AEPD (Spain) - EXP202213323
From GDPRhub
| AEPD - EXP202213323 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(f) GDPR Article 27 GDPR Article 32 GDPR Article 33 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 12.12.2022 |
| Decided: | 19.01.2024 |
| Published: | |
| Fine: | 72,000 EUR |
| Parties: | Shanghai Moonton Technology Co. Ltd. |
| National Case Number/Name: | EXP202213323 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA fined a videogame company €90,000 for its use of forum moderators without proper data minimisation or security measures limiting their access to personal data. The controller paid a reduced fine of €72,000 in accordance with national law.
English Summary
Facts
On 2 November 2022, a security breach occurred on Shanghai Moonton Technology Co. Ltd.’s (the controller) videogame forum. The controller is a Chinese videogame company headquartered in Shanghai that was acquired by Bytedance in March 2021.
The breach affected 442 Spanish data subjects and included usernames on the controller’s forum, user ID numbers, frequency of each data subject’s visit to the forum, the reported sex of data subjects, IP addresses, email addresses and the data subjects’ activities on the forum including publications and interactions. On the day of the breach, 2 November 2022, the personal data obtained in the breach was published on a third party website. The following day, 3 November 2022, a member of the controller’s security team identified the publication of the data on the third party website. From 4 November to 16 November 2022, the controller investigated the data breach. The controller identified the location of each data subject based on their IP address and notified the corresponding DPAs accordingly. It began notifying DPAs on 11 November 2022.
On 21 November 2022, the controller notified the Spanish DPA (AEPD) of thebreach.
In its investigation, the AEPD noted that the controller used moderators which were volunteers, not employees or contractors, in order to manage its forums. Moderators were hired using a two-week trial period and were required to abide by terms of service and a code of conduct. The controller gave moderators access to users’ personal data in order to monitor the forums and where necessary, revise or eliminate posts, block user access to the forum, respond to users or approve new users. This access included data which was available to all users on the forum including data subjects’ usernames, user IDs, number of visits to the forum, reported sex, and activities on the forum. In addition, moderators were given access to personal data which was not already publicly available to all forum users: data subjects’ email addresses, time and date of the most recent activity on the forum, and IP addresses.
The controller stated that it had security measures in place prior to the breach with regard to the affected data with the goal of avoiding such incidents. It was unaware of any prior security incidents and noted that it had not received any claim or request from data subjects in Spain in relation to the breach. With regard to the delay in notifying the AEPD of the breach, the controller argued that as it did not have a legal establishment in Spain, it needed to contract a legal assessor within Spain to prepare the due notification and documents.
Holding
The AEPD concluded that the controller likely violated Articles 5(1)(c), 5(1)(f), 27, 32 and 33 GDPR.
With regard to the data minimisation violation, the AEPD found that the controller shared more personal data of data subjects than necessary with forum moderators. It stated that it was not necessary to provide moderators access to all of this personal data – particularly email and IP addresses – in order to moderate the forums. These data were not relevant to the duties that the controller envisioned for the moderators.
The AEPD also determined that the controller failed to comply with security obligations. It stated that the publication of personal data from its forum on a third party website indicated a violation of integrity and confidentiality principles under Article 5(1)(f) GDPR. The AEPD also took issue with the controller’s use of moderators – in essence, the controller permitted users who volunteered to moderate to access other users’ personal data. It employed no security measures beyond a code of conduct, terms and conditions and a two-week trial period. These measures, the AEPD found, were inadequate and violated Article 32 GDPR.
The AEPD also concluded that the controller had failed to designate a representative in the European Union. The controller is a Chinese videogame company offering services in the European Union, and was thus required to do so pursuant to Article 27 GDPR.
Finally, the AEPD found that the controller did not notify the AEPD of the breach within the time frame envisioned by Article 33 GDPR. The controller did not notify the DPA within 72 hours of learning of the breach, but instead took 18 days.
Given these violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of €90,000.
Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted for the latter option and reduced the fine by 20%, paying the reduced sanction amount of €72,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/54
File No.: EXP202213792
Sanctioning Procedure PS/00483/2023.
RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
VOLUNTEER
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
BACKGROUND
FIRST: On December 29, 2023, the Director of the Spanish Agency
of Data Protection agreed to initiate sanctioning proceedings against BURGOS CLUB
DE FÚTBOL, S.A.D. (hereinafter, the claimed party), through the Agreement that is
transcribes:
File No.: EXP202213792.
Sanctioning Procedure No.: PS/00483/2023.
AGREEMENT TO START SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following:
FACTS................................................. .................................................. ....................2
FIRST:................................................ .................................................. ...............2
SECOND:................................................ .................................................. ..............3
THIRD:................................................ .................................................. ...............4
ROOM:................................................ .................................................. .................4
FIFTH:................................................ .................................................. ..................4
5.1. Intervening parties and documents that form part of the file........................4
5.2. On the origin and current situation of the implementation of biometric systems
in first and second division soccer stadiums................................................ .5
5.3. Facts related to BURGOS CF................................................ ...........8
5.4 Conclusions................................................ .................................................. 12
LEGAL FUNDAMENTALS................................................. ...................................13
I Competition................................................ .................................................. ........13
II Biometric data as special category personal data...................................13
2.1. Definition and characteristics of biometric data...................................................13
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/54
2.2. Biometric templates as special and high category personal data
risk................................................. .................................................. .................fifteen
23. BURGOS CF as responsible for data processing operations
biometrics................................................. .................................................. ........17
III. On the need to carry out a prior and appropriate impact evaluation to the
treatment................................................. .................................................. ............18
5.1. Obligation and legal requirements of the impact assessment (EIPD) in
high-risk treatments................................................... ....................................18
5.2. Breach of the duty to present a DPIA by BURGOS CF.
.................................................. .................................................. .........................twenty
IV Concurrence of an exception to article 9 of the RGPD, and legitimizing basis of the
Article 6 of the GDPR................................................ .................................................. .twenty
4.1. Regarding the need for an exception to the prohibition of
processing of biometric data................................................ ............................twenty
4.2. Necessity of the basis of legality of the treatment of article 6.1................................22
4.3. Analysis of the concurrence of an exception and a basis of legality in the
present assumption................................................ ................................................2. 3
V Regarding the requirement that the treatment be necessary, appropriate and proportional...25
VI About the consent of minors................................................ ...................31
VII On the information duties of article 13 of the RGPD................................33
VIII Classification of infractions and qualification for the purposes of prescription....36
8.1. Violation of article 35 of the GDPR................................................ ...................36
8.2. Violation of article 9 of the GDPR................................................ .....................36
8.3. Violation of article 5.1.c of the RGPD................................................ .................37
8.4. Violation of article 8 of the GDPR................................................ .....................37
8.5. Violation of article 13 of the GDPR................................................ ...................38
X Determination of sanctions............................................... ................................38
XI Adoption of corrective measures................................................... ............................43
XI. Provisional measures................................................ ............................................44
HE REMEMBERS:............................................... .................................................. ............46
FACTS
FIRST:
With dates of November 4 and 7, 2022, they are received at this Spanish Agency of
Data Protection complaint and claim against the implementation of systems
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/54
biometrics for access control to the entertainment stands of the stadium
BURGOS CLUB DE FÚTBOL, S.A.D. with NIF A09012428 (hereinafter, “the
club”/BURGOS CF).
- Firstly, a complaint was received on November 4, 2022 stating the
State Commission against violence, racism, xenophobia and intolerance in
The sport adopted an agreement according to which access to the cheering stands
of football stadiums was to be carried out through biometric control. In
Consequently, some football teams are already adopting these forms of action.
cess for its stands, such as BURGOS CF. The complaining party
considers that the aforementioned treatment is excessive. In this sense, it indicates that
They can carry out the same controls by requesting nominal payments and, if by chance
security issues were necessary, by requesting the exhibition of the
National identity document.
The complainant does not attach any documentation to his writing.
- Subsequently, a claim is received on November 7 of the same year.
nifiesta that BURGOS CF is requesting, compulsorily, to access the
Football field animation stand, the use of fingerprint. Literally
states the following: “When you become a member of the cheering tier, in no way
moment you sign anything about data protection and they do not tell you that it will be able to
tender, for access to the field, biometric data. Until now the system
The key to access the field is: first they ask for your DNI and MEMBERSHIP CARD to
verify that you are the subscriber, and then you go through a turnstile in which you have to
Enter your membership card and you are registered. Therefore, the justification of
that it is for security is unjustified, since there is a less invasive means. Is
discriminatory that only one stand is requiring this measure of
access control to the field, since none of the subscribers in another stand will be
imposed on you, nor on people who enter punctually with a ticket. Yes,
“They gain security, where security is in the rest of the field.”
The claimant accompanies the official statement published on November 4,
2002 on the burgoscf.es website about “Official statement | Access
biometric in animation stands carried out by BURGOS CF” in which
states the following:
“The Burgos Football Club, in compliance with Law 19/2007, of July 11,
lio, Royal Decree 203/2010, of February 26, and Book
General of LaLiga, after an audit carried out by LaLiga, and after
the agreement adopted by the State Commission against violence, racism,
xenophobia and intolerance in sport, communicates that access to its
animation stand will have to be done through biometric control.
In this sense, all the LaLiga clubs, among which also
Burgos CF is located, have been warned that failure to comply
This regulation will give rise to the action of the commission through the co-
rresponding proposals for opening sanctioning proceedings in
under current legislation. In this way, LaLiga has installed a pro-
fingerprint detection program so that all subscribers of this
area of the stadium go to the club offices to establish their fingerprint and thus act
give in to the El Plantío Stadium with this method. (…) This movement is
only a first step, since the Burgos entity has the objective and ad-
wants the commitment to implement this biometric access mechanism
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/54
for the entire stadium in an estimated period of two seasons. Actually yes-
guiding the line of action of other reference clubs in Spanish football,
The entity intends to develop facial identification processes, in favor of
speed and accessibility, when these systems are more developed.”
None of the complainants provides evidence that suggests that
collected your biometric data.
SECOND:
In accordance with article 65.4 of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD), on December 1, 2022, said transfer was made
claim to BURGOS CF so that it could proceed with its analysis and inform this
Agency within a period of one month, of the actions carried out to adapt to the
requirements provided for in data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on December 2, 2022, as
It appears in the acknowledgment of receipt that is in the file. However, BURGOS CF
did not respond to this first transfer.
THIRD:
On January 2, 2023, the Director of the Spanish Protection Agency
of Data urged the Subdirectorate General of Data Inspection (SGID) to initiate the
prior investigative actions referred to in article 67 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD) to analyze the implications that
could have in terms of personal data protection the practical application of the
aforementioned biometric system in football stadiums, one of which was the
BURGOS CF.
ROOM:
On February 3, 2023, in accordance with article 65 of the LOPDGDD,
They were accepted for processing and acknowledged receipt of the complaint and claim.
FIFTH:
Following instructions from the agreement of the Director of the AEPD, the Subdirectorate
General Data Inspection initiated a file of previous actions of
investigation (AI/00444/2022) to clarify the facts contained in the
complaint of November 4 and in the complaint of November 7, 2022. All
this, by virtue of the functions assigned to the control authorities in the article
57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), and in accordance
with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD.
5.1. Intervening parties and documents that are part of the file.
To clarify the facts, it was necessary to carry out various requirements of
information and documentation aimed at all those entities that participated in
the implementation of the biometric system in the first and second football stadiums
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/54
division at the state level, and specifically, in the Plantío stadium of BURGOS CF, such
as:
- HIGHER SPORTS COUNCIL (hereinafter, CSD).
- STATE COMMISSION AGAINST VIOLENCE, RACISM,
XENOPHOBIA AND INTOLERANCE IN SPORTS (hereinafter,
CEVRXID).
- NATIONAL PROFESSIONAL FOOTBALL LEAGUE (hereinafter, LALIGA)
- SOCIEDAD ESPAÑOLA DE FÚTBOL PROFESIONAL, S.A.U (hereinafter,
SEFPSA)
- BURGOS CF.
On September 22, 2023, a report is issued on previous actions of
investigation, according to which they are made aware and attached to the file
the following documents and actions carried out:
- Those carried out before the start of the previous actions, with the complaint and
claim and documents that have already been mentioned in the background
first to fourth of this agreement.
- Regarding BURGOS CF, 3 requirements are made that run as follows:
luck:
1. On 02-16-2023, BURGOS CF is requested for the first time,
which is notified by electronic and postal means. BURGOS CF responds to
same dated 03-16-23 (hereinafter, WrittenBurgos1).
2. On 07-06-2023, the request to BURGOS CF is reiterated,
to which he responds by writing of 07-27-23 (hereinafter,
WrittenBurgos2).
3. On 08-22-2023, BURGOS CF is required to provide certain
additional documentation, and he responds in writing dated 04-09-
2023 (hereinafter, WrittenBurgos3).
- Regarding LALIGA, two information requirements are made. The first of
02-17-23, is answered dated 03-10-23 (WrittenLaliga1). The second was
carried out on 07-06-23, LALIGA requesting an extension of the deadline to be granted
gave on 07-13-23. Finally, LALIGA presented allegations in response to the same
mo dated 07-27-23 (WrittenLaliga2).
- Regarding the CSD, a first request was formulated on 02-23-2023 and a second
on 6-07-23. In response to them, the CSD presents three written documents with
on 03-28-2023 (Written CSD1), 07-21-23 (Written CSD2), and 07-24-23 (Written
toCSD3). And a second request on 07-06-2023, to which in response
this one on 07-21-23.
- Finally, on 08-22-2023 information is required from SEFPSA, reiterate-
issued on 09-4-2023, which received a response on 09-15-2023 (WrittenSEFPSA1).
5.2. On the origin and current situation of the implementation of biometric systems in
first and second division football stadiums.
In accordance with the information collected, and before analyzing the particular case of the
BURGOS CF, a succinct reference must be made to the actions (chronologically
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/54
ordered) carried out by the inspector in order to elucidate what was the origin and what is
the current status of the implementation of biometric fingerprint or fingerprint systems
facial recognition that was carried out in a general way to be able to access the
football stadiums of LALIGA's first and second division clubs.
- On September 23, 2015, the CSD authorized the new
version of Book XII of the League Regulations (hereinafter, RGLALIGA), which
is currently in force, whose article XII establishes the following in its
sections 2, 3, and 4:
” 2. The sale of season or half-season access titles or documents,
regardless of its name, in the cheering stands with the
characteristics described in section 1, will require that the fan provide, together with
the data referred to in article 1 of this Regulation, that biometric data
determined, and the consent of the interested party must be obtained, informing
clearly of the specific purposes for the processing of the aforementioned data.
personal nature, in accordance with current regulations on protection
of personal data. At the time of acquiring the access title,
by the affiliated Club/SAD, the fan will be associated with the affiliation provided and the
biometric data.
3. ACCESS TITLES for season or half-season stands
animation will be personal and non-transferable, regardless of the policy
that the Club/SAD has on these for the rest of the venue. To this end, the
Club/SAD will establish, both in the document of acquisition of the access title
so, as in the corresponding internal regulations that, in said areas, the
Pectators will undergo all those identity verification controls
current at all times, including those related to automatic systems.
biometric data, as well as the display of the access title next to the
document proving your identity.
4. Only fans will be allowed access to the cheering stands.
two who have obtained the title of access to said area and who, at the time
at the entrance, submit to the reading of their biometric data. Access will be denied
cess in the event that the person does not contribute, if required to do so, along with
biometric data, a document proving your identity that matches
the affiliation associated with the biometric data and the access title.”
- There is no evidence that LALIGA had adopted measures aimed at
demand compliance with the obligations provided for in the aforementioned article of the RGLALIGA
until CEVRXID urged him to do so. Specifically, it is proven that the
CEVRXID urged LALIGA on two occasions to promote the implementation
by the clubs of the biometric control measures indicated in Book XII of their
General Regulations, exclusively for the animation stands in first and
second division. In its agreements it also refers to the fact that its non-compliance
will give rise to “the corresponding proposals for opening files
sanctioners in the exercise of their surveillance and control function provided for in the Law.”
- The first agreement directed by CEVRXID to LALIGA was on March 15,
2022, and gave rise to the beginning of the implementation of these systems by various clubs,
warning them of the possibility of incurring sanctioning responsibility, the
that this agreement was communicated by LALIGA.
- Once its first agreement was issued on March 15, 2022, the CEVRXID, in
At its meeting on October 20, 2022, it agreed to consult the AEPD
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/54
only a question related to compliance with protection regulations
of data. Specifically, on the legitimizing cause and exception applicable to
These biometric treatments referred to could be carried out under the protection of the
articles 6.1.e and 9.2.g of the personal data protection regulations in
consideration with the competence attributed to the CEVRXID by article 13.1
of Law 19/2007, of July 11, against violence, racism, xenophobia and
intolerance in sport. There was no consultation about the need and
proportionality of the processing of biometric data or compliance with the
rest of the principles and obligations provided for in the regulations for the protection of
data.
- On December 22, 2022, the AEPD legal office issued the
Report 98/2022 in response to the previous consultation (joined by the inspector in
the Reference Diligence mentioned above). The report is based on several
previously reported background, and maintains that in the present case
“there was no legal norm in the Spanish legal system that brought together the
requirements of article 9.2.g) of the RGPD, so the treatment only
could rely on the consent of those affected as long as it was
guaranteed that he is free.”
- After receiving the aforementioned report, the CEVRXID communicated on March 21,
2023 to LALIGA that “in accordance with what was reported by the AEPD, access to the
animation stands using biometric data will be carried out with the
consent of the interested party" so that, "in the case of not having the
consent of the interested party to access the animation stands
through biometric data, it will be mandatory for clubs/SAD to have
a procedure that allows the identification of all those who access
outside of biometric control.”
- Having received the previous statement, LALIGA adopted on March 23, 2023 the
“Circular No. 19 of the 2022/2023 Season, which transferred the
clubs as indicated by the aforementioned Commission, also informing of the report of
that AEPD of December 22, 2022.” The Circular informs the clubs that
“Access to the cheering stands through biometric data can
maintained but provided that there is free consent of the interested party, prior
information on the specific purposes for the processing of data
personal character. If you do not have the consent of the
interested, the CEVRXID reminds that the spectators in these stands do not
will be exempt from undergoing all verification checks
identity that are in force at all times and, to this end, it is
It is mandatory that the Club or SAD has a procedure that allows
identify them.”
Additionally, in the phase of previous actions, the
following information on the effective implementation of biometric systems to
access control to the stadiums of LALIGA members. In this regard, it
highlights the following:
- LALIGA states that it is aware that 18 of its members have
implemented a biometric system to control access to their
stadiums, one of them being BURGOS CF. The moment when they would have
launched differs from one to another, with the 2015-2016 season being
oldest referred to and 2022-2023 the most recent. Furthermore, according to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/54
the information provided by the League, in all cases but one the
implementation of these access controls would have only occurred in the
“entertainment stands”.
- The League, through the SEFPSA entity, provides members who request it
the different devices for operating the entrance turnstiles to the
sports venues, including, where appropriate, biometric systems
fingerprint recognition. Clubs are free to contract the system
fingerprint from SEFPSA or any other, as long as they have
a biometric system for the sale of season tickets and access control to its stands.
animation.
- According to the information provided, SEFPSA states that it has provided its
biometric solution for 15 League members, the system being identical
for everyone, and considers that he acts neither as responsible nor as manager
of treatment in this context, since its work is limited to the supply of
necessary hardware and software without accessing personal data. In this
situation indicates that it has not carried out risk analysis or evaluations of
impact regarding the treatments derived from the use of its supplies.
- Upon receipt of League Circular 19 of March 23, 2023, the
clubs that had biometric recognition systems implemented
adopted measures aimed at suspending this procedure
of access, either to maintain it as voluntary and complementary
of others.
- BURGOS CF installed the biometric fingerprint detection system in
the animation stand, door 15, through three turnstiles, hiring the system
developed by SEFPSAU, which seems to correspond to SEFPSA. Starting
on February 15, 2023, before receiving LALIGA Circular 19, I would choose
for maintaining the fingerprint as a voluntary access system, sending
a statement to its partners that informed of this, as well as the possibility
to request the deletion of your biometric data. This was applied from
match against Albacete held on February 19, 2023, as stated in
the Minutes provided in the WrittenBurgos1.
5.3. Facts related to BURGOS CF.
Regarding the particular case of BURGOS CF, to which this file refers
sanctioning, it is worth briefly highlighting the main aspects and documents
contributed by him so far during the phase of previous actions of
investigation:
1. Response dated March 16, 2023 (WrittenBurgos1).
In response to the request made on February 16, 10 Annexes are attached, and
The following manifestations are carried out that must be highlighted:
- BURGOS CF began to implement the biometric fingerprint system
as a mandatory means of accessing the entertainment stands on November 4
2022, following an audit carried out by LALIGA on July 27, 2022. In
Proof of this is said to accompany the audit as Annex 1, but the aforementioned Annex
does not correspond to the audit, but to the “System Technical Report
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/54
El Plantío Stadium Access Control developed by SEFPSAU, with the logo of
LALIGA, which appears undated and unsigned.
- The CEVRXID agreement dated 03/15/22 is attached as Annex II,
previously referenced.
- Burgos has provided the Impact Assessment as Annex V of Document 1
Relating to the Data Protection of the system, dated February 16, 2023
(EIPD Report), signed by the entity DATAINFO CONSULTORÍA Y
CONSULTING, S.L. (hereinafter, DATA CONSULTING). It is well observed that his
realization was considerably later than the start of treatment (4 of
November 2022). Its content and adaptation to what is required by the regulations of
Data protection will be analyzed in detail in the fundamentals of
right of this initiation agreement.
- Responding to several of the questions asked in the first request
of information, BURGOS CF is identified as responsible for the treatment
of biometric data for access to the El Plantío stadium, informing of the
following regarding compliance with data protection regulations:
-Source of the data: The interested party himself provides them.
- Collection procedure: In person through fingerprint reader
fingerprint.
- Deletion period: Once the season ends.
- Recipients: They are the 700 members of the entertainment tier, which is
at door 15. No transfer is planned, except for possible
compliance with legal obligations.
-International transfers: No transfers are planned
international except possible compliance with legal obligations.
-The purpose of biometric processing, according to the EscritoBurgos1, was
“meet the requirements established by La Liga and the Commission
Permanent of the State Commission against violence, racism,
xenophobia and intolerance in sport.”
-Data conservation period: per season, waiting for
that the AEPD decides whether it should proceed with its conservation or destruction.
The partners are informed of this in Annex VII, and they were given the
possibility of requesting deletion in the statement of Annex IV.
-Those in charge of processing special category data: they do not exist.
-Those in charge of processing other data: LALIGA, the Company
Española de Fútbol Profesional S.A, and Ligatech S.L.
- The BURGOS CF has identified the following relevant dates regarding the
treatment: November 4, 2022 as the start date of collection
biometric data; December 8, 2022 as the date of the first
match in which the treatment was carried out to control access to the stands
animation; February 15, 2023 as the end date of the
treatment (mandatory) to control access to the stands
animation; and on February 19, 2023 as the first match in which
Only those who had access entered the stadium with a fingerprint
voluntarily, the rest entering, about 60 with the card.
In this regard, the 9 minutes are attached as Annex III of the EscritoBurgos1
signed by the Security Director of BURGOS CF and the Coordinator of
Security belonging to the Ministry of the Interior on the matches held in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/54
the El Plantío Stadium during the years 2022 and 2023, where the
need to carry out biometric controls of the animation stand. Some of
These minutes state that the stadium did not have an identification system
biometric for access, without prejudice to the fact that the collection has already been carried out
of fans' footprint (e.g. minutes of the following dates: August 14, 16
October, October 29, November 27, 2022). In others it is stated
that this control has been used for access.
The completion of the biometric system as a mandatory access system and its
continuation as a volunteer is accredited by means of the communication addressed to their
partners on February 16, 2023, as Annex IV of the EscritoBurgos1, in which
informs that, in view of Report 98/2022 of the AEPD, the fingerprint system
fingerprint would be maintained for use on a voluntary basis, providing the
One-way partners to request deletion of recorded biometric data
in the system. What is corroborated in the Minutes of the match played between Burgos
and Albacete on February 19, 2023, which states the following: “The
Security Director DELIVERS to the security coordinator a copy of a
writing addressed to the League in which he requests allegations in relation to opinion 98/22 of the
Spanish data protection agency dated January 20, 2023 declaring the
non-conformity with current regulations regulating data protection, of which
copy attached. Therefore, in this match the club has decided that only the
partners who have voluntarily agreed to transfer said data, with the rest entering, some
sixty, simply with meat.”
- Consequently, BURGOS CF has indicated that currently the treatment
is suspended “pending the completion of this process before the
AEPD to be able to implement it with the technical, legal, and security measures
“adequate.” Specifically, it is specified in the EscritoBurgos2: “this treatment of
data has not yet been implemented and is not currently operational
since BURGOS CLUB DE FÚTBOL, S.A.D. is waiting for the
completion of this process before the AEPD to be able to implement it with the measures
appropriate technical, legal and security measures. Therefore, currently it is not
collects no biometric data from the Controller, constituting the
exposed measures planning for the future.” Additionally, Burgos
states that “it is waiting for the decision of the Spanish Agency of
Data Protection on whether to continue retaining said data or proceed
to its destruction” and that “affected people have been given the option to
suppress it.”
- The documents that prove the consent of the interested parties for the
processing of your personal data, or document that proves that they have been
provided the information provided for in article 13 of the GDPR, before collecting
Your personal data (biometric and others whose contribution is mandatory), were
required by the inspector on two occasions. However, BURGOS CF
has only provided as Annexes VI and VII of the EscritoBurgos1 the two models
which it says were provided to interested parties before and after February 15,
2023.
- Annex VI. Conditions of membership, access and permanence in
the animation stands for the 22-23 season. Used before
02/15/23. It is not a personal data consent model but
a contractual document, which requires the provision of personal data
biometric and non-biometric (nominative, ID, contact information...).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/54
- Annex VII. Information about access to the cheering stands
through biometric data (fingerprint). Model used after
02/15/23. In which a specific consent is signed regarding
processing of biometric data.
- To prove what security measures have been adopted regarding
data protection, provide as Annex VIII the document prepared by the
SEFPSAU entity, as the supplier of the hardware and software on which
executes the processing of biometric data. This document provides information
descriptive description of the operation of the biometric system installed in the stadium of the
Burgos, from which the following main points are extracted:
.
-The personal data collected from each interested party in the process of
registration (registration in the system) are name, surname, DNI number, a
identifier generated by the system, and the biometric pattern of the fingerprint
fingerprint.
-The registration of the biometric fingerprint pattern is carried out in the
microcomputer positions serving members. Access to the
animation stand is carried out through a single door that has
three turnstiles with the possibility of access by identification
biometric. Each of these lathes has several methods of
access (in addition to biometric reading): optical reading of access codes
bars or QR, and wireless card reading with built-in chip.
-The comparison process carried out is “identification
biometric” (one to many). Thus, the readers installed on the turnstiles
send the encrypted biometric pattern of the fingerprint of the interested party
that is accessing the stadium to the Identification Management Server
Biometric (SGI) located in the club facilities, and to which only the
club has access. The comparison performed on this server returns the
positive or negative identification result.
-Biometric patterns are encrypted at all times with
the keys of the device manufacturer. The latter proves that the
Decryption keys are only kept by him and are not
are available to their clients. Additionally, it certifies that
Once the fingerprint image template has been extracted, the latter
is suppressed.
-In point 6 it refers only to security measures
specific to the elements or technical equipment.
- Burgos has also provided (annex IX of the EscritoBurgos1) the content of the
record of processing activities related to “Access control through
biometric data (fingerprint) to Grada de Animación”.
1. Response dated July 27, 2023 (WrittenBurgos2).
On July 6, 2023, the inspector formulates a new requirement in which
requests that the action plan of security measures mentioned be provided
but they are not provided in the EIPD or in any other document of the EscritoBurgos1, and the
documentation accrediting the technical detail of the measures described in the heading
“regarding the biometric vector”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/54
Responding to the new requirement, BURGOS CF provides as Document 1 the
consent model that is signed at the time of fingerprint collection
(not consents signed by subscribers).
As Document 2, it provides the document from the system provider that explains the
security measures related to the biometric vectors obtained by the
system, to which 3 Annexes are attached, issued by various system providers
installed: NITGEN (sensor manufacturer), KIMALDI (guide for the integrator of
biometric solutions), and SETELSA SECURITY (fingerprint control system in
CONACWIN client position). From these only some of the
technical specifications and characteristics of the biometric system used, such as
which uses a biometric vector encrypted with AES algorithm proprietary to the manufacturer
NITGEN of an irreversible nature for its own employees, clients (including the
Club) and their suppliers (SEFPSAU). These documents do not constitute
no elaborate plan of security measures for the purposes provided for in the article
32 or 35.7.d) of the GDPR, aimed at addressing risks, including guarantees, security measures
security and mechanisms that guarantee the protection of personal data, and to
demonstrate compliance with this Regulation, taking into account the
rights and legitimate interests of the interested parties and other affected persons.
Various statements are also made regarding compliance with the
principles provided for in article 5 of the RGPD, the operation of the system through
of encrypted vectors that capture part of the fingerprint and generate a template, and the
protocol applied in case of security breaches, of which no copy is provided
some. And it is expressly said that currently no
measure, but rather it is a plan of future measures given that they are not being
capturing new biometric data.
2. Response dated September 4, 2023 (WrittenBurgos3).
Finally, on August 22, the inspector requests and the BURGOS CF responds
the following, without accompanying any document:
- Present the risk analysis document: refer to the content in the
DPIA provided in Document 1.
- Provide information about the places where the patterns are stored
biometrics (club servers -SGI- or Tornos): they are stored only on the server
of the club. It states, among other things, that “The normal thing is to collect 2 templates
per finger and 2 fingers per subscriber. Enrollment is done through a reader
desktop USB fingerprint scanner, which is interacted with and managed from the client application
installed on the Club's equipment. − Once the enrollment process is completed, the
"client application transmits the metadata to the Club Server (SGI) that stores it."
(…).“The lathe (reader) does not store the biometric pattern, it only serves as an issuer,
collects the subscriber's template through the fingerprint reader and transmits it in
raw (vLan over Private IP with HTTPS encryption) to the club server (SGI)”.
- That the security measures applied for storage be indicated.
A specific detail of measures is not found in the response, but rather a
explanation of the authorization process. The club explains when it considers a
user as “unauthorized”, the possibility of authorizing it manually in case
of errors. Something important that is said is that being “unauthorized” does not imply
delete your data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/54
- Describe how their suppression occurs, stating that: "when a
authorized employee of the club, decides to delete one or all biometric patterns,
You can do it from the Conacwin system, eliminating them from the only place in the
which are stored, the Club Server (SGI); This process is irreversible,
Therefore, once eliminated, recovery is not possible.” Mention is made
also to the different causes of withdrawal for which employees can be disavowed.
someone, or data deletion.
5.4 Conclusions.
In view of the actions carried out, it is considered that initially
various evidences that justify the opening of sanctioning proceedings against the
BURGOS CF, for having implemented a biometric system based on the detection of
fingerprint to access the cheering stands of your stadium on November 4
of 2022 that did not comply with several requirements and principles required by the regulations of
data protection, both when it was required as the only system for purchasing
tickets and access to the stadium, as when he became a volunteer on February 15,
2023.
All this without prejudice to the fact that the previous actions carried out may lead to the
initiation of sanctioning procedures against other possible persons responsible for the
implementation of these biometric systems in first-class soccer stadiums and
second division, when the concurrence of other infractions of the
present regulations.
FIFTH: According to the report collected from the AXESOR tool, the entity
BURGOS CLUB DE FÚTBOL, S.A.D. is an SME that acts as a Company
Anonymous sports company associated with LALIGA, established in 2018, and with a volume
of business of €1,451,967 euros in 2021.
FOUNDATIONS OF LAW
I Competition
In accordance with the powers provided by article 58.2 of the GDPR and as
established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter, LOPDGDD), is competent to initiate and resolve this procedure
Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
II Biometric data as special category personal data
2.1. Definition and characteristics of biometric data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/54
Biometric data processing systems are based on collecting and processing
personal data relating to the physical, physiological or behavioral characteristics of
natural persons, which may include their neural characteristics,
through devices or sensors, creating biometric templates (also
called signatures or patterns) that make it possible to identify, track or
profiling of said people.
The GDPR defines art.4.14 biometric data as “personal data obtained through
based on a specific technical treatment, related to the physical characteristics,
physiological or behavioral characteristics of a natural person that (…) unique to said person,
such as facial images or fingerprint data.”
As already pointed out in Opinion 4/2007 of the working group of article 29 (ART. 29 of the
Directive 95/46 EC, as an EU body, of consultative and independent character),
on the concept of personal data (WP136), of 06/20/2007, biometric data
can be defined as:
“… biological properties, physiological characteristics, personality traits or
tics, which are, at the same time, attributable to a single person and measurable, even
whether the models used in practice to technically measure them imply a certain
degree of probability. Typical examples of biometric data are those that provide
fingerprints, retinal patterns, facial structure, voices, but
also the geometry of the hand, the venous structures and even certain ha-
deep-seated ability or other behavioral characteristic (such as
handwriting, heartbeats, a particular way of walking or talking, etc.). A
particularity of biometric data is that they can be considered both
content of information about a certain person (So-and-so has these bones)
fingerprints) as an element to link information to a specific
person (this object has been touched by someone who has these fingerprints and these
fingerprints correspond to so-and-so; Therefore, So-and-So has touched this object).
As such, they can serve as "identifiers." In effect, as it corresponds to a single
each person, biometric data can be used to identify that person.
This dual character also occurs in the case of DNA data, which provides
tion information about the human body and allow unequivocal identification
of one, and only one, person.”
Every biometric access control system to the stadium, in order to be used, must
first register the user's identity in the system by capturing a security
series of biometric parameters (in this case, the fingerprint of subscribers who purchase tickets)
access tickets for the entertainment stands of the BURGOS CF stadium). Of what
What we are trying to achieve is to carry out processing on those parameters to identify
tify the person each time they then re-enter and exit through the access point.
A biometric data contained in a system is stored in the form of a template or pa-
biometric tron, commonly called “vector”. A biometric template is a form
writing method of a human biometric characteristic, such as a face or fingerprint
fingerprint, so that it is interpretable by a machine efficiently and effectively
for a specific purpose or purposes. The biometric template is not aimed at
be interpreted by a person, like a photograph, but is oriented to be processed
ted in an automated process, that is, be efficiently and effectively interpretable by
a machine. This form of storage would allow an individual to be singled out and executed.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/54
cut actions automatically, profile or infer information about a subject such as
attitudes or patterns of behavior, etc.
This technology can be really intrusive and requires an ethical and legal debate
calm, since it can have very adverse effects on the fundamental values
them and human integrity. Look at just a few of its special features and think
Consider the significant impact that occurs when this data is compromised, in
comparison to when other types of personal data are processed:
- Biometric systems are closely linked to a person, given
that can use a certain unique property of an individual to identify them.
tion. Each individual has unique fingerprints that show characteristics
that can be measured to decide whether a fingerprint corresponds to
a recorded sample. Therefore, they are unique, permanent or definitive in time.
and the person cannot free himself from them, they can never be changed, not even with age,
so the damage created in case of compromise-loss or intrusion into the system is
irreparable in this case. Unlike a password, if lost, the data
of our fingerprint or face cannot be changed.
- Furthermore, because biometric data is specific to a person and per-
petuos, the user can use the same data in different systems.
- While traditional authentication methods such as passwords
require a 100% character-for-character match to allow the user to
rio accesses, for example, an account or application (deterministic methods), the methods
Biometrics are called “probabilistic” because they are based on the probability that
the user trying to access a certain device or application is the same
person than the registered user. We can measure the performance of a biomedical system
based on three main characteristics. These are: false rejection rate
(FRR), false acceptance rate (FAR) and equal error rate (ERR). The rate of
false rejections represents the probability of detection errors by a system.
biometric, which means that it cannot recognize a user whose characteristics
biometric cases are already in the database. In case of rejection, the person must see
rify your identity again. From a safety and security perspective, this
rate does not necessarily mean it is a negative result. Each biometric method
co, be it face reading, fingerprint reading, palm print reading, iris reading, etc., has different va-
lores for different rates based on which a system rejects or accepts requests.
triads.
2.2. Biometric templates as special and high category personal data
risk.
According to the definition given by article 4.14 of the GDPR, biometric data
processed by these systems will become personal data as long as
when the purpose of the processing is the identification or authentication of a person,
in the sense provided for in article 4.1 of the GDPR, which defines personal data
as:
"1. Personal data: any information about an identified natural person or
identifiable ("the interested party"); Any identifiable natural person will be considered
person whose identity can be determined, directly or indirectly, in
particular by means of an identifier, such as a name, a telephone number,
identification, location data, an online identifier or one or more
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/54
elements of physical, physiological, genetic, psychological identity,
economic, cultural or social of said person.”
In the present case there is no doubt that biometric data of
personal nature, since the purpose of the system implemented for the acquisition
of season titles and access to the animation stands by fingerprint is
identify the people who access the stands, is to determine the identity, direct or
indirectly, from the person. Every time the process assigns an identifier (the
biometric template obtained by collecting fingerprint samples from
interested parties) that allows to single out an individual and distinguish him from others, to
through “elements specific to physical, physiological, genetic, and psychological identity.”
It must be taken into account that the approval of the RGPD (after the regulation of the
Book XII of the RGLALIGA) has meant a paradigm shift in matters of
protection of personal data that aims to guarantee citizens control of
your personal data, establishing high protection standards and
adapted to the digital environment in which we live. According to the Principle of
Proactive Responsibility, inspiration for the new regulation, the new RGPD makes
emphasizes that the person responsible must seriously evaluate the risks of the treatment
that you want to establish in the rights and freedoms of the interested parties (always
prior to starting any treatment, and continuously if you decide to do so),
opting for a risk analysis approach by design and by default, to
be able to identify them, determine the probability of materialization and its impact and foresee
measures and guarantees that eliminate or, at least, mitigate the risks detected,
preventing its materialization. Likewise, certain obligations must be met and
respect certain principles established by regulations.
Thus, whenever personal data of any type is processed,
whatever, the person responsible must comply with the principles and obligations provided for in the
data protection regulations for all types of personal data.
All these duties are exponentially accentuated when it comes to data from
special category, whose treatment is considered high risk. Both
circumstances occur in biometric data aimed at uniquely identifying
to a person, as happens in the present case.
Thus, this paradigm shift has especially affected the data
biometrics, since on the one hand - unlike what happened under the regime
prior to the RGPD - these have come to be considered personal data of
special category in article 9, the processing of which is generally prohibited,
unless any of the exceptions provided for in article 9.2 of the RGPD apply.
Which does not exempt the fact that there must always also be a basis of legality provided for in the
article 6 thereof, among many other requirements and principles that must be met
whoever decides to opt for this type of treatment.
In accordance with article 9.1 of the GDPR, data processing is prohibited
biometrics when they are: “biometric data aimed at uniquely identifying
to a natural person.” Although recital 51 of the GDPR includes both
identification and authentication procedures: “since only
are included in the definition of biometric data when the fact of
be treated with specific technical means allowing the identification or
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/54
univocal authentication of a natural person. Such personal data should not be
treated, unless treatment is permitted in specific situations
contemplated in this Regulation.”
In this sense, it should be noted that the qualification as special category data
necessarily implies the observance of special caution when determining
determine whether it is possible to carry out data processing of this nature. Among other
things, and in addition to there being an exception that allows overcoming the prohibition of the article
9.1 of the GDPR, that there is a basis for the legality of Article 6 of the GDPR and that
comply with the principles of the RGPD, the subject that intends to implement data systems
biometrics, in this case, BURGOS CF, must previously analyze the attendance
compliance with the mandatory criteria of necessity, suitability and proportionality of the treatment.
I lie.
That is, whoever intends to establish personal data processing of this nature
za must, first of all, ensure that what has been called in the
jurisprudence as “the triple judgment of proportionality”, considering in particular whether
the processing of biometric data is ideal, proportionality, and above all, necessary
Aryan. If there are other non-biometric systems that allow the same goal to be achieved,
ability to identify-verify the identity of people effectively, it will not be necessary
initiate biometric treatments, and, therefore, implementing this system will be considered
contrary to the GDPR. This judgment must be the starting point of your analysis, since only in
If these methods pass the aforementioned triple judgment, compliance with
other requirements or guarantees.
And, in addition to being special category personal data, the processing of
This type of biometric data is also considered “high risk”, which will require
to always carry out an impact evaluation (IAPD), in accordance with the provisions of the
article 35.1 of the RGPD, this DPIA must be prior to the start of the treatment, but
be carried out continuously. And it will not be enough to do it, but the same
must be considered valid, because it meets the requirements set forth in the aforementioned
article, in particular, that contains at least the information of art. 35.7 of the
GDPR.
The processing of biometric data is considered high risk in accordance with the provisions
in section 4 of article 35, which provides that “…The supervisory authority
establish and publish a list of the types of processing operations that
require a data protection impact assessment in accordance
with section 1…”, given that it is among the treatments included in the
document “Lists of types of data processing that require evaluation of
impact regarding data protection”, made public by the AEPD in development of the
provision contemplated in the fourth section of the aforementioned article 35.
There is no doubt about the high-risk nature of this data, given that the
biometric data meets the criteria corresponding to numbers 4, 5 and 10
of said document (those that involve the use of special categories of data;
the use of biometric data and those that involve the use of new technologies or
innovative use of established technologies). Therefore, the data processing
biometrics can never be started if a valid DPIA has not been prepared prior to the
treatment.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/54
23. BURGOS CF as responsible for data processing operations
biometrics.
Article 4.2 of the GDPR defines “processing of personal data” as:
“any operation or set of operations carried out on personal data or
set of personal data whether by automated procedures or not, such as
the collection, registration, organization, structuring, conservation, adaptation or modification
cation, extraction, consultation, use, communication by transmission, dissemination or
any other form of access enablement, collation or interconnection, limitation, su-
pressure or destruction;”
Biometric data can be processed and stored in different ways. Sometimes the
Biometric information captured from a person is stored and processed in raw form, which
that allows you to recognize the source from which it comes without special knowledge; by
For example, a photograph of a face, a photograph of a fingerprint, or a recording
voice. Other times, the raw biometric information captured is treated in a
that only certain characteristics or traits are extracted and saved as a bio-template.
metric, here called “vector”.
According to what was stated by the club itself, the biometric system implemented by
BURGOS CF works with biometric data obtained from a person (fingerprint-
tilar), from which an algorithm selects characteristics to create a template.
biometric call. Then, when the fan enters the stadium, they pass a check
access in which the system checks the identity of the person with the database
biometric. You can do it in a second, while comparing hundreds of millions of data.
cough.
That is, the biometric characteristics are subjected to technical treatment by means of
which a person is recognized through a chronological process that is contained in
all biometric data processing: data capture or registration with your system
next storage or processing and the comparison or matching phase,
the conservation of data, as well as its subsequent deletion, limitation...etc.
Therefore, the identification process necessarily includes carrying out several
processing operations (data collection or capture, registration, storage, processing)
cessation, comparison, authentication, conservation, deletion, limitation...etc) of
for which only BURGOS CF was responsible for the purposes provided for in article 4. 7
of the RGPD, which provides: “7) “responsible for the treatment” or “responsible”: the person
physical or legal entity, public authority, service or other body that, alone or together with others,
determine the purposes and means of the processing; whether the law of the Union or of the States
members determines the purposes and means of the processing, the data controller or
The specific criteria for their appointment may be established by the Law of the
Union or of the Member States.
In short, when BURGOS CF implemented a new fingerprint detection system
fingerprint for the identification-verification of the identity of natural persons (instead
of the usual method of identity verification by means of DNI, and purchase title
via QR reader, or chip on card) must have been aware that it was going to be res-
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/54
responsible for setting the purposes and means of various data processing operations of
special and high risk category.
From the evidence that exists so far in the file, and without prejudice to the
resulting in the instruction, it is initially deduced that the club implemented this system
when it already had an identification-authentication system for the identity of the
people who accessed the entertainment stands of their stadium, which was much less
trusive, with which the same purpose was obtained, so the biometric treatment does not
It should never have started under these conditions.
But in addition to starting this treatment without it being necessary and proportional, there are
evidence that the treatment was carried out in breach of many other obligations pre-
seen in the data protection regulations when we are faced with the presence of data
biometric personal data from which the alleged commission of 4 other possible
administrative violations. We will thus refer in the Fundamentals of Law III to
VII of this agreement to the lack of concurrence of an exception that would lift the prohibition.
tion of processing biometric data of article 9 of the RGPD, not to prepare or pass a
EIPD prior to treatment, but late and invalid, failing to comply with the duties of informing
tion related to article 13 of the GDPR, and not obtain the consent of the parties.
parents or legal guardians of minors under 14 years of age referred to in article 8 of the
GDPR.
In short, given the fingerprint system that was implemented by BURGOS CF at
as of November 4, 2022 of the evidence obtained so far and without
prejudice to what may be deduced in the investigation phase, it follows that the Club
did not act with the diligence required of a data controller
special category and high risk such as biometrics, committing up to 5 infractions
administrative provisions of the RGPD, in the terms set out below in the
Legal Fundamentals III to VII of this Initiation Agreement.
III. On the need to carry out a prior and appropriate impact evaluation to the
treatment.
5.1. Obligation and legal requirements of the impact evaluation (EIPD) in treatments
high-risk.
As stated above, before implementing a project
data processing based on this very intrusive technology, it is also necessary
previously audit its operation, not in isolation but within the framework of the
specific treatment in which it is going to be used (in this case, sale of subscriptions and access
to the entertainment stands of the BURGOS CF stadium).
The impact assessment on the protection of personal data, DPIA, appears
then as the tool required by the GDPR to ensure compliance with
this aspect of the treatment, as established in article 35 in its section - 1
of the GDPR,
“When it is likely that a type of treatment, particularly if it uses new technologies,
noologies, due to their nature, scope, context or purposes, entail a high risk for
rights and freedoms of natural persons, the person responsible for the processing carried out
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/54
Before treatment, an evaluation of the impact of the treatment operations will be carried out.
ment in the protection of personal data…”
As already indicated, the processing of biometric data has been rated as highly
risk by the AEPD, by virtue of the provisions of article 35.4, so we must
based on the fact that the processing of biometric data initiated by BURGOS CF
After its statement of November 4, 2022, it should have been preceded by a
valid impact assessment, which included at least the sections provided for in
article 35.7 of the GDPR. This implies that it is not enough to carry out a DPIA, but rather
It will have to be overcome to comply with the RGPD.
This evaluation will be done prior to the start of treatment, but must
be understood as a continuous or periodic evaluation, in the sense established by the
Article 35.11 of the GDPR, which states: “If necessary, the controller will examine
whether the treatment complies with the impact assessment relating to the protection of
data, at least when there is a change in the risk represented by the operations
of treatment.”
A DPIA must meet the requirements or minimum content listed in the article
35.7 of the GDPR, which provides:
“The evaluation must include at least:
a) a systematic description of the planned processing operations and the
purposes of the processing, including, where applicable, the legitimate interest pursued by
the person responsible for the treatment;
b) an assessment of the necessity and proportionality of the processing operations
treatment with respect to its purpose;
c) an assessment of the risks to the rights and freedoms of the data subjects to
referred to in section 1, and
d) the measures planned to address the risks, including guarantees, security measures
security and mechanisms that guarantee the protection of personal data, and
show compliance with this Regulation, taking into account the rights
rights and legitimate interests of the interested parties and other affected persons.”
In short, overcoming a DPIA requires that the person responsible for a treatment
high risk document in writing that it passes the suitability assessment,
necessity and proportionality of the treatment, and that manages from the design the
specific risks of the treatment, with the practical application of measures aimed at
them in a way that guarantees an acceptable risk threshold throughout the
processing life cycle, as established in article 35 of the GDPR.
Furthermore, it requires prior consultation with the supervisory authority in the event that the
responsible has not taken measures to mitigate the risk in accordance with the
article 36 of the GDPR.
5.2. Breach of the duty to present a DPIA by BURGOS CF.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/54
In the present case, the club has provided (Annex V of the WrittenBurgos1) the
document “Data Protection Impact Assessment Report”
(DPIA Report) dated February 15, 2023 by a third party (DATAINFO
CONSULTORÍA Y ASESORÍA, S.L.). But the start of treatment occurred on the 4th
November 2022, as recognized by BURGOS CF itself.
This DPIA is after the start of the biometric treatment, since starting the
treatment on November 4, 2022, the date of the DPIA is February 15,
2023, which shows that for more than three months a
processing of biometric data without complying with the obligation prescribed in the article
35 of the GDPR.
It is, therefore, recognized and accredited that BURGOS CF began the treatment on
November 4, 2022 without having previously carried out a DPIA, so
clearly violated the provisions of article 35.1 of the RGPD, which prevents carrying out
any high-risk processing - such as biometric data - without having carried out
previously a DPIA, which analyzes the purpose, the risks, the judgment of
proportionality of the treatment, and, where appropriate, the measures to be provided to protect the
personal information.
IV Concurrence of an exception to article 9 of the RGPD, and legitimizing basis of the
Article 6 of the GDPR.
4.1. Regarding the need for an exception to the prohibition of the treatment of
biometric data.
As already indicated, biometric data, cataloged as “category
special”, in article 9, both of the RGPD and the LOPDGDD, are data
personal data, the use of which may give rise to significant risks to the rights and
fundamental freedoms, and therefore, in principle its treatment is prohibited in the
article 9.1 of the RGPD, unless any of the exceptions provided for in the
paragraph 2 of the same article.
Another additional requirement of this type of treatment will therefore be that
Before starting the treatment, the person responsible must also check and
prove that one of the exceptions provided for in article 9.2 of the RGPD exists or
other specific legislation.
In this way, its treatment being prohibited in general, any
An exception to this prohibition must be subject to restrictive interpretation. So and
as can be deduced from recitals 51 and 52 of the GDPR, which show:
”Such personal data should not be processed, unless their processing is permitted.
treatment in specific situations contemplated in this Regulation,
taking into account that Member States may establish provisions
specific provisions on data protection in order to adapt the application of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/54
rules of this Regulation to comply with a legal obligation or to
fulfillment of a mission carried out in the public interest or in the exercise of powers
public conferred on the person responsible for the treatment. In addition to the requirements
specific to that treatment, general principles and other
rules of this Regulation, in particular as regards the conditions
of legality of the treatment. Exceptions must be explicitly stated
general prohibition on the processing of these special categories of data
personal, among other things when the interested party gives explicit consent or
in the case of specific needs, particularly when the treatment is
carried out within the framework of legitimate activities by certain associations or
foundations whose objective is to allow the exercise of fundamental freedoms.
“Exceptions must also be authorized to the prohibition of treating categories
special personal data when established by Union or European Union law.
Member States and provided that appropriate guarantees are given, in order to protect
personal data and other fundamental rights, when it is in the public interest, in
particular the processing of personal data in the field of labor legislation, the
legislation on social protection, including pensions and for security purposes,
health supervision and alert, prevention or control of communicable diseases
and other serious threats to health (...)”
Thus, the exceptions that could possibly allow the lifting of the
general prohibition on processing biometric data aimed at identifying-verifying identity
of natural persons, are those provided for in article 9.2. of the RGPD, with the following wording
literal, which must be interpreted restrictively, always in favor of protecting the
rights and freedoms of citizens in case of doubt:
"2. Section 1 will not apply when one of the circumstances occurs
following:
a) the interested party gave explicit consent for the processing of said data
personal data for one or more of the specified purposes, except when the Right to
the Union or the Member States establishes that the prohibition referred to in
section 1 cannot be lifted by the interested party;”
b) the processing is necessary for the fulfillment of obligations and the exercise of
specific rights of the controller or the interested party in the field
of labor law and social security and protection, to the extent that it is
authorized by Union or Member State law.
c) the processing is necessary to protect vital interests of the interested party or another
natural person, in the event that the interested party is not qualified, physical or
legally, to give consent;
d) the treatment is carried out, within the scope of its legitimate activities and with the
due guarantees, by a foundation, an association or any other body without
profit-making, whose purpose is political, philosophical, religious or union, provided that
The processing refers exclusively to current or former members of such
organizations or persons who maintain regular contact with them in relation
for its purposes and provided that personal data is not communicated outside of them
without the consent of the interested parties;
e) the processing refers to personal data that the interested party has made
manifestly public;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/54
f) the treatment is necessary for the formulation, exercise or defense of
claims or when the courts act in the exercise of their judicial function;
g) the treatment is necessary for reasons of essential public interest, on the
basis of Union or Member State law, which must be proportional
to the objective pursued, to essentially respect the right to data protection and
establish appropriate and specific measures to protect the interests and rights
fundamentals of the interested party;
h) the treatment is necessary for preventive or occupational medicine purposes, evaluation
of the worker's work capacity, medical diagnosis, provision of assistance or
health or social treatment, or management of healthcare systems and services
health and social assistance, on the basis of Union or State law
members or under a contract with a healthcare professional and without prejudice to the
conditions and guarantees contemplated in section 3;
i) the treatment is necessary for reasons of public interest in the field of health
such as protection against serious cross-border health threats,
or to guarantee high levels of quality and safety of care
health and medicines or health products, on the basis of the Law
of the Union or the Member States that establishes appropriate measures and
specific to protect the rights and freedoms of the interested party, in particular the
professional secret.
j) the processing is necessary for archiving purposes in the public interest, purposes of
scientific or historical research or statistical purposes, in accordance with the article
89(1) on the basis of Union or Member State law,
which must be proportional to the objective pursued, essentially respect the right
to data protection and establish appropriate and specific measures to protect
the interests and fundamental rights of the interested party.
Therefore, in addition to previously verifying that the treatment exceeds the judgment of
proportionality, if the person responsible does not prove that their treatment is within some
of these exceptions, you will not even be able to start treatment without incurring a
violation of article 9 of the GDPR.
4.2. Necessity of legal basis for the processing of article 6.1.
In addition to lifting the prohibition on its treatment, the person responsible must prove
also that its treatment can be carried out because one of the bases is present
legal legitimating of the treatment contained in article 6.1 of the RGPD, which are
general requirement for the processing of any personal data. This is the
concurrence of exception that hypothetically allows lifting the prohibition of treating
biometric data will not be sufficient, it does not replace the need for there to be
a basis of legality in the case of biometrics. The person responsible must be in
willingness to prove that both are present, in addition to the fact that the judgment of
proportionality mentioned above, and so on, with respect to the rest of the requirements
provided for in the regulations. That is why we speak of “cumulative requirements” and not
alternatives.
Thus, article 6 of the GDPR also starts from the fact that processing personal data
In general it is something exceptional, maintaining that:
"1. Treatment will only be legal if at least one of the following is met
conditions (commonly referred to as “legal basis”):
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/54
a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;
b) the processing is necessary for the performance of a contract in which the
interested party is part or for the application at his request of measures
pre-contractual;
c) the processing is necessary for compliance with an applicable legal obligation
to the person responsible for the treatment;
d) the processing is necessary to protect vital interests of the interested party or another
Physical person;
e) the processing is necessary for the fulfillment of a mission carried out in
public interest or in the exercise of public powers conferred on the person responsible for the
treatment;
f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that regarding said
interests do not prevail over the interests or fundamental rights and freedoms of the
interested party requiring the protection of personal data, in particular when the
interested is a child.
The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.
Therefore, in the event that there is no basis of legality, the infringements
mentioned above, a violation of article 6 of the RGPD would be added.
4.3. Analysis of the concurrence of an exception and a basis of legality in the case
present.
With regard to the case at hand, the BURGOS CF refers to these
issues in what is called the analysis of “legitimation and legality”, of point 1.3
of the EIPD of February 15, 2023), where reference is made to both the exception
concurrent as the basis of legality that presumably legitimizes the biomedical treatment
trico for the purpose of controlling access to the cheer stands of your stadium. In
In this sense, BURGOS clearly distinguishes two periods (before and after the
EIPD) in which there has been a change in criteria of the legitimizing basis and exception
which supported the possibility of processing biometric data.
It is stated that the legitimacy for the use of the system prior to December 15
February 2023 was based on compliance with a legal obligation and that the
lifting of the prohibition on processing data from special categories was supported
in sections b and g of article 9.2 of the RGPD, and in the legality basis of 6.1.c). TO
starting February 15, 2023 (after the CEVRXID agreement of that same date),
The EIPD states that the treatment is based on the consent of the interested parties,
in accordance with article RGPD: 9.2.a) and 6.1.a) of the RGPD), whose interested parties are the
people with access to the El Plantío Stadium Entertainment Stand.
Thus, with regard to the basis of legality of the treatment of article 6 of the
RGPD, the concurrence of a basis of legality of article 6.1.c) is alleged (compliance
legal obligation) before February 15, 2023, but after that date
From now on it is said to assume that the base is that of 6.1, without indicating exactly
what letter/cause they refer to. They admit that compliance with a legal obligation does not
can be the basis as indicated in Report 98/22 of the legal office of this
Agency, and they say change the concurrent exception. But they do not give any other alternative.
It goes with respect to the basis of legality, confusing exception with basis of legality.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/54
Although this omission to indicate the basis of legality that occurs in the treatment may
affect the validity of the DPIA, the truth is that to assess whether a violation occurs
of article 6 of the RGPD, the main thing is to check that there really is a legal basis
legal indication, even if the person responsible has not determined it correctly or included it in
the EIPD.
And in this case, it can be established that initially there is a legal basis that enables
the club to process personal data in general (not for biometrics,
since this means that an exception from article 9 must also apply). In
specifically, that referred to in article 6.1.b), which refers to that: “the treatment is
necessary for the execution of a contract to which the interested party is a party or for the
application of pre-contractual measures at his request.” Every time the
purchasing a ticket or season ticket constitutes the creation of a link
contractual between the purchaser and the club, which is governed by the conditions provided in the
front and back of the ticket/subscription and the document of conditions that the club
provided as Annex VI of its first written statement of allegations. Therefore, it does not fit
initially allege a violation of Article 6 of the GDPR.
Now, although there was a legal basis, this legitimized the club to treat
other non-biometric personal data, already usually required to access by
the previous access methods, but in no case did it legitimize starting a
biometric treatment if there is also no exception from article 9.2 that
would allow lifting the prohibition on processing biometric data.
The concurrence of the lack of exception that would allow biometric data to be processed before
The EIPD is clear and clear, as it is recognized by the Club itself. It is not a question
discussed.
- On the one hand, we have that the Club acknowledges having initiated a treatment of
biometric data without obtaining express consent and for the specific purpose for which
referred to in the exception of article 9.2.a), since the biometric system was
mandatory, there was no option for an alternative access method, and the
fan of this animation tier was obliged to provide his data
biometrics to acquire the season ticket and access the stands. This is corroborated by the
content of the model that was signed until February 15, 2023 (Annex VI),
which is not even considered a model of consent on
data protection, constituting a simple contractual document that indicates
the conditions of membership, access and permanence that the acquirer must
sign to be able to acquire the bonus. It is accredited and recognized in
consequence that before the EIPD, the club was not collecting a
consent for protection of biometric data that could fit into the
exception of article 9.2.a).
- On the other hand, the club recognizes that the exceptions of 9.2.b) and 9.2.g)
(compliance with legal obligation and essential public interest) do not justify the
processing of these data, assuming the interpretation made by Report No.
98/2022 of this Agency, as have also been done by CEVRXID and LALIGA. And in
Based on this, they claim to have changed the exception to the express consent of the
9.2.a) as of February 15, 2023.
This implies, without a doubt, that between November 4, 2022 and February 15
2023, BURGOS CF began processing biometric data without
An exception would arise that would lift the prohibition on processing these data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/54
Consequently, it is also possible to initiate sanctioning proceedings for violation
of article 9 of the RGPD, since there is recognition by the
reported and sufficient evidence that the biometric treatment was started without
no legal exception that justifies it will occur until February 15, 2023.
V On the requirement that the treatment be necessary, suitable and proportional
One of the obligations that correspond to every data controller
personal is to ensure that the treatment respects the Principles provided for in the
Article 5 of the GDPR.
In the case of biometric data, because it is of a special category and high risk, it is possible
highlight the essential importance of respecting the principle of minimization of
treatment/data, provided for in article 5.1.c) which indicates:
"1. The personal data will be:
a) adequate, relevant and limited to what is necessary in relation to the purposes
for those who are processed (“data minimization”)”.
Respect for this principle must be the starting point at the beginning of everything
treatment, the person responsible must first of all consider whether this treatment
It will be really necessary, suitable, and proportional before starting it. And if this
treatment is high risk - in the case of biometrics - must reflect this evaluation
prior of necessity and proportionality in a specific document called
personal data protection impact assessment (DPIA), in accordance with the
provided for in article 35.7.b) of the RGPD, which states that it must be carried out and
overcome “an assessment of the necessity and proportionality of the operations
of treatment with respect to its purpose.
This is confirmed by recital 39 of the GDPR, which underlines the importance of the
processing is necessary, indicating that “Personal data should only be processed if
“the purpose of the processing could not reasonably be achieved by other means.”
Along the same lines, the Working Group of article 29, in its Opinion 3/2012 on the
evolution of biometric technologies, indicates that “When analyzing the proportionality of
a proposed biometric system, it is necessary to previously consider whether the system is
necessary to respond to the identified need, that is, if it is essential to
satisfy that need, and not just the most appropriate or profitable one. A second factor that
What should be taken into account is the probability that the system will be effective in responding
to the need in question in light of the specific characteristics of the technology
biometric to be used. A third aspect to consider is whether the loss of
The resulting intimacy is proportional to the expected benefits. If the benefit is
relatively minor, such as greater comfort or slight savings, then the
loss of privacy is not appropriate. The fourth aspect to evaluate the adequacy of
a biometric system is to consider whether a less invasive means of privacy
would achieve the desired end.”
Idea that is reiterated in section 72 of Guidelines 3/2019 on the treatment of
personal data through video devices, dated 01/29/2020, from the CEPD, which indicates:
“The use of biometric data and, in particular, facial recognition entails
high risks for the rights of the interested parties. It is essential that the use of
such technologies take place with due respect for the principles of legality,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/54
necessity, proportionality and data minimization as established by the GDPR.
Although the use of these technologies may be perceived as particularly
effective, those responsible for the treatment must first evaluate the impact on the
fundamental rights and freedoms and consider less intrusive means of achieving their
legitimate purpose of the processing. That is, the question would have to be answered as to whether this
biometric application is something that is really essential and necessary, or is it just
"convenient".
Therefore, processing personal data that is not suitable (adequate)
necessary and proportional is always prohibited, and constitutes in itself the commission of
an administrative violation of article 5.1.c) of the RGPD.
Since the processing of biometric data implies restricting rights and freedoms
of the interested parties, the obligation to process only “personal data that is
appropriate, relevant and limited to what is necessary in relation to the purposes for which
are processed” provided for by the principle of data minimization/processing of the article
5.1.c) of the RGPD, must be interpreted in accordance with the provisions of the reiterated
jurisprudence of our Constitutional Court regarding the need to verify
that any restrictive measure of fundamental rights (biometric treatment in this
case) overcomes what is called “the triple judgment of proportionality”.
This implies that, first of all, it is necessary to verify whether it meets the following three
requirements or conditions referred to by the Constitutional Court: "if such measure is
capable of achieving the proposed objective (suitability judgment); yes, furthermore, it is
necessary, in the sense that there is no other more moderate measure for the
achievement of such purpose with equal effectiveness (judgment of necessity); and finally, if
itself is weighted or balanced, since more benefits or advantages are derived from it for
the general interest that damages other goods or values in conflict (judgment of
proportionality in the strict sense).
In view of the antecedents in this file, the denounced club states that
party to have carried out a suitability evaluation in its DPIA of February 15, 2023.
ity, necessity and proportionality of biometric processing for the purpose of control
Access your stadium's entertainment stands using your fingerprint. Proceeds,
Therefore, analyze whether the intended treatment exceeds the so-called triple judgment of pro-
proportionality, which in accordance with the aforementioned doctrine of the Constitutional Court su-
analyze the following:
1. If the treatment is likely to achieve the proposed objective (judgment of
suitability).
It is about determining whether the treatment is appropriate for the purpose it pursues. That
treatment is the response to certain deficiencies, demands, demands
as obligations or objective opportunities and can achieve the proposed objectives.
positions with sufficient efficiency.
Requested about the “Suitability Judgment” by the inspector, BURGOS CF refers to
its response in this regard in the DPIA of February 15, 2023, which indicates what
following: “With this measure the objective is achieved in a more effective way
set to guarantee security in matches based on a mission carried out
in the public interest, with legitimation based on express consent, since
which is the most reliable method we currently have according to the power technique
verify a person's identity. On the other hand, the installation of systems
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/54
biometric recognition is the only way to comply with the
requirements of the State Commission against Violence, Racism,
Xenophobia and Intolerance, as well as the orders imposed by The League."
Indeed, it has been found that BURGOS CF already had two other
methods of acquiring tickets and access to the entertainment stands before the 4th
November 2022, the details of which will be referred to in the judgment of necessity.
With regard to the arguments put forward regarding suitability, the club
It simply indicates that biometric control is more effective than the security system.
previous access because it is the most reliable method, but it does not prove it. Rather to
On the contrary, taking into account that the biometric system generates false rates
acceptance, false rejections and equal errors, as indicated
previously. These errors are added to those that can already occur when using
QR code, barcode or chip card readers used in other security systems
access. And it must be taken into account that what the judgment of suitability,
necessity and proportionality must evaluate is the effectiveness of the system for the
protection of the rights and freedoms of the interested parties who provide their
biometric data, and not those that favor the organization.
On the other hand, the fact that CEVRXID and LALIGA had ordered
establishing this biometric system does not in itself mean that this system is
ideal, nor necessary or proportional. That there is a mandate of a
higher entity does not justify the person responsible for not evaluating whether this system is
suitable, necessary, or proportionality prior to installing it in your stadium.
Finally, it cannot be accepted that the processing of biometric data was
ideal, necessary or proportional to begin basing the system on the
express consent, given that the need for treatment is a matter
prior and unrelated to what may constitute the exception of article 9 of the RGPD and the
legitimizing legal basis of article 6 of the RGPD. So, even though I can
constitute a cause to lift the exception of article 9, does not affect in any way the
proportionality judgment. Especially when it comes to the judgment of necessity, since
that, as the jurisprudence of our TC indicates, necessity cannot
never depend on what the affected party decides.
1. If, furthermore, it is necessary, in the sense that there is no other more modern measure.
rada to achieve such purpose with equal effectiveness (judgment of necessity).
The point is that it must be determined whether the goal pursued cannot be achieved
another less harmful or invasive way, that is, if there is no alternative treatment,
that is equally effective in achieving the intended purpose.
Necessity should not be confused with utility of the system. The detection may
fingerprint scanner makes it easier to avoid having to carry a card, which takes a few seconds.
two less in its access, which is automatic and instantaneous and not excessively expensive.
cough. Obviously, a fingerprint system can be useful, but it doesn't have to be
be objectively necessary (the latter being what really must be present).
tea). As established in opinion 3/2012 on the evolution of biomedical technologies,
trics - of GT 29 -, it must be examined “if it is essential to satisfy that need, and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/54
not just the most suitable or profitable one.” Options and alternatives must be analyzed
before establishing a new system that represents an exaggerated limitation of the right
choice of each user, when there may be less invasive means of privacy,
and not opt for what is practical or agile and comfortable, when the rights of your rights are at stake.
tulars.
Thus, the person in charge who considers implementing data processing
biometrics must be scrupulous in its work of exhaustively analyzing all the
alternative options that are equally suitable and effective, but less intrusive
available. Consequently, the study of
the feasibility of other possible alternative options available that do not require the
using special data, compare all options and document the
conclusions. What has not been done for BURGOS CF. Despite stating that
There are two other alternatives to the biometric access method available, it does not perform
nor does it attach to its DPIA any analysis referring to the differences and impact of applying the
biometric method compared to other alternative options from the point of view of the
risks and impact produced on the rights and freedoms of the interested parties.
The need assessment carried out by BURGOS CF in the EIPD is completely in-
sufficient to justify the processing of biometric data. To assess the need
ity of the treatment, the proposed measure must be supported by evidence that
Describe the problem that is going to be addressed with the measures, how it will be addressed
with the measure, and why existing or less intrusive measures cannot address
give it sufficiently.
Thus, according to what BURGOS CF has stated and is observed in Annex I
of the EscritoBurgos1, there are other pre-existing alternatives that were already used
previously to verify the identity of the fans who accessed the stands
of animation: “Access to the animation stands is through a single
door that has three turnstiles with the possibility of access by identification
biometric. Each of these turnstiles has several access methods
(in addition to biometric reading): optical reading of barcodes or QR, and
wireless card reading with built-in chip.”
According to the club, the pre-existing fingerprint modalities always appear
as an “access” to which one can return, with respect to which there is no further record or
log that the passage of the aforementioned entrance through the turnstiles through which those people
they access.
Thus, the subscription tickets for the animation stand, the form adopted by the
access titles, contain personal data that the accused demanded for their
issuance (name, DNI, etc.), power granted to the organizer of the event by the
regulations for ticket sales and access to sports venues, and involves the creation
of a legal relationship between the parties of a contractual nature. These are also
same data contained in the subscription card in its various modalities
(QR/chip card) which serve as a basis to implement the registration and use of the
fingerprint.
Then, this implies that in the entertainment stands of the El Plantío stadium there are 3
possible access systems, two of them being non-biometric and prior to the
implementation of the biometric system. In view of what was stated by himself
BURGOS CF, these two systems stopped being used between November 4,
2022 and February 15, 2023, during the period in which the system was implemented
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/54
biometric as mandatory, being again available and operational from
so.
It is also stated that since February 15, 2023, the
collect new biometric data and require biometric control in stadiums,
This system being suspended until the AEPD determines what to do. But I know
alludes to the fact that biometric control continues to be used to access the stands
animation by those subscribers who opt for it voluntarily, AND also
that the data is kept until the end of the season, although it is still
They are being held at this time, awaiting determination of what to do.
It is thus proven that the denounced Club had and has two
identity verification methods that are clearly less intrusive
for the rights of people who access the stadium, and identify the subscriber
with the same effectiveness as biometric systems. Whenever you can access
with the physical card or with the subscription on the mobile phone (NFC chip) or reading the QR code of
the subscriber card, whose identity can be verified by simply showing
of the DNI. System that was already working before the implementation of the
fingerprint reader.
Consequently, if there are alternatives available so that at a given time
all fans opt for non-biometric access, and a
free, express and specific consent that allows you to choose between these others
less intrusive methods and biometrics, this implies that data processing
biometrics is not necessary for the purpose of controlling the identity of those who
They access the animation stands. In no case is the judgment of
necessity because biometric processing is not necessary.
Asked about the judgment of necessity in the inspection, BURGOS CF does not offer reasons.
zones that justify it. The EIPD only states the following: “In
regarding the question raised regarding the need to incorporate a system
of biometric recognition, we must argue that this measure contributes to
Avoid violence in sports in two ways. On the one hand, we find
mos with its deterrent effect as it functions as a preventive factor; Yes one
person knows that the organization has its unique identification through
fingerprint, you will be much more careful when carrying out actions that
involve acts of violence, racism or intolerance inside or outside the stadium. By
On the other hand, this type of identification can reliably help to determine
identify the identity of people who are part of hypothetical violent acts that occur
given in the context of football matches”
However, the argument of helping to avoid violence in sport cannot be
be accepted as valid enough to consider that these biometric systems are
necessary for this reason. Since the current regulation regarding the sale of
tickets and access to sports venues (RGLALIGA; Law 19/2007 against violence,
racism, xenophobia and intolerance in sport, and its development regulations
approved by RD 557/2011) it follows that there are other ways to prevent rape.
lence in the stadiums and identify those responsible, who function properly
For this end. Thus, among other means, this regulation allows establishing that the
tickets are nominative, inside the stadiums there may be security systems
video surveillance, which can be placed at the entrances and surroundings of the stadium, and each
seat is assigned to the person who purchases the ticket. Through the methods
traditional access through a nominative subscription with display of the DNI is
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/54
can identify and register people who access the stands. It's not understood
that the fingerprint is going to add a plus that allows identifying those who presume
They could have committed acts of violence in the match in question. And not even m-
unless it contributes to avoiding it.
It is thus deduced that the fingerprint access system compared to the traditional
The sale of registered tickets does not represent a clear and differentiated plus in security.
ity of the stadiums, since with the already existing means it is possible to identify
also to possible offenders and verify the facts that have occurred.
2. Finally, if it is weighted or balanced, because it is derived from it more
benefits or advantages for the general interest that harm other goods or values
in conflict (proportionality judgment in the strict sense).
This is determined, among others, in “STC 66/1995, of May 8, F. 5; STC 55/1996,
of March 28, FF. 7, 8 and 9; STC 270/1996, of December 16, F. 4.e; STC
37/1998, of February 17, F. 8; STC 186/2000, of July 10, F. 6).”
In this regard, the seriousness of the risk to the rights and freedoms of the
treatment, and its interference in the fundamental right to Data Protection of
personal character must be appropriate to the objective pursued and proportionate to the
urgency and seriousness of this. We must weigh the benefit that the treatment
From the point of view of Data Protection, society provides,
maintaining a balance with the impact it represents on other rights
fundamental. However, although it may partially cede, in no case will
can assume the absolute denial of the right to Data Protection and empty
of its essential content.
There must be a logical link between the measure and the legitimate objective pursued.
In order for the principle of proportionality to be respected, the advantages resulting from the
measure should not be outweighed by the disadvantages that the measure causes
regarding the exercise of fundamental rights. And one of the factors that play
In proportionality it is the effectiveness of the measures of the existing measures, for
above the proposal, if in the same context measures already existed for a
similar or identical purpose, should be considered, if not, the evaluation of the
proportionality has not been properly carried out.
With respect to the Proportionality Judgment, BURGOS CF states in its DPIA
only the following: “We must remember that the BURGOS CLUB DE FÚTBOL,
S.A.D. has been informed that there are several people with precautionary measures,
of the corresponding courts with jurisdiction in the matter, which have been
prohibited from entering the stadium and a 500-meter restraining order. To avoid
skip any other type of looser control, a control through data
biometrics ends up being configured as an essential system that cannot be
deceive, since the fingerprint is a piece of information inherent to each person, which
cannot be modified or transferred. In this way, we determine that, in relation
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/54
with the interference that this system entails in the rights of the interested party and
making a weighing judgment between the interference of their right to
privacy, this is conceived as minuscule compared to the assurance
of the right to life and physical integrity of each person who pursues
proposed control measure.”
Again, the judgment made is not correct since it is not weighing the
advantages and disadvantages of using this biometric system. But above all, and in
relation to the proportionality requirement, because the alleged conflict between
the right to life and physical integrity of people and the right to protection
of personal data is not solved solely by means of a
biometric access system, since there is another alternative method
pre-existing information that allows the identification and verification of the identity of those people who
They are prohibited from entering the stadium with the same effectiveness as a fingerprint.
Taking into account that the computerized sales control and management system of
tickets, as well as access to football stadiums provided by law, can
achieve that the entries must be nominative, which is a type of access
common and normalized, and there being another modality of the same less intrusive than
the EIPD recognizes, it must prevail as it is preferable to the biometric system of
fingerprint detection.
From all the above, it is clearly deduced that fingerprint access system
fingerprint implemented by BURGOS CF in accordance with the provisions of the EIPD of February 15.
February 2023 does not pass this triple judgment of proportionality, for the specified purpose.
intended ca according to the club (“access control to the entertainment stands through the
fingerprint identification") and in the specific framework of the BUR stadium.
GOS CF.
In the present case, the intended purpose is to univocally identify the
people who accessed the stadium's entertainment stands using data
biometrics, and considering that there is an access modality that complied and complies
with the same purpose in a less intrusive way, it is considered that the treatment of
biometric data carried out by BURGOS CF is not necessary, nor proportional, therefore
that violates the provisions of the principle of data minimization contained in the article
5.1.c), which advocates that the data processed must be limited to what is necessary
to achieve those ends.
All this, to the extent that the club recognizes that the biometric system continues
operational on a voluntary basis, and that continues to retain the biometric data collected
above, since this will mean continuing to process biometric data, when this
It is not necessary, appropriate or proportional.
Therefore, the club is warned that the violation of article 5.1.c) is still
maintaining at present and will continue, as long as this
biometric treatment without being suitable, necessary, or proportional, being indifferent whether
This is voluntary or mandatory.
For completeness, it should be noted that the DPIA presented cannot be considered
valid, since it does not exceed the minimum requirements established in article 35.7 of the
GDPR. Not only in terms of not passing the evaluation of need and
proportionality, but also for not describing well the operations and purposes of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/54
treatment, not containing an adequate analysis of the risks of the treatment from the
point of view of the rights and freedoms of people, nor propose measures
adequate and sufficient as necessary to reduce the impact of threats
raised.
VI About the consent of minors
In addition to the requirements set out above, it must be taken into account that the
BURGOS CF in the Annex VI document is allowing minors under 18
years old access the stadium's entertainment stands as long as there is a
consent signed by parents or legal guardians, without establishing any limits
minimum age, and including in the signature footer of the document said possibility of
signature of the representative in case of being a minor) as acceptance of the
terms of use.
Thus, section 1 of this Annex VI provides that: “1.- Anyone who accesses the
Animation Stand must be at least eighteen (18 years old) old. If this
If this is not the case, signed consent from the parents or legal guardian will be required.”
Through this clause, the denounced club has been seeking consent
contractual that is required to make up for the minor's lack of capacity to
acquire the season ticket, for the purposes of the club-subscriber contractual relationship.
When it is possible for minors to go to the stadium (without any limitation
of age), and allow them to acquire the subscription as long as the document of the
Annex VI is signed by their parents or guardians, this will imply that they will be
obliged to provide their personal data.
In relation specifically to the processing of biometric data, as of 15
February 2023, the BURGOS CF considered that it was necessary to request the
consent to proceed with the processing of these personal data.
However, it does not accredit the club that is obtaining consent.
for the biometric treatment of minors, either (i) by parents or
guardians of minors under 14 years of age or (ii) by the
own minors over 14 years of age, regarding the treatment of
your personal biometric data from February 15, 2023, as this
possibility does not appear in the model in Annex VII.
It turns out that for minors there is no provision established in said document.
any provision of consent to process your personal data
biometrics.
In this regard, article 8 of the GDPR provides that,
"1. Where Article 6(1)(a) applies in relation to the
direct offer to children of information society services, the
processing of a child's personal data will be considered lawful when
is at least 16 years old. If the child is under 16 years of age, such treatment
It will only be considered lawful if the consent was given or authorized by the owner.
of parental authority or guardianship over the child, and only to the extent that it was given or
authorized.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/54
Member States may establish by law an age lower than such
purposes, as long as this is not less than 13 years.
2. The controller will make reasonable efforts to verify in
such cases that the consent was given or authorized by the owner of the
parental authority or guardianship over the child, taking into account technology
available.
3. Paragraph 1 shall not affect the general provisions of the Law
contractual law of the Member States, such as rules relating to the validity,
formation or effects of contracts in relation to a child.”
Likewise, it is necessary that the conditions provided for in article 7 of the
LOPDGDD, which on the “Consent of minors”, provides that,
"1. The processing of personal data of a minor only
may be based on your consent when you are over fourteen years of age.
Exceptions are cases in which the law requires the attendance of the holders of
parental authority or guardianship for the celebration of the legal act or business in
the context of which consent for treatment is obtained.
2. The processing of data of minors under fourteen years of age, based on the
consent, it will only be lawful if it includes that of the holder of parental authority or guardian.
“cloth, with the scope determined by the holders of parental authority or guardianship.”
In conclusion, at present there is sufficient evidence that there has been
There has been an alleged violation of Article 8 of the GDPR, since it appears that the
club is not obtaining the consent of minors for the treatment
of their biometric data, either by their parents or guardians or from them
directly, depending on the age of the minor.
VII On the information duties of article 13 of the RGPD
One of the obligations of the person responsible for all personal data processing is
comply with the duties of information to interested parties that are provided for in the
Articles 12 to 14 of the GDPR.
In accordance with the provisions of article 12.1 of the RGPD, we start from a Principle of
“Transparency of information, communication and modalities of exercise of the
rights of the interested party”:
"1. The person responsible for the treatment will take the appropriate measures to facilitate the
interested party all information indicated in articles 13 and 14, as well as any
communication under articles 15 to 22 and 34 relating to processing, in
concise, transparent, intelligible and easily accessible form, with clear and
simple, particularly any information directed specifically at a child. The
Information will be provided in writing or by other means, including, if applicable,
by electronic means. When requested by the interested party, the information may
be provided verbally as long as the identity of the interested party is demonstrated by
other media"
These information duties are specified in articles 13 and 14, being of
application to the present case, those provided for in article 13 of the RGPD on
“Information that must be provided when personal data is obtained from the
interested":
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/54
1. When personal data relating to him or her are obtained from an interested party, the
responsible for the treatment, at the time these are obtained,
will provide all the information indicated below:
a) the identity and contact details of the person responsible and, where applicable, their
representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the processing for which the personal data are intended and the basis
legal treatment;
d) when the processing is based on Article 6, paragraph 1, letter f), the
legitimate interests of the controller or a third party;
e) the recipients or categories of recipients of the personal data,
in your case;
f) where applicable, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of a
adequacy decision of the Commission, or, in the case of transfers
indicated in Articles 46 or 47 or Article 49, paragraph 1, paragraph
second, reference to the adequate or appropriate guarantees and the means
to obtain a copy of these or to the place where they have been made available.
provision.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the time the data is obtained
personal, the following information necessary to guarantee a treatment of
loyal and transparent data:
a) the period during which the personal data will be kept or, when not
where possible, the criteria used to determine this period;
b) the existence of the right to request from the data controller the
access to personal data relating to the interested party, and its rectification or
deletion, or limitation of its processing, or to oppose the processing, as well as
such as the right to data portability;
c) when the processing is based on Article 6, paragraph 1, letter a), or the
Article 9, paragraph 2, letter a), the existence of the right to withdraw the
consent at any time, without affecting the legality of the
treatment based on consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement,
or a necessary requirement to sign a contract, and if the interested party is
obliged to provide personal data and is informed of the possible
consequences of not providing such data;
f) the existence of automated decisions, including the preparation of
profiles, referred to in article 22, paragraphs 1 and 4, and, at least in such
cases, significant information about the logic applied, as well as the
importance and anticipated consequences of such treatment for the
interested.
3. When the data controller plans the subsequent processing of data
personal data for a purpose other than that for which they were collected, will provide
to the interested party, prior to said further processing, information about that
other purpose and any additional information relevant under paragraph 2.
4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
to the extent that the interested party already has the information.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 36/54
As already anticipated, being required by the inspector in relation to justifying the
compliance with the duty to inform the interested party of the content provided for in the
mentioned article 13 of the RGPD, Burgos has provided two documents that have
used, both prior to February 15, 2023, and the one used
later (Annexes VI and VII).
Firstly, Annex VI of the WrittenBurgos1, which according to the BURGOS CF is the only
document that was signed by the interested parties when acquiring the subscription before 15
February 2023, is not a consent regarding the processing of personal data,
but a contractual document that contains the “Conditions of membership, access
and permanence in the animation stands. 2022/2023 season”, and what is necessary
sign to be able to acquire the subscription.
However, this document requires the collection of personal data for the
“achievement of the season ticket”. In section 3 it refers to the
obligation to provide personal data such as name, surname, ID, contact details
contact, and sign a data protection law consent, which is not
contributes. And section 8 contains the obligation to submit to access control
biometric prior to obtaining the subscription, collecting your data for this purpose
biometrics, indicating that any other access system will have a
exceptional.
It should be noted that the inspector requested BURGOS CF on a second occasion to
to provide the supposed data protection consent document that
interested parties had to sign before collecting the data referred to in the
section 3, but the club did not contribute it in the Written2Burgos (limiting itself to contributing
new Annex VII), nor in the Writing3. Therefore, we must consider that this
consent was not signed.
It follows that, until February 15, 2023, data was collected
biometric and other personal data (DNI, name, surname, etc.) without having
duly informed the purchasers of the payment of the information provided in the
Article 13 of the GDPR. Since the only document they signed was this
Annex VI, which only contained the following generic information regarding
personal data protection:
[…] 8.- Any person who accesses the "LA HINCHADA" Entertainment Stand
DEL ARLANZON” must undergo biometric access control, to
which, prior to obtaining the subscription for this area, must
facilitate the capture of the fingerprint that is necessary. Any other system
access that does not entail biometric recognition, will have a
exceptional. The biometric data collected is for exclusive use
of entry to the sporting event, and the subscriber may request a cancellation of
said file canceling your subscription.
[…] 12.- For the purposes of the provisions of Organic Law 3/2018 of 5
December protection of personal data and guarantee of rights
digital, we inform you that the personal data that has been
collected in this document, as well as those obtained by
biometric means will be included in a data file of a nature
staff owned by the Club. In this sense, the undersigned lends his
express consent for the processing of your aforementioned personal data
staff."
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/54
In short, before February 15, 2023, there is no doubt that BURGOS CF
was collecting personal data from these subscribers (700 people according to the
club), both biometric and other types, without informing the interested party of all the
aspects expressed in article 13, resorting to a generic formula. This
document does not comply with the information required by the GDPR, which has been expanded
considerably compared to previous legislation.
For the period after February 15, 2023, BURGOS CF provides the
document “Information on access control to animation stands through
biometric data (fingerprint)” (Annex VII of the EscritoBurgos1). The document,
used as indicated by Burgos after February 15, 2023, if applicable
an express consent that informs the signatory about the treatment through the
biometric control. Thus, it states that by signing the document the
interested party consents to “the processing of biometric data relating to my fingerprint or
pattern thereof for the purpose described.” This contains most of the
information provided for in article 13, except that provided for in 13.2.c) referring to the
possibility of withdrawing the consent given. Well, despite the fact that the
possibility of requesting the right to delete the data collected, this is not
equivalent to revoking consent.
In short, from the documents in the file and without prejudice to those
that are provided during the instruction, at this time there is evidence
enough that BURGOS has been collecting personal data from the 700
subscription purchasers without adequately informing them of all the aspects required to
data protection purposes, so a violation of the
Article 13 of the GDPR.
VIII Classification of infractions and qualification for the purposes of prescription.
As has been explained in Legal Fundamentals III to VII of this agreement,
It is considered that BURGOS CF may have committed the following infractions of the
current regulations regarding data protection:
8.1. Violation of article 35 of the GDPR
As set out in Legal Fundamentals V, in accordance with the
evidence that is available at the present time, and without prejudice to what
results from the instruction, it is considered that the facts presented could violate the
established in article 35 of the RGPD, which could involve the commission of a
administrative offense classified in article 83.4.a) of the RGPD which indicates that:
“Infringements of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global annual total business volume of the previous financial year, opting
for the largest amount:
a) The obligations of the person responsible and the person in charge in accordance with the articles
8, 11, 25 to 39, 42 and 43.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/54
For the purposes of prescription, the LOPDGDD establishes in its article 73.t) that: “In
Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:
t) The processing of personal data without having carried out the evaluation of the
impact of processing operations on the protection of personal data in
the cases in which it is enforceable.”
8.2. Violation of article 9 of the GDPR.
As set out in the Fundamentals of Law IV, in accordance with the
evidence that is available at the present time, and without prejudice to what
results from the instruction, it is considered that the facts presented could violate the
established in article 9 of the RGPD, which could involve the commission of a
administrative offense classified in article 83.5 of the RGPD, which provides the
following:
“Infringements of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20 000 000 or, treatment
of a company, of an amount equivalent to a maximum of 4% of the volume
global annual total business of the previous financial year, opting for ma-
i amount:
“a) the basic principles for treatment, including the conditions for
consent in accordance with articles 5, 6, 7 and 9.”
For the purposes of prescription, the LOPDGDD establishes in its article 72.e):
“Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the
following:
“e) The processing of personal data of the categories referred to in the article.
9 of Regulation (EU) 2016/679, without any of the circumstances occurring
provided for in said precept and in article 9 of this organic law.”
8.3. Violation of article 5.1.c of the RGPD.
As set out in the Fundamentals of Law V in accordance with the
evidence that is available at the present time, and without prejudice to what
results from the instruction, it is considered that the facts presented could violate the
established in article 5.1.c) of the RGPD, which could involve the commission of a
administrative offense classified in article 83.5 of the RGPD, which provides the
following:
“Infringements of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20 000 000 or, treatment
of a company, of an amount equivalent to a maximum of 4% of the volume
global annual total business of the previous financial year, opting for ma-
i amount:
“a) the basic principles for treatment, including the conditions for
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/54
consent in accordance with articles 5, 6, 7 and 9.”
For the purposes of prescription of infractions, the LOPDGDD establishes in its article
72: “Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:
a) The processing of personal data violating the principles and guarantees established
“established in article 5 of Regulation (EU) 2016/679”.
8.4. Violation of article 8 of the RGPD.
As set out in Legal Fundamentals VII, in accordance with the
evidence that is available at the present time, and without prejudice to what
results from the instruction, it is considered that the facts presented could violate the
established in article 8 of the RGPD, which could involve the commission of a
administrative offense classified in article 83.4 of the RGPD, which provides as follows:
following:
“Infringements of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global annual total business volume of the previous financial year, opting
for the largest amount:
a)- the obligations of the person responsible and in charge in accordance with articles 8, 11, 25
at 39, 42, and 43”.
For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:
“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:
a) The processing of personal data of a minor without obtaining their
consent, when he has the capacity to do so, or that of the holder of his parental authority
or guardianship, in accordance with article 8 of Regulation (EU) 2016/679.”
8.5. Violation of article 13 of the RGPD.
As stated in the Fundamentals of Law VI, in accordance with the
evidence that is available at the present time, and without prejudice to what
results from the instruction, it is considered that the facts presented could violate the
established in article 13 of the RGPD, which could involve the commission of a
administrative offense classified in article 83.5 of the RGPD, which provides
following:
“Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe violations that involve three years
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/54
a substantial violation of the articles mentioned therein and, in particular, the
following:
b) the rights of the interested parties under articles 12 to 22.”
For the purposes of the limitation period, article 74 “Infringements considered minor” of
The LOPDGDD indicates:
“The remaining infractions of violations are considered minor and will expire after one year.”
purely formal nature of the articles mentioned in sections 4 and 5 of the
article 83 of Regulation (EU) 2016/679 and, in particular, the following:
a) Failure to comply with the principle of transparency of information or the
right of information of the affected person for not providing all the information required by
Articles 13 and 14 of Regulation (EU) 2016/679.
X Determination of sanctions
Article 58.2 of the RGPD provides the following: “Each supervisory authority will have
of all the following corrective powers indicated below:
i) impose an administrative fine in accordance with Article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of
each particular case;”
The determination of the sanctions that should be imposed in the present case requires ob-
serve the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively,
mind, they provide the following:
"1. Each supervisory authority will ensure that the imposition of administrative fines
pursuant to this article for violations of this Regulation.
indicated in sections 4, 9 and 6 are effective in each individual case, pro-
portioned and dissuasive.”
"2. Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account.
ta:
a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;
a) intentionality or negligence in the infringement;
b) any measure taken by the person responsible or in charge of the treatment
to alleviate the damages and losses suffered by the interested parties;
c) the degree of responsibility of the person responsible or in charge of the treatment.
taking into account the technical or organizational measures that have been applied in
under articles 25 and 32;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/54
d) any previous infraction committed by the person responsible or in charge of the
treatment;
e) the degree of cooperation with the supervisory authority in order to enforce
medium to the infringement and mitigate the possible adverse effects of the infringement;
f) the categories of personal data affected by the infringement;
g) the way in which the supervisory authority became aware of the infringement,
in particular if the controller or processor notified the infringement and, in such case, in
what measure;
h) when the measures indicated in Article 58, paragraph 2, have been organized
previously condemned against the person responsible or the person in charge in question in relation to
tion with the same matter, compliance with said measures;
i) adherence to codes of conduct under Article 40 or mechanisms
of certification approved in accordance with Article 42, and
j) any other aggravating or mitigating factor applicable to the circumstances
of the case, such as financial benefits obtained or losses avoided, direct
or indirectly, through infringement.”
Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions
and corrective measures”:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria established
acids in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of medical treatment.
personal information.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the
sion of the violation.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis,
to alternative conflict resolution mechanisms, in those cases in which
that there are disputes between them and any interested party.
3. It will be possible, complementary or alternatively, adoption, when appropriate,
of the remaining corrective measures referred to in article 83.2 of the Rules.
ment (EU) 2016/679.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/54
For the assessment of the sanction that would be implemented in this initial agreement, for the
alleged violation of article 35 of the RGPD, the following circumstances are contemplated:
cias:
- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation.” Every time he treats
biometric data processing began on November 4, 2022 without the
EIPD until February 15, 2023, in such a way that for more than three months
carried out the treatment without identifying, evaluating and assessing the risks to the
rights and freedoms of natural persons, without, among other issues, establishing
bleed and implement, as a consequence of the above, the appropriate measures to
seek their protection, in response to the purpose sought by the RGPD. And it affected 700
subscribers who acquired the animation stand subscription title in the season
2022/2023. (83.2.a GDPR). For completeness, it should be noted that not having carried out
DPIA is substantially serious in this case, in which when carrying it out it has been
passed from a mandatory to a voluntary system, also changing the basis of legality and
applicable exception.
- A serious lack of diligence is included (art 83.2.b RGPD), given that any
treatment that entails a high risk requires the performance of a DPIA with
ter prior to the start of the treatment, especially if it can encompass categories
special personal data, such as biometrics in this case, or subjects who deserve
cen specific protection, such as children.
In this sense, the Supreme Court has understood that there is imprudence
A legal duty of care is always neglected, that is, when the offender does not
behaves with the required diligence. And in the assessment of the degree
of diligence, the professionalism or otherwise of the subject must be especially considered,
and there is no doubt that, in the case now examined, when the activity of the
recurring is constant and abundant handling of data of a
personnel must insist on rigor and exquisite care to conform to the
legal precautions in this regard. The STS of 06/05/1998 requires
professionals in the sector "a duty to know especially the standards
applicable", and in similar terms are pronounced, among others, the SSTS of
03/2/1999 and 09/17/1999, due to their activity they are accustomed to the treatment of
personal data must be especially diligent and careful when making
operations with them and must always opt for the most favorable interpretation
to safeguard the fundamental right to data protection (as of
repeatedly maintains the National Court, among others in a ruling of
11/26/2008).
- The impact on one of the special categories of data, biometric data,
whose need for protection is to that extent greater than that of other personal data,
in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of
05/22/2019, appeal 1405/2019, which represents an aggravating circumstance, in accordance with the article
83.2.g) of the RGPD “the categories of personal data affected by the
infringement".
- The impact on the rights of minors (76.f) of the LOPDGDD). Since of
According to the document provided as Annex VI, it is possible to process biometric data of
under 18 years old.
As a consequence, with the elements that are available, the sanction is quantified in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/54
50,000 euros, without prejudice to what results from the processing of the procedure.
For the assessment of the sanction that would be implemented in this initial agreement, for the
alleged violation of article 9 of the RGPD, the following circumstances are contemplated:
cias:
- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation”, given that it is an operation
periodic processing of personal data that affected since November 4th
November 2022 to February 15, 2023 to the 700 subscribers who acquired the title
subscription for the animation stand in the 2022/2023 season (83.2.a RGPD).
- A lack of diligence is included, given that it prepared the implementation of the system and
It did not foresee its impact, so this factor would operate as an aggravating factor. (art
83.2.b RGPD), in accordance with the doctrine of the Supreme Court previously referred to
ciada
- The impact on the rights of minors (76.f) of the LOPDGDD). Since of
According to the document provided as Annex VI, it is possible to process biometric data of
under 18 years old.
As a consequence, with the elements that are available, the sanction is quantified in
50,000 euros, without prejudice to what results from the processing of the procedure.
Regarding the violation of the principle of data minimization due to the presumption
This violation of article 5.1.c) of the RGPD, the following circumstances are contemplated:
- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation.” It was not considered correctly
specifically the specific purpose of the processing of personal data in relation to the
needs to be covered, which constitutes the nature of the infringement and which opened the scope
of affected to any subscriber of the accused, considering that the purpose of the treatment
processing is a basic activity of the person responsible for the treatment, which aggravates
tea. (83.2.a GDPR).
- A serious lack of diligence is included, given that it was available and thus stated
documented in the DPIA of February 15, 2023 that there were other means to process
less intrusive treatment and the use of the solution was left to the users' will, and not
foreseen its impact, so this factor would operate as an aggravating factor (art 83.2.b
GDPR).
- The impact on one of the special categories of data, biometric data,
whose need for protection is to that extent greater than that of other personal data,
in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of
05/22/2019, appeal 1405/2019, which represents an aggravating circumstance, in accordance with the article
83.2.g) of the RGPD “the categories of personal data affected by the
infringement".
- The impact on the rights of minors (76.f) of the LOPDGDD). Since of
According to the document provided as Annex VI, it is possible to process biometric data of
under 18 years old.
As a consequence, with the elements that are available, the sanction is quantified in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/54
50,000 euros, without prejudice to what results from the processing of the procedure.
Regarding the violation of the principle of data minimization due to the presumption
This violation of article 8 of the RGPD, the following circumstances are contemplated:
- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation”, whenever the treatment
Biometric data collection carried out as of February 15, 2023 provided for the provision of
tion of consent for the processing of biometric data without prior
sion to collect their consent. Which represents a loss of
control and disposition of your personal data. (83.2.a GDPR).
- A serious lack of diligence is included (art 83.2.b RGPD), given that any
processing that collects data from minors and that requires the provision of consent
feeling, must contain specific provisions for the provision of the same by
these directly or by their legal representatives, depending on the age of the
nor. Considering that negligence occurs in accordance with the doctrine of the Court
Supreme Court previously referenced.
- The impact on one of the special categories of data, biometric data,
whose need for protection is to that extent greater than that of other personal data,
in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of
05/22/2019, appeal 1405/2019, which represents an aggravating circumstance, in accordance with the article
83.2.g) of the RGPD “the categories of personal data affected by the
infringement".
As a consequence, with the elements that are available, the sanction is quantified in
25,000 euros, without prejudice to what results from the processing of the procedure.
With regard to the alleged violation of article 13 of the RGPD, the following are contemplated:
following circumstances:
- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation.” Every time the response
Saber of the treatment did not inform those affected under the terms of the RGPD since 4
November 2022, when the processing of biomedical data was launched.
nor from February 15, 2023, date of completion of the DPIA, nor
In none of the cases was said information adapted to minors, and
which affected 700 subscribers who acquired a subscription to the entertainment stand
in the 2022/2023 season. All of this means a lack of information, a loss of
provision and control over personal data (83.2.a RGPD).
- A serious lack of diligence is included (art 83.2.b RGPD), since it is necessary
that interested parties be informed prior to treatment, especially
when the information precedes the provision of consent.
In this sense, the Supreme Court has understood that there is imprudence
A legal duty of care is always neglected, that is, when the offender does not
behaves with the required diligence. And in the assessment of the degree of diligence
The professionalism or lack of professionalism of the subject must be especially considered, and it is not possible
doubt that, in the case now examined, when the activity of the appellant
is constant and abundant handling of personal data must be insisted upon.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 45/54
employ rigor and exquisite care to comply with legal preventions when
regard. The STS of 06/05/1998 requires professionals in the sector "a duty
to know especially the applicable standards", and in similar terms it is
pronounce, among others, the SSTS of 03/02/1999 and 09/17/1999, for their activity
are accustomed to the processing of personal data must be especially careful.
ligent and careful when carrying out operations with them and should always choose
the most favorable interpretation to safeguard the fundamental right to
data protection (as the National Court repeatedly maintains, in-
three others in ruling of 11/26/2008).
- The impact on one of the special categories of data, biometric data,
whose need for protection is to that extent greater than that of other personal data,
in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of
05/22/2019, appeal 1405/2019, which represents an aggravating circumstance, in accordance with the article
83.2.g) of the RGPD “the categories of personal data affected by the
infringement".
- The impact on the rights of minors (76.f) of the LOPDGDD). Since of
According to the document provided as Annex VI, it is possible to process biometric data of
under 18 years old.
As a consequence, with the elements that are available, the sanction is quantified in
25,000 euros, without prejudice to what results from the processing of the procedure.
XI Adoption of corrective measures.
If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…”
The imposition of this measure is compatible with the sanction consisting of a fine
administrative, according to the provisions of art. 83.2 of the GDPR.
It is warned that failure to comply with the possible order to adopt measures imposed by
This body in the sanctioning resolution may be considered as a
administrative offense in accordance with the provisions of the RGPD, classified as
infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a
subsequent administrative sanctioning procedure.
XI. Provisional measures
Article 58.2 of the GDPR provides the following:
“Each supervisory authority will have all of the following corrective powers:
indicated below:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/54
d) order the person responsible or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, when
appropriate, in a certain manner and within a specified period;”
f) impose a temporary or definitive limitation on the processing, including its
prohibition; […]”
i) impose an administrative fine in accordance with Article 83, in addition to or instead of
of the measures mentioned in this section, depending on the circumstances
of each particular case;”
The imposition of these measures are compatible with each other and with the consistent sanction
in administrative fine, according to the provisions of art. 83.2 of the GDPR.
There is no evidence that BURGOS CF has stopped using the biometric system to
access to the stadium based on the consent of the users, since it maintains it as
Voluntary method of access to the cheer stands at your stadium.
In particular, it is worth mentioning article 69 of the LPACAP, which determines:
"1. During the carrying out of prior investigation actions or initiating a
procedure for the exercise of sanctioning power, the Spanish Agency for
Data Protection may agree to provisional measures with reasons.
necessary and proportionate to safeguard the fundamental right to
data protection and, especially, those provided for in article 66.1 of the Regulation
(EU) 2016/679, the precautionary blocking of data and the immediate obligation to attend
the right requested.
2. In cases in which the Spanish Data Protection Agency considers that the
continuation of the processing of personal data, its communication or
international transfer will entail a serious impairment of the right to
protection of personal data may order those responsible or in charge of
the treatments, the blocking of the data and the cessation of its processing and, in the event of
If these said mandates are not complied with, proceed to their immobilization.”
Article 56 of the LPACAP, insofar as it is applicable, indicates the measures
provisionally the following in sections 1 and 3:
"1. Once the procedure has started, the administrative body competent to resolve,
may adopt, ex officio or at the request of a party and in a motivated manner, the measures
provisional measures that it deems appropriate to ensure the effectiveness of the resolution that
could relapse, if there were sufficient elements of judgment for it, according to
with the principles of proportionality, effectiveness and least onerousness. (…).
3. In accordance with the provisions of the two previous sections, the
following provisional measures, in the terms provided in Law 1/2000, of
7/01, Civil Procedure:
a) Temporary suspension of activities.
b) Provision of guarantees.
c) Withdrawal or intervention of productive assets or temporary suspension of
services for reasons of health, hygiene or safety, the temporary closure of the
establishment for these or other reasons provided for in the regulatory regulations
applicable.
d) Preventive seizure of assets, income and fungible things computable in
metallic by application of certain prices.
e) The deposit, retention or immobilization of movable property.
f) The intervention and deposit of income obtained through an activity that is
considered illegal and whose prohibition or cessation is sought.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/54
g) Consignment or constitution of deposit of the amounts claimed.
h) The withholding of income on account that must be paid by the Administrations
Public.
i) Those other measures that, for the protection of the rights of
interested parties, expressly provide for the laws, or that are deemed necessary to
ensure the effectiveness of the resolution.
4. Provisional measures may not be adopted that may cause harm to
difficult or impossible reparation to the interested parties or that involve violation of
rights protected by law.
5. Provisional measures may be lifted or modified during the
processing of the procedure, ex officio or at the request of a party, by virtue of
circumstances that occurred or that could not be taken into account in the
time of its adoption. In any case, they will be extinguished when the
administrative resolution that puts an end to the corresponding procedure.”
In the data processing analyzed, the high risk that
means for the rights and freedoms of a large number of those affected, such as
loss of control and disposition of your personal data or the use of the data
personnel that are not obviously necessary to access the stadium, which
It also includes minors. Along with this, there are indications and proven evidence
that recommend not continuing with the aforementioned treatment that involves categories
special personal data.
The continuation of the treatment, for which there is evidence that it has not passed the
triple judgment of proportionality and therefore the failure to exceed the DPIA of February 15
of 2023, which could lead to very serious and irreparable harm to the
rights of those users. Therefore, the temporary suspension of treatment is the
only measure that can be adopted to safeguard the Fundamental Right to
Data Protection, also proving to be the least harmful, onerous, proportional
and effective, as well as the most proportional and effective for the accused.
From these premises and in order to guarantee the rights and freedoms of those affected,
It is considered appropriate to impose a provisional measure that prevents as soon as possible the
continuation of the processing of personal data through the
fingerprint recognition for access to the El Plantío stadium
BURGOS CF, which must temporarily suspend its use.
This measure would not prevent the accused from continuing to control the entry correctly.
and legal with the other systems you are using, not even the fans would mind.
loss of service, since you can continue entering the stadium normally because
It is a “complementary” or “alternative” system to the fingerprint, as stated
continually the accused.
Consequently, in accordance with art 83.2 of the RGPD and article 76.3 of the
LOPDGDD transcribed above, it is possible to impose through this Agreement of Start of
sanctioning file the provisional measure of ordering, in accordance with the provisions
in art. 69 of the LOPDGDD and art. 56 of the LPACAP, the temporary suspension of all
processing of biometric personal data and especially those related to the
Fingerprint recognition for access to the El Plantío stadium. Every time the
provisional suspension of treatment is considered necessary, proportional, effective
to guarantee the rights and freedoms in contention of those affected and of less burdensomeness
for the accused.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/54
The provisional measure must be carried out from the notification of this agreement
initiation of the sanctioning procedure until its final resolution, in which it must be
confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the
LPACAP.
Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:
FIRST: START SANCTIONING PROCEDURE against BURGOS CLUB DE
FOOTBALL, S.A.D. with NIF A09012428, for the following violations of the RGPD:
- For the alleged violation of article 35, typified in article 83.4 of the RGPD
- For the alleged violation of article 9 of the RGPD, typified in article 83.5.a)
of the GDPR.
- For the alleged violation of article 5.1.c, typified in article 83.5.a) of the
GDPR.
- For the alleged violation of article 8 of the RGPD, typified in article 83.4.a)
of the GDPR.
- For the alleged violation of article 13 of the RGPD, typified in article 83.5.b)
of the GDPR.
SECOND: ORDER as a provisional measure the BURGOS FOOTBALL CLUB,
S.A.D. with NIF A09012428, in accordance with the provisions of article 69 of the
LOPDGDD and article 56 of the LPACAP, the temporary suspension of all treatment of
personal data related to fingerprint detection for access to the El stadium
Plantation. The provisional measure must be carried out within ten business days,
counted from the notification of this agreement to open the procedure, and
will remain until its final resolution, in which it must be confirmed, modified or
lifted, without prejudice to the provisions of art. 56.5 of the LPACAP. To this end, you must
justify before this Spanish Data Protection Agency the attention of this
request.
THIRD: APPOINT A.A.A. as instructor. and, as secretary, to B.B.B.,
indicating that they may be challenged, if applicable, in accordance with the provisions of the
Articles 23 and 24 of Law 40/2015, of 1/10, on the Legal Regime of the Public Sector
(LRJSP).
FOURTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Inspection of
Data.
FIFTH: THAT for the purposes provided for in art. 64.2 b) of the LPCAPAP, the sanction that
could correspond would be for each of the infractions charged, without prejudice to
What results from the instruction would be:
- 50,000 euros, for the violation of article 35 of the RGPD.
- 50,000 euros, for the violation of article 9 of the RGPD.
- 50,000 euros, for the violation of article 5.1.c) of the RGPD.
- 25,000 euros, for the violation of article 8 of the RGPD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 49/54
- 25,000 euros, for the violation of article 13 of the RGPD.
SIXTH: NOTIFY this agreement to BURGOS CLUB DE FÚTBOL, S.A.D. with
NIF A09012428, granting a hearing period of ten business days so that
formulate the allegations and present the evidence you consider appropriate. In its
written allegations must provide your NIF and the file number that appears in the
heading of this document.
If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of the LPACAP.
In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 160,000 euros, resolving the
procedure with the imposition of this sanction.
Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which will mean
the reduction of 20% of its amount. With the application of this reduction, the sanction
would be established at 160,000 euros, and its payment will imply the termination of the
procedure, without prejudice to the imposition of the corresponding measures.
The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for the recognition of responsibility, provided that this recognition of
responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 120,000 euros.
In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.
In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above 160,000 euros or 120,000 euros, you must make it effective
by depositing it into the account number IBAN: ES00-0000-0000-0000-0000-0000 open to
name of the Spanish Data Protection Agency in the banking entity
CAIXABANK, S.A., indicating in the concept the reference number of the procedure
that appears in the heading of this document and the reason for reducing the amount
which is welcomed.
Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.
The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After this period, its expiration will occur and, in
consequently, the archive of actions; in accordance with the provisions of the
article 64 of the LOPDGDD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/54
Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.
935-30102023
Sea Spain Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On March 5, 2024, the claimed party has proceeded to pay
the sanction in the amount of 120,000 euros, making use of the two reductions
provided for in the initiation Agreement transcribed above, and has submitted a written document in the
same date on which you request a resolution to terminate the procedure,
recognizing their responsibility, and expressly desisting from any action or
administrative appeal against the sanction.
THIRD: In the aforementioned Initiation Agreement transcribed above, it was agreed: “OR-
DENIM as a provisional measure the BURGOS CLUB DE FÚTBOL, S.A.D. with NIF
A09012428, in accordance with the provisions of article 69 of the LOPDGDD and article 56
of the LPACAP, the temporary suspension of all processing of personal data relating
to fingerprint detection for access to the El Plantío stadium. The provisional measure
nal must be carried out within a period of ten business days, counted from the notification.
tion of this agreement to open the procedure, and will remain until its resolution
final, in which it must be confirmed, modified or lifted, without prejudice to the provisions
to in art. 56.5 of the LPACAP. To this end, you must justify before this Spanish Agency of
Data Protection attention to this requirement.”
The BURGOS CLUB DE FUTBOL, S.A.D has not yet proven to have executed
This provisional suspension measure has been lifted.
FOUNDATIONS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 51/54
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
II
Termination of the procedure
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:
"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.
The reduction percentage provided for in this section may be increased
“regularly.”
III
Elevation of provisional measure to definitive. Adoption of corrective measures.
Article 58.2 of the GDPR provides the following:
“Each supervisory authority will have all of the following corrective powers:
indicated below:
d) order the person responsible or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, when
appropriate, in a certain manner and within a specified period;”
f) impose a temporary or definitive limitation on the processing, including its
prohibition; […]”
i) impose an administrative fine in accordance with Article 83, in addition to or instead of
of the measures mentioned in this section, depending on the circumstances
of each particular case;”
Regarding the temporary or definitive limitation of the treatment, it is worth referring to the article
69 of the LPACAP, which determines:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 52/54
"1. During the carrying out of prior investigation actions or initiating a
procedure for the exercise of sanctioning power, the Spanish Agency for
Data Protection may agree to provisional measures with reasons.
necessary and proportionate to safeguard the fundamental right to
data protection and, in particular, those provided for in article 66.1 of the Regulation
(EU) 2016/679, the precautionary blocking of data and the immediate obligation to attend
the right requested.
2. In cases where the Spanish Data Protection Agency considers that the
continuation of the processing of personal data, its communication or
international transfer will entail a serious impairment of the right to
protection of personal data may order those responsible or in charge of
the treatments, the blocking of the data and the cessation of its processing and, in the event of
If these said mandates are not complied with, proceed to their immobilization.”
Article 56 of the LPACAP states in its fifth section that:
"5. The provisional measures may be lifted or modified during the
processing of the procedure, ex officio or at the request of a party, by virtue of
circumstances that occurred or that could not be taken into account in the
time of adoption. In any case, they will be extinguished when the
administrative resolution that puts an end to the corresponding procedure.”
In the present procedure, there is no evidence that BURGOS CF had suspended the
data processing related to access to the stadium's entertainment stands through
fingerprint-which were maintained as a voluntary access system for members who
opt for the same -, the agreement to initiate this procedure ordered to agree
“the temporary suspension of all processing of biometric personal data and in
special of those referred to the fingerprint recognition system for access
to the El Plantío stadium”, since the provisional suspension of the treatment was
considered necessary, proportional, effective to guarantee the rights and freedoms in
list of those affected and less burdensome for the accused.
In accordance with the provisions of the agreement to initiate this procedure, the
provisional measure should have been adopted since the notification of the
initiation of the sanctioning procedure until its final resolution, in which it had to be
confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the
LPACAP.
As of the date of this resolution, BURGOS CF has recognized its responsibility and
the payment, requesting the termination of the procedure, without reference to the state in
which is the processing of biometric data in the animation tier of its
stadium, so it is unknown if this system has been provisionally suspended,
as ordered in the agreement to initiate the sanctioning procedure, or have
definitively suspended.
Well, having said the above, BURGOS CF has recognized its responsibility,
the infractions that were charged in the
initial agreement, and it is also necessary to impose on the person responsible the adoption of the
appropriate corrective measures to adjust their actions to the protection regulations
of data, as was already anticipated in the initial agreement.
It is estimated that the same risks undoubtedly persist today as
motivated the suspension or provisional limitation of the treatment in the initiation agreement,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 53/54
since the continuation of the treatment could lead to very serious damage and
irreparable for the rights and freedoms of users who access the stadium
using the implemented biometric system.
Given the circumstances, it is understood that the prohibition of treatment, as a measure
corrective action of those granted in article 58.2 of the RGPD to the Spanish Agency for
Data Protection is the only measure that can be adopted to safeguard
the Fundamental Right to Data Protection, also proving to be the least
harmful, onerous, proportional and effective, as well as the most proportional and effective for the
denounced.
From these premises and in order to guarantee the rights and freedoms of those affected,
It is considered appropriate to confirm the provisional suspension ordered in the agreement
initiation, and prohibit, as a corrective measure, the processing of personal data
through the fingerprint recognition system for access to the
El Plantío stadium of BURGOS CF, proceeding to cessation of treatment.
This measure would not prevent the accused from continuing to control the entry
appropriate and legal with the other systems you are using, nor do hobbyists care
would mean the loss of service, since you can continue entering the stadium with
normality since it is a system already implemented “complementary” or “alternative” to that of
fingerprint, as the defendant continually states.
In accordance with what has been stated, the Director of the Spanish Agency for the Protection of
Data RESOLVES:
FIRST: DECLARE the termination of the sanctioning procedure processed with the
number PS/00483/2023 (EXP202213792), in accordance with the provisions of the
article 85 of the LPACAP.
SECOND: Confirm the provisional measure imposed in the agreement to start the
present sanctioning file, and prohibit BURGOS CLUB DE FÚTBOL S.A.D,
as a corrective measure, any processing of personal data relating to the processing
fingerprint for access to the El Plantío stadium, proving within ten
business days before this Spanish Data Protection Agency that has proceeded to the
cessation of your treatment.
THIRD: NOTIFY this resolution to BURGOS CLUB DE FÚTBOL,
S.A.D.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 54/54
1219-21112023
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
