AEPD (Spain) - EXP202213792: Difference between revisions
Revision as of 11:57, 7 May 2024
| AEPD - EXP202213792 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(c) GDPR; Article 8 GDPR; Article 9 GDPR; Article 13 GDPR; Article 35 GDPR; Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 04.11.2022 |
| Decided: | 09.04.2024 |
| Published: | |
| Fine: | 120,000 EUR |
| Parties: | Burgos Club de Fútbol, S.A.D. |
| National Case Number/Name: | EXP202213792 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA fined a football club €200,000 for lacking a legal basis to process fingerprint data and violating obligations of necessity and proportionality. The controller acknowledged its fault and paid a reduced fine of €120,000 in accordance with national law.
English Summary
Facts
On 4 November 2022, the Burgos Club de Fútbol, S.A.D. (the controller) implemented a biometric data collection system which required the approximately 700 members of the cheering stands to provide their fingerprints in order to gain entry. The biometric processing was imposed under an agreement adopted by the State Commission against violence, racism, xenophobia and intolerance in sports, which mandated such a system. The system, which was distributed to football clubs by the Spanish Football League (La Liga), collected data subjects' names, national identification card numbers, system identification numbers, and fingerprint patterns. It replaced the previous entry system, which allowed entry after verification of identification cards.
The controller published a communication on its website on 4 November 2022 concerning the system and its basis in the State Commission's agreement. The system was first used during a game on 8 December 2022. Use of the system was mandatory in order to enter the cheering stands. The system did not set a minimum age, permitting the collection of biometric data from any minor whose parents or guardians consented.
On 4 and 7 November 2022, complaints were filed with the Spanish DPA (AEPD) arguing that the biometric control was excessive and failed to adequately inform data subjects.
On 15 February 2023, the controller ceased the mandatory collection of biometric data and instead gave data subjects the option of entering with their ID cards or with fingerprints. On 19 February 2023, the controller notified members of the change in policy and implemented the change at a football game. On the same day, the controller received a copy of Dictamen 98/22, initially circulated to La Liga, in which the AEPD declared that the State Commission's biometric processing obligations did not conform with the GDPR.
The controller identified itself as the controller for the biometric data obtained to access the cheering stands. It stated that its purpose for the processing was to fulfil the requirements established by the State Commission with a view to violence prevention, and argued that this system was more efficacious and reliable than the use of ID cards. No copy of the claimed protocol for security breaches was provided. The controller stated that no specific measure was currently being applied, but that it was instead planning future measures, given that no new biometric data was currently being captured.
Holding
The AEPD recommended sanction proceedings against the controller, finding likely violations of Article 5(1)(c), 8, 9, 13 and 35 GDPR.
Article 35 GDPR requires that a data protection impact assessment take place prior to the processing of high-risk data, which biometric data is always considered to be pursuant to Article 35(4) GDPR. The AEPD noted that while the controller provided a data protection impact assessment dated 15 February 2023, the processing had begun on 4 November 2022. The assessment thus took place months after the processing started, meaning that for over 3 months biometric data was being processed in violation of Article 35 GDPR. The AEPD thus determined that the controller violated Article 35 GDPR.
Second, the AEPD found that the controller also lacked a legal basis to process the biometric data, as it had not triggered an exception under Article 9(2) GDPR. Prior to 15 February 2023, the controller indicated that the processing was required to fulfil a legal obligation, establishing a legal basis for processing under Articles 6(1)(c) and 9(2)(b) and 9(2)(g) GDPR. In light of the AEPD's Dictamen 98/22, the controller changed its legal basis after 15 February 2023 to consent pursuant to Articles 6(1)(a) and 9(2)(a) GDPR. The controller did not dispute that the processing of data prior to 15 February 2023 lacked a legal basis.
Third, the AEPD found that the processing both prior to and after 15 February 2023 violated the data minimisation principle. It noted that the classification as a special category of data requires special caution in addition to the obligations of Article 5(1)(c) GDPR. Pursuant to Article 35(7)(b) GDPR, controllers must also analyse the necessity, suitability and proportionality of processing before processing special categories of data. The AEPD emphasises this jurisprudence-based analysis, which it calls the triple judgment of proportionality. Where other non-biometric options exist which serve the same purpose, it notes, it is not necessary to process special categories of data, and doing so violates the GDPR. In this case, the processing was neither necessary nor proportional because the security purposes could have been served by the previous ID-review system. The AEPD rejected the controller's argument that the biometric system was more efficacious because it was more reliable, finding the claim unsupported. The AEPD also stated that the fact that the State Commission's order to establish the fingerprinting system imposed an obligation was insufficient to justify the system as suitable, necessary or proportionate. To establish necessity, a system must be supported by tests that describe the problem and the efficacy of the measures adopted. These shortcomings constituted a violation of Article 5(1)(c) GDPR.
In addition, the controller was found to be in violation of Article 8 GDPR both prior to and after 15 February 2023 because it permitted minors to use biometric data to enter the cheering stands without establishing a minimum age.
Finally, the AEPD held that the controller failed to comply with its information obligations under Article 13 GDPR in its processing prior to 15 February 2023. The controller's information documents indicated that data subjects had to agree to biometric processing in order to gain entry to the cheering stands. Given that, as discussed above, there was no legal basis for the processing prior to 15 February 2023, the AEPD found that this inaccurate statement of a legal obligation constituted a failure to adequately inform data subjects about the processing of their data and was thus a violation of Article 13 GDPR.
Given these violations, the AEPD resolved to initiate sanction proceedings against the controller and proposed a sanction of €200,000. Pursuant to Law 39/2015, a Spanish law on administrative proceedings, the AEPD informed the controller that it could acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/54 File No.: EXP202213792 Sanctioning Procedure PS/00483/2023.

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On December 29, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BURGOS CLUB DE FÚTBOL, S.A.D. (hereinafter, the claimed party), through the Agreement transcribed below:

File No.: EXP202213792. Sanctioning Procedure No.: PS/00483/2023.

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following:

FACTS (p. 2)
FIRST (p. 2)
SECOND (p. 3)
THIRD (p. 4)
FOURTH (p. 4)
FIFTH (p. 4)
5.1. Intervening parties and documents that form part of the file (p. 4)
5.2. On the origin and current situation of the implementation of biometric systems in first and second division football stadiums (p. 5)
5.3. Facts related to BURGOS CF (p. 8)
5.4. Conclusions (p. 12)
LEGAL GROUNDS (p. 13)
I. Competence (p. 13)
II. Biometric data as special category personal data (p. 13)
2.1. Definition and characteristics of biometric data (p. 13)
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/54
2.2. Biometric templates as special category and high-risk personal data (p. 15)
2.3. BURGOS CF as controller of the biometric data processing operations (p. 17)
III. On the need to carry out an impact assessment prior to and appropriate to the processing (p. 18)
5.1. Obligation and legal requirements of the impact assessment (EIPD) in high-risk processing (p. 18)
5.2. Breach of the duty to submit a DPIA by BURGOS CF (p. 20)
IV. Concurrence of an exception under article 9 of the GDPR, and legitimising basis under article 6 of the GDPR (p. 20)
4.1. Regarding the need for an exception to the prohibition on processing biometric data (p. 20)
4.2. Need for a legal basis for the processing under article 6.1 (p. 22)
4.3. Analysis of the concurrence of an exception and a legal basis in the present case (p. 23)
V. Regarding the requirement that the processing be necessary, appropriate and proportional (p. 25)
VI. On the consent of minors (p. 31)
VII. On the information duties of article 13 of the GDPR (p. 33)
VIII. Classification of infringements and qualification for the purposes of prescription (p. 36)
8.1. Infringement of article 35 of the GDPR (p. 36)
8.2. Infringement of article 9 of the GDPR (p. 36)
8.3. Infringement of article 5.1.c of the GDPR (p. 37)
8.4. Infringement of article 8 of the GDPR (p. 37)
8.5. Infringement of article 13 of the GDPR (p. 38)
X. Determination of sanctions (p. 38)
XI. Adoption of corrective measures (p. 43)
XI. Provisional measures (p. 44)
RESOLVES (p. 46)

FACTS

FIRST: On November 4 and 7, 2022, this Spanish Data Protection Agency received a complaint and a claim against the implementation of biometric systems for access control to the cheering stands of the stadium of BURGOS CLUB DE FÚTBOL, S.A.D., with NIF A09012428 (hereinafter, "the club"/BURGOS CF).
- Firstly, a complaint was received on November 4, 2022 stating that the State Commission against violence, racism, xenophobia and intolerance in sport had adopted an agreement according to which access to the cheering stands of football stadiums was to be carried out through biometric control. Consequently, some football teams, such as BURGOS CF, are already adopting these forms of access for their stands. The complaining party considers that the aforementioned processing is excessive. In this sense, it indicates that the same controls can be carried out by requesting nominal payments and, if it were necessary for security reasons, by requesting the presentation of the National Identity Document. The complainant does not attach any documentation to the submission.
- Subsequently, a claim is received on November 7 of the same year, which states that BURGOS CF is compulsorily requiring the use of a fingerprint to access the cheering stand of the football field. It literally states the following: "When you become a member of the cheering tier, at no moment do you sign anything about data protection and they do not tell you that you will have to provide biometric data for access to the field. Until now the system for accessing the field is: first they ask for your DNI and MEMBER CARD to verify that you are the subscriber, and then you go through a turnstile in which you have to insert your membership card and you are registered. Therefore, the justification that it is for security is unjustified, since there is a less invasive means. It is discriminatory that only one stand is requiring this access control measure to the field, since it will not be imposed on any of the subscribers in another stand, nor on people who enter punctually with a ticket. If they gain security, where is the security in the rest of the field?"
The claimant attaches the official statement published on November 4, 2002 on the burgoscf.es website, "Official statement | Biometric access in cheering stands carried out by BURGOS CF", which states the following: "The Burgos Football Club, in compliance with Law 19/2007, of July 11, Royal Decree 203/2010, of February 26, and the General Book of LaLiga, after an audit carried out by LaLiga, and after the agreement adopted by the State Commission against violence, racism, xenophobia and intolerance in sport, communicates that access to its cheering stand will have to be done through biometric control. In this sense, all the LaLiga clubs, among which Burgos CF is also found, have been warned that failure to comply with this regulation will give rise to action by the commission through the corresponding proposals for opening disciplinary proceedings under current legislation. In this way, LaLiga has installed a fingerprint detection program so that all subscribers of this area of the stadium go to the club offices to register their fingerprint and thus access the El Plantío Stadium with this method. (…) This movement is only a first step, since the Burgos entity has the objective and the commitment to implement this biometric access mechanism for the entire stadium in an estimated period of two seasons. Following the line of action of other reference clubs in Spanish football, the entity intends to develop facial identification processes, in favour of speed and accessibility, when these systems are more developed."
None of the complainants provides evidence suggesting that their biometric data was collected.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on December 1, 2022, said claim was transferred to BURGOS CF so that it could proceed with its analysis and inform this Agency, within one month, of the actions carried out to comply with the requirements provided for in data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on December 2, 2022, as appears in the acknowledgement of receipt in the file. However, BURGOS CF did not respond to this first transfer.
THIRD: On January 2, 2023, the Director of the Spanish Data Protection Agency urged the Subdirectorate General of Data Inspection (SGID) to initiate the prior investigative actions referred to in article 67 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), to analyse the implications that the practical application of the aforementioned biometric system in football stadiums, one of which was that of BURGOS CF, could have in terms of personal data protection.
FOURTH: On February 3, 2023, in accordance with article 65 of the LOPDGDD, the complaint and claim were accepted for processing and receipt was acknowledged.
FIFTH: Following the instructions of the agreement of the Director of the AEPD, the Subdirectorate General of Data Inspection initiated a file of prior investigative actions (AI/00444/2022) to clarify the facts contained in the complaint of November 4 and in the claim of November 7, 2022.
All this, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD.
5.1. Intervening parties and documents that are part of the file.
To clarify the facts, it was necessary to make various requests for information and documentation addressed to all those entities that participated in the implementation of the biometric system in the first and second division football stadiums at the state level, and specifically in the El Plantío stadium of BURGOS CF, namely:
- HIGHER SPORTS COUNCIL (hereinafter, CSD).
- STATE COMMISSION AGAINST VIOLENCE, RACISM, XENOPHOBIA AND INTOLERANCE IN SPORTS (hereinafter, CEVRXID).
- NATIONAL PROFESSIONAL FOOTBALL LEAGUE (hereinafter, LALIGA).
- SOCIEDAD ESPAÑOLA DE FÚTBOL PROFESIONAL, S.A.U (hereinafter, SEFPSA).
- BURGOS CF.
On September 22, 2023, a report on the prior investigative actions is issued, according to which the following documents and actions carried out are made known and attached to the file:
- Those carried out before the start of the prior actions, with the complaint and claim and documents that have already been mentioned in the first to fourth background facts of this agreement.
- Regarding BURGOS CF, 3 requests are made, as follows:
1. On 02-16-2023, BURGOS CF is requested for the first time, which is notified by electronic and postal means. BURGOS CF responds on 03-16-23 (hereinafter, WrittenBurgos1).
2. On 07-06-2023 the request to BURGOS CF is reiterated, to which it responds in writing on 07-27-23 (hereinafter, WrittenBurgos2).
3. On 08-22-2023, BURGOS CF is required to provide certain additional documentation, and it responds in writing dated 04-09-2023 (hereinafter, WrittenBurgos3).
- Regarding LALIGA, two information requests are made. The first, of 02-17-23, is answered on 03-10-23 (WrittenLaliga1). The second was made on 07-06-23, LALIGA requesting an extension of the deadline, which was granted on 07-13-23. Finally, LALIGA presented allegations in response to it on 07-27-23 (WrittenLaliga2).
- Regarding the CSD, a first request was made on 02-23-2023 and a second on 6-07-23. In response to them, the CSD presents three written documents, on 03-28-2023 (WrittenCSD1), 07-21-23 (WrittenCSD2), and 07-24-23 (WrittenCSD3). And a second request on 07-06-2023, to which it responded on 07-21-23.
- Finally, on 08-22-2023 information is required from SEFPSA, reiterated on 09-04-2023, which received a response on 09-15-2023 (WrittenSEFPSA1).
5.2. On the origin and current situation of the implementation of biometric systems in first and second division football stadiums.
In accordance with the information collected, and before analysing the particular case of BURGOS CF, a succinct reference must be made to the actions (in chronological order) carried out by the inspector in order to elucidate what was the origin and what is the current status of the implementation of fingerprint or facial recognition biometric systems that was carried out in a general way in order to access the football stadiums of LALIGA's first and second division clubs.
- On September 23, 2015, the CSD authorised the new version of Book XII of the League Regulations (hereinafter, RGLALIGA), which is currently in force, whose article XII establishes the following in its sections 2, 3, and 4:
"2. The sale of season or half-season access titles or documents, regardless of their name, for the cheering stands with the characteristics described in section 1, will require that the fan provide, together with the data referred to in article 1 of this Regulation, the biometric data determined, and the consent of the interested party must be obtained, informing clearly of the specific purposes for the processing of the aforementioned personal data, in accordance with current regulations on the protection of personal data. At the time of acquiring the access title, the fan will be associated by the affiliated Club/SAD with the affiliation provided and the biometric data. 3. ACCESS TITLES for season or half-season cheering stands will be personal and non-transferable, regardless of the policy that the Club/SAD has on these for the rest of the venue. To this end, the Club/SAD will establish, both in the document of acquisition of the access title and in the corresponding internal regulations, that in said areas the spectators will undergo all identity verification controls in force at all times, including those related to automatic biometric data systems, as well as the display of the access title together with the document proving their identity. 4. Only fans who have obtained the access title to said area and who, at the time of entry, submit to the reading of their biometric data will be allowed access to the cheering stands. Access will be denied in the event that the person does not provide, if required to do so, along with the biometric data, a document proving their identity that matches the affiliation associated with the biometric data and the access title."
- There is no evidence that LALIGA had adopted measures aimed at demanding compliance with the obligations provided for in the aforementioned article of the RGLALIGA until CEVRXID urged it to do so.
Specifically, it is established that the CEVRXID urged LALIGA on two occasions to promote the implementation by the clubs of the biometric control measures set out in Book XII of its General Regulations, exclusively for the supporters' stands in the first and second divisions. In its resolutions it also states that non-compliance would give rise to "the corresponding proposals for the opening of sanctioning proceedings in the exercise of its surveillance and control function provided for in the Law".
- The first resolution addressed by the CEVRXID to LALIGA was dated 15 March 2022. LALIGA communicated it to the clubs, warning them that they could incur liability to sanctions, and this gave rise to the start of the implementation of these systems by various clubs.
- After issuing its first resolution of 15 March 2022, the CEVRXID, at its meeting of 20 October 2022, agreed to consult the AEPD on a single question relating to compliance with data protection regulations: namely, the legal basis and the exception applicable to these biometric processing operations, and whether they could be carried out under articles 6(1)(e) and 9(2)(g) of the data protection regulations in view of the competence attributed to the CEVRXID by article 13.1 of Law 19/2007, of 11 July, against violence, racism, xenophobia and intolerance in sport. No consultation was made about the necessity and proportionality of the processing of biometric data or about compliance with the remaining principles and obligations laid down in the data protection regulations.
- On 22 December 2022, the AEPD's Legal Office issued Report 98/2022 in response to that consultation (added to the file by the inspector in the Diligence mentioned above).
The report relies on several earlier reports and concludes that in the present case "there is no legal rule in the Spanish legal system that meets the requirements of article 9.2.g) of the GDPR, so the processing could only rely on the consent of those affected, provided that it is guaranteed to be free".
- After receiving that report, the CEVRXID informed LALIGA on 21 March 2023 that "in accordance with the AEPD's report, access to the supporters' stands using biometric data shall be carried out with the consent of the data subject", so that, "where the data subject's consent to access the supporters' stands through biometric data is not obtained, it shall be mandatory for clubs/SADs to have a procedure that allows the identification of all those who enter outside the biometric control".
- Having received that communication, LALIGA adopted on 23 March 2023 "Circular No. 19 of the 2022/2023 Season, which conveyed to the clubs what the Commission had indicated and also informed them of the AEPD report of 22 December 2022". The Circular informs the clubs that "Access to the supporters' stands through biometric data may be maintained, provided that the data subject has given free consent after being informed of the specific purposes of the processing of personal data. Where the data subject's consent is not obtained, the CEVRXID reminds clubs that spectators in these stands shall not be exempt from undergoing all identity verification controls in force at any given time and, to this end, it is mandatory that the Club or SAD has a procedure that allows them to be identified".
In addition, during the preliminary investigation phase the following information was obtained on the actual implementation of biometric systems for access control at the stadiums of LALIGA members.
The following points stand out:
- LALIGA states that it is aware that 18 of its members have implemented a biometric system to control access to their stadiums, one of them being BURGOS CF. The time at which they were deployed differs from one club to another, the 2015-2016 season being the earliest mentioned and 2022-2023 the most recent. Furthermore, according to the information provided by LALIGA, in all cases but one these access controls were implemented only in the "supporters' stands".
- LALIGA, through the entity SEFPSA, supplies members who request it with the various devices for operating the entrance turnstiles at sports venues, including, where applicable, fingerprint recognition biometric systems. Clubs are free to contract the fingerprint system from SEFPSA or from any other supplier, as long as they have a biometric system for the sale of season tickets and access control to their supporters' stands.
- According to the information provided, SEFPSA states that it has supplied its biometric solution to 15 LALIGA members, the system being identical for all of them, and considers that it acts neither as controller nor as processor in this context, since its role is limited to supplying the necessary hardware and software without accessing personal data. Accordingly, it states that it has not carried out any risk analysis or impact assessment regarding the processing operations derived from the use of its products.
- Upon receipt of LALIGA Circular 19 of 23 March 2023, the clubs that had biometric recognition systems in place adopted measures either to suspend this access procedure or to keep it as a voluntary option complementary to others.
- BURGOS CF installed the fingerprint biometric system in the supporters' stand, gate 15, with three turnstiles, contracting the system developed by SEFPSAU, which appears to correspond to SEFPSA.
From 15 February 2023, before receiving LALIGA Circular 19, it opted to keep the fingerprint as a voluntary access system, sending its members a communication informing them of this and of the possibility of requesting the deletion of their biometric data. This applied from the match against Albacete held on 19 February 2023, as recorded in the minutes provided in EscritoBurgos1.
5.3. Facts relating to BURGOS CF.
Regarding the particular case of BURGOS CF, to which these sanctioning proceedings refer, the main points and documents it has contributed so far during the preliminary investigation phase should be briefly noted:
1. Response dated 16 March 2023 (EscritoBurgos1). In response to the request of 16 February, 10 annexes are attached and the following statements, which should be highlighted, are made:
- BURGOS CF began implementing the fingerprint biometric system as a mandatory means of access to the supporters' stand on 4 November 2022, following an audit carried out by LALIGA on 27 July 2022. The audit is said to be attached as proof in Annex 1, but that annex does not correspond to the audit but to the "Technical Report on the El Plantío Stadium Access Control System" developed by SEFPSAU, bearing the LALIGA logo, which is undated and unsigned.
- The CEVRXID resolution of 15 March 2022, referred to above, is attached as Annex II.
- BURGOS CF has provided, as Annex V of Document 1, the Data Protection Impact Assessment of the system, dated 16 February 2023 (the DPIA Report), signed by the entity DATAINFO CONSULTORÍA Y CONSULTING, S.L. (hereinafter, DATA CONSULTING). It is evident that it was carried out considerably later than the start of the processing (4 November 2022).
Its content and conformity with the requirements of the data protection regulations will be analysed in detail in the legal grounds of this initiation agreement.
- In reply to several questions in the first request for information, BURGOS CF identifies itself as the controller of the processing of biometric data for access to the El Plantío stadium and states the following regarding compliance with data protection regulations:
- Source of the data: provided by the data subject.
- Collection procedure: in person, through a fingerprint reader.
- Deletion period: once the season ends.
- Recipients: the 700 members of the supporters' stand, which is at gate 15. No disclosure is planned, except as may be required to comply with legal obligations.
- International transfers: none planned, except as may be required to comply with legal obligations.
- Purpose of the biometric processing: according to EscritoBurgos1, "to meet the requirements established by La Liga and the Standing Committee of the State Commission against Violence, Racism, Xenophobia and Intolerance in Sport".
- Retention period: one season, pending the AEPD's decision on whether the data should be retained or destroyed. Members are informed of this in Annex VII and were given the option of requesting deletion in the communication in Annex IV.
- Processors of special category data: none.
- Processors of other data: LALIGA, Sociedad Española de Fútbol Profesional, S.A. and Ligatech S.L.
- BURGOS CF has identified the following relevant dates for the processing: 4 November 2022 as the start of collection of biometric data; 8 December 2022 as the first match at which the processing was used to control access to the supporters' stand; 15 February 2023 as the end of (mandatory) processing to control access to the supporters' stand; and 19 February 2023 as the first match at which only those who had voluntarily opted for fingerprint access entered the stadium that way, the rest, about 60, entering with their card. In this regard, 9 sets of minutes are attached as Annex III of EscritoBurgos1, signed by the Security Director of BURGOS CF and the Security Coordinator from the Ministry of the Interior, concerning matches held at the El Plantío Stadium during 2022 and 2023, in which the need to carry out biometric controls of the supporters' stand is recorded. Some of these minutes state that the stadium did not have a biometric identification system for access, notwithstanding that fans' fingerprints had already been collected (e.g. the minutes of 14 August, 16 October, 29 October and 27 November 2022). Others state that this control was used for access. The end of the biometric system as a mandatory access system and its continuation on a voluntary basis is evidenced by the communication sent to members on 16 February 2023, attached as Annex IV of EscritoBurgos1, which informs them that, in view of AEPD Report 98/2022, the fingerprint system would be kept for voluntary use, and gives members a way to request deletion of the biometric data recorded in the system.
This is corroborated by the minutes of the match between Burgos and Albacete on 19 February 2023, which state the following: "The Security Director DELIVERS to the Security Coordinator a copy of a letter addressed to La Liga in which it submits allegations in relation to opinion 98/22 of the Spanish Data Protection Agency dated 20 January 2023 declaring non-conformity with the current regulations governing data protection, a copy of which is attached. Therefore, in this match the club has decided that only the members who have voluntarily agreed to provide said data, with the rest, some sixty, entering simply with their card."
- Consequently, BURGOS CF has stated that the processing is currently suspended "pending the completion of these proceedings before the AEPD in order to implement it with the appropriate technical, legal and security measures". Specifically, EscritoBurgos2 states: "this data processing has not yet been implemented and is not currently operational, since BURGOS CLUB DE FÚTBOL, S.A.D. is awaiting the completion of these proceedings before the AEPD in order to implement it with the appropriate technical, legal and security measures. Therefore, the Controller is not currently collecting any biometric data, and the measures described constitute planning for the future." Burgos further states that "it is awaiting the decision of the Spanish Data Protection Agency on whether to continue retaining said data or to proceed to its destruction" and that "the affected persons have been given the option to delete it".
- The documents evidencing the data subjects' consent to the processing of their personal data, or evidencing that they were given the information required by article 13 of the GDPR before their personal data (biometric and other data whose provision is mandatory) were collected, were requested by the inspector on two occasions.
However, BURGOS CF has only provided, as Annexes VI and VII of EscritoBurgos1, the two templates which it says were given to data subjects before and after 15 February 2023.
- Annex VI. Conditions of membership, access and permanence in the supporters' stands for the 2022-23 season. Used before 15 February 2023. It is not a personal data consent form but a contractual document, which requires the provision of biometric and non-biometric personal data (name, ID number, contact details, etc.).
- Annex VII. Information on access to the supporters' stands through biometric data (fingerprint). Template used after 15 February 2023, in which a specific consent to the processing of biometric data is signed.
- To evidence the security measures adopted for data protection, it provides as Annex VIII the document prepared by the entity SEFPSAU, as supplier of the hardware and software on which the processing of biometric data runs. This document gives a descriptive account of the operation of the biometric system installed in the Burgos stadium, from which the following main points are extracted:
- The personal data collected from each data subject during enrolment (registration in the system) are name, surname, DNI number, a system-generated identifier and the fingerprint biometric template.
- Enrolment of the fingerprint biometric template is carried out at the PC workstations serving members. Access to the supporters' stand is through a single gate with three turnstiles that allow access by biometric identification. Each of these turnstiles has several access methods (in addition to biometric reading): optical reading of barcode or QR access codes, and contactless reading of cards with an embedded chip.
- The comparison performed is "biometric identification" (one-to-many).
Thus, the readers installed on the turnstiles send the encrypted fingerprint biometric template of the person entering the stadium to the Biometric Identification Management Server (SGI), located on the club's premises and accessible only to the club. The comparison performed on this server returns a positive or negative identification result.
- Biometric templates are encrypted at all times with the device manufacturer's keys. The manufacturer certifies that the decryption keys are held only by it and are not available to its customers. It further certifies that once the template has been extracted from the fingerprint image, the image is deleted.
- Point 6 refers only to security measures specific to the technical elements or equipment.
- Burgos has also provided (Annex IX of EscritoBurgos1) the entry in its record of processing activities for "Access control through biometric data (fingerprint) to the Grada de Animación".
2. Response dated 27 July 2023 (EscritoBurgos2). On 6 July 2023, the inspector issued a new request asking for the action plan of security measures that is mentioned but not provided in the DPIA or in any other document of EscritoBurgos1, and for documentation evidencing the technical detail of the measures described under the heading "regarding the biometric vector". In reply to this new request, BURGOS CF provides as Document 1 the consent form signed at the time the fingerprint is collected (not the consents actually signed by season-ticket holders).
As Document 2, it provides the system supplier's document explaining the security measures relating to the biometric vectors obtained by the system, with 3 annexes attached, issued by the various suppliers of the installed system: NITGEN (sensor manufacturer), KIMALDI (guide for integrators of biometric solutions) and SETELSA SECURITY (fingerprint control system on the CONACWIN client workstation). From these, only some technical specifications and characteristics of the biometric system used can be gathered, such as that it uses a biometric vector encrypted with an AES algorithm proprietary to the manufacturer NITGEN, which is irreversible for its own employees, its customers (including the Club) and its suppliers (SEFPSAU). These documents do not constitute a worked-out plan of security measures for the purposes of article 32 or article 35.7.d) of the GDPR, aimed at addressing the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned. Various statements are also made about compliance with the principles of article 5 of the GDPR, the operation of the system through encrypted vectors that capture part of the fingerprint and generate a template, and the protocol applied in the event of security breaches, of which no copy is provided. It is expressly stated that no measure is currently in place; rather, it is a plan of future measures, given that no new biometric data are being captured.
3. Response dated 4 September 2023 (EscritoBurgos3). Finally, on 22 August the inspector requested, and BURGOS CF answered, the following, without attaching any document:
- Provide the risk analysis document: it refers to the content of the DPIA provided as Document 1.
- Provide information on where the biometric templates are stored (club servers, SGI, or turnstiles): they are stored only on the club's server. It states, among other things, that "The usual practice is to collect 2 templates per finger and 2 fingers per season-ticket holder. Enrolment is done through a desktop USB fingerprint reader, which is operated and managed from the client application installed on the Club's equipment." Once enrolment is completed, the "client application transmits the metadata to the Club Server (SGI), which stores it" (...). "The turnstile (reader) does not store the biometric template; it only acts as a sender: it captures the season-ticket holder's template through the fingerprint reader and transmits it raw (VLAN over private IP with HTTPS encryption) to the club server (SGI)".
- Indicate the security measures applied to storage: the reply contains no specific detail of measures, but rather an explanation of the authorisation process. The club explains when it considers a user "unauthorised" and the possibility of authorising manually in case of error. Significantly, it states that being "unauthorised" does not imply that the user's data are deleted.
- Describe how deletion takes place: it states that "when an authorised club employee decides to delete one or all biometric templates, they can do so from the Conacwin system, removing them from the only place where they are stored, the Club Server (SGI); this process is irreversible, so once deleted they cannot be recovered". Mention is also made of the different grounds on which employees may deauthorise someone or delete their data.
5.4 Conclusions.
In view of the actions carried out, there is prima facie evidence justifying the opening of sanctioning proceedings against BURGOS CF for having implemented, on 4 November 2022, a fingerprint-based biometric system for access to the supporters' stands of its stadium that did not comply with several requirements and principles of the data protection regulations, both while it was required as the only system for purchasing season tickets and accessing the stadium and after it became voluntary on 15 February 2023. This is without prejudice to the preliminary investigation leading to the initiation of sanctioning proceedings against other persons possibly responsible for the implementation of these biometric systems in first and second division football stadiums, should other infringements of the regulations be found.
FIFTH: According to the report obtained from the AXESOR tool, the entity BURGOS CLUB DE FÚTBOL, S.A.D. is an SME operating as a sports public limited company (Sociedad Anónima Deportiva) affiliated with LALIGA, established in 2018, with a turnover of €1,451,967 in 2021.
LEGAL GROUNDS
I. Competence
In accordance with the powers conferred by article 58.2 of the GDPR and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve these proceedings. Likewise, article 63.2 of the LOPDGDD provides that: "The proceedings handled by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedure."
II. Biometric data as special category personal data
2.1.
Definition and characteristics of biometric data.
Biometric data processing systems are based on collecting and processing, through devices or sensors, personal data relating to the physical, physiological or behavioural characteristics of natural persons, which may include their neural characteristics, and creating biometric templates (also called signatures or patterns) that make it possible to identify, track or profile those persons. Article 4(14) of the GDPR defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which (...) unique to that person, such as facial images or fingerprint data". As already noted in Opinion 4/2007 of the Article 29 Working Party (the independent advisory EU body established by Article 29 of Directive 95/46/EC) on the concept of personal data (WP136), of 20 June 2007, biometric data can be defined as: "... biological properties, physiological characteristics, living traits or repeatable actions where those features and/or actions are both unique to that individual and measurable, even if the patterns used in practice to technically measure them involve a certain degree of probability. Typical examples of biometric data are provided by fingerprints, retinal patterns, facial structure, voices, but also hand geometry, vein patterns or even some deeply ingrained skill or other behavioural characteristic (such as handwritten signature, keystrokes, particular way to walk or to speak, etc.).
A particularity of biometric data is that they can be considered both as content of the information about a particular individual (Titius has these fingerprints) as well as an element to establish a link between one piece of information and the individual (this object has been touched by someone with these fingerprints and these fingerprints correspond to Titius; therefore, this object has been touched by Titius). So they can work as 'identifiers'. Indeed, due to their unique link to a specific individual, biometric data may be used to identify this individual. This dual character is also present in the case of DNA data, which provides information about the human body and allows the unequivocal and unique identification of a person."
Any biometric access control system for the stadium, before it can be used, must first enrol the user's identity in the system by capturing a series of biometric parameters (in this case, the fingerprint of the season-ticket holders who purchase access titles for the supporters' stands of the BURGOS CF stadium). The aim is then to process those parameters to identify the person each time they subsequently enter or leave through the access point. Biometric data held in a system are stored in the form of a biometric template or pattern, commonly called a "vector". A biometric template is a way of encoding a human biometric characteristic, such as a face or a fingerprint, so that it can be interpreted by a machine efficiently and effectively for a specific purpose or purposes. The biometric template is not meant to be interpreted by a person, like a photograph, but to be processed in an automated process, that is, to be efficiently and effectively interpretable by a machine. This form of storage would allow an individual to be singled out and actions to be executed automatically, profiles to be built, or information about a subject such as attitudes or patterns of behaviour to be inferred.
This technology can be highly intrusive and calls for a calm ethical and legal debate, since it can have very adverse effects on fundamental values and human integrity. Consider just a few of its particular features, and the significant impact that occurs when this data is compromised compared with other types of personal data:
- Biometric systems are closely tied to a person, since they use a certain unique property of an individual to identify them. Each individual has unique fingerprints with measurable characteristics that can be compared to decide whether a fingerprint corresponds to a recorded sample. They are therefore unique and permanent over time; the person cannot be rid of them and they never change, not even with age, so the damage caused by compromise, loss or intrusion into the system is irreparable. Unlike a password, fingerprint or face data cannot be changed if lost.
- Furthermore, because biometric data are specific to a person and permanent, the same data may be used by that person in different systems, so a compromise in one system affects every other system in which the same characteristic is enrolled.
- While traditional authentication methods such as passwords require a 100% character-for-character match before the user is granted access to, for example, an account or application (deterministic methods), biometric methods are called "probabilistic" because they rely on the probability that the user trying to access a given device or application is the same person as the enrolled user. The performance of a biometric system can be measured by three main characteristics: the false rejection rate (FRR), the false acceptance rate (FAR) and the equal error rate (EER).
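The three rates named above can be made concrete with a small worked example. The following Python code is added here for illustration; it is not part of the AEPD decision and is not code from BURGOS CF, SEFPSA, NITGEN or any other party named in it. The genuine and impostor match scores are constructed, and the figure of 700 enrolled members is taken from the club's own statement on the size of the supporters' stand. The code computes FAR and FRR at a chosen threshold, sweeps thresholds to locate the EER, and shows why a one-to-many ("identification") search of the kind the turnstiles perform multiplies the false-accept risk by the number of enrolled templates.

```python
"""Worked example of FAR, FRR and EER for a fingerprint matcher.

Added example: the match scores below are constructed for illustration and
are not measurements from the Burgos CF system, SEFPSA, NITGEN or any other
party named in the decision.
"""

# Constructed similarity scores on a 0-100 scale: higher means the probe
# template looks more like the enrolled template.  "Genuine" scores come
# from comparing a person against their own enrolled template, "impostor"
# scores from comparing them against someone else's template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 75, 72, 70, 66, 64, 58, 55, 49, 41]
IMPOSTOR_SCORES = [12, 15, 18, 20, 23, 25, 28, 31, 33, 37, 40, 44, 48, 53, 61]

# Figure taken from the club's statement (700 members of the supporters'
# stand); used only to size the one-to-many example.
ENROLLED_MEMBERS = 700


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor comparisons at or above the threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine comparisons below the threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def equal_error_rate(genuine_scores, impostor_scores):
    """Return (threshold, eer) at the operating point where FAR and FRR are closest.

    On a finite score set the two curves rarely cross exactly, so the EER is
    reported as the mean of FAR and FRR at the threshold with the smallest gap.
    """
    candidates = sorted(set(genuine_scores) | set(impostor_scores))
    best_threshold, best_gap, best_eer = None, float("inf"), None
    for t in candidates:
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if abs(a - r) < best_gap:
            best_threshold, best_gap, best_eer = t, abs(a - r), (a + r) / 2
    return best_threshold, best_eer


def identification_far(verification_far, enrolled):
    """False-accept probability of a one-to-many (1:N) identification search.

    A 1:N search compares the probe against every enrolled template, so an
    impostor is wrongly accepted if ANY of the N comparisons passes the
    threshold.  Assuming independent comparisons: P = 1 - (1 - FAR)^N.
    """
    return 1 - (1 - verification_far) ** enrolled


if __name__ == "__main__":
    for t in (45, 55, 65):
        print(f"threshold {t:2d}: FAR={far(IMPOSTOR_SCORES, t):.3f} "
              f"FRR={frr(GENUINE_SCORES, t):.3f}")
    threshold, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER = {eer:.3f} at threshold {threshold}")
    # A matcher tuned to a 0.01% FAR in 1:1 verification, then deployed as
    # 1:N identification against the whole stand, does much worse per attempt.
    one_to_one = 1e-4
    print(f"1:1 FAR {one_to_one:.4%} -> 1:{ENROLLED_MEMBERS} FAR "
          f"{identification_far(one_to_one, ENROLLED_MEMBERS):.2%}")
```

Raising the threshold lowers FAR and raises FRR, which is the trade-off the EER summarises. The last line is the point that matters for a turnstile running one-to-many identification: an assumed 0.01% per-comparison FAR becomes roughly a 6.8% chance, per impostor attempt, of matching one of 700 enrolled templates, so such a deployment needs a stricter threshold (and therefore tolerates a higher FRR) than a one-to-one verification of a presented card would.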
The false rejection rate represents the probability that a biometric system fails to recognise a user whose biometric characteristics are already in the database. In the event of a rejection, the person must verify their identity again. From a safety and security perspective, this rate is not necessarily a negative result. Each biometric method, whether face, fingerprint, palm print or iris reading, etc., has different values for the different rates on the basis of which a system rejects or accepts attempts.
2.2. Biometric templates as special category and high-risk personal data.
According to the definition in article 4(14) of the GDPR, the biometric data processed by these systems are personal data whenever the purpose of the processing is the identification or authentication of a person, within the meaning of article 4(1) of the GDPR, which defines personal data as: "(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." In the present case there is no doubt that the biometric data are personal data, since the purpose of the system implemented for the purchase of season titles and access to the supporters' stands by fingerprint is to identify the people entering the stands, that is, to determine the person's identity directly or indirectly.
In each case the process assigns an identifier (the biometric template obtained by collecting fingerprint samples from data subjects) that allows an individual to be singled out and distinguished from others by means of "factors specific to the physical, physiological, genetic [or] mental identity". It must be borne in mind that the adoption of the GDPR (after the rules in Book XII of the RGLALIGA) brought a paradigm shift in personal data protection, aiming to guarantee citizens control over their personal data and establishing high standards of protection adapted to the digital environment in which we live. Under the principle of accountability, which inspires the new regulation, the GDPR stresses that the controller must seriously assess the risks that the intended processing poses to the rights and freedoms of data subjects (always before starting any processing, and continuously thereafter if it decides to proceed), adopting a risk-analysis approach by design and by default in order to identify those risks, determine their likelihood and impact, and provide measures and safeguards that eliminate or at least mitigate the risks detected and prevent them from materialising. Likewise, certain obligations must be met and certain principles established by the regulations must be respected. Thus, whenever personal data of any kind are processed, the controller must comply with the principles and obligations laid down in the data protection regulations for all types of personal data. All these duties are greatly heightened when special category data are involved, the processing of which is considered high risk. Both circumstances are present in biometric data intended to uniquely identify a person, as in the present case.
This paradigm shift has particularly affected biometric data, since, unlike under the regime prior to the GDPR, they are now considered special category personal data under article 9, the processing of which is generally prohibited unless one of the exceptions in article 9.2 of the GDPR applies. This does not remove the need for a legal basis under article 6, among many other requirements and principles that whoever opts for this type of processing must satisfy. Under article 9.1 of the GDPR, the processing of biometric data is prohibited when they are "biometric data for the purpose of uniquely identifying a natural person", although recital 51 of the GDPR covers both identification and authentication: "... as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation." In this regard, classification as special category data necessarily requires particular caution when determining whether processing of this nature may be carried out. Among other things, in addition to the existence of an exception that lifts the prohibition in article 9.1 of the GDPR, a legal basis under article 6 of the GDPR and compliance with the principles of the GDPR, the entity intending to implement biometric systems, in this case BURGOS CF, must first analyse whether the mandatory criteria of necessity, suitability and proportionality of the processing are met.
That is, whoever intends to establish personal data processing of this nature must, first of all, ensure that what case law has called “the triple judgment of proportionality” is met, considering in particular whether the processing of biometric data is suitable, proportionate and, above all, necessary. If there are other non-biometric systems that allow the same goal to be achieved, namely the ability to identify or verify the identity of people effectively, it will not be necessary to initiate biometric processing and, therefore, implementing this system will be considered contrary to the GDPR. This judgment must be the starting point of the analysis, since only if these methods pass the aforementioned triple judgment does it make sense to examine compliance with the other requirements or guarantees. In addition to being special category personal data, the processing of this type of biometric data is also considered “high risk”, which requires that an impact assessment (DPIA) always be carried out, in accordance with Article 35.1 GDPR; this DPIA must be prior to the start of the processing, but it must also be carried out continuously. Nor will it be enough to carry it out: it must also be considered valid because it meets the requirements set forth in that article, in particular that it contains at least the information of Article 35.7 GDPR. The processing of biometric data is considered high risk in accordance with the provisions of Article 35.4, which provides that “…The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1…”, given that it is among the processing operations included in the document “Lists of types of data processing that require a data protection impact assessment”, made public by the AEPD in development of the provision contemplated in the fourth paragraph of the aforementioned Article 35.
There is no doubt about the high-risk nature of this data, given that biometric data meets the criteria corresponding to numbers 4, 5 and 10 of that document (processing that involves the use of special categories of data; the use of biometric data; and processing that involves the use of new technologies or an innovative use of established technologies). Therefore, the processing of biometric data can never be started if a valid DPIA has not been prepared prior to the processing.

23. BURGOS CF as controller of the biometric data processing operations.

Article 4.2 GDPR defines “processing of personal data” as: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” Biometric data can be processed and stored in different ways. Sometimes the biometric information captured from a person is stored and processed in raw form, which allows the source it comes from to be recognized without special knowledge; for example, a photograph of a face, a photograph of a fingerprint, or a voice recording. Other times, the raw biometric information captured is processed so that only certain characteristics or traits are extracted and saved as a biometric template, here called a “vector”. According to what was stated by the club itself, the biometric system implemented by BURGOS CF works with biometric data obtained from a person (a fingerprint), from which an algorithm selects characteristics to create what is called a biometric template.
Then, when the fan enters the stadium, they pass through an access check in which the system verifies the identity of the person against the biometric database. It can do so in a second, while comparing hundreds of millions of data points. That is, the biometric characteristics are subjected to technical processing through which a person is recognized by means of a chronological process that is present in all biometric data processing: data capture or enrollment, with its subsequent storage or processing, the comparison or matching phase, the retention of the data, and its subsequent deletion, restriction, etc. Therefore, the identification process necessarily includes carrying out several processing operations (data collection or capture, recording, storage, processing, comparison, authentication, retention, deletion, restriction, etc.) for which BURGOS CF alone was responsible for the purposes of Article 4.7 GDPR, which provides: “7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” In short, when BURGOS CF implemented a new fingerprint detection system for the identification and verification of the identity of natural persons (instead of the usual method of identity verification by means of the DNI and a purchase title via QR reader or chip card) it must have been aware that it was going to be responsible for setting the purposes and means of various special category and high risk data processing operations.
From the evidence that exists so far in the file, and without prejudice to what results from the investigation, it is initially deduced that the club implemented this system when it already had an identification-authentication system for the identity of the people who accessed the entertainment stands of its stadium, which was much less intrusive and with which the same purpose was achieved, so the biometric processing should never have started under these conditions. But in addition to starting this processing without it being necessary and proportional, there is evidence that the processing was carried out in breach of many other obligations provided for in the data protection regulations when biometric personal data are involved, from which the alleged commission of 4 other possible administrative violations is derived. We will thus refer in Legal Grounds III to VII of this agreement to the lack of an exception that would lift the prohibition on processing biometric data of Article 9 GDPR, the failure to prepare or pass a DPIA prior to the processing (only a late and invalid one), the failure to comply with the duties of information under Article 13 GDPR, and the failure to obtain the consent of the parents or legal guardians of minors under 14 years of age referred to in Article 8 GDPR. In short, given the fingerprint system implemented by BURGOS CF as of November 4, 2022, it follows from the evidence obtained so far, and without prejudice to what may be deduced in the investigation phase, that the Club did not act with the diligence required of a controller of special category and high risk data such as biometric data, committing up to 5 administrative infractions of the GDPR, in the terms set out below in Legal Grounds III to VII of this Initiation Agreement.

III. On the need to carry out a prior and appropriate impact assessment of the processing.

5.1. Obligation and legal requirements of the impact assessment (DPIA) in high-risk processing.

As stated above, before implementing a data processing project based on this very intrusive technology, it is also necessary to audit its operation beforehand, not in isolation but within the framework of the specific processing in which it is going to be used (in this case, the sale of season tickets and access to the entertainment stands of the BURGOS CF stadium). The data protection impact assessment, DPIA, then appears as the tool required by the GDPR to ensure compliance with this aspect of the processing, as established in Article 35.1 GDPR: “Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data…” As already indicated, the processing of biometric data has been rated as high risk by the AEPD, by virtue of the provisions of Article 35.4, so we must start from the fact that the processing of biometric data initiated by BURGOS CF, according to its own statement, on November 4, 2022 should have been preceded by a valid impact assessment, which included at least the sections provided for in Article 35.7 GDPR. This implies that it is not enough to carry out a DPIA: it must be passed in order to comply with the GDPR.
This assessment will be done prior to the start of the processing, but it must be understood as a continuous or periodic evaluation, in the sense established by Article 35.11 GDPR, which states: “Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.” A DPIA must meet the minimum requirements or content listed in Article 35.7 GDPR, which provides: “The assessment shall contain at least: a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.” In short, passing a DPIA requires that the controller of a high-risk processing document in writing that it passes the assessment of suitability, necessity and proportionality of the processing, and that it manages from the design stage the specific risks of the processing, with the practical application of measures aimed at them in a way that guarantees an acceptable risk threshold throughout the processing life cycle, as established in Article 35 GDPR. Furthermore, it requires prior consultation with the supervisory authority in the event that the controller has not taken measures to mitigate the risk, in accordance with Article 36 GDPR.

5.2. Breach of the duty to present a DPIA by BURGOS CF.

In the present case, the club has provided (Annex V of WrittenBurgos1) the document “Impact Assessment Report Related to Data Protection” (DPIA Report) dated February 15, 2023, prepared by a third party (DATAINFO CONSULTORÍA Y ASESORÍA, S.L.). But the start of the processing occurred on November 4, 2022, as recognized by BURGOS CF itself. This DPIA postdates the start of the biometric processing: the processing started on November 4, 2022 and the DPIA is dated February 15, 2023, which shows that for more than three months biometric data was processed without complying with the obligation prescribed in Article 35 GDPR. It is, therefore, recognized and accredited that BURGOS CF began the processing on November 4, 2022 without having previously carried out a DPIA, and thus clearly violated the provisions of Article 35.1 GDPR, which prevents carrying out any high-risk processing, such as that of biometric data, without having previously carried out a DPIA that analyzes the purpose, the risks, the judgment of proportionality of the processing and, where appropriate, the measures to be provided to protect the personal information.

IV. Concurrence of an exception to Article 9 GDPR, and legitimizing basis of Article 6 GDPR.

4.1. Regarding the need for an exception to the prohibition on the processing of biometric data.

As already indicated, biometric data, cataloged as a “special category” in Article 9 of both the GDPR and the LOPDGDD, are personal data the use of which may give rise to significant risks to fundamental rights and freedoms, and therefore, in principle, their processing is prohibited in Article 9.1 GDPR, unless one of the exceptions provided for in paragraph 2 of the same article applies.
Another additional requirement of this type of processing will therefore be that, before starting the processing, the controller must also check and prove that one of the exceptions provided for in Article 9.2 GDPR or in other specific legislation exists. In this way, its processing being prohibited in general, any exception to this prohibition must be subject to restrictive interpretation. This is also what can be deduced from recitals 51 and 52 GDPR, which state: “Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.” “Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health (...)” Thus, the exceptions that could possibly allow the lifting of the general prohibition on processing biometric data aimed at identifying or verifying the identity of natural persons are those provided for in Article 9.2 GDPR, with the following literal wording, which must be interpreted restrictively, always in favor of protecting the rights and freedoms of citizens in case of doubt:

“2. Paragraph 1 shall not apply if one of the following applies:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law;
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) processing relates to personal data which are manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

Therefore, in addition to previously verifying that the processing passes the judgment of proportionality, if the controller does not prove that its processing falls within one of these exceptions, it will not even be able to start the processing without incurring a violation of Article 9 GDPR.

4.2. Need for a legal basis for the processing under Article 6.1.

In addition to lifting the prohibition on its processing, the controller must also prove that its processing can be carried out because one of the legal bases legitimizing the processing contained in Article 6.1 GDPR is present, which is a general requirement for the processing of any personal data. That is, the concurrence of an exception that hypothetically allows lifting the prohibition on processing biometric data will not be sufficient; it does not replace the need for a legal basis in the case of biometrics. The controller must be in a position to prove that both are present, in addition to passing the judgment of proportionality mentioned above, and so on with respect to the rest of the requirements provided for in the regulations. That is why we speak of “cumulative requirements” and not alternatives.
Thus, Article 6 GDPR also starts from the premise that the processing of personal data is in general something exceptional, maintaining that: “1. Processing shall be lawful only if at least one of the following conditions applies (commonly referred to as “legal bases”):
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.”

Therefore, in the event that there is no legal basis, a violation of Article 6 GDPR would be added to the violations mentioned above.

4.3. Analysis of the concurrence of an exception and a legal basis in the present case.
With regard to the case at hand, BURGOS CF refers to these issues in what it calls the analysis of “legitimation and legality” in point 1.3 of the DPIA of February 15, 2023, where reference is made both to the concurrent exception and to the legal basis that presumably legitimizes the biometric processing for the purpose of controlling access to the entertainment stands of its stadium. In this sense, BURGOS clearly distinguishes two periods (before and after the DPIA) between which there has been a change of criteria regarding the legal basis and the exception that supported the possibility of processing biometric data. It is stated that the legitimacy for the use of the system prior to February 15, 2023 was based on compliance with a legal obligation, and that the lifting of the prohibition on processing special category data was supported by letters b) and g) of Article 9.2 GDPR and by the legal basis of Article 6.1.c). As of February 15, 2023 (after the CEVRXID agreement of that same date), the DPIA states that the processing is based on the consent of the data subjects, in accordance with Articles 9.2.a) and 6.1.a) GDPR, the data subjects being the people with access to the Entertainment Stand of the El Plantío Stadium. Thus, with regard to the legal basis for the processing under Article 6 GDPR, the concurrence of the legal basis of Article 6.1.c) (compliance with a legal obligation) is alleged before February 15, 2023, but from that date onwards it is said that the basis is that of Article 6.1, without indicating exactly which letter or ground they refer to. They admit that compliance with a legal obligation cannot be the basis, as indicated in Report 98/22 of the Legal Office of this Agency, and they say they change the concurrent exception. But they do not give any alternative with respect to the legal basis, confusing exception with legal basis.
Although this omission to indicate the legal basis on which the processing rests may affect the validity of the DPIA, the truth is that, in order to assess whether a violation of Article 6 GDPR occurs, the main thing is to check whether there really is a legal basis, even if the controller has not determined it correctly or included it in the DPIA. And in this case, it can be established that initially there is a legal basis that enables the club to process personal data in general (not biometric data, since for those an exception under Article 9 must also apply). Specifically, that referred to in Article 6.1.b), which refers to the processing being “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” This is because purchasing a ticket or season ticket constitutes the creation of a contractual link between the purchaser and the club, which is governed by the conditions provided on the front and back of the ticket or season ticket and by the document of conditions that the club provided as Annex VI of its first written statement of allegations. Therefore, it is not initially appropriate to allege a violation of Article 6 GDPR. Now, although there was a legal basis, this legitimized the club to process other non-biometric personal data, already usually required for access by the previous access methods, but in no case did it legitimize starting biometric processing if there is no exception under Article 9.2 that would allow lifting the prohibition on processing biometric data. The lack of an exception that would allow biometric data to be processed before the DPIA is clear, as it is recognized by the Club itself. It is not a disputed question.
- On the one hand, the Club acknowledges having initiated processing of biometric data without obtaining express consent for the specific purpose referred to in the exception of Article 9.2.a), since the biometric system was mandatory, there was no option of an alternative access method, and the fan of this entertainment stand was obliged to provide his biometric data to acquire the season ticket and access the stands. This is corroborated by the content of the form that was signed until February 15, 2023 (Annex VI), which cannot even be considered a data protection consent form, being a simple contractual document that indicates the conditions of membership, access and permanence that the acquirer must sign to be able to acquire the season ticket. It is consequently accredited and recognized that before the DPIA the club was not collecting a data protection consent for biometric data that could fit into the exception of Article 9.2.a).
- On the other hand, the club recognizes that the exceptions of Articles 9.2.b) and 9.2.g) (compliance with a legal obligation and substantial public interest) do not justify the processing of these data, adopting the interpretation made in Report No. 98/2022 of this Agency, as CEVRXID and LALIGA have also done. And on this basis they claim to have changed the exception to the express consent of Article 9.2.a) as of February 15, 2023. This implies, without a doubt, that between November 4, 2022 and February 15, 2023, BURGOS CF processed biometric data without any exception that would lift the prohibition on processing these data.

Consequently, it is also appropriate to initiate sanctioning proceedings for violation of Article 9 GDPR, since there is recognition by the reported party and sufficient evidence that the biometric processing was started without any legal exception justifying it until February 15, 2023.
V. On the requirement that the processing be necessary, suitable and proportional

One of the obligations of every controller of personal data is to ensure that the processing respects the principles provided for in Article 5 GDPR. In the case of biometric data, because it is special category and high risk data, the essential importance of respecting the principle of data minimization, provided for in Article 5.1.c), must be highlighted. That provision indicates: “1. Personal data shall be: c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”. Respect for this principle must be the starting point of all processing: the controller must first of all consider whether the processing will really be necessary, suitable and proportional before starting it. And if the processing is high risk, as in the case of biometrics, it must reflect this prior evaluation of necessity and proportionality in a specific document called a data protection impact assessment (DPIA), in accordance with Article 35.7.b) GDPR, which states that “an assessment of the necessity and proportionality of the processing operations in relation to the purposes” must be carried out and passed.
This is confirmed by recital 39 GDPR, which underlines the importance of the processing being necessary, indicating that “Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.” Along the same lines, the Article 29 Working Party, in its Opinion 3/2012 on developments in biometric technologies, indicates that “When analyzing the proportionality of a proposed biometric system, it is necessary to consider beforehand whether the system is necessary to respond to the identified need, that is, whether it is essential to satisfy that need, and not just the most appropriate or cost-effective one. A second factor that should be taken into account is the probability that the system will be effective in responding to the need in question in light of the specific characteristics of the biometric technology to be used. A third aspect to consider is whether the resulting loss of privacy is proportional to the expected benefits. If the benefit is relatively minor, such as greater convenience or slight savings, then the loss of privacy is not appropriate. The fourth aspect to evaluate the adequacy of a biometric system is to consider whether a less privacy-invasive means would achieve the desired end.” This idea is reiterated in paragraph 72 of Guidelines 3/2019 on the processing of personal data through video devices, dated 01/29/2020, of the CEPD (EDPB), which indicates: “The use of biometric data and in particular facial recognition entail heightened risks for data subjects' rights. It is crucial that recourse to such technologies takes place with due respect to the principles of lawfulness, necessity, proportionality and data minimisation as set forth in the GDPR.
Whereas the use of these technologies can be perceived as particularly effective, controllers should first of all assess the impact on fundamental rights and freedoms and consider less intrusive means to achieve their legitimate purpose of the processing.” That is, the question to be answered is whether this biometric application is something that is really essential and necessary, or merely “convenient”. Therefore, processing personal data that is not suitable (adequate), necessary and proportional is always prohibited, and constitutes in itself an administrative violation of Article 5.1.c) GDPR. Since the processing of biometric data implies restricting the rights and freedoms of the data subjects, the obligation to process only “personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, provided for by the principle of data minimization of Article 5.1.c) GDPR, must be interpreted in accordance with the settled case law of our Constitutional Court regarding the need to verify that any measure restricting fundamental rights (biometric processing in this case) passes what is called “the triple judgment of proportionality.” This implies that, first of all, it is necessary to verify whether it meets the following three requirements or conditions referred to by the Constitutional Court: “whether such a measure is capable of achieving the proposed objective (judgment of suitability); whether, furthermore, it is necessary, in the sense that there is no other more moderate measure for the achievement of that purpose with equal effectiveness (judgment of necessity); and finally, whether it is weighted or balanced, because more benefits or advantages for the general interest derive from it than harm to other goods or values in conflict (judgment of proportionality in the strict sense).”
In view of the background in this file, the club under complaint states that it carried out, in its DPIA of 15 February 2023, an evaluation of the suitability, necessity and proportionality of biometric processing for the purpose of controlling access to its stadium's animation stands by fingerprint. It therefore proceeds to analyse whether the intended processing passes the so-called triple judgment of proportionality, which in accordance with the aforementioned doctrine of the Constitutional Court examines the following:
1. Whether the processing is capable of achieving the proposed objective (judgment of suitability). This is about determining whether the processing is appropriate for the purpose it pursues: that the processing responds to certain deficiencies, demands, obligations or objective opportunities and can achieve the proposed objectives with sufficient efficiency. Asked by the inspector about the “judgment of suitability”, BURGOS CF refers to its response in this regard in the DPIA of 15 February 2023, which indicates the following: “With this measure the stated objective of guaranteeing security at matches, based on a task carried out in the public interest, with legitimation based on express consent, is achieved in a more effective way, since it is the most reliable method we currently have, according to the state of the art, for verifying a person's identity. On the other hand, the installation of biometric recognition systems is the only way to comply with the requirements of the State Commission against Violence, Racism, Xenophobia and Intolerance, as well as the orders imposed by La Liga.” Indeed, it has been found that BURGOS CF already had two other methods of acquiring tickets and accessing the animation stands before 4 November 2022, the details of which will be referred to in the judgment of necessity.
With regard to the arguments put forward regarding suitability, the club simply indicates that biometric control is more effective than the previous access security system because it is the most reliable method, but it does not prove it. Rather, on the contrary, it must be taken into account that the biometric system generates false acceptance rates, false rejection rates and equal error rates, as indicated previously. These errors are added to those that can already occur when using the QR code, barcode or chip card readers used in the other access security systems. And it must be taken into account that what the judgments of suitability, necessity and proportionality must evaluate is the effectiveness of the system for the protection of the rights and freedoms of the data subjects who provide their biometric data, and not what favours the organisation. On the other hand, the fact that the CEVRXID and LALIGA had ordered that this biometric system be established does not in itself mean that the system is suitable, necessary or proportional. The existence of a mandate from a higher entity does not exempt the controller from evaluating whether the system is suitable, necessary or proportional prior to installing it in its stadium. Finally, it cannot be accepted that the processing of biometric data was suitable, necessary or proportional because the system was based on express consent, given that the necessity of the processing is a matter prior to and separate from what may constitute the exception of article 9 of the RGPD and the legitimising legal basis of article 6 of the RGPD. So, even though consent may constitute a ground for lifting the prohibition of article 9, it does not affect the proportionality judgment in any way. Especially when it comes to the judgment of necessity, since, as the case law of our Constitutional Court indicates, necessity can never depend on what the affected party decides.
2. Whether, furthermore, it is necessary, in the sense that there is no other more moderate measure to achieve that purpose with equal effectiveness (judgment of necessity). The point is that it must be determined whether the goal pursued cannot be achieved in another less harmful or invasive way, that is, whether there is no alternative processing that is equally effective in achieving the intended purpose. Necessity should not be confused with the utility of the system. Fingerprint detection may make it easier to avoid having to carry a card, saving a few seconds at access, and it is automatic, instantaneous and not excessively costly. Obviously, a fingerprint system can be useful, but it need not be objectively necessary (the latter being what must really be present). As established in Opinion 3/2012 on developments in biometric technologies of the Article 29 Working Party, it must be examined “whether it is essential to satisfy that need, and not just the most suitable or profitable one.” Options and alternatives must be analysed before establishing a new system that represents an excessive limitation of the right of choice of each user, when there may be means less invasive of privacy, and one must not opt for what is practical, agile and convenient when the rights of the data subjects are at stake. Thus, the controller that considers implementing biometric data processing must be scrupulous in exhaustively analysing all the available alternative options that are equally suitable and effective but less intrusive. Consequently, it must study the feasibility of other possible available alternative options that do not require the use of special category data, compare all the options and document the conclusions. This has not been done by BURGOS CF.
Despite stating that there are two other alternatives to the biometric access method available, it does not perform, nor does it attach to its DPIA, any analysis referring to the differences and impact of applying the biometric method compared to the other alternative options from the point of view of the risks and impact produced on the rights and freedoms of the data subjects. The necessity assessment carried out by BURGOS CF in the DPIA is completely insufficient to justify the processing of biometric data. To assess the necessity of the processing, the proposed measure must be supported by evidence that describes the problem to be addressed by the measure, how it will be addressed by the measure, and why existing or less intrusive measures cannot address it sufficiently. Thus, according to what BURGOS CF has stated and as observed in Annex I of EscritoBurgos1, there are other pre-existing alternatives that were already used previously to verify the identity of the fans who accessed the animation stands: “Access to the animation stands is through a single door that has three turnstiles with the possibility of biometric identification access. Each of these turnstiles has several access methods (in addition to biometric reading): optical reading of barcodes or QR, and wireless reading of cards with built-in chip.” According to the club, the modalities pre-existing the fingerprint system always remain as an “access” to which one can return, and there is no further record or log of the passage of the aforementioned ticket through the turnstiles through which those people access.
Thus, the season tickets for the animation stand, the form taken by the access titles, contain personal data that the accused club demanded for their issuance (name, DNI, etc.), a power granted to the organiser of the event by the regulations on ticket sales and access to sports venues, and they involve the creation of a legal relationship of a contractual nature between the parties. These are also the same data contained in the season ticket card in its various modalities (QR/chip card), which serve as the basis for implementing the registration and use of the fingerprint. This implies that in the animation stands of the El Plantío stadium there are 3 possible access systems, two of them non-biometric and prior to the implementation of the biometric system. In view of what was stated by BURGOS CF itself, these two systems stopped being used between 4 November 2022 and 15 February 2023, the period in which the biometric system was implemented as mandatory, and became available and operational again from then on. It is also stated that since 15 February 2023 the club has stopped collecting new biometric data and requiring biometric control in the stadium, this system being suspended until the AEPD determines what to do. But it is noted that biometric control continues to be used to access the animation stands by those season-ticket holders who opt for it voluntarily, and also that the data are kept until the end of the season, although they are still being held at this time, awaiting a determination of what to do. It is thus proven that the club under complaint had and has two identity verification methods that are clearly less intrusive for the rights of the people who access the stadium, and that identify the season-ticket holder with the same effectiveness as the biometric system.
Since access is possible with the physical card, or with the season ticket on the mobile phone (NFC chip), or by reading the QR code of the season ticket card, and the holder's identity can be verified by simply showing the DNI, a system that was already operating before the implementation of the fingerprint reader. Consequently, if there are alternatives available such that at a given time all fans may opt for non-biometric access, and a free, express and specific consent allows them to choose between these other less intrusive methods and biometrics, this implies that biometric data processing is not necessary for the purpose of controlling the identity of those who access the animation stands. In no case is the judgment of necessity passed, because biometric processing is not necessary. Asked about the judgment of necessity in the inspection, BURGOS CF does not offer reasons that justify it. The DPIA only states the following: “Regarding the question raised about the need to incorporate a biometric recognition system, we must argue that this measure contributes to avoiding violence in sport in two ways. On the one hand, there is its deterrent effect, as it functions as a preventive factor; if a person knows that the organisation has his or her unique identification through a fingerprint, he or she will be much more careful when carrying out actions that involve acts of violence, racism or intolerance inside or outside the stadium. On the other hand, this type of identification can reliably help to determine the identity of people who take part in hypothetical violent acts that occur in the context of football matches.” However, the argument of helping to avoid violence in sport cannot be accepted as sufficiently valid to consider that these biometric systems are necessary for this reason.
From the current regulation regarding the sale of tickets and access to sports venues (RGLALIGA; Law 19/2007 against violence, racism, xenophobia and intolerance in sport, and its implementing regulation approved by RD 557/2011) it follows that there are other ways to prevent violence in stadiums and identify those responsible, which function properly for this end. Thus, among other means, this regulation allows tickets to be nominative; inside stadiums there may be video surveillance systems, which can also be placed at the entrances and surroundings of the stadium; and each seat is assigned to the person who purchases the ticket. Through the traditional access methods, via a nominative season ticket with display of the DNI, the people who access the stands can be identified and registered. It is not understood that the fingerprint is going to add an extra that allows identifying those who may have committed acts of violence in the match in question. Even less does it contribute to avoiding it. It is thus deduced that the fingerprint access system, compared to the traditional sale of nominative tickets, does not represent a clear and differentiated plus in stadium security, since with the already existing means it is possible to identify possible offenders and verify the facts that have occurred.
3. Finally, whether it is weighted or balanced, because more benefits or advantages for the general interest derive from it than harm to other goods or values in conflict (proportionality judgment in the strict sense). This is determined, among others, in “STC 66/1995, of 8 May, F. 5; STC 55/1996, of 28 March, FF. 7, 8 and 9; STC 270/1996, of 16 December, F. 4.e; STC 37/1998, of 17 February, F. 8; STC 186/2000, of 10 July, F.
6).” In this regard, the seriousness of the risk of the processing to rights and freedoms, and its interference with the fundamental right to personal data protection, must be appropriate to the objective pursued and proportionate to its urgency and seriousness. We must weigh the benefit that the processing provides to society, from the point of view of data protection, maintaining a balance with the impact it represents on other fundamental rights. However, although the right to data protection may partially yield, in no case can this amount to the absolute denial of that right and the emptying of its essential content. There must be a logical link between the measure and the legitimate objective pursued. In order for the principle of proportionality to be respected, the advantages resulting from the measure should not be outweighed by the disadvantages that the measure causes regarding the exercise of fundamental rights. And one of the factors that plays a role in proportionality is the effectiveness of the existing measures as compared with the proposed one: if measures already existed in the same context for a similar or identical purpose, this should be considered; if not, the evaluation of proportionality has not been properly carried out. With respect to the proportionality judgment, BURGOS CF states in its DPIA only the following: “We must remember that BURGOS CLUB DE FÚTBOL, S.A.D. has been informed that there are several people subject to precautionary measures, issued by the corresponding courts with jurisdiction in the matter, who have been prohibited from entering the stadium and given a 500-metre restraining order. To avoid circumvention of any other, looser type of control, control through biometric data ends up being configured as an essential system that cannot be deceived, since the fingerprint is a piece of information inherent to each person, which cannot be modified or transferred.
In this way, we determine that, in relation to the interference that this system entails in the rights of the data subject, and making a weighing judgment between the interference with their right to privacy and the assurance of the right to life and physical integrity of each person pursued by the proposed control measure, the former is conceived as minuscule compared to the latter.” Again, the judgment made is not correct, since it does not weigh the advantages and disadvantages of using this biometric system. But above all, and in relation to the proportionality requirement, because the alleged conflict between the right to life and physical integrity of people and the right to protection of personal data is not solved solely by means of a biometric access system, since there is another pre-existing alternative method that allows the identification and verification of the identity of those people who are prohibited from entering the stadium with the same effectiveness as a fingerprint. Taking into account that the computerised system for controlling and managing ticket sales and access to football stadiums provided for by law can ensure that tickets are nominative, which is a common and normalised type of access, and there being another modality of the same that is less intrusive, as the DPIA recognises, it must prevail as it is preferable to the biometric fingerprint detection system. From all of the above, it is clearly deduced that the fingerprint access system implemented by BURGOS CF in accordance with the provisions of the DPIA of 15 February 2023 does not pass this triple judgment of proportionality, for the specific purpose intended according to the club (“access control to the animation stands through fingerprint identification”) and in the specific framework of the BURGOS CF stadium.
In the present case, the intended purpose is to univocally identify the people who accessed the stadium's animation stands using biometric data, and considering that there is an access modality that complied and complies with the same purpose in a less intrusive way, it is considered that the processing of biometric data carried out by BURGOS CF is neither necessary nor proportional, and therefore violates the principle of data minimisation contained in article 5.1.c), which requires that the data processed be limited to what is necessary to achieve those purposes. All this, to the extent that the club recognises that the biometric system continues to operate on a voluntary basis and that it continues to retain the biometric data collected previously, since this will mean continuing to process biometric data when this is not necessary, appropriate or proportional. Therefore, the club is warned that the violation of article 5.1.c) is still ongoing at present and will continue as long as this biometric processing takes place without being suitable, necessary or proportional, it being indifferent whether it is voluntary or mandatory. For completeness, it should be noted that the DPIA presented cannot be considered valid, since it does not meet the minimum requirements established in article 35.7 of the GDPR. Not only in terms of not passing the evaluation of necessity and proportionality, but also for not properly describing the operations and purposes of the processing, not containing an adequate analysis of the risks of the processing from the point of view of the rights and freedoms of people, and not proposing adequate and sufficient measures to reduce the impact of the threats identified.
VI About the consent of minors
In addition to the requirements set out above, it must be taken into account that BURGOS CF, in the Annex VI document, is allowing minors under 18 years old to access the stadium's animation stands as long as there is a consent signed by parents or legal guardians, without establishing any minimum age limit, and including in the signature footer of the document that possibility (signature of the representative in case of being a minor) as acceptance of the terms of use. Thus, section 1 of this Annex VI provides that: “1.- Anyone who accesses the Animation Stand must be at least eighteen (18) years old. If this is not the case, signed consent from the parents or legal guardian will be required.” Through this clause, the club under complaint has been seeking the contractual consent required to make up for the minor's lack of capacity to acquire the season ticket, for the purposes of the club-subscriber contractual relationship. Allowing minors to go to the stadium (without any age limit), and allowing them to acquire the season ticket as long as the Annex VI document is signed by their parents or guardians, implies that they will be obliged to provide their personal data. In relation specifically to the processing of biometric data, as of 15 February 2023 BURGOS CF considered that it was necessary to request consent to proceed with the processing of these personal data. However, the club does not prove that it is obtaining consent for the biometric processing of minors, either (i) from the parents or guardians of minors under 14 years of age or (ii) from the minors over 14 years of age themselves, regarding the processing of their biometric personal data from 15 February 2023, as this possibility does not appear in the model in Annex VII. It turns out that, for minors, no provision for consent to process their biometric personal data is established in that document.
In this regard, article 8 of the GDPR provides that: "1. Where Article 6(1)(a) applies in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. 2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology. 3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.” Likewise, the conditions provided for in article 7 of the LOPDGDD must be met, which, on the “Consent of minors”, provides that: "1. The processing of the personal data of a minor may only be based on his or her consent when he or she is over fourteen years of age. Exceptions are the cases in which the law requires the assistance of the holders of parental authority or guardianship for the conclusion of the legal act or transaction in the context of which consent for the processing is obtained. 2. The processing of data of minors under fourteen years of age, based on consent, will only be lawful if it includes that of the holder of parental authority or guardianship, with the scope determined by the holders of parental authority or guardianship.” In conclusion, at present there is sufficient evidence of an alleged violation of Article 8 of the GDPR, since it appears that the club is not obtaining consent for the processing of minors' biometric data, either from their parents or guardians or from the minors directly, depending on the age of the minor.
VII On the information duties of article 13 of the RGPD
One of the obligations of the controller in all personal data processing is to comply with the duties of information to data subjects provided for in Articles 12 to 14 of the GDPR. In accordance with article 12.1 of the RGPD, the starting point is the principle of “Transparent information, communication and modalities for the exercise of the rights of the data subject”: "1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means." These information duties are specified in articles 13 and 14, those provided for in article 13 of the RGPD on “Information to be provided where personal data are collected from the data subject” being applicable to the present case:
1.
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: a) the identity and the contact details of the controller and, where applicable, of the controller's representative; b) the contact details of the data protection officer, where applicable; c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; e) the recipients or categories of recipients of the personal data, if any; f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available. 2.
In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability; c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; d) the right to lodge a complaint with a supervisory authority; e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2. 4.
Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.” As already anticipated, when required by the inspector to justify compliance with the duty to inform the data subject of the content provided for in article 13 of the RGPD, Burgos provided the two documents it has used, the one prior to 15 February 2023 and the one used afterwards (Annexes VI and VII). Firstly, Annex VI of EscritoBurgos1, which according to BURGOS CF is the only document that was signed by the data subjects when acquiring the season ticket before 15 February 2023, is not a consent regarding the processing of personal data, but a contractual document that contains the “Conditions of membership, access and permanence in the animation stands. 2022/2023 season”, which must be signed in order to acquire the season ticket. However, this document requires the collection of personal data for the “obtaining of the season ticket”. In section 3 it refers to the obligation to provide personal data such as name, surname, ID and contact details, and to sign a data protection consent, which is not provided. And section 8 contains the obligation to submit to biometric access control prior to obtaining the season ticket, collecting biometric data for this purpose, indicating that any other access system will be exceptional. It should be noted that the inspector requested BURGOS CF on a second occasion to provide the supposed data protection consent document that data subjects had to sign before the collection of the data referred to in section 3, but the club did not provide it in Escrito2Burgos (limiting itself to providing the new Annex VII), nor in Escrito3. Therefore, it must be considered that this consent was not signed.
It follows that, until 15 February 2023, biometric data and other personal data (DNI, name, surname, etc.) were collected without the purchasers of the season ticket having been duly informed of the information provided for in Article 13 of the GDPR, since the only document they signed was this Annex VI, which only contained the following generic information regarding personal data protection: […] 8.- Any person who accesses the "LA HINCHADA DEL ARLANZON" Animation Stand must undergo biometric access control, for which, prior to obtaining the season ticket for this area, they must facilitate the capture of the fingerprint that is necessary. Any other access system that does not entail biometric recognition will be exceptional. The biometric data collected are for the exclusive use of entry to the sporting event, and the season-ticket holder may request the cancellation of that file by cancelling their season ticket. […] 12.- For the purposes of the provisions of Organic Law 3/2018 of 5 December on the protection of personal data and guarantee of digital rights, we inform you that the personal data collected in this document, as well as those obtained by biometric means, will be included in a personal data file owned by the Club. In this sense, the undersigned gives his or her express consent for the processing of the aforementioned personal data." In short, before 15 February 2023, there is no doubt that BURGOS CF was collecting personal data from these season-ticket holders (700 people according to the club), both biometric and of other types, without informing the data subjects of all the aspects set out in article 13, resorting to a generic formula. This document does not comply with the information required by the GDPR, which has been expanded considerably with respect to the previous legislation.
For the period after 15 February 2023, BURGOS CF provides the document “Information on access control to the animation stands through biometric data (fingerprint)” (Annex VII of EscritoBurgos1). The document, used as indicated by Burgos after 15 February 2023, is indeed an express consent that informs the signatory about the processing through biometric control. Thus, it states that by signing the document the data subject consents to “the processing of biometric data relating to my fingerprint or pattern thereof for the purpose described.” It contains most of the information provided for in article 13, except that provided for in 13.2.c) referring to the possibility of withdrawing the consent given. Although the possibility of requesting the erasure of the data collected is mentioned, this is not equivalent to revoking consent. In short, from the documents in the file and without prejudice to those that may be provided during the proceedings, at this time there is sufficient evidence that BURGOS has been collecting personal data from the 700 season-ticket purchasers without adequately informing them of all the aspects required for data protection purposes, so that a violation of Article 13 of the GDPR is observed.
VIII Classification of infringements and qualification for the purposes of limitation periods.
As explained in Legal Grounds III to VII of this agreement, it is considered that BURGOS CF may have committed the following infringements of the current data protection regulations:
8.1.
Violation of article 35 of the GDPR As set out in Legal Fundamentals V, in accordance with the evidence that is available at the present time, and without prejudice to what results from the instruction, it is considered that the facts presented could violate the established in article 35 of the RGPD, which could involve the commission of a administrative offense classified in article 83.4.a) of the RGPD which indicates that: “Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global annual total business volume of the previous financial year, opting for the largest amount: a) The obligations of the person responsible and the person in charge in accordance with the articles 8, 11, 25 to 39, 42 and 43.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/54 For the purposes of prescription, the LOPDGDD establishes in its article 73.t) that: “In Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: t) The processing of personal data without having carried out the evaluation of the impact of processing operations on the protection of personal data in the cases in which it is enforceable.” 8.2. Violation of article 9 of the GDPR. 
As set out in Legal Ground IV, in accordance with the evidence available at the present time, and without prejudice to what results from the investigation, it is considered that the facts presented could violate Article 9 of the GDPR, which could constitute an administrative offence classified in Article 83(5) of the GDPR, which provides: "Infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9."

For the purposes of limitation, the LOPDGDD establishes in its Article 72(e): "Based on what is established in Article 83(5) of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, and in particular the following: e) The processing of personal data of the categories referred to in Article 9 of Regulation (EU) 2016/679 without any of the circumstances provided for in that provision and in Article 9 of this organic law being present."

8.3. Violation of Article 5(1)(c) of the GDPR
As set out in Legal Ground V, in accordance with the evidence available at the present time, and without prejudice to what results from the investigation, it is considered that the facts presented could violate Article 5(1)(c) of the GDPR, which could constitute an administrative offence typified in Article 83(5) of the GDPR, which provides: "Infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9."

For the purposes of the limitation of infringements, the LOPDGDD establishes in its Article 72: "Based on what is established in Article 83(5) of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, and in particular the following: a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679."

8.4. Violation of Article 8 of the GDPR
As set out in Legal Ground VII, in accordance with the evidence available at the present time, and without prejudice to what results from the investigation, it is considered that the facts presented could violate Article 8 of the GDPR, which could constitute an administrative offence classified in Article 83(4) of the GDPR, which provides: "Infringements of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines up to 10 000 000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43."

For the purposes of the limitation period, Article 73 "Infringements considered serious" of the LOPDGDD indicates: "Based on what is established in Article 83(4) of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered serious and shall be time-barred after two years, and in particular the following: a) The processing of personal data of a minor without obtaining their consent, when they have the capacity to give it, or that of the holder of parental authority or guardianship, in accordance with Article 8 of Regulation (EU) 2016/679."

8.5. Violation of Article 13 of the GDPR
As stated in Legal Ground VI, in accordance with the evidence available at the present time, and without prejudice to what results from the investigation, it is considered that the facts presented could violate Article 13 of the GDPR, which could constitute an administrative offence classified in Article 83(5) of the GDPR, which provides: "Based on what is established in Article 83(5) of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, and in particular the following: b) the rights of the data subjects under Articles 12 to 22."

For the purposes of the limitation period, Article 74 "Infringements considered minor" of the LOPDGDD indicates: "The remaining infringements of a purely formal nature of the articles mentioned in paragraphs 4 and 5 of Article 83 of Regulation (EU) 2016/679 are considered minor and shall be time-barred after one year, and in particular the following: a) Failure to comply with the principle of transparency of information or the right to information of the affected person by not providing all the information required by Articles 13 and 14 of Regulation (EU) 2016/679."

X Determination of sanctions

Article 58(2) of the GDPR provides: "Each supervisory authority shall have all of the following corrective powers: i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;"

The determination of the sanctions to be imposed in the present case requires observing the provisions of Articles 83(1) and 83(2) of the GDPR, which respectively provide:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."

"2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following: a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; b) the intentional or negligent character of the infringement; c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32; e) any relevant previous infringements by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects; g) the categories of personal data affected by the infringement; h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures; j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."

Within this section, the LOPDGDD provides in its Article 76, entitled "Sanctions and corrective measures": "1. The sanctions provided for in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in paragraph 2 of that article. 2. In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuing nature of the infringement. b) The link between the offender's activity and the carrying out of processing of personal data. c) The benefits obtained as a consequence of the commission of the infringement. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in those cases in which there are disputes between them and any data subject. 3. It shall be possible, complementarily or alternatively, to adopt, where appropriate, the remaining corrective measures referred to in Article 83(2) of Regulation (EU) 2016/679."

For the assessment of the sanction that would be imposed in this initiation agreement for the alleged violation of Article 35 of the GDPR, the following circumstances are considered:

- "The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation." Given that the processing of biometric data began on 4 November 2022 without a DPIA until 15 February 2023, so that for more than three months the processing was carried out without identifying, evaluating and assessing the risks to the rights and freedoms of natural persons and without, among other issues, establishing and implementing, as a consequence, the appropriate measures to seek their protection, in line with the purpose pursued by the GDPR. And it affected 700 subscribers who acquired the animation stand subscription for the 2022/2023 season (Article 83(2)(a) GDPR).
For completeness, it should be noted that not having carried out the DPIA is substantially serious in this case, since when it was eventually carried out the system changed from mandatory to voluntary, also changing the legal basis and the applicable exception.

- A serious lack of diligence is found (Article 83(2)(b) GDPR), given that any processing that entails a high risk requires a DPIA to be carried out prior to the start of the processing, especially if it may encompass special categories of personal data, such as biometric data in this case, or data subjects who deserve specific protection, such as children. In this sense, the Supreme Court has held that there is negligence whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. In assessing the degree of diligence, the professionalism or otherwise of the subject must be especially considered, and there is no doubt that, in the case now examined, where the activity of the entity involves the constant and abundant handling of personal data, rigour and exquisite care in conforming to the legal precautions in this regard must be insisted upon. The Supreme Court judgment (STS) of 06/05/1998 requires professionals in the sector to have "a duty to know especially the applicable standards", and the STS of 03/02/1999 and 09/17/1999, among others, are expressed in similar terms: those who, because of their activity, are accustomed to the processing of personal data must be especially diligent and careful when carrying out operations with them and must always opt for the interpretation most favourable to safeguarding the fundamental right to data protection (as the National Court has repeatedly maintained, among others in its ruling of 11/26/2008).
- The impact on one of the special categories of data, biometric data, whose need for protection is to that extent greater than that of other personal data, in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of 05/22/2019, appeal 1405/2019, which represents an aggravating circumstance in accordance with Article 83(2)(g) of the GDPR, "the categories of personal data affected by the infringement".

- The impact on the rights of minors (Article 76(f) of the LOPDGDD), since according to the document provided as Annex VI it is possible to process the biometric data of persons under 18 years of age.

As a consequence, with the elements available, the sanction is quantified at 50,000 euros, without prejudice to what results from the processing of the procedure.

For the assessment of the sanction that would be imposed in this initiation agreement for the alleged violation of Article 9 of the GDPR, the following circumstances are considered:

- "The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation", given that it is a periodic processing of personal data which, from 4 November 2022 to 15 February 2023, affected the 700 subscribers who acquired the animation stand subscription for the 2022/2023 season (Article 83(2)(a) GDPR).

- A lack of diligence is found, given that it prepared the implementation of the system and did not foresee its impact, so this factor operates as an aggravating factor (Article 83(2)(b) GDPR), in accordance with the doctrine of the Supreme Court previously referenced.

- The impact on the rights of minors (Article 76(f) of the LOPDGDD), since according to the document provided as Annex VI it is possible to process the biometric data of persons under 18 years of age.
As a consequence, with the elements available, the sanction is quantified at 50,000 euros, without prejudice to what results from the processing of the procedure.

Regarding the alleged violation of the principle of data minimisation, that is, of Article 5(1)(c) of the GDPR, the following circumstances are considered:

- "The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation." The specific purpose of the processing of personal data was not correctly specified in relation to the needs to be covered, which constitutes the nature of the infringement and extended the scope of those affected to any subscriber of the accused; considering that the purpose of the processing is a basic activity of the controller, this aggravates it (Article 83(2)(a) GDPR).

- A serious lack of diligence is found, given that, as it had available and as documented in the DPIA of 15 February 2023, there were other, less intrusive means of processing, yet the use of the solution was left to the users' will without its impact being foreseen, so this factor operates as an aggravating factor (Article 83(2)(b) GDPR).

- The impact on one of the special categories of data, biometric data, whose need for protection is to that extent greater than that of other personal data, in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of 05/22/2019, appeal 1405/2019, which represents an aggravating circumstance in accordance with Article 83(2)(g) of the GDPR, "the categories of personal data affected by the infringement".

- The impact on the rights of minors (Article 76(f) of the LOPDGDD), since according to the document provided as Annex VI it is possible to process the biometric data of persons under 18 years of age.
As a consequence, with the elements available, the sanction is quantified at 50,000 euros, without prejudice to what results from the processing of the procedure.

Regarding the alleged violation of Article 8 of the GDPR, the following circumstances are considered:

- "The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation", given that the processing of biometric data carried out as of 15 February 2023 provided for the giving of consent for the processing of biometric data without any provision for obtaining the consent of the minors concerned, which represents a loss of control and disposition over their personal data (Article 83(2)(a) GDPR).

- A serious lack of diligence is found (Article 83(2)(b) GDPR), given that any processing that collects data from minors and requires consent must contain specific provisions for that consent to be given by the minors directly or by their legal representatives, depending on the age of the minor. Negligence is considered to occur in accordance with the doctrine of the Supreme Court previously referenced.

- The impact on one of the special categories of data, biometric data, whose need for protection is to that extent greater than that of other personal data, in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of 05/22/2019, appeal 1405/2019, which represents an aggravating circumstance in accordance with Article 83(2)(g) of the GDPR, "the categories of personal data affected by the infringement".

As a consequence, with the elements available, the sanction is quantified at 25,000 euros, without prejudice to what results from the processing of the procedure.
With regard to the alleged violation of Article 13 of the GDPR, the following circumstances are considered:

- "The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation." Given that the controller did not inform those affected in the terms of the GDPR either from 4 November 2022, when the processing of biometric data was launched, or from 15 February 2023, the date of completion of the DPIA, and in neither case was the information adapted to minors; this affected 700 subscribers who acquired a subscription to the entertainment stand for the 2022/2023 season. All of this means a lack of information and a loss of disposition and control over personal data (Article 83(2)(a) GDPR).

- A serious lack of diligence is found (Article 83(2)(b) GDPR), since data subjects must be informed prior to the processing, especially when the information precedes the giving of consent. In this sense, the Supreme Court has held that there is negligence whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. In assessing the degree of diligence, the professionalism or otherwise of the subject must be especially considered, and there is no doubt that, in the case now examined, where the activity of the accused involves the constant and abundant handling of personal data, rigour and exquisite care in complying with the legal precautions in this regard must be insisted upon. The STS of 06/05/1998 requires professionals in the sector to have "a duty to know especially the applicable standards", and the STS of 03/02/1999 and 09/17/1999, among others, are expressed in similar terms: those who, because of their activity, are accustomed to the processing of personal data must be especially diligent and careful when carrying out operations with them and must always opt for the interpretation most favourable to safeguarding the fundamental right to data protection (as the National Court has repeatedly maintained, among others in its ruling of 11/26/2008).

- The impact on one of the special categories of data, biometric data, whose need for protection is to that extent greater than that of other personal data, in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of 05/22/2019, appeal 1405/2019, which represents an aggravating circumstance in accordance with Article 83(2)(g) of the GDPR, "the categories of personal data affected by the infringement".

- The impact on the rights of minors (Article 76(f) of the LOPDGDD), since according to the document provided as Annex VI it is possible to process the biometric data of persons under 18 years of age.

As a consequence, with the elements available, the sanction is quantified at 25,000 euros, without prejudice to what results from the processing of the procedure.

XI Adoption of corrective measures

If the violation is confirmed, it could be agreed to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58(2)(d) of the GDPR, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…". The imposition of this measure is compatible with the sanction consisting of an administrative fine, in accordance with the provisions of Article 83(2) of the GDPR.
It is warned that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative offence in accordance with the provisions of the GDPR, classified as an infringement in its Articles 83(5) and 83(6), and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.

XI. Provisional measures

Article 58(2) of the GDPR provides: "Each supervisory authority shall have all of the following corrective powers: d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; f) to impose a temporary or definitive limitation including a ban on processing; […] i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;"

The imposition of these measures is compatible with each other and with the sanction consisting of an administrative fine, in accordance with the provisions of Article 83(2) of the GDPR.

There is no evidence that BURGOS CF has stopped using the biometric system for access to the stadium on the basis of the users' consent, since it maintains it as a voluntary method of access to the animation stands at its stadium.

In particular, it is worth mentioning Article 69 of the LPACAP, which determines: "1. During the carrying out of prior investigation actions or once a procedure for the exercise of sanctioning powers has been initiated, the Spanish Data Protection Agency may, by reasoned decision, adopt the provisional measures necessary and proportionate to safeguard the fundamental right to data protection and, in particular, those provided for in Article 66(1) of Regulation (EU) 2016/679, the precautionary blocking of data and the immediate obligation to attend to the right requested. 2. In cases where the Spanish Data Protection Agency considers that the continuation of the processing of personal data, its communication or its international transfer would entail a serious impairment of the right to the protection of personal data, it may order the controllers or processors to block the data and cease its processing and, in the event that these mandates are not complied with, proceed to their immobilisation."

Article 56 of the LPACAP, insofar as it is applicable, indicates the following provisional measures in its paragraphs 1 and 3: "1. Once the procedure has started, the administrative body competent to resolve it may adopt, ex officio or at the request of a party and in a reasoned manner, the provisional measures that it deems appropriate to ensure the effectiveness of the resolution that may be issued, if there are sufficient elements of judgment for this, in accordance with the principles of proportionality, effectiveness and least onerousness. (…) 3. In accordance with the provisions of the two previous paragraphs, the following provisional measures may be adopted, in the terms provided for in Law 1/2000, of 7 January, on Civil Procedure: a) Temporary suspension of activities. b) Provision of guarantees. c) Withdrawal or intervention of productive assets or temporary suspension of services for reasons of health, hygiene or safety, and the temporary closure of the establishment for these or other reasons provided for in the applicable regulations. d) Preventive seizure of assets, income and fungible things computable in cash by application of certain prices. e) The deposit, retention or immobilisation of movable property. f) The intervention and deposit of income obtained through an activity that is considered illegal and whose prohibition or cessation is sought. g) Consignment or constitution of a deposit of the amounts claimed. h) The withholding of income on account that must be paid by the Public Administrations. i) Those other measures that the laws expressly provide for the protection of the rights of interested parties, or that are deemed necessary to ensure the effectiveness of the resolution. 4. Provisional measures may not be adopted that may cause harm of difficult or impossible reparation to the interested parties or that involve a violation of rights protected by law. 5. Provisional measures may be lifted or modified during the processing of the procedure, ex officio or at the request of a party, by virtue of circumstances that have occurred or that could not be taken into account at the time of their adoption. In any case, they shall be extinguished when the administrative resolution that puts an end to the corresponding procedure takes effect."

In the data processing analysed, there is a high risk for the rights and freedoms of a large number of those affected, including minors, such as the loss of control and disposition over their personal data or the use of personal data that are not obviously necessary to access the stadium. Along with this, there are indications and proven evidence that recommend not continuing with the aforementioned processing, which involves special categories of personal data. The continuation of the processing, for which there is evidence that it has not passed the triple proportionality test and therefore has not passed the DPIA of 15 February 2023, could lead to very serious and irreparable harm to the rights of those users.
Therefore, the temporary suspension of treatment is the only measure that can be adopted to safeguard the Fundamental Right to Data Protection, also proving to be the least harmful, onerous, proportional and effective, as well as the most proportional and effective for the accused. From these premises and in order to guarantee the rights and freedoms of those affected, It is considered appropriate to impose a provisional measure that prevents as soon as possible the continuation of the processing of personal data through the fingerprint recognition for access to the El Plantío stadium BURGOS CF, which must temporarily suspend its use. This measure would not prevent the accused from continuing to control the entry correctly. and legal with the other systems you are using, not even the fans would mind. loss of service, since you can continue entering the stadium normally because It is a “complementary” or “alternative” system to the fingerprint, as stated continually the accused. Consequently, in accordance with art 83.2 of the RGPD and article 76.3 of the LOPDGDD transcribed above, it is possible to impose through this Agreement of Start of sanctioning file the provisional measure of ordering, in accordance with the provisions in art. 69 of the LOPDGDD and art. 56 of the LPACAP, the temporary suspension of all processing of biometric personal data and especially those related to the Fingerprint recognition for access to the El Plantío stadium. Every time the provisional suspension of treatment is considered necessary, proportional, effective to guarantee the rights and freedoms in contention of those affected and of less burdensomeness for the accused. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 48/54 The provisional measure must be carried out from the notification of this agreement initiation of the sanctioning procedure until its final resolution, in which it must be confirmed, modified or lifted, without prejudice to the provisions of art. 
56.5 of the LPACAP. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: FIRST: START SANCTIONING PROCEDURE against BURGOS CLUB DE FOOTBALL, S.A.D. with NIF A09012428, for the following violations of the RGPD: - For the alleged violation of article 35, typified in article 83.4 of the RGPD - For the alleged violation of article 9 of the RGPD, typified in article 83.5.a) of the GDPR. - For the alleged violation of article 5.1.c, typified in article 83.5.a) of the GDPR. - For the alleged violation of article 8 of the RGPD, typified in article 83.4.a) of the GDPR. - For the alleged violation of article 13 of the RGPD, typified in article 83.5.b) of the GDPR. SECOND: ORDER as a provisional measure the BURGOS FOOTBALL CLUB, S.A.D. with NIF A09012428, in accordance with the provisions of article 69 of the LOPDGDD and article 56 of the LPACAP, the temporary suspension of all treatment of personal data related to fingerprint detection for access to the El stadium Plantation. The provisional measure must be carried out within ten business days, counted from the notification of this agreement to open the procedure, and will remain until its final resolution, in which it must be confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the LPACAP. To this end, you must justify before this Spanish Data Protection Agency the attention of this request. THIRD: APPOINT A.A.A. as instructor. and, as secretary, to B.B.B., indicating that they may be challenged, if applicable, in accordance with the provisions of the Articles 23 and 24 of Law 40/2015, of 1/10, on the Legal Regime of the Public Sector (LRJSP). FOURTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Inspection of Data. FIFTH: THAT for the purposes provided for in art. 
64.2 b) of the LPACAP, the sanction that could correspond to each of the infringements charged, without prejudice to what results from the investigation, would be:
- 50,000 euros for the infringement of article 35 of the GDPR.
- 50,000 euros for the infringement of article 9 of the GDPR.
- 50,000 euros for the infringement of article 5.1.c) of the GDPR.
- 25,000 euros for the infringement of article 8 of the GDPR.
- 25,000 euros for the infringement of article 13 of the GDPR.

SIXTH: TO NOTIFY this agreement to BURGOS CLUB DE FÚTBOL, S.A.D., with NIF A09012428, granting a hearing period of ten business days to formulate the allegations and present the evidence it considers appropriate. In its written allegations it must provide its NIF and the file number that appears in the heading of this document.

If, within the stipulated period, no allegations are made against this initiation agreement, it may be considered a proposed resolution, as established in article 64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, the accused party may acknowledge its responsibility within the period granted for formulating allegations against this initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be set at 160,000 euros, and the procedure would be resolved with the imposition of this sanction.

Likewise, at any time prior to the resolution of this procedure, the accused party may make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be set at 160,000 euros, and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
The reduction for voluntary payment of the penalty is cumulative with the reduction applicable for the acknowledgement of responsibility, provided that this acknowledgement of responsibility is made within the period granted for formulating allegations against the initiation of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In that case, if both reductions were applied, the amount of the penalty would be set at 120,000 euros.

In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

If the accused party chooses to make voluntary payment of any of the amounts indicated above, 160,000 euros or 120,000 euros, it must do so by depositing it into account number IBAN: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the payment reference the procedure number that appears in the heading of this document and the ground for the reduction applied. Likewise, proof of payment must be sent to the General Subdirectorate of Inspection in order to continue the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the initiation agreement. After this period, it will expire and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, no administrative appeal lies against this act.
935-30102023
Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On 5 March 2024, the accused party paid the sanction in the amount of 120,000 euros, making use of the two reductions provided for in the initiation agreement transcribed above, and on the same date submitted a written document requesting a resolution terminating the procedure, acknowledging its responsibility, and expressly waiving any administrative action or appeal against the sanction.

THIRD: In the aforementioned initiation agreement transcribed above, it was agreed: "TO ORDER BURGOS CLUB DE FÚTBOL, S.A.D., with NIF A09012428, as a provisional measure, in accordance with the provisions of article 69 of the LOPDGDD and article 56 of the LPACAP, the temporary suspension of all processing of personal data relating to fingerprint detection for access to the El Plantío stadium. The provisional measure must be carried out within a period of ten business days, counted from the notification of this agreement initiating the procedure, and will remain in force until its final resolution, in which it must be confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the LPACAP. To this end, compliance with this requirement must be justified before this Spanish Data Protection Agency."

BURGOS CLUB DE FÚTBOL, S.A.D. has not yet proven to have executed this provisional suspension measure, nor has the measure been lifted.

FOUNDATIONS OF LAW

I. Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II. Termination of the procedure

Article 85 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or a pecuniary sanction and another of a non-pecuniary nature can be imposed but the inappropriateness of the second has been justified, voluntary payment by the alleged responsible party, at any time prior to the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is purely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased by regulation."

III. Elevation of the provisional measure to definitive. Adoption of corrective measures.
Article 58.2 of the GDPR provides the following: "Each supervisory authority shall have all of the following corrective powers: [...] d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; [...] f) to impose a temporary or definitive limitation including a ban on processing; [...] i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;"

Regarding the temporary or definitive limitation of processing, reference should be made to article 69 of the LPACAP, which determines:

"1. During the carrying out of prior investigation actions or once a procedure for the exercise of sanctioning power has been initiated, the Spanish Data Protection Agency may, by reasoned decision, adopt the provisional measures necessary and proportionate to safeguard the fundamental right to data protection and, in particular, those provided for in article 66.1 of Regulation (EU) 2016/679, the precautionary blocking of data and the immediate obligation to comply with the right requested.

2. In cases where the Spanish Data Protection Agency considers that the continuation of the processing of personal data, its communication or international transfer would entail a serious impairment of the right to the protection of personal data, it may order the controllers or processors to block the data and cease its processing and, in the event of non-compliance with these orders, proceed to their immobilization."

Article 56 of the LPACAP states in its fifth section that: "5.
The provisional measures may be lifted or modified during the processing of the procedure, ex officio or at the request of a party, by virtue of circumstances that have arisen or that could not be taken into account at the time of their adoption. In any case, they will be extinguished when the administrative resolution that puts an end to the corresponding procedure takes effect."

In the present procedure, there is no evidence that BURGOS CF has suspended the data processing related to access to the stadium's supporters' stand by means of fingerprint (which was maintained as a voluntary access system for members who opt for it), although the agreement initiating this procedure ordered "the temporary suspension of all processing of biometric personal data and especially that relating to the fingerprint recognition system for access to the El Plantío stadium", since the provisional suspension of the processing was considered necessary, proportionate and effective to guarantee the rights and freedoms at stake of those affected, and the least burdensome for the accused party.

In accordance with the provisions of the agreement initiating this procedure, the provisional measure should have been adopted from the notification of the initiation of the sanctioning procedure until its final resolution, in which it had to be confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the LPACAP.

As of the date of this resolution, BURGOS CF has acknowledged its responsibility and made the payment, requesting the termination of the procedure, without reference to the state of the processing of biometric data in the supporters' stand of its stadium, so it is unknown whether this system has been provisionally suspended, as ordered in the agreement initiating the sanctioning procedure, or definitively suspended.
Having said the above, BURGOS CF has acknowledged its responsibility for the infringements charged in the initiation agreement, and it is also necessary to require the controller to adopt the appropriate corrective measures to bring its conduct into line with data protection regulations, as already anticipated in the initiation agreement.

It is considered that the same risks that motivated the suspension or provisional limitation of the processing in the initiation agreement undoubtedly persist today, since the continuation of the processing could lead to very serious and irreparable harm to the rights and freedoms of users who access the stadium using the biometric system implemented.

Given the circumstances, it is understood that the prohibition of processing, as a corrective measure among those granted to the Spanish Data Protection Agency in article 58.2 of the GDPR, is the only measure that can be adopted to safeguard the fundamental right to data protection, and it also proves to be the least harmful and onerous and the most proportionate and effective for the accused party. On these premises, and in order to guarantee the rights and freedoms of those affected, it is considered appropriate to confirm the provisional suspension ordered in the initiation agreement and to prohibit, as a corrective measure, the processing of personal data through the fingerprint recognition system for access to the El Plantío stadium of BURGOS CF, proceeding to the cessation of the processing. This measure would not prevent the accused party from continuing to control entry appropriately and lawfully with the other systems it is using, nor would it mean a loss of service for fans, since they can continue entering the stadium normally, given that it is an already implemented system that is "complementary" or "alternative" to the fingerprint system, as the accused party continually states.
In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of the sanctioning procedure processed under number PS/00483/2023 (EXP202213792), in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO CONFIRM the provisional measure imposed in the agreement initiating the present sanctioning file, and to prohibit BURGOS CLUB DE FÚTBOL, S.A.D., as a corrective measure, from any processing of personal data relating to fingerprint processing for access to the El Plantío stadium, proving within ten business days before this Spanish Data Protection Agency that it has proceeded to cease the processing.

THIRD: TO NOTIFY this resolution to BURGOS CLUB DE FÚTBOL, S.A.D.

In accordance with the provisions of article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

1219-21112023
Mar España Martí
Director of the Spanish Data Protection Agency