AEPD (Spain) - 0098/2022: Difference between revisions
From GDPRhub
No edit summary |
|||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 63: | Line 63: | ||
}} | }} | ||
In a prior consultation, the Spanish DPA held that the State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport could not rely on [[Article 9 GDPR|Article 9(2)(g) GDPR]] in order to process biometric data of football fans entering stadiums. | |||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
The State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport | The State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport (the Commission) wanted to install biometric identification systems at the entrances to sport stadiums in order to univocally identify football fans. In this regard, [https://www.boe.es/buscar/act.php?id=BOE-A-2007-13408 Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport] gives the Commission the power to implement additional security measures for high risk competitions and events. | ||
Article | The Commission asked the Spanish DPA for a prior consultation (presumably under [[Article 36 GDPR]]) regarding the compliance of the envisaged processing with the GDPR. According to the Commission, the legal basis was [[Article 6 GDPR|Article 6(1)(e) GDPR]], as processing was necessary for the performance of a task carried out in the public interest, such interest being the safety and integrity of persons attending football stadiums, as well as prevention of fundamental rights violations in the form of hate crimes and discrimination. Additionally, the Commission relied on [[Article 9 GDPR|Article 9(2)(g) GDPR]], which refers to processing of sensitive data that is necessary for reasons of a substantial public interest. | ||
The Commission indicated that it would issue a resolution defining the adequate and specific measures that clubs should undertake in order to protect the interests and fundamental rights of data subjects. The Commission also stated that it would carry out a proportionality assessment and an additional DPIA under [[Article 35 GDPR]], in order to guarantee the adherence to the principles of [[Article 5 GDPR]]. | |||
===Holding === | |||
First, the Spanish DPA stated that the installation of biometric identification systems would constitute processing of special categories of data within the meaning of [[Article 9 GDPR]]. The DPA recalled the definition of ‘biometric data’ as meaning 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data' ([[Article 4 GDPR#14|Article 4(14) GDPR]]). | |||
Second, the DPA emphasised the need to distinguish between biometric identification and biometric authentication, as defined by the Article 29 Working Party in [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf Opinion 3/2012 on developments in biometric technologies]. According to this Opinion, biometric identification means the ''identification'' of an individual by comparing biometric data acquired at the time of the identification to ''a number of biometric templates'' stored in a database, whereas biometric authentification means the ''verification'' of an individual by comparing the biometric data acquired at the time of the verification to a ''single biometric template'' stored in a device. The DPA relied in its assessment on the EDPB's [https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-052022-use-facial-recognition_en Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement] which uphold that both techniques constitute processing of special categories of data. The DPA manifested its concern for the proliferation of biometric identification systems, which are considered to be particularly intrusive for the rights and freedoms of data subjects. | |||
The | Third, with regards to the envisaged legal basis, the DPA noted that [[Article 9 GDPR|Article 9(2)(g) GDPR]] makes reference to a ''substantial'' public interest, as opposed to the (standard) public interest contained in other provisions. Hence, according to the DPA, the interpretation of public interest must be more restrictive. The DPA referred to the Spanish Constitutional Court, which ruled that any limitations of the right to data protection must be set out in law and exist prior to any processing. Further, a legitimate aim pursued by the public interest cannot be laid down by general, indeterminate, or vague concepts and the limitation must be proportionate to the aim pursued. With reference to this, the DPA concluded that such a law did not exist in the Spanish acquis. The law referred to by the Commission ([https://www.boe.es/buscar/act.php?id=BOE-A-2007-13408 Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport]) did not identify a justified substantial public interest or contain specific rules, nor did it provide for suitable and specific measures to safeguard the fundamental rights and interests of data subjects. While the provision referred to identity verification systems, it did not mention the specific possibility of using biometric systems. | ||
Therefore, the DPA concluded that the envisaged processing, as schemed by the the Commission, could not rely on the legal basis of [[Article 9 GDPR|Article 9(2)(g) GDPR]]. | |||
==Comment== | ==Comment== | ||
Latest revision as of 13:57, 1 February 2023
| AEPD - 0098/2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1)(e) GDPR Article 9(2)(g) GDPR Act Against Violence, Racism, Xenophobia and Intolerance in Sport |
| Type: | Advisory Opinion |
| Outcome: | n/a |
| Started: | |
| Decided: | |
| Published: | 20.01.2023 |
| Fine: | n/a |
| Parties: | Comisión Estatal contra la Violencia, el Racismo, la Xenofobia y la Intolerancia |
| National Case Number/Name: | 0098/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Carmen Villarroel |
In a prior consultation, the Spanish DPA held that the State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport could not rely on Article 9(2)(g) GDPR in order to process biometric data of football fans entering stadiums.
English Summary
Facts
The State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport (the Commission) wanted to install biometric identification systems at the entrances to sport stadiums in order to univocally identify football fans. In this regard, Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport gives the Commission the power to implement additional security measures for high risk competitions and events.
The Commission asked the Spanish DPA for a prior consultation (presumably under Article 36 GDPR) regarding the compliance of the envisaged processing with the GDPR. According to the Commission, the legal basis was Article 6(1)(e) GDPR, as processing was necessary for the performance of a task carried out in the public interest, such interest being the safety and integrity of persons attending football stadiums, as well as prevention of fundamental rights violations in the form of hate crimes and discrimination. Additionally, the Commission relied on Article 9(2)(g) GDPR, which refers to processing of sensitive data that is necessary for reasons of a substantial public interest.
The Commission indicated that it would issue a resolution defining the adequate and specific measures that clubs should undertake in order to protect the interests and fundamental rights of data subjects. The Commission also stated that it would carry out a proportionality assessment and an additional DPIA under Article 35 GDPR, in order to guarantee the adherence to the principles of Article 5 GDPR.
Holding
First, the Spanish DPA stated that the installation of biometric identification systems would constitute processing of special categories of data within the meaning of Article 9 GDPR. The DPA recalled the definition of ‘biometric data’ as meaning 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data' (Article 4(14) GDPR).
Second, the DPA emphasised the need to distinguish between biometric identification and biometric authentication, as defined by the Article 29 Working Party in Opinion 3/2012 on developments in biometric technologies. According to this Opinion, biometric identification means the identification of an individual by comparing biometric data acquired at the time of the identification to a number of biometric templates stored in a database, whereas biometric authentification means the verification of an individual by comparing the biometric data acquired at the time of the verification to a single biometric template stored in a device. The DPA relied in its assessment on the EDPB's Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement which uphold that both techniques constitute processing of special categories of data. The DPA manifested its concern for the proliferation of biometric identification systems, which are considered to be particularly intrusive for the rights and freedoms of data subjects.
Third, with regards to the envisaged legal basis, the DPA noted that Article 9(2)(g) GDPR makes reference to a substantial public interest, as opposed to the (standard) public interest contained in other provisions. Hence, according to the DPA, the interpretation of public interest must be more restrictive. The DPA referred to the Spanish Constitutional Court, which ruled that any limitations of the right to data protection must be set out in law and exist prior to any processing. Further, a legitimate aim pursued by the public interest cannot be laid down by general, indeterminate, or vague concepts and the limitation must be proportionate to the aim pursued. With reference to this, the DPA concluded that such a law did not exist in the Spanish acquis. The law referred to by the Commission (Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport) did not identify a justified substantial public interest or contain specific rules, nor did it provide for suitable and specific measures to safeguard the fundamental rights and interests of data subjects. While the provision referred to identity verification systems, it did not mention the specific possibility of using biometric systems.
Therefore, the DPA concluded that the envisaged processing, as schemed by the the Commission, could not rely on the legal basis of Article 9(2)(g) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Legal cabinet
N/REF: 0098/2022
The consultation asks if the adoption of an agreement of the State Commission
against Violence, Racism, Xenophobia and Intolerance, in the field of
their powers, establishing measures for the compliance of the clubs
consisting of the installation of biometric systems to control all
the accesses to the stands of animation that allows the unequivocal identification of
fans who access said stands, it would be legally viable
in accordance with the regulatory data protection regulations.
Said possibility would be protected, according to the consultation, in the competition
legally attributed by article 13.1 of Law 19/2007, of July 11,
against violence, racism, xenophobia and intolerance in sport, which
the power to decide the implementation of additional security measures
for the set of competitions or highly rated sporting events
risk, or for venues that have been subject to closure sanctions with
according to the second and third titles of this Law, including in particular that of
b) Promote systems for verifying the identity of persons who process
access to sports venues.
Therefore, in the opinion of the consultant, the treatment of the data
personal data of fans, including their biometric data, would be carried out in
application of article 6.1.e) of Regulation (EU) 2016/679 General of
Data Protection (RGPD), that is, that the processing of the data would be
necessary “for the fulfillment of a mission carried out in the public interest or
in the exercise of public powers conferred on the data controller”.
In this case, the mission carried out by the Clubs/SAD in the public interest would be the
to guarantee the safety and integrity of the people who come to the
football stadiums, as well as prevent and avoid violations of rights
of people, such as hate crimes and discrimination, to
through the measures listed above.
Likewise, when referring to the requested measure to the treatment of categories
special data, the exception regulated in article 9.2.g) of the
GDPR, that is, that the processing of biometric data "is necessary for
reasons of essential public interest, on the basis of Union law
or of the Member States, which must be proportional to the objective pursued,
essentially respect the right to data protection and establish
appropriate and specific measures to protect the interests and rights
fundamentals of the interested party." In this regard, the agreement that in your case
adopts the CEVRXID, it would also establish the appropriate measures and
that the Clubs/SAD must adopt to protect the interests and
c. Jorge Juan 6 www.aepd.es
28001 Madrid
1 Legal Office
fundamental rights of the interested parties regarding the implementation of the
additional measure required, as required by article 9.2.g) of the GDPR,
previously referred to.
It is also indicated that given that the additional measure would require the
treatment of special categories of data, the agreement adopted by the
CEVRXID in relation to the obligation to adopt the requested measure will require
also that, before implanting it, the following is carried out:
- A trial of proportionality, where it is analyzed from the point
From a data protection point of view, both the suitability of the measure and the
need for treatment and its proportionality in the sense
strict.
- An Impact Assessment on Data Protection that
meets the requirements of article 35 of the GDPR.
In short, the measure would guarantee that the treatment of
personal identification data (including biometrics) that perform
Clubs/SAD is carried out with due respect for the principles
legality, loyalty and transparency, purpose limitation, minimization
of data, accuracy, conservation, security, as well as
proactive responsibility, as established in article 5 of the GDPR.
In this way, according to the consultant, the measure would guarantee that the
processing of personally identifiable data (including biometric data)
carried out by the Clubs/SAD is carried out duly respecting the
principles of legality, loyalty and transparency, limitation of purpose,
data minimization, accuracy, conservation, security, as well as
proactive responsibility, as established in article 5 of the GDPR.
Yo
Regulation (EU) 2016/679, of the European Parliament and of the Council of
April 27, 2016 regarding the protection of natural persons in what
regarding the processing of personal data and the free circulation of these
data and which repeals Directive 95/46/EC (General Regulation of
data protection, GDPR) defines in its article 4.14 the biometric data
as “personal data obtained from a specific technical treatment,
relating to the physical, physiological or behavioral characteristics of a
natural person that allow or confirm the unique identification of said
person, such as facial images or dactyloscopic data.
Article 9 of said standard regulates the treatment of categories
special data types, including biometric data,
establishing a general prohibition of its treatment in the following
terms:
c. Jorge Juan 6 www.aepd.es
28001 Madrid
2 Legal Office
“The processing of personal data that reveals the
ethnic or racial origin, political opinions, religious convictions or
philosophical, or union affiliation, and the treatment of genetic data, data
biometrics aimed at uniquely identifying a natural person,
data relating to health or data relating to sexual life or orientation
sex of a physical person.”
In relation to the processing of biometric data, in our
Report 36/2020, analyzing article 9.1 in relation to Recital 51
of the GDPR, as well as the Protocol of amendment to the Convention for the Protection
of Individuals regarding the processing of personal data, approved
by the Committee of Ministers at its 128th session in Elsinore on the 18th of
May 2018 (108+ Agreement) we pointed out that
In order to clarify the interpretative doubts that arise
regarding the consideration of biometric data as categories
special data can resort to the distinction between identification
biometrics and biometric verification/authentication that established the
Article 29 Group in its Opinion 3/2012 on the evolution of the
biometric technologies:
Biometric identification: the identification of an individual by a
biometric system is normally the process of comparing your data
biometrics (acquired at the time of identification) with a series
of biometric templates stored in a database (i.e.,
a one-to-many mapping process).
Biometric verification/authentication: Verification of a
individual by a biometric system is normally the process of
comparison between your biometric data (acquired at the time of
verification) with a single biometric template stored in a
device (i.e., a one-to-one mapping process
to-one).
This same differentiation is included in the White Paper on the
artificial intelligence from the European Commission:
“Regarding facial recognition, by “identification”
it is understood that the facial image template of a person is
compares with many other templates stored in a database
to find out if your image is stored on it. The
"authentication" (or "verification"), for its part, usually refers to
searching for correspondences between two specific templates.
Allows the comparison of two biometric templates that, in principle,
they are supposed to belong to the same person; so, the two templates are
are compared to determine if the person in the two images is the
same. This procedure is used, for example, in the doors of
c. Jorge Juan 6 www.aepd.es
28001 Madrid
3 Legal Office
automated border control used in border controls
of the airports.
Considering the aforementioned distinction, it can be interpreted that, if
In accordance with article 4 of the GDPR, the concept of biometric data
would include both assumptions, both the identification and the
verification/authentication. However, and in general, the
biometric data will only be considered as a category
of data in the cases in which they are submitted to treatment
technique aimed at biometric identification (one-to-many) and not in the
biometric verification/authentication case (one-to-one).
However, this Agency considers that it is a question
complex, subject to interpretation, with respect to which it is not possible to
draw general conclusions, having to attend to the specific case
according to the data processed, the techniques used for its treatment and
the consequent interference in the right to data protection,
should, as long as the Committee does not rule on the matter
European Data Protection Agency or the courts,
In case of doubt, the most favorable interpretation for the
protection of the rights of those affected.”
Consequently, in said report this Agency already highlighted the
difficulty of separating the concepts of identification and authentication, which
requires to be aware of the specific case and the particular techniques used in
relation to the purpose pursued by the treatment, as well as the need
to grant maximum protection to the rights of those affected against the use
of techniques that can be more invasive to your privacy and generate more
risks to their rights and freedoms.
However, said criterion was subject to what could be
established by the European Data Protection Committee or, where appropriate, by
the courts. And, in this sense, the Guidelines 5/2022 of the Committee
European Data Protection (Guidelines 05/2022 on the use of facial
recognition technology in the area of law enforcement) pending in this
time of final adoption after completion of the consultation process
public, they clearly depart from said differentiation between
authentication/verification and identification for the purpose of determining treatment
of biometric data as a special category in section 12, concluding
that both cases imply the treatment of special categories of
data:
While both functions – authentication and identification – are
distinct, they both relate to the processing of biometric data related to an
identified or identifiable natural person and therefore constitute a
processing of personal data, and more specifically a processing of
special categories of personal data.
c. Jorge Juan 6 www.aepd.es
28001 Madrid
4 Legal Office
Consequently, if said criterion is maintained at the time the
proceeds to its final adoption, it will be necessary to review our criteria
to adapt it to that maintained by the European Committee for Data Protection,
understanding that the processing of biometric data, both in the cases of
authentication/verification as identification implies a treatment of
special categories of data, subject to the regime of general prohibition and
exceptions of article 9 of the GDPR.
In any case, in the present case there is no doubt that the consultation was
refers to biometric data processing aimed at uniquely identifying
to a natural person and, therefore, which implies the treatment of categories
personal data specials.
II
The query refers to a case of biometric data processing
with the purpose of verifying to identify, unequivocally, the fans who
access the animation stands, implying, as indicated in the
previous section, a treatment of special categories of data subject to the
general rule of prohibition of the same (art. 9.1. GDPR).
However, article 9.2 of the GDPR regulates exceptions to said
general prohibition, invoking in the consultation, specifically, the collection
in its letter g):
g) the treatment is necessary for reasons of personal interest
essential public, on the basis of Union or State law
members, which must be proportional to the objective pursued, respect in
the essential right to data protection and establish measures
adequate and specific to protect the interests and rights
fundamentals of the interested party;
It is appropriate, therefore, to analyze whether in the present case the
budgets established in article 9.2.g) to lift the prohibition of
processing of biometric data, also taking into account the
jurisprudence of the Constitutional Court, the European Court of Rights
Rights and the Constitutional Court regarding the limitations of the right
fundamental to the protection of personal data.
This Agency has had the opportunity to pronounce, on various occasions,
with respect to the requirements established by article 9.2.g) of the GDPR for
be able to cover the processing of biometric data, particularly with respect to
those based on facial recognition, given the proliferation of proposals
received in relation to them from different spheres, which shows
c. Jorge Juan 6 www.aepd.es
28001 Madrid
5 Legal Office
manifest the growing interest in using these systems and the constant
concern of this control authority, as they are systems of
very intrusive to the fundamental rights and freedoms of
natural persons. Concern that is shared by the rest of
control authorities for years, as evidenced by the
Biometrics Working Paper, adopted on August 1, 2003 by the
Group of 29, or the subsequent Opinion 3/2012 on the evolution of the
biometric technologies, adopted on April 27, 2012, and which has led to
that the Community legislator himself include these data among the categories
special data in the GDPR. Thus, being prohibited
treatment in general, any exception to said prohibition will have
to be subject to restrictive interpretation.
In this regard, it should be noted, in addition to the aforementioned report 36/2020,
referred to the use of facial recognition techniques in carrying out
online assessment tests, report 31/2019 on the incorporation of
facial recognition systems in video surveillance services under the
of article 42 of the Private Security Law or Report 97/2020 regarding the
Draft Order of the Minister of Economic Affairs and Transformation
Digital on non-presential identification methods for the issuance of
qualified electronic certificates. In all these cases it was concluded that
there was a legal standard in the Spanish legal system that met the
requirements of article 9.2.g) of the GDPR, so that the treatment only
could rely on the consent of those affected as long as it remained
guaranteed that it is free.
Analyzing the requirements of article 9.2.g) in our Report 36/2020
we pointed out the following:
V
The next question that arises in the consultation is whether the
processing of biometric data by recognition systems
facial expression in online evaluation processes could rely on the
existence of an essential public interest in accordance with article 9.2.g) of the
GDPR:
g) the processing is necessary for reasons of public interest
essential, on the basis of Union or Member States law
members, which must be proportional to the objective pursued, respect in
the essential right to data protection and establish measures
adequate and specific to protect the interests and rights
fundamentals of the interested party.
As we indicated previously, the data processing
personnel necessary for the provision of the public service of
c. Jorge Juan 6 www.aepd.es
28001 Madrid
6 Legal Office
Higher education is legitimized, in general, in the existence of
a public interest under the provisions of article 6.1.e) of the
GDPR. However, in the case of special categories of data, the
case contemplated in letter g) of article 9.2. does not refer only to
the existence of a public interest, as it does in many other of
its precepts the RGPD, but it is the only precept of the RGPD that
requires that it be "essential", an adjective that comes to qualify
said public interest, taking into account the importance and necessity of
greater protection of the data processed.
Said precept finds its precedent in article 8.4 of the
Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995, regarding the protection of natural persons in terms of
that respects the processing of personal data and the free movement of
these data: “4. As long as they have adequate guarantees, the
Member States may, for reasons of important public interest,
establish other exceptions, in addition to those provided for in section 2,
either through their national legislation, or by decision of the authority
of control". However, its reading results in greater rigor in a new
regulation by the GDPR, since the adjective "important" is replaced by
"essential" and it is not allowed that the exception can be established by the
control authorities.
In relation to what should be understood by public interest
essential, the Jurisprudence of the
European Court of Human Rights, which under Article 8
of the European Convention on Human Rights, has been considering that
the processing of personal data constitutes a lawful interference in the
right to respect for private life and can only be carried out if
performed in accordance with the law, serves a legitimate purpose, respects the
essence of fundamental rights and freedoms and it is necessary and
provided in a democratic society to achieve an end
legitimate ( D.L. against Bulgaria, nº 7472/14, May 19, 2016,
Dragojević v. Croatia, no. 68955/11, January 15, 2015, Peck
v. United Kingdom, No. 44647/98, January 28, 2003, Leander v.
Sweden, no. 9248/81, March 26, 1987, among others). As he points out
In the last sentence cited, "the concept of necessity implies that the
interference responds to a pressing social need and, in particular,
that is proportionate to the legitimate aim that it pursues”.
Likewise, the doctrine of the Court must be taken into account
Constitutional regarding the restrictions to the fundamental right to
data protection, which is summarized in judgment 292/2000, dated 30
November, in which after configuring the fundamental right to
protection of personal data as an autonomous right and
independent power that consists of a power of disposition and control
on personal data that empowers the person to decide which
c. Jorge Juan 6 www.aepd.es
28001 Madrid
7 Legal Office
of these data to provide to a third party, be it the State or an individual, or
which this third party can collect, and which also allows the individual
know who owns that personal data and for what, being able to
oppose that possession or use, analyzes its limits, pointing out
in the following:
More specifically, in the Judgments mentioned regarding the
data protection, this Court has declared that the right to
Data protection is not unlimited, and although the Constitution does not
expressly impose specific limits, nor refer to the Powers
Public for its determination as it has done with other rights
fundamental, there is no doubt that they will find them in the
remaining fundamental rights and legal rights
constitutionally protected, as required by the principle of unity
of the Constitution (SSTC 11/1981, of April 8, F. 7; 196/1987, of April 11,
December [RTC 1987, 196], F. 6; and regarding art. 18, JTS
110/1984, F. 5). These limits may either be direct restrictions of the
fundamental right itself, which has been alluded to before, or
may be restrictions on the way, time or place of exercise of the
fundamental right. In the first case, regulating those limits is a
form of development of the fundamental right. In the second, the limits
that are fixed are to the concrete form in which it is possible to exert the beam of
faculties that make up the content of the fundamental right in
matter, constituting a way of regulating its exercise, which
The ordinary legislator can do in accordance with the provisions of art. 53.1
EC. The first observation that must be made, which is not obvious, is
less capital, is that the Constitution has wanted the Law, and only the
Law, can set the limits to a fundamental right. Rights
Fundamentals can, of course, yield to goods, and even
constitutionally relevant interests, provided that the cut that
undergo is necessary to achieve the intended legitimate purpose,
provided to achieve it and, in any case, be respectful of the
essential content of the restricted fundamental right (SSTC 57/1994,
of February 28 [RTC 1994, 57], F. 6; 18/1999, of February 22 [RTC
1999, 18], F. 2).
Precisely, if the Law is the only one authorized by the Constitution
to set limits to fundamental rights and, in the case
present, to the fundamental right to data protection, and those
limits cannot be different from those constitutionally established, which
for the case are none other than those derived from the coexistence of this
fundamental right with other legal rights and goods of rank
constitutional, the legal empowerment that allows a Public Power
collect, store, process, use and, where appropriate, transfer personal data,
it is only justified if it responds to the protection of other rights
constitutionally protected assets or assets. So if
those operations with the personal data of a person are not
c. Jorge Juan 6 www.aepd.es
28001 Madrid
8 Legal Office
carried out with strict observance of the norms that regulate it,
violates the right to data protection, since limits are imposed
constitutionally illegitimate, either to its content or to the exercise of the
bundle of faculties that compose it. How will that violate it too?
Limitative law if it regulates the limits in such a way that they make the
fundamental right affected or ineffective the guarantee that the Constitution
grants you And so it will be when the Law, which should regulate the limits to
fundamental rights with scrupulous respect for their content
essential, is limited to empowering another Public Power to establish in each
the restrictions that may be imposed on the rights
fundamentals, whose unique determination and application will be at risk
of the decisions adopted by that Public Power, who may decide, in
what interests us now, about obtaining, storing,
treatment, use and transfer of personal data in the cases that it deems
convenient and brandishing, even, interests or assets that are not
protected with constitutional rank […]”. (Legal Basis 11)
“On the one hand, because although this Court has declared that the
The Constitution does not prevent the State from protecting legal rights or assets to
cost of the sacrifice of others equally recognized and, therefore, that the
legislator may impose limitations on the content of rights
fundamentals or their exercise, we have also specified that, in such
assumptions, these limitations must be justified in the protection
of other rights or constitutional goods (SSTC 104/2000, of 13 December
April [ RTC 2000, 104] , F. 8 and those cited there) and, in addition, they must be
proportionate to the purpose pursued with them (SSTC 11/1981, F. 5, and
196/1987, F. 6). Well, otherwise they would incur in arbitrariness
proscribed by art. 9.3 EC.
On the other hand, even having a constitutional foundation and
being proportionate the limitations of the fundamental right
established by Law ( STC 178/1985 [ RTC 1985, 178] ), these
may violate the Constitution if they suffer from a lack of certainty and
predictability in the very limits they impose and their way of
application. Conclusion that is corroborated by the Court's jurisprudence
European Commission on Human Rights that has been cited in F. 8 and that here
must be reproduced. And it should also be noted that not only
would harm the principle of legal certainty (art. 9.3 CE), conceived
as certainty about the applicable law and expectation
reasonably founded of the person on what should be the performance
of power applying the Law (STC 104/2000, F. 7, for all), but
that at the same time said Law would be harming the essential content
of the fundamental right thus restricted, given that the way in which it is
have set their limits make it unrecognizable and make it impossible, in the
practice, its exercise (SSTC 11/1981, F. 15; 142/1993, of April 22
[ RTC 1993, 142] , F. 4, and 341/1993, of November 18 [ RTC 1993,
c. Jorge Juan 6 www.aepd.es
28001 Madrid
9 Legal Office
341], F. 7). So that the lack of precision of the Law in the
material assumptions of the limitation of a fundamental right is
likely to generate an indeterminacy about the cases to which
apply such a restriction. And when this result occurs, beyond all
reasonable interpretation, the Law no longer fulfills its function of guaranteeing the
own fundamental right that it restricts, since it allows instead
simply operate the will of who has to apply it, undermining
thus both the effectiveness of the fundamental right and the legal certainty
[…]”. (FJ 15).
“More specifically, in relation to the fundamental right to
privacy we have highlighted not only the need for your
possible limitations are based on a legal provision that has
constitutional justification and that they be proportionate (SSTC 110/1984,
F. 3, and 254/1993, F. 7) but the Law that restricts this right must
accurately express each and every material budget
of the limiting measure. Otherwise, it is wrong to understand that the
judicial resolution or the administrative act that applies it are founded
in the Law, since what it has done, making abandonment of its
functions, is to empower other Public Powers so that they are
who set the limits to the fundamental right (SSTC 37/1989, of 15
of February [RTC 1989, 37], and 49/1999, of April 5 [RTC 1999, 49]).
Similarly, regarding the right to data protection
personal, it can be estimated that the constitutional legitimacy of the
restriction of this right cannot be based, by itself, on the
activity of the Public Administration. Nor is it enough that the Law
empowers it to specify its limits in each case, limiting itself to
indicate that you must make such precision when there is any right or
well constitutionally protected. It is the legislator who must
determine when that good or right that justifies the
restriction of the right to the protection of personal data and in what
circumstances can be limited and, furthermore, it is he who must do it
by means of precise rules that make the interested party foreseeable
imposition of such limitation and its consequences. Well, in another case
legislator would have transferred to the Administration the performance of a
function that only corresponds to him in terms of fundamental rights in
By virtue of the legal reservation of art. 53.1 CE, that is, establish
clearly the limit and its regulation. […] (FJ 16)”.
Likewise, our Constitutional Court has already had the opportunity
to rule specifically on article 9.2.g) of the GDPR,
as a consequence of the challenge of article 58 bis of the Law
Organic 5/1985, of June 19, of the General Electoral Regime,
introduced by the third final provision of Organic Law 3/2018, of
December 5, Protection of Personal Data and guarantee of the
digital rights, regarding the legitimacy of data collection
c. Jorge Juan 6 www.aepd.es
28001 Madrid
10 Legal Office
personal information relating to the political opinions of the persons who carry
carried out by political parties in the framework of their electoral activities,
precept that was declared unconstitutional by Judgment no.
76/2019 of May 22.
Said sentence analyzes, firstly, the legal regime to which
that is subject to the treatment of the special categories
of data in the GDPR:
In accordance with paragraph 1 of art. 9 GDPR, the
processing of personal data that reveal political opinions,
in the same way as the processing of personal data that reveals
ethnic or racial origin, religious or philosophical convictions or
trade union membership and processing of genetic data, biometric data
aimed at uniquely identifying a natural person, data
relating to health or data relating to sexual life or orientation
sex of a natural person. However, section 2 of the same
precept authorizes the processing of all such data when concurs
any of the ten circumstances provided therein [letters a) to j)]. Some of
These circumstances have a limited scope of application (labor,
social, associative, health, judicial, etc.) or respond to a purpose
determined, therefore, in themselves, delimit the treatments
that authorize as an exception to the general rule. Besides, the
enabling efficacy of several of the assumptions provided therein is
conditioned to the fact that the Law of the Union or that of the States
members expressly foresee and regulate them in their scope of
competences: this is the case of the circumstances included in letters
a), b), g), h), i) and j).
Processing of special categories of personal data
is one of the areas in which the Regulation expressly
General of Data Protection has recognized the Member States
"room for manoeuvre" when it comes to "specifying its rules", as
qualifies its recital 10. This margin of legislative configuration
extends both to the determination of the enabling causes for
the processing of specially protected personal data -is
that is, to the identification of the purposes of essential public interest and the
assessment of the proportionality of the treatment to the end
persecuted, essentially respecting the right to protection of
data - such as the establishment of "adequate measures and
to protect the interests and fundamental rights
of the interested party" [art. 9.2 g) GDPR]. The Regulation contains, for
Therefore, a concrete obligation of the Member States of
establish such guarantees, in the event that they enable to treat
specially protected personal data.
In relation to the first of the requirements demanded by article
9.2.g), the invocation of an essential public interest and the necessary
c. Jorge Juan 6 www.aepd.es
28001 Madrid
11 Legal Office
specification thereof, the High Court recalls what was stated in its
judgment 292/2000 in which it was rejected that the identification of the
legitimate purposes of the restriction could be done through concepts
generic or vague formulas, considering that the restriction of the right
fundamental to the protection of personal data cannot be based,
by itself, in the generic invocation of an indeterminate "interest
public" :
In the aforementioned STC 292/2000 (RTC 2000, 292), in which
Legislative interference in the right to
protection of personal data, we reject that the identification of the
legitimate purposes of the restriction could be done through concepts
generic or vague formulas:
"16. [...] In the same way, regarding the right to the protection of
personal data, it can be estimated that the constitutional legitimacy of the
restriction of this right cannot be based, by itself, on the
activity of the Public Administration. Nor is it enough that the Law
empowers it to specify its limits in each case, limiting itself to
indicate that you must make such precision when there is any right or
well constitutionally protected. It is the legislator who must
determine when that good or right that justifies the
restriction of the right to the protection of personal data and in what
circumstances can be limited and, furthermore, it is he who must do it
by means of precise rules that make the interested party foreseeable
imposition of such limitation and its consequences. Well, in another case
legislator would have transferred to the Administration the performance of a
function that only corresponds to him in terms of fundamental rights in
By virtue of the legal reservation of art. 53.1 CE, that is, establish
clearly the limit and its regulation.
17. In the present case, employment by the LOPD (RCL 2018, 1629)
in his art. 24.1 of the expression "control and verification functions", opens
a space of uncertainty so wide that it causes a double and
perverse consequence. On the one hand, by enabling the LOPD to the
Administration to restrict fundamental rights invoking
such an expression is renouncing to set the limits itself,
empowering the Administration to do so. And in such a way that
As the Ombudsman points out, it allows redirecting the same
practically all administrative activity, since all activity
administration that involves establishing a legal relationship with a
administered, which will be the case in practically all cases in which
the Administration needs someone's personal data, it will entail
Ordinarily the authority of the Administration to verify and control that this
administered has acted in accordance with the administrative legal regime of
the legal relationship established with the Administration. which, in view of
reason for restriction of the right to be informed of art. 5 LOPD, leave
in the most absolute uncertainty to the citizen about in which cases
this circumstance will occur (if not in all) and add to the inefficiency
c. Jorge Juan 6 www.aepd.es
28001 Madrid
12 Legal Office
any jurisdictional guardianship mechanism that must prosecute
Such an assumption of restriction of fundamental rights without another
complementary criterion that comes to the aid of its control of the
administrative action in this matter.
The same reproaches also deserve the use in art. 24.2
LOPD of the expression "public interest" as the basis of the
imposition of limits to the fundamental rights of art. 18.1 and 4 CE,
because it contains an even greater degree of uncertainty. just notice
that all administrative activity, ultimately, pursues the
safeguarding of general interests, the achievement of which constitutes the
purpose to which the Administration must objectively serve with
according to art. 103.1 CE."
This argument is fully transferable to the present
prosecution. Similarly, therefore, we must conclude that the
constitutional legitimacy of the restriction of the fundamental right to
personal data protection cannot be based, by itself, on the
generic invocation of an indeterminate "public interest". well in another
case, the legislator would have transferred the political parties -whom the
challenged provision empowers to collect personal data relating to
to the political opinions of people in the framework of their activities
elections - the performance of a function that is the sole responsibility of him in
matter of fundamental rights by virtue of the reservation of the Law of the
art. 53.1 CE, that is, clearly establish its limits and its regulation.
Nor can it be accepted, as equally imprecise, the purpose
adduced by the lawyer of the State, which refers to the functioning of the
democratic system, since it also contains a high degree of
uncertainty and may involve circular reasoning. On the one hand,
political parties are by themselves "necessary channels for the
functioning of the democratic system" (for all, STC 48/2003, of
March 12 (RTC 2003, 48), FJ 5); and, on the other hand, all
functioning of the democratic system pursues, ultimately, the
safeguarding of constitutional aims, values and assets, but this does not
reaches to identify the reason why the right should be restricted
fundamental affected.
Finally, it should be specified that it is not necessary to be able to
suspect, with greater or lesser grounds, that the restriction pursues
an unconstitutional purpose, or that the data collected and
processed will be harmful to the private sphere and the exercise of rights.
rights of individuals. It is enough to note that, by not
to be able to identify with sufficient precision the purpose of the treatment
of data, the constitutional character cannot be prosecuted
legitimate use of that purpose, nor, where appropriate, the proportionality of the
measure provided in accordance with the principles of suitability, necessity and
proportionality in the strict sense.
c. Jorge Juan 6 www.aepd.es
28001 Madrid
13 Legal Office
On the other hand, regarding the guarantees that the
legislator, the aforementioned judgment no. 76/2019 of May 22, after
remember that "In view of the potential intrusive effects on the
affected fundamental right resulting from data processing
personal data, the jurisprudence of this Court requires the legislator to,
In addition to meeting the aforementioned requirements, you also
establish adequate guarantees of a technical, organizational and
procedural, that prevent risks of different probability and
severity and mitigate its effects, because only in this way can the
respect for the essential content of the fundamental right itself”, analyzes
What is the norm that must contain the aforementioned guarantees:
"Therefore, the resolution of this challenge requires that
clarify a doubt raised regarding the scope of our
doctrine on adequate guarantees, which consists of determining whether
adequate guarantees against the use of information technology must
be contained in the law that authorizes and regulates that use or may
can also be found in other normative sources.
The question can only have a constitutional answer. The
provision of adequate guarantees cannot be deferred to a moment
after the legal regulation of the processing of personal data of
in question Appropriate safeguards should be built into the
own legal regulation of the treatment, either directly or through
express and perfectly delimited reference to external sources that
have the appropriate regulatory status. Only that understanding is
compatible with the double requirement arising from art. 53.1 EC (RCL
1978, 2836) for the legislator of fundamental rights: the reservation
of law for the regulation of the exercise of fundamental rights
recognized in the second chapter of the first title of the Constitution
and respect for the essential content of said fundamental rights.
According to reiterated constitutional doctrine, the reserve of law is not
limited to requiring that a law enable the restrictive measure of rights
fundamental, but it is also necessary, according to both
requirements called -sometimes- normative predetermination and
-others- regarding the quality of the law as well as respect for the essential content of the
law, that in this regulation the legislator, who is obliged to
primary way to weigh the rights or interests in conflict,
predetermine the assumptions, conditions and guarantees in which
the adoption of restrictive measures of rights is appropriate
fundamental. That mandate of predetermination regarding
essential elements, also ultimately linked to the judgment of
proportionality of the limitation of the fundamental right, cannot
be deferred to a subsequent legal or regulatory development, nor
it can be left in the hands of the individuals themselves” (FJ 8).
Therefore, the processing of biometric data to the
under article 9.2.g) requires that it be provided for in a standard
c. Jorge Juan 6 www.aepd.es
28001 Madrid
14 Legal Office
of European or national law, having in the latter case
said norm, according to the aforementioned constitutional doctrine and the provisions
in article 9.2 of the LOPDGDD, rank of law. Said law shall,
also specify the essential public interest that justifies the
restriction of the right to the protection of personal data and in
what circumstances can be limited, establishing the rules
that make the imposition of such a law foreseeable to the interested party
limitation and its consequences, without it being sufficient, to these
effects, the generic invocation of a public interest. and said law
must also establish the appropriate type of guarantees
technical, organizational and procedural, that prevent risks
of different probability and severity and mitigate their effects.
In addition, said law must in all cases respect the principle
of proportionality, as recalled in the Judgment of the Court
Constitutional 14/2003, of January 28:
In other words, pursuant to a settled doctrine of
this Court, the constitutionality of any restrictive measure of
fundamental rights is determined by the strict observance
of the principle of proportionality. For the purposes that matter here enough
remember that, in order to check whether a restrictive measure of a
fundamental right overcomes the proportionality judgment, it is necessary
verify if it meets the following three requirements or conditions: if the
measure is capable of achieving the proposed objective (judgment of
suitability); if, moreover, it is necessary, in the sense that there is no other
more moderate measure for the achievement of such purpose with the same
effectiveness (judgment of necessity); and, finally, if it is weighted or
balanced, because it derives from it more benefits or advantages for the
general interest than damages to other goods or values in conflict
(judgment of proportionality in the strict sense; SSTC 66/1995, of 8
May [RTC 1995, 66], F. 5; 55/1996, of March 28 [RTC 1996, 55]
, FF. 7, 8 and 9; 270/1996, of December 16 [RTC 1996, 270], F. 4.e;
37/1998, of February 17 [RTC 1998, 37], F. 8; 186/2000, of 10
July [ RTC 2000, 186] , F. 6).”
The conclusions reached in the aforementioned case are transferable to the
present, since the treatment of the special categories of data
seeks to rely on the power of the Commission to promote systems of
verification of the identity of the people who try to access the premises
sports, under the terms provided in article 13.1. of Law 19/2007, of
July 11.
Said precept is developed by article 15.3 of the Royal Decree
203/2010, of February 26, which approves the Regulation of
c. Jorge Juan 6 www.aepd.es
28001 Madrid
15 Legal Office
prevention of violence, racism, xenophobia and intolerance in the
sport:
3. In the cases contemplated in article 13.1 of the Law
19/2007, of July 11, verification and monitoring of identity
of those who purchase tickets or control the distribution of
localities will be carried out by implementing ticket sales systems
nominative and developing procedures that allow to supervise the
distribution of assigned locations and to know the identity of the
holders of access titles to sports facilities.
The treatment of the data obtained in accordance with these
procedures will be limited to providing information on who
access or attempt to access sports venues, with the purpose of
to ensure compliance with existing prohibitions and, where appropriate,
case, purge the responsibilities that may arise.
The organizers will cancel the data of the people who
they would have accessed the sporting event when it concludes,
keeping exclusively the data necessary to identify
who may have engaged in conduct prohibited by law
19/2007, of July 11, which may only be transferred to the authorities or
competent bodies in matters of public safety.
As can be seen, article 13.1 of Law 19/2007, of 11 December
July refers to identity verification systems, but does not
considers the possibility that said systems may involve treatments
of biometric data, nor does it establish the pertinent and adequate guarantees for
the protection of the fundamental right to the protection of personal data.
This possibility is not provided for in article 15.3 of the Royal Decree either.
203/2010, of February 26, although it should be noted that said standard
would lack, as has been explained, the appropriate legal status for
proceed to the regulation of the treatment of special categories of data
personal.
Therefore, claiming in the processing of personal data
included in the special categories of data referred to in the article
9.1. of the RGPD, since it is about biometric data directed to the
identification of natural persons, it is a prerequisite that some
of the circumstances contemplated in section 2 that lifts the prohibition
of treatment of said data, established in general in its
section 1, requiring article 9.2. of the LOPDGDD that "Treatments of
data referred to in letters g), h) and i) of article 9.2 of Regulation (EU)
2016/679 founded on Spanish law must be covered by a
standard with the force of law, which may establish additional requirements relating to
your security and confidentiality. not existing, as indicated, norm
that enables said treatment under article 9.2.g) of the GDPR, since
c. Jorge Juan 6 www.aepd.es
28001 Madrid
16 Legal Office
that article 13.1. does not meet the legal requirements and
jurisprudentially, as has been analyzed in the present
report.
And without said gap being able to be filled by means of an agreement of the
CEVRXID, as it does not have the appropriate regulatory range. In this sense, as already
As indicated, the jurisprudence of the Constitutional Court is clear regarding
of the norm that must contain the adequate guarantees that cannot be
be deferred to a time after the legal regulation of data processing
personal in question. Adequate safeguards must be incorporated
to the legal regulation of the treatment itself, either directly or by referral
expressly and perfectly delimited to external sources that have the rank
adequate normative (Ruling 76/2019 of May 22, FJ 8)
Consequently, it must be concluded that the adoption of an agreement
of the State Commission against Violence, Racism, Xenophobia and
Intolerance, within the scope of its powers, establishing measures
for the compliance of the clubs consisting of the installation of
biometric systems for the control of all access to the stands of
animation that allows the unequivocal identification of the fans who
access said stands, is not in accordance with the regulations governing
Data Protection.
c. Jorge Juan 6 www.aepd.es
28001 Madrid
17
