AEPD (Spain) - 0098/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=0098/...") |
No edit summary |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 42: | Line 42: | ||
|EU_Law_Link_2= | |EU_Law_Link_2= | ||
|National_Law_Name_1= | |National_Law_Name_1=Act Against Violence, Racism, Xenophobia and Intolerance in Sport | ||
|National_Law_Link_1= | |National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2007-13408 | ||
|National_Law_Name_2= | |National_Law_Name_2= | ||
|National_Law_Link_2= | |National_Law_Link_2= | ||
Line 63: | Line 63: | ||
}} | }} | ||
[in | In a prior consultation, the Spanish DPA held that the State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport could not rely on [[Article 9 GDPR|Article 9(2)(g) GDPR]] in order to process biometric data of football fans entering stadiums. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
[in | The State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport (the Commission) wanted to install biometric identification systems at the entrances to sport stadiums in order to univocally identify football fans. In this regard, [https://www.boe.es/buscar/act.php?id=BOE-A-2007-13408 Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport] gives the Commission the power to implement additional security measures for high risk competitions and events. | ||
The Commission asked the Spanish DPA for a prior consultation (presumably under [[Article 36 GDPR]]) regarding the compliance of the envisaged processing with the GDPR. According to the Commission, the legal basis was [[Article 6 GDPR|Article 6(1)(e) GDPR]], as processing was necessary for the performance of a task carried out in the public interest, such interest being the safety and integrity of persons attending football stadiums, as well as prevention of fundamental rights violations in the form of hate crimes and discrimination. Additionally, the Commission relied on [[Article 9 GDPR|Article 9(2)(g) GDPR]], which refers to processing of sensitive data that is necessary for reasons of a substantial public interest. | |||
[in | |||
== Comment == | The Commission indicated that it would issue a resolution defining the adequate and specific measures that clubs should undertake in order to protect the interests and fundamental rights of data subjects. The Commission also stated that it would carry out a proportionality assessment and an additional DPIA under [[Article 35 GDPR]], in order to guarantee the adherence to the principles of [[Article 5 GDPR]]. | ||
===Holding === | |||
First, the Spanish DPA stated that the installation of biometric identification systems would constitute processing of special categories of data within the meaning of [[Article 9 GDPR]]. The DPA recalled the definition of ‘biometric data’ as meaning 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data' ([[Article 4 GDPR#14|Article 4(14) GDPR]]). | |||
Second, the DPA emphasised the need to distinguish between biometric identification and biometric authentication, as defined by the Article 29 Working Party in [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf Opinion 3/2012 on developments in biometric technologies]. According to this Opinion, biometric identification means the ''identification'' of an individual by comparing biometric data acquired at the time of the identification to ''a number of biometric templates'' stored in a database, whereas biometric authentification means the ''verification'' of an individual by comparing the biometric data acquired at the time of the verification to a ''single biometric template'' stored in a device. The DPA relied in its assessment on the EDPB's [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-052022-use-facial-recognition_en Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement] which uphold that both techniques constitute processing of special categories of data. The DPA manifested its concern for the proliferation of biometric identification systems, which are considered to be particularly intrusive for the rights and freedoms of data subjects. | |||
Third, with regards to the envisaged legal basis, the DPA noted that [[Article 9 GDPR|Article 9(2)(g) GDPR]] makes reference to a ''substantial'' public interest, as opposed to the (standard) public interest contained in other provisions. Hence, according to the DPA, the interpretation of public interest must be more restrictive. The DPA referred to the Spanish Constitutional Court, which ruled that any limitations of the right to data protection must be set out in law and exist prior to any processing. Further, a legitimate aim pursued by the public interest cannot be laid down by general, indeterminate, or vague concepts and the limitation must be proportionate to the aim pursued. With reference to this, the DPA concluded that such a law did not exist in the Spanish acquis. The law referred to by the Commission ([https://www.boe.es/buscar/act.php?id=BOE-A-2007-13408 Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport]) did not identify a justified substantial public interest or contain specific rules, nor did it provide for suitable and specific measures to safeguard the fundamental rights and interests of data subjects. While the provision referred to identity verification systems, it did not mention the specific possibility of using biometric systems. | |||
Therefore, the DPA concluded that the envisaged processing, as schemed by the the Commission, could not rely on the legal basis of [[Article 9 GDPR|Article 9(2)(g) GDPR]]. | |||
==Comment== | |||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | == English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
Latest revision as of 13:57, 1 February 2023
AEPD - 0098/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(e) GDPR Article 9(2)(g) GDPR Act Against Violence, Racism, Xenophobia and Intolerance in Sport |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | |
Decided: | |
Published: | 20.01.2023 |
Fine: | n/a |
Parties: | Comisión Estatal contra la Violencia, el Racismo, la Xenofobia y la Intolerancia |
National Case Number/Name: | 0098/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Carmen Villarroel |
In a prior consultation, the Spanish DPA held that the State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport could not rely on Article 9(2)(g) GDPR in order to process biometric data of football fans entering stadiums.
English Summary
Facts
The State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport (the Commission) wanted to install biometric identification systems at the entrances to sport stadiums in order to univocally identify football fans. In this regard, Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport gives the Commission the power to implement additional security measures for high risk competitions and events.
The Commission asked the Spanish DPA for a prior consultation (presumably under Article 36 GDPR) regarding the compliance of the envisaged processing with the GDPR. According to the Commission, the legal basis was Article 6(1)(e) GDPR, as processing was necessary for the performance of a task carried out in the public interest, such interest being the safety and integrity of persons attending football stadiums, as well as prevention of fundamental rights violations in the form of hate crimes and discrimination. Additionally, the Commission relied on Article 9(2)(g) GDPR, which refers to processing of sensitive data that is necessary for reasons of a substantial public interest.
The Commission indicated that it would issue a resolution defining the adequate and specific measures that clubs should undertake in order to protect the interests and fundamental rights of data subjects. The Commission also stated that it would carry out a proportionality assessment and an additional DPIA under Article 35 GDPR, in order to guarantee the adherence to the principles of Article 5 GDPR.
Holding
First, the Spanish DPA stated that the installation of biometric identification systems would constitute processing of special categories of data within the meaning of Article 9 GDPR. The DPA recalled the definition of ‘biometric data’ as meaning 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data' (Article 4(14) GDPR).
Second, the DPA emphasised the need to distinguish between biometric identification and biometric authentication, as defined by the Article 29 Working Party in Opinion 3/2012 on developments in biometric technologies. According to this Opinion, biometric identification means the identification of an individual by comparing biometric data acquired at the time of the identification to a number of biometric templates stored in a database, whereas biometric authentification means the verification of an individual by comparing the biometric data acquired at the time of the verification to a single biometric template stored in a device. The DPA relied in its assessment on the EDPB's Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement which uphold that both techniques constitute processing of special categories of data. The DPA manifested its concern for the proliferation of biometric identification systems, which are considered to be particularly intrusive for the rights and freedoms of data subjects.
Third, with regards to the envisaged legal basis, the DPA noted that Article 9(2)(g) GDPR makes reference to a substantial public interest, as opposed to the (standard) public interest contained in other provisions. Hence, according to the DPA, the interpretation of public interest must be more restrictive. The DPA referred to the Spanish Constitutional Court, which ruled that any limitations of the right to data protection must be set out in law and exist prior to any processing. Further, a legitimate aim pursued by the public interest cannot be laid down by general, indeterminate, or vague concepts and the limitation must be proportionate to the aim pursued. With reference to this, the DPA concluded that such a law did not exist in the Spanish acquis. The law referred to by the Commission (Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport) did not identify a justified substantial public interest or contain specific rules, nor did it provide for suitable and specific measures to safeguard the fundamental rights and interests of data subjects. While the provision referred to identity verification systems, it did not mention the specific possibility of using biometric systems.
Therefore, the DPA concluded that the envisaged processing, as schemed by the the Commission, could not rely on the legal basis of Article 9(2)(g) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Legal cabinet N/REF: 0098/2022 The consultation asks if the adoption of an agreement of the State Commission against Violence, Racism, Xenophobia and Intolerance, in the field of their powers, establishing measures for the compliance of the clubs consisting of the installation of biometric systems to control all the accesses to the stands of animation that allows the unequivocal identification of fans who access said stands, it would be legally viable in accordance with the regulatory data protection regulations. Said possibility would be protected, according to the consultation, in the competition legally attributed by article 13.1 of Law 19/2007, of July 11, against violence, racism, xenophobia and intolerance in sport, which the power to decide the implementation of additional security measures for the set of competitions or highly rated sporting events risk, or for venues that have been subject to closure sanctions with according to the second and third titles of this Law, including in particular that of b) Promote systems for verifying the identity of persons who process access to sports venues. Therefore, in the opinion of the consultant, the treatment of the data personal data of fans, including their biometric data, would be carried out in application of article 6.1.e) of Regulation (EU) 2016/679 General of Data Protection (RGPD), that is, that the processing of the data would be necessary “for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller”. In this case, the mission carried out by the Clubs/SAD in the public interest would be the to guarantee the safety and integrity of the people who come to the football stadiums, as well as prevent and avoid violations of rights of people, such as hate crimes and discrimination, to through the measures listed above. Likewise, when referring to the requested measure to the treatment of categories special data, the exception regulated in article 9.2.g) of the GDPR, that is, that the processing of biometric data "is necessary for reasons of essential public interest, on the basis of Union law or of the Member States, which must be proportional to the objective pursued, essentially respect the right to data protection and establish appropriate and specific measures to protect the interests and rights fundamentals of the interested party." In this regard, the agreement that in your case adopts the CEVRXID, it would also establish the appropriate measures and that the Clubs/SAD must adopt to protect the interests and c. Jorge Juan 6 www.aepd.es 28001 Madrid 1 Legal Office fundamental rights of the interested parties regarding the implementation of the additional measure required, as required by article 9.2.g) of the GDPR, previously referred to. It is also indicated that given that the additional measure would require the treatment of special categories of data, the agreement adopted by the CEVRXID in relation to the obligation to adopt the requested measure will require also that, before implanting it, the following is carried out: - A trial of proportionality, where it is analyzed from the point From a data protection point of view, both the suitability of the measure and the need for treatment and its proportionality in the sense strict. - An Impact Assessment on Data Protection that meets the requirements of article 35 of the GDPR. In short, the measure would guarantee that the treatment of personal identification data (including biometrics) that perform Clubs/SAD is carried out with due respect for the principles legality, loyalty and transparency, purpose limitation, minimization of data, accuracy, conservation, security, as well as proactive responsibility, as established in article 5 of the GDPR. In this way, according to the consultant, the measure would guarantee that the processing of personally identifiable data (including biometric data) carried out by the Clubs/SAD is carried out duly respecting the principles of legality, loyalty and transparency, limitation of purpose, data minimization, accuracy, conservation, security, as well as proactive responsibility, as established in article 5 of the GDPR. Yo Regulation (EU) 2016/679, of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons in what regarding the processing of personal data and the free circulation of these data and which repeals Directive 95/46/EC (General Regulation of data protection, GDPR) defines in its article 4.14 the biometric data as “personal data obtained from a specific technical treatment, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or dactyloscopic data. Article 9 of said standard regulates the treatment of categories special data types, including biometric data, establishing a general prohibition of its treatment in the following terms: c. Jorge Juan 6 www.aepd.es 28001 Madrid 2 Legal Office “The processing of personal data that reveals the ethnic or racial origin, political opinions, religious convictions or philosophical, or union affiliation, and the treatment of genetic data, data biometrics aimed at uniquely identifying a natural person, data relating to health or data relating to sexual life or orientation sex of a physical person.” In relation to the processing of biometric data, in our Report 36/2020, analyzing article 9.1 in relation to Recital 51 of the GDPR, as well as the Protocol of amendment to the Convention for the Protection of Individuals regarding the processing of personal data, approved by the Committee of Ministers at its 128th session in Elsinore on the 18th of May 2018 (108+ Agreement) we pointed out that In order to clarify the interpretative doubts that arise regarding the consideration of biometric data as categories special data can resort to the distinction between identification biometrics and biometric verification/authentication that established the Article 29 Group in its Opinion 3/2012 on the evolution of the biometric technologies: Biometric identification: the identification of an individual by a biometric system is normally the process of comparing your data biometrics (acquired at the time of identification) with a series of biometric templates stored in a database (i.e., a one-to-many mapping process). Biometric verification/authentication: Verification of a individual by a biometric system is normally the process of comparison between your biometric data (acquired at the time of verification) with a single biometric template stored in a device (i.e., a one-to-one mapping process to-one). This same differentiation is included in the White Paper on the artificial intelligence from the European Commission: “Regarding facial recognition, by “identification” it is understood that the facial image template of a person is compares with many other templates stored in a database to find out if your image is stored on it. The "authentication" (or "verification"), for its part, usually refers to searching for correspondences between two specific templates. Allows the comparison of two biometric templates that, in principle, they are supposed to belong to the same person; so, the two templates are are compared to determine if the person in the two images is the same. This procedure is used, for example, in the doors of c. Jorge Juan 6 www.aepd.es 28001 Madrid 3 Legal Office automated border control used in border controls of the airports. Considering the aforementioned distinction, it can be interpreted that, if In accordance with article 4 of the GDPR, the concept of biometric data would include both assumptions, both the identification and the verification/authentication. However, and in general, the biometric data will only be considered as a category of data in the cases in which they are submitted to treatment technique aimed at biometric identification (one-to-many) and not in the biometric verification/authentication case (one-to-one). However, this Agency considers that it is a question complex, subject to interpretation, with respect to which it is not possible to draw general conclusions, having to attend to the specific case according to the data processed, the techniques used for its treatment and the consequent interference in the right to data protection, should, as long as the Committee does not rule on the matter European Data Protection Agency or the courts, In case of doubt, the most favorable interpretation for the protection of the rights of those affected.” Consequently, in said report this Agency already highlighted the difficulty of separating the concepts of identification and authentication, which requires to be aware of the specific case and the particular techniques used in relation to the purpose pursued by the treatment, as well as the need to grant maximum protection to the rights of those affected against the use of techniques that can be more invasive to your privacy and generate more risks to their rights and freedoms. However, said criterion was subject to what could be established by the European Data Protection Committee or, where appropriate, by the courts. And, in this sense, the Guidelines 5/2022 of the Committee European Data Protection (Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement) pending in this time of final adoption after completion of the consultation process public, they clearly depart from said differentiation between authentication/verification and identification for the purpose of determining treatment of biometric data as a special category in section 12, concluding that both cases imply the treatment of special categories of data: While both functions – authentication and identification – are distinct, they both relate to the processing of biometric data related to an identified or identifiable natural person and therefore constitute a processing of personal data, and more specifically a processing of special categories of personal data. c. Jorge Juan 6 www.aepd.es 28001 Madrid 4 Legal Office Consequently, if said criterion is maintained at the time the proceeds to its final adoption, it will be necessary to review our criteria to adapt it to that maintained by the European Committee for Data Protection, understanding that the processing of biometric data, both in the cases of authentication/verification as identification implies a treatment of special categories of data, subject to the regime of general prohibition and exceptions of article 9 of the GDPR. In any case, in the present case there is no doubt that the consultation was refers to biometric data processing aimed at uniquely identifying to a natural person and, therefore, which implies the treatment of categories personal data specials. II The query refers to a case of biometric data processing with the purpose of verifying to identify, unequivocally, the fans who access the animation stands, implying, as indicated in the previous section, a treatment of special categories of data subject to the general rule of prohibition of the same (art. 9.1. GDPR). However, article 9.2 of the GDPR regulates exceptions to said general prohibition, invoking in the consultation, specifically, the collection in its letter g): g) the treatment is necessary for reasons of personal interest essential public, on the basis of Union or State law members, which must be proportional to the objective pursued, respect in the essential right to data protection and establish measures adequate and specific to protect the interests and rights fundamentals of the interested party; It is appropriate, therefore, to analyze whether in the present case the budgets established in article 9.2.g) to lift the prohibition of processing of biometric data, also taking into account the jurisprudence of the Constitutional Court, the European Court of Rights Rights and the Constitutional Court regarding the limitations of the right fundamental to the protection of personal data. This Agency has had the opportunity to pronounce, on various occasions, with respect to the requirements established by article 9.2.g) of the GDPR for be able to cover the processing of biometric data, particularly with respect to those based on facial recognition, given the proliferation of proposals received in relation to them from different spheres, which shows c. Jorge Juan 6 www.aepd.es 28001 Madrid 5 Legal Office manifest the growing interest in using these systems and the constant concern of this control authority, as they are systems of very intrusive to the fundamental rights and freedoms of natural persons. Concern that is shared by the rest of control authorities for years, as evidenced by the Biometrics Working Paper, adopted on August 1, 2003 by the Group of 29, or the subsequent Opinion 3/2012 on the evolution of the biometric technologies, adopted on April 27, 2012, and which has led to that the Community legislator himself include these data among the categories special data in the GDPR. Thus, being prohibited treatment in general, any exception to said prohibition will have to be subject to restrictive interpretation. In this regard, it should be noted, in addition to the aforementioned report 36/2020, referred to the use of facial recognition techniques in carrying out online assessment tests, report 31/2019 on the incorporation of facial recognition systems in video surveillance services under the of article 42 of the Private Security Law or Report 97/2020 regarding the Draft Order of the Minister of Economic Affairs and Transformation Digital on non-presential identification methods for the issuance of qualified electronic certificates. In all these cases it was concluded that there was a legal standard in the Spanish legal system that met the requirements of article 9.2.g) of the GDPR, so that the treatment only could rely on the consent of those affected as long as it remained guaranteed that it is free. Analyzing the requirements of article 9.2.g) in our Report 36/2020 we pointed out the following: V The next question that arises in the consultation is whether the processing of biometric data by recognition systems facial expression in online evaluation processes could rely on the existence of an essential public interest in accordance with article 9.2.g) of the GDPR: g) the processing is necessary for reasons of public interest essential, on the basis of Union or Member States law members, which must be proportional to the objective pursued, respect in the essential right to data protection and establish measures adequate and specific to protect the interests and rights fundamentals of the interested party. As we indicated previously, the data processing personnel necessary for the provision of the public service of c. Jorge Juan 6 www.aepd.es 28001 Madrid 6 Legal Office Higher education is legitimized, in general, in the existence of a public interest under the provisions of article 6.1.e) of the GDPR. However, in the case of special categories of data, the case contemplated in letter g) of article 9.2. does not refer only to the existence of a public interest, as it does in many other of its precepts the RGPD, but it is the only precept of the RGPD that requires that it be "essential", an adjective that comes to qualify said public interest, taking into account the importance and necessity of greater protection of the data processed. Said precept finds its precedent in article 8.4 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, regarding the protection of natural persons in terms of that respects the processing of personal data and the free movement of these data: “4. As long as they have adequate guarantees, the Member States may, for reasons of important public interest, establish other exceptions, in addition to those provided for in section 2, either through their national legislation, or by decision of the authority of control". However, its reading results in greater rigor in a new regulation by the GDPR, since the adjective "important" is replaced by "essential" and it is not allowed that the exception can be established by the control authorities. In relation to what should be understood by public interest essential, the Jurisprudence of the European Court of Human Rights, which under Article 8 of the European Convention on Human Rights, has been considering that the processing of personal data constitutes a lawful interference in the right to respect for private life and can only be carried out if performed in accordance with the law, serves a legitimate purpose, respects the essence of fundamental rights and freedoms and it is necessary and provided in a democratic society to achieve an end legitimate ( D.L. against Bulgaria, nº 7472/14, May 19, 2016, Dragojević v. Croatia, no. 68955/11, January 15, 2015, Peck v. United Kingdom, No. 44647/98, January 28, 2003, Leander v. Sweden, no. 9248/81, March 26, 1987, among others). As he points out In the last sentence cited, "the concept of necessity implies that the interference responds to a pressing social need and, in particular, that is proportionate to the legitimate aim that it pursues”. Likewise, the doctrine of the Court must be taken into account Constitutional regarding the restrictions to the fundamental right to data protection, which is summarized in judgment 292/2000, dated 30 November, in which after configuring the fundamental right to protection of personal data as an autonomous right and independent power that consists of a power of disposition and control on personal data that empowers the person to decide which c. Jorge Juan 6 www.aepd.es 28001 Madrid 7 Legal Office of these data to provide to a third party, be it the State or an individual, or which this third party can collect, and which also allows the individual know who owns that personal data and for what, being able to oppose that possession or use, analyzes its limits, pointing out in the following: More specifically, in the Judgments mentioned regarding the data protection, this Court has declared that the right to Data protection is not unlimited, and although the Constitution does not expressly impose specific limits, nor refer to the Powers Public for its determination as it has done with other rights fundamental, there is no doubt that they will find them in the remaining fundamental rights and legal rights constitutionally protected, as required by the principle of unity of the Constitution (SSTC 11/1981, of April 8, F. 7; 196/1987, of April 11, December [RTC 1987, 196], F. 6; and regarding art. 18, JTS 110/1984, F. 5). These limits may either be direct restrictions of the fundamental right itself, which has been alluded to before, or may be restrictions on the way, time or place of exercise of the fundamental right. In the first case, regulating those limits is a form of development of the fundamental right. In the second, the limits that are fixed are to the concrete form in which it is possible to exert the beam of faculties that make up the content of the fundamental right in matter, constituting a way of regulating its exercise, which The ordinary legislator can do in accordance with the provisions of art. 53.1 EC. The first observation that must be made, which is not obvious, is less capital, is that the Constitution has wanted the Law, and only the Law, can set the limits to a fundamental right. Rights Fundamentals can, of course, yield to goods, and even constitutionally relevant interests, provided that the cut that undergo is necessary to achieve the intended legitimate purpose, provided to achieve it and, in any case, be respectful of the essential content of the restricted fundamental right (SSTC 57/1994, of February 28 [RTC 1994, 57], F. 6; 18/1999, of February 22 [RTC 1999, 18], F. 2). Precisely, if the Law is the only one authorized by the Constitution to set limits to fundamental rights and, in the case present, to the fundamental right to data protection, and those limits cannot be different from those constitutionally established, which for the case are none other than those derived from the coexistence of this fundamental right with other legal rights and goods of rank constitutional, the legal empowerment that allows a Public Power collect, store, process, use and, where appropriate, transfer personal data, it is only justified if it responds to the protection of other rights constitutionally protected assets or assets. So if those operations with the personal data of a person are not c. Jorge Juan 6 www.aepd.es 28001 Madrid 8 Legal Office carried out with strict observance of the norms that regulate it, violates the right to data protection, since limits are imposed constitutionally illegitimate, either to its content or to the exercise of the bundle of faculties that compose it. How will that violate it too? Limitative law if it regulates the limits in such a way that they make the fundamental right affected or ineffective the guarantee that the Constitution grants you And so it will be when the Law, which should regulate the limits to fundamental rights with scrupulous respect for their content essential, is limited to empowering another Public Power to establish in each the restrictions that may be imposed on the rights fundamentals, whose unique determination and application will be at risk of the decisions adopted by that Public Power, who may decide, in what interests us now, about obtaining, storing, treatment, use and transfer of personal data in the cases that it deems convenient and brandishing, even, interests or assets that are not protected with constitutional rank […]”. (Legal Basis 11) “On the one hand, because although this Court has declared that the The Constitution does not prevent the State from protecting legal rights or assets to cost of the sacrifice of others equally recognized and, therefore, that the legislator may impose limitations on the content of rights fundamentals or their exercise, we have also specified that, in such assumptions, these limitations must be justified in the protection of other rights or constitutional goods (SSTC 104/2000, of 13 December April [ RTC 2000, 104] , F. 8 and those cited there) and, in addition, they must be proportionate to the purpose pursued with them (SSTC 11/1981, F. 5, and 196/1987, F. 6). Well, otherwise they would incur in arbitrariness proscribed by art. 9.3 EC. On the other hand, even having a constitutional foundation and being proportionate the limitations of the fundamental right established by Law ( STC 178/1985 [ RTC 1985, 178] ), these may violate the Constitution if they suffer from a lack of certainty and predictability in the very limits they impose and their way of application. Conclusion that is corroborated by the Court's jurisprudence European Commission on Human Rights that has been cited in F. 8 and that here must be reproduced. And it should also be noted that not only would harm the principle of legal certainty (art. 9.3 CE), conceived as certainty about the applicable law and expectation reasonably founded of the person on what should be the performance of power applying the Law (STC 104/2000, F. 7, for all), but that at the same time said Law would be harming the essential content of the fundamental right thus restricted, given that the way in which it is have set their limits make it unrecognizable and make it impossible, in the practice, its exercise (SSTC 11/1981, F. 15; 142/1993, of April 22 [ RTC 1993, 142] , F. 4, and 341/1993, of November 18 [ RTC 1993, c. Jorge Juan 6 www.aepd.es 28001 Madrid 9 Legal Office 341], F. 7). So that the lack of precision of the Law in the material assumptions of the limitation of a fundamental right is likely to generate an indeterminacy about the cases to which apply such a restriction. And when this result occurs, beyond all reasonable interpretation, the Law no longer fulfills its function of guaranteeing the own fundamental right that it restricts, since it allows instead simply operate the will of who has to apply it, undermining thus both the effectiveness of the fundamental right and the legal certainty […]”. (FJ 15). “More specifically, in relation to the fundamental right to privacy we have highlighted not only the need for your possible limitations are based on a legal provision that has constitutional justification and that they be proportionate (SSTC 110/1984, F. 3, and 254/1993, F. 7) but the Law that restricts this right must accurately express each and every material budget of the limiting measure. Otherwise, it is wrong to understand that the judicial resolution or the administrative act that applies it are founded in the Law, since what it has done, making abandonment of its functions, is to empower other Public Powers so that they are who set the limits to the fundamental right (SSTC 37/1989, of 15 of February [RTC 1989, 37], and 49/1999, of April 5 [RTC 1999, 49]). Similarly, regarding the right to data protection personal, it can be estimated that the constitutional legitimacy of the restriction of this right cannot be based, by itself, on the activity of the Public Administration. Nor is it enough that the Law empowers it to specify its limits in each case, limiting itself to indicate that you must make such precision when there is any right or well constitutionally protected. It is the legislator who must determine when that good or right that justifies the restriction of the right to the protection of personal data and in what circumstances can be limited and, furthermore, it is he who must do it by means of precise rules that make the interested party foreseeable imposition of such limitation and its consequences. Well, in another case legislator would have transferred to the Administration the performance of a function that only corresponds to him in terms of fundamental rights in By virtue of the legal reservation of art. 53.1 CE, that is, establish clearly the limit and its regulation. […] (FJ 16)”. Likewise, our Constitutional Court has already had the opportunity to rule specifically on article 9.2.g) of the GDPR, as a consequence of the challenge of article 58 bis of the Law Organic 5/1985, of June 19, of the General Electoral Regime, introduced by the third final provision of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of the digital rights, regarding the legitimacy of data collection c. Jorge Juan 6 www.aepd.es 28001 Madrid 10 Legal Office personal information relating to the political opinions of the persons who carry carried out by political parties in the framework of their electoral activities, precept that was declared unconstitutional by Judgment no. 76/2019 of May 22. Said sentence analyzes, firstly, the legal regime to which that is subject to the treatment of the special categories of data in the GDPR: In accordance with paragraph 1 of art. 9 GDPR, the processing of personal data that reveal political opinions, in the same way as the processing of personal data that reveals ethnic or racial origin, religious or philosophical convictions or trade union membership and processing of genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data relating to sexual life or orientation sex of a natural person. However, section 2 of the same precept authorizes the processing of all such data when concurs any of the ten circumstances provided therein [letters a) to j)]. Some of These circumstances have a limited scope of application (labor, social, associative, health, judicial, etc.) or respond to a purpose determined, therefore, in themselves, delimit the treatments that authorize as an exception to the general rule. Besides, the enabling efficacy of several of the assumptions provided therein is conditioned to the fact that the Law of the Union or that of the States members expressly foresee and regulate them in their scope of competences: this is the case of the circumstances included in letters a), b), g), h), i) and j). Processing of special categories of personal data is one of the areas in which the Regulation expressly General of Data Protection has recognized the Member States "room for manoeuvre" when it comes to "specifying its rules", as qualifies its recital 10. This margin of legislative configuration extends both to the determination of the enabling causes for the processing of specially protected personal data -is that is, to the identification of the purposes of essential public interest and the assessment of the proportionality of the treatment to the end persecuted, essentially respecting the right to protection of data - such as the establishment of "adequate measures and to protect the interests and fundamental rights of the interested party" [art. 9.2 g) GDPR]. The Regulation contains, for Therefore, a concrete obligation of the Member States of establish such guarantees, in the event that they enable to treat specially protected personal data. In relation to the first of the requirements demanded by article 9.2.g), the invocation of an essential public interest and the necessary c. Jorge Juan 6 www.aepd.es 28001 Madrid 11 Legal Office specification thereof, the High Court recalls what was stated in its judgment 292/2000 in which it was rejected that the identification of the legitimate purposes of the restriction could be done through concepts generic or vague formulas, considering that the restriction of the right fundamental to the protection of personal data cannot be based, by itself, in the generic invocation of an indeterminate "interest public" : In the aforementioned STC 292/2000 (RTC 2000, 292), in which Legislative interference in the right to protection of personal data, we reject that the identification of the legitimate purposes of the restriction could be done through concepts generic or vague formulas: "16. [...] In the same way, regarding the right to the protection of personal data, it can be estimated that the constitutional legitimacy of the restriction of this right cannot be based, by itself, on the activity of the Public Administration. Nor is it enough that the Law empowers it to specify its limits in each case, limiting itself to indicate that you must make such precision when there is any right or well constitutionally protected. It is the legislator who must determine when that good or right that justifies the restriction of the right to the protection of personal data and in what circumstances can be limited and, furthermore, it is he who must do it by means of precise rules that make the interested party foreseeable imposition of such limitation and its consequences. Well, in another case legislator would have transferred to the Administration the performance of a function that only corresponds to him in terms of fundamental rights in By virtue of the legal reservation of art. 53.1 CE, that is, establish clearly the limit and its regulation. 17. In the present case, employment by the LOPD (RCL 2018, 1629) in his art. 24.1 of the expression "control and verification functions", opens a space of uncertainty so wide that it causes a double and perverse consequence. On the one hand, by enabling the LOPD to the Administration to restrict fundamental rights invoking such an expression is renouncing to set the limits itself, empowering the Administration to do so. And in such a way that As the Ombudsman points out, it allows redirecting the same practically all administrative activity, since all activity administration that involves establishing a legal relationship with a administered, which will be the case in practically all cases in which the Administration needs someone's personal data, it will entail Ordinarily the authority of the Administration to verify and control that this administered has acted in accordance with the administrative legal regime of the legal relationship established with the Administration. which, in view of reason for restriction of the right to be informed of art. 5 LOPD, leave in the most absolute uncertainty to the citizen about in which cases this circumstance will occur (if not in all) and add to the inefficiency c. Jorge Juan 6 www.aepd.es 28001 Madrid 12 Legal Office any jurisdictional guardianship mechanism that must prosecute Such an assumption of restriction of fundamental rights without another complementary criterion that comes to the aid of its control of the administrative action in this matter. The same reproaches also deserve the use in art. 24.2 LOPD of the expression "public interest" as the basis of the imposition of limits to the fundamental rights of art. 18.1 and 4 CE, because it contains an even greater degree of uncertainty. just notice that all administrative activity, ultimately, pursues the safeguarding of general interests, the achievement of which constitutes the purpose to which the Administration must objectively serve with according to art. 103.1 CE." This argument is fully transferable to the present prosecution. Similarly, therefore, we must conclude that the constitutional legitimacy of the restriction of the fundamental right to personal data protection cannot be based, by itself, on the generic invocation of an indeterminate "public interest". well in another case, the legislator would have transferred the political parties -whom the challenged provision empowers to collect personal data relating to to the political opinions of people in the framework of their activities elections - the performance of a function that is the sole responsibility of him in matter of fundamental rights by virtue of the reservation of the Law of the art. 53.1 CE, that is, clearly establish its limits and its regulation. Nor can it be accepted, as equally imprecise, the purpose adduced by the lawyer of the State, which refers to the functioning of the democratic system, since it also contains a high degree of uncertainty and may involve circular reasoning. On the one hand, political parties are by themselves "necessary channels for the functioning of the democratic system" (for all, STC 48/2003, of March 12 (RTC 2003, 48), FJ 5); and, on the other hand, all functioning of the democratic system pursues, ultimately, the safeguarding of constitutional aims, values and assets, but this does not reaches to identify the reason why the right should be restricted fundamental affected. Finally, it should be specified that it is not necessary to be able to suspect, with greater or lesser grounds, that the restriction pursues an unconstitutional purpose, or that the data collected and processed will be harmful to the private sphere and the exercise of rights. rights of individuals. It is enough to note that, by not to be able to identify with sufficient precision the purpose of the treatment of data, the constitutional character cannot be prosecuted legitimate use of that purpose, nor, where appropriate, the proportionality of the measure provided in accordance with the principles of suitability, necessity and proportionality in the strict sense. c. Jorge Juan 6 www.aepd.es 28001 Madrid 13 Legal Office On the other hand, regarding the guarantees that the legislator, the aforementioned judgment no. 76/2019 of May 22, after remember that "In view of the potential intrusive effects on the affected fundamental right resulting from data processing personal data, the jurisprudence of this Court requires the legislator to, In addition to meeting the aforementioned requirements, you also establish adequate guarantees of a technical, organizational and procedural, that prevent risks of different probability and severity and mitigate its effects, because only in this way can the respect for the essential content of the fundamental right itself”, analyzes What is the norm that must contain the aforementioned guarantees: "Therefore, the resolution of this challenge requires that clarify a doubt raised regarding the scope of our doctrine on adequate guarantees, which consists of determining whether adequate guarantees against the use of information technology must be contained in the law that authorizes and regulates that use or may can also be found in other normative sources. The question can only have a constitutional answer. The provision of adequate guarantees cannot be deferred to a moment after the legal regulation of the processing of personal data of in question Appropriate safeguards should be built into the own legal regulation of the treatment, either directly or through express and perfectly delimited reference to external sources that have the appropriate regulatory status. Only that understanding is compatible with the double requirement arising from art. 53.1 EC (RCL 1978, 2836) for the legislator of fundamental rights: the reservation of law for the regulation of the exercise of fundamental rights recognized in the second chapter of the first title of the Constitution and respect for the essential content of said fundamental rights. According to reiterated constitutional doctrine, the reserve of law is not limited to requiring that a law enable the restrictive measure of rights fundamental, but it is also necessary, according to both requirements called -sometimes- normative predetermination and -others- regarding the quality of the law as well as respect for the essential content of the law, that in this regulation the legislator, who is obliged to primary way to weigh the rights or interests in conflict, predetermine the assumptions, conditions and guarantees in which the adoption of restrictive measures of rights is appropriate fundamental. That mandate of predetermination regarding essential elements, also ultimately linked to the judgment of proportionality of the limitation of the fundamental right, cannot be deferred to a subsequent legal or regulatory development, nor it can be left in the hands of the individuals themselves” (FJ 8). Therefore, the processing of biometric data to the under article 9.2.g) requires that it be provided for in a standard c. Jorge Juan 6 www.aepd.es 28001 Madrid 14 Legal Office of European or national law, having in the latter case said norm, according to the aforementioned constitutional doctrine and the provisions in article 9.2 of the LOPDGDD, rank of law. Said law shall, also specify the essential public interest that justifies the restriction of the right to the protection of personal data and in what circumstances can be limited, establishing the rules that make the imposition of such a law foreseeable to the interested party limitation and its consequences, without it being sufficient, to these effects, the generic invocation of a public interest. and said law must also establish the appropriate type of guarantees technical, organizational and procedural, that prevent risks of different probability and severity and mitigate their effects. In addition, said law must in all cases respect the principle of proportionality, as recalled in the Judgment of the Court Constitutional 14/2003, of January 28: In other words, pursuant to a settled doctrine of this Court, the constitutionality of any restrictive measure of fundamental rights is determined by the strict observance of the principle of proportionality. For the purposes that matter here enough remember that, in order to check whether a restrictive measure of a fundamental right overcomes the proportionality judgment, it is necessary verify if it meets the following three requirements or conditions: if the measure is capable of achieving the proposed objective (judgment of suitability); if, moreover, it is necessary, in the sense that there is no other more moderate measure for the achievement of such purpose with the same effectiveness (judgment of necessity); and, finally, if it is weighted or balanced, because it derives from it more benefits or advantages for the general interest than damages to other goods or values in conflict (judgment of proportionality in the strict sense; SSTC 66/1995, of 8 May [RTC 1995, 66], F. 5; 55/1996, of March 28 [RTC 1996, 55] , FF. 7, 8 and 9; 270/1996, of December 16 [RTC 1996, 270], F. 4.e; 37/1998, of February 17 [RTC 1998, 37], F. 8; 186/2000, of 10 July [ RTC 2000, 186] , F. 6).” The conclusions reached in the aforementioned case are transferable to the present, since the treatment of the special categories of data seeks to rely on the power of the Commission to promote systems of verification of the identity of the people who try to access the premises sports, under the terms provided in article 13.1. of Law 19/2007, of July 11. Said precept is developed by article 15.3 of the Royal Decree 203/2010, of February 26, which approves the Regulation of c. Jorge Juan 6 www.aepd.es 28001 Madrid 15 Legal Office prevention of violence, racism, xenophobia and intolerance in the sport: 3. In the cases contemplated in article 13.1 of the Law 19/2007, of July 11, verification and monitoring of identity of those who purchase tickets or control the distribution of localities will be carried out by implementing ticket sales systems nominative and developing procedures that allow to supervise the distribution of assigned locations and to know the identity of the holders of access titles to sports facilities. The treatment of the data obtained in accordance with these procedures will be limited to providing information on who access or attempt to access sports venues, with the purpose of to ensure compliance with existing prohibitions and, where appropriate, case, purge the responsibilities that may arise. The organizers will cancel the data of the people who they would have accessed the sporting event when it concludes, keeping exclusively the data necessary to identify who may have engaged in conduct prohibited by law 19/2007, of July 11, which may only be transferred to the authorities or competent bodies in matters of public safety. As can be seen, article 13.1 of Law 19/2007, of 11 December July refers to identity verification systems, but does not considers the possibility that said systems may involve treatments of biometric data, nor does it establish the pertinent and adequate guarantees for the protection of the fundamental right to the protection of personal data. This possibility is not provided for in article 15.3 of the Royal Decree either. 203/2010, of February 26, although it should be noted that said standard would lack, as has been explained, the appropriate legal status for proceed to the regulation of the treatment of special categories of data personal. Therefore, claiming in the processing of personal data included in the special categories of data referred to in the article 9.1. of the RGPD, since it is about biometric data directed to the identification of natural persons, it is a prerequisite that some of the circumstances contemplated in section 2 that lifts the prohibition of treatment of said data, established in general in its section 1, requiring article 9.2. of the LOPDGDD that "Treatments of data referred to in letters g), h) and i) of article 9.2 of Regulation (EU) 2016/679 founded on Spanish law must be covered by a standard with the force of law, which may establish additional requirements relating to your security and confidentiality. not existing, as indicated, norm that enables said treatment under article 9.2.g) of the GDPR, since c. Jorge Juan 6 www.aepd.es 28001 Madrid 16 Legal Office that article 13.1. does not meet the legal requirements and jurisprudentially, as has been analyzed in the present report. And without said gap being able to be filled by means of an agreement of the CEVRXID, as it does not have the appropriate regulatory range. In this sense, as already As indicated, the jurisprudence of the Constitutional Court is clear regarding of the norm that must contain the adequate guarantees that cannot be be deferred to a time after the legal regulation of data processing personal in question. Adequate safeguards must be incorporated to the legal regulation of the treatment itself, either directly or by referral expressly and perfectly delimited to external sources that have the rank adequate normative (Ruling 76/2019 of May 22, FJ 8) Consequently, it must be concluded that the adoption of an agreement of the State Commission against Violence, Racism, Xenophobia and Intolerance, within the scope of its powers, establishing measures for the compliance of the clubs consisting of the installation of biometric systems for the control of all access to the stands of animation that allows the unequivocal identification of the fans who access said stands, is not in accordance with the regulations governing Data Protection. c. Jorge Juan 6 www.aepd.es 28001 Madrid 17