sharing Policy when relationships, processors, or data flows change. Material changes will be notified to users by email or via a Platform banner. The "Last updated" date at the top reflects the most recent change.

10. Contact

Appendix — Items still needed from CMAS

  1. Official CMAS HQ address and data-sharing contact email.
  2. Confirmation of whether individuals can be federation-affiliated without an entity (self-enrolment case).
  3. Confirmation of the enrolment-time notice shown to individuals when their data goes to an event organiser.
  4. Which fields are publicly listed (results, certification registry) and the opt-out mechanism.
  5. Payment processor name(s).
  6. Hosting region and email provider names.
  7. International transfer safeguards (SCCs / other Art. 46 mechanisms) for non-EU federations.
  8. Confirmation of joint-controller agreements (GDPR Art. 26) between CMAS and federations.
  9. Confirmation of Data Processing Agreements with: timing partners, payment processor, hosting, email, Sentry.
  10. Breach notification window expected from federations / entities: 24h.
CMAS-data-sharing-policy_2026_06_10
144 kb
Download Files