AEPD (Spain) - EXP202212956
AEPD - EXP202212956 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1)(a) GDPR Article 9 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 22.11.2022 |
Decided: | 21.01.2025 |
Published: | 22.01.2025 |
Fine: | 200,000 EUR |
Parties: | Club Atlético Osasuna |
National Case Number/Name: | EXP202212956 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | ao |
The DPA held that the implementation of an optional facial-recognition system to enter a football stadium violated the principle of data minimisation as there were less invasive alternatives and therefore issued a €200,000 fine.
English Summary
Facts
A data subject lodged a complaint against the Spanish football club “Club Atlético Osasuna” with the Spanish DPA (Agencia National de Protection de Datos – AEPD) on 22 November 2022.
The football club, here the controller, had implemented a facial recognition system at one of the stadium entrances on the 10 April 2022. By the 22 April 2022, the system had been added to several entrances. Fans were given the option to register for the system online to which they had to provide a selfie, a scan of their ID-card and agreement to the terms and conditions.
Traditional entry with physical or digital tickets was still possible at other entrances. The controller detailed that the purpose of the system was primarily limited to convenience. Therefore, security and identity verification purposes were not listed as the aim of the system.
The controller had carried out a data protection impact assessment and concluded that based on the legal basis of consent, the processing did not endanger data protection rights. The DPIA had shown that the data was only processed for the intended purpose.
The data subject alleged that the large-scale processing of biometric data lacked proportionality, that the controller did not provide sufficient safeguards and that consent alone was not enough to legitimise this processing.
Holding
Consent under Article 6(1)(a) GDPR The AEPD confirmed that the opt-in design of the system proved that the use of the facial-recognition system was in fact voluntary. Fans were not confronted with any negatives if they refused to use the system or if they withdrew their consent. The sign-up system required multiple opt-ins in order to sign up, so the AEPD concluded that consent was informed and freely given. Further, people wanting to sign up were informed on data usage and storage by the controller.
Necessity of processing sensitive Article 9 GDPR data However, the nature of the biometric data processed under Article 9 GDPR required further assessment. The AEPD highlighted that more information had to be provided on how and when data was deleted. The AEPD found that the amount of data processed (e.g., ID scans, selfies, and live facial recognition) exceeded what was required to achieve the system’s purpose which was managing efficient access to the stadium. It explained that the data minimisation principle required controllers to assess and make use of alternatives which would be less intrusive, but which would still fulfil the intended purpose.
Violation of Article 5(1)(c) GDPR The AEPD found that even if the consent of data subjects is obtained, the processing of sensitive biometric data must be necessary especially when other options are viable. It held that the use of the facial-recognition was not adequately justified in light of other options such as QR codes and digital tickets. These methods already provided for viable and efficient methods to achieve the purpose (fast access to the stadium). The controller was ordered to reevaluate the system as it had violated Article 5(1)(c) GDPR as marginal benefits did not justify the processing.
Administrative fine The AEPD held that the controller had showed negligence in implementing a system processing large-scale sensitive data without being necessary for quick access to the stadium. Therefore, the AEPD set a fine of €200,000 based on the controller’s income.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/128 File No.: EXP202212956 SANCTIONING PROCEDURE RESOLUTION BACKGROUND..........................................................................................................2 FIRST: Receipt of complaint dated 11/22/2022................................................2 SECOND: Director's agreement to initiate preliminary investigation proceedings. ...................................................................................................................................3 THIRD: First request to C.A. OSASUNA in the course of the preliminary investigation proceedings................................................................................................3 FOURTH: Second request to C.A.OSASUNA in the course of the preliminary investigation proceedings..................................................................................................25 FIFTH: Incorporation of documentation in the preliminary investigation proceedings................................................................................................................41 SIXTH: Brief analysis of the EIPD provided by C.A.OSASUNA in preliminary investigation proceedings...................................................................................................50 SEVENTH: Start agreement of 12/4/2023...................................................................51 EIGHTH: Sending a copy of the file..................................................................................52 NINTH: Allegations to the start agreement of 12/28/2023..................................................52 TENTH: Proposal for a resolution of 10/30/2024 and allegations..................................62 TENTH FIRST: Objections to the proposal.................................................................62 PROVEN FACTS................................................................................................................70 FIRST:..........................................................................................................................70 SECOND:..........................................................................................................................70 THIRD:........................................................................................................................70 FOURTH:.......................................................................................................................71 FIFTH:.......................................................................................................................71 SIXTH:.......................................................................................................................72 SEVENTH:...................................................................................................................74 EIGHTH:........................................................................................................................75 NINTH:........................................................................................................................75 TENTH:...................................................................................................................76 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/128 TENTH FIRST:.......................................................................................................76 TWELFTH:..........................................................................................................77 LEGAL BASIS...........................................................................................................77 I Jurisdiction.......................................................................................................77 II Definition of personal data and biometric data.......................................78 III Regulations on control of tickets and access to stadiums...................................86 IV Differences in data processing for access to the stadium...................................91 V Examination of necessity and proportionality........................................................92 VI Processing of biometric data: exception to article 9 of the GDPR, and legitimizing basis of article 6 of the GDPR.................................................................................103 VII Response to the allegations of C.A. OSASUNA..........................................106 VIII Classification and Classification of the infringements..........................................................116 IX Determination of the sanctions..........................................................................117 X Corrective powers............................................................................................122 RESOLVES:................................................................................................................125 From the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: Receipt of complaint dated 11/22/2022 On 11/22/2022, this AEPD received a complaint (hereinafter, the complainant) against CLUB ATLÉTICO OSASUNA with NIF G31080179 (hereinafter, C.A. OSASUNA). The reasons on which the complaint is based are that C.A. In April 2022, OSASUNA introduced a biometric facial recognition system (SBRF hereinafter) for spectator access to its El Sadar stadium. The press release published on 05/22/2022 by elespañol.com is included at: https://www.elespanol.com/invertia/disruptores- innovadores/innovadores/tecnologicas/20220522/accesos-rapidos-seguros-sistema- reconocimiento-laliga-operativo/673682724_0.html. In summary, the news indicates that it has been a process in which from the beginning they have had the participation of La Liga, as the entity in charge of managing access to the stadiums of the First and Second Division, in the three ways that existed until now to access the stadium and that the process, available at the moment for members who register through the website, would be an optional form of access to the stadium. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/128 The complainant indicates that freedoms and fundamental rights are restricted, the lack of proportionality of which does not make the treatment legitimate, not even with an eventual consent associated with its implementation. SECOND: Director's agreement to begin preliminary investigation actions. As a result of the complaint and the news that appeared in the press, the Director of the Spanish Data Protection Agency sent a letter on 5/12/2022 to the General Subdirectorate of Data Inspection, so that preliminary inspection actions are carried out ex officio in order to verify proper compliance with the regulations. THIRD: First request to C.A. OSASUNA in the course of the preliminary investigation actions. The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions AI/00417/2022 to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD. On 02/14/2023, C.A. OSASUNA was asked to provide information "relating to the processing of biometric data referred to in the news published in the media." On the other hand, it should also be noted that, at that time, other actions were being carried out (file number EXP202213792) in which the situation regarding the use of biometric systems for access to the stadiums was being investigated (AI/00444/2022). In the proceedings of the present case, dated 13/03/2023, as prior information, C.A.OSASUNA states that "the Facial Recognition Solution or System" (SBRF hereinafter) established, makes it possible to facilitate access control to the El Sadar stadium and is not configured as mandatory, being a complementary method to the remaining procedures established by the Club for admission and access control to the venue currently in existence, and those who choose between the different access methods available. C.A. OSASUNA entered into contracts with DAS-GATE ACCESSS CONTROL SOLUTIONS SL, (DAS-GATE hereinafter) provider of technological services that, through the use of biometric technology generated by VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, S.L (hereinafter, "VERIDAS"), developed the System. Prior to the implementation of the Solution, they carried out between the months of November 2021 and February 2022, a Data Protection Impact Assessment (hereinafter, EIPD), the final version of which, dated 4/02/2022, is attached as DOCUMENT 1, whose summary related to the essence of the matter is summarized in the last of the FACTS. Determination, for each of the activities that involve the processing of biometric data, of: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/128 1.1. Dates on which they began and, where applicable, the date of completion. C.A. OSASUNA responded that a pilot test of the system was carried out on 04/10/2022. Attached as DOCUMENT 2 is the announcement of the implementation of the System next Sunday in: “official news-communiqué of 04/05/2022”. It is reported that it will be the first La Liga club to allow access to its stadium through facial recognition, as a quick, convenient and safe way, without the need to carry the physical season ticket, - “opening the turnstile in a process that lasts less than a second”, - “it will be the fan who chooses how to enter the stadium, always having the option of using the physical card, the digital season ticket on their mobile phone or biometric access”, -“… following the protocol set by La Liga, a first turnstile with biometric access will be opened at gate 7 of the stadium”, “Initially only members who enter through gate 7 will receive the link to register”. - “user registration can be completed via mobile phone, following the steps that the system will indicate and taking a photograph of both the membership card and the ID.” “Once the registration process has been completed, the system will recognize the member in all the matches of the season without having to repeat the process.” C.A. OSASUNA stated that, on the occasion of the next match, on 04/22/2022, the number of access gates that have terminals for the operation of the System was expanded, at gates 3, 8, 10, 11, 16, 21 and 27, thus completing the eight gates initially planned. (ONE of the turnstiles at each gate having been enabled for this purpose. To use it, you must register beforehand). Attached as DOCUMENT NUMBER 3 is the “newsletter” from C.A. OSASUNA states sent to members on 04/09/2022, with information that also includes that “Registration does not prevent you from accessing the day you want with your physical card or with the subscription on your mobile”, or that the SBRF “will allow you to access, even if you have forgotten your card, since you will not need to carry it with you to enter”. DOCUMENT 4 is included, a newsletter that C.A. OSASUNA states sent to members on 04/18/2022 that contains an infographic on the explanation of registration and the messages that appear on the device. There is a link tab to start the activation process (step 1) (registration landing page), “access the following link to start the activation process” - Activate (in the tab) showing the steps: 2 “start the process and accept the terms and conditions of the processing of your data”, with a drawing of a mobile device that appears in all the steps, and “digitalization of the subscription - start digitalization”. 3 “Enter your ID and your email address to begin the process”. The “enter your data” screen will appear, the first box to enter the DNI number including the letter, the next box for the email, and two boxes to tick: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/128 The first: “I expressly consent to the processing of my personal data, including my image for the generation of a facial vector using an artificial intelligence system that allows my identification at the time of access to the stadium.” The second: “I have read and accept the Privacy Policy,” with the Privacy Policy highlighted to create a link. Below the second box, to tick, there is a START key and a Cancel key. 4. “Take a photo of the QR code on your club membership card” On the mobile device used to carry out the operation, there is a space for “Scan your membership QR code. Place the QR code on your membership card in the square so that the camera can scan it.” 5. “Take a photo of your ID card from the front and back.” Place the front of your ID card in the square.” 6. “Take a selfie” “Place your face in the oval and perform the movements indicated.” 7. “The system verifies that the photo on your ID card matches the features and identity of the person who took the selfie.” A message appears on the mobile device screen that “It's almost there...” with a message that preparations are being made to allow access to the stadium with SBRF. 8 “The system verifies that the data provided matches that of the subscriber who is registering in the system and informs whether the process has been carried out correctly” “the process has been completed successfully”. At your usual access gate you will find duly marked fast access turnstiles with facial recognition.” C.A. OSASUNA states that there is information on “QUESTIONS AND ANSWERS regarding the new access system to the El Sadar stadium” available from the Club website, which it provides as DOCUMENT 5. It can be seen that it does not have a date, but it informs that the new system will be available for gate 7 in the match on 10/04, and that for the next match on 20/04 until the end of the season, access turnstiles by SBRF will be enabled at other gates. It is also noted that it indicates, among other aspects, that “the activation process can be accessed from this link https://osasuna-socios.app.das-gate.com/”, and that the activation process requires “your mobile phone, your Osasuna season ticket and your ID”. In “How to activate access with DAS-GATE?”, it also refers to the Tablet or computer, accessing the website www.osasuna.es “where you will find a communication with the system information and a button to start the activation process, https://osasuna-socios.app.das-gate.com/ the explanations coinciding with DOCUMENT 4, already seen. It is reiterated: “will I be able to continue accessing with my season ticket? Yes, you will always be able to choose how to access the stadium. Access with DAS-GATE is just one more option available to you to enter El Sadar” and that “the new system will be optional and voluntary, while the rest of the access methods that have been used until now will remain available”, “you will always be able to choose how to access the stadium”. It is also reported that “you can unsubscribe at any time from the user area, at C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/128 cancel account.”, as well as the management by DAS-GATE and that they have carried out a EIPD. In “what advantages does it offer?”, it is indicated, among others, that “this type of access allows control that it is you who uses the subscription. Enjoying the match with the peace of mind that all the people present have the relevant permits is a benefit for everyone”, and “This new access system strictly complies with the General Data Protection Regulation and is endorsed by the League”. C.A. OSASUNA states regarding the end date that: “Considering the objective of the System to facilitate biometric access to the stadium to those fans who freely wish to do so, there is no pre-established end date for the processing”. 1.2 Purposes and bases for legitimation of the processing activities (art. 6 RGPD). If applicable, reasons for lifting the general prohibition of processing special categories of personal data (art. 9 RGPD). It reiterates that: -The System offers its fans a complementary method of access to the stadium to those currently existing (and which can continue to be freely used by the fans), consisting of the recognition of biometric vectors of those Club members who wish to use the System, instead of those derived from other conventional means such as, for example, reading the QR code of the member card or the NFC chip. In no case will members be obliged to use the System to be able to access the venue. - “even when a member has registered in the System, he/she may decide at each match he/she attends the means of access to the stadium that he/she deems appropriate, being able to opt for biometric recognition or for any of the other access procedures or methods that C.A. OSASUNA makes available to him/her. -The user may, at any time and immediately, revoke the consent given, as will be indicated elsewhere in this document.” It states that: -“The purpose of the processing is to guarantee Osasuna fans who have freely decided to do so access to the stadium through facial recognition, as a non-exclusive alternative to the different means of access made available to them by the Club. -“Firstly, specific and free consent is required in all cases so that the user can register in the System, so that subscribers are entirely free not to do so, and may continue to use the remaining means of access made available to them by the Club, under the same terms as they have done so until now. To do this, two processing activities are carried out: ● The one related to the registration and verification of the user's identity by the System, in order to include him in it and generate his biometric vector. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/128 ● The reference to the corresponding biometric control of access to the stadium at the time of each event, through its identification in the System.“ -“With regard to the basis of legitimacy for the treatment, it analyzed, first of all, the applicability to the System of the provisions of article 9 of the RGPD, taking into account that it implies the processing of biometric personal data for identification purposes (1:N).This analysis concluded that this provision was applicable, so that, together with the concurrence of one of the legal bases provided for in article 6.1 of the RGPD, it was necessary that one of the exceptions to the prohibition provided for in article 9.2 of the RGPD be applicable to it.” As indicated, the use of the System is constituted as an option that fans may choose freely and completely voluntarily. For this reason, given that only the data of those interested parties who request it will be processed, without conditioning said authorization on access to the stadium, the processing is covered by the provisions of articles 9.2 a) and 6.1 a) of the RGPD, that is, by the explicit consent of the interested party to the processing of their biometric data.” The EIPD provided, analyses the concurrence of the requirements required for the validity of the consent in its section 5.2.3 (in particular, its character of manifestation of free, specific, informed and unequivocal will), as well as the viability of this basis of legitimation in the processing of biometric data, concluding on the validity of said legal basis. Literally, the EIPD states, within section 5 “Legal basis of consent”, after indicating that consent must be lawful for which it is required to comply with one of the legal bases of article 6.1 of the GDPR, it goes on to analyse whether there may be any cause that lifts the prohibition of processing, because it is special data, “given that only in the event that one of the prohibitions is applicable would the study of the legal basis of processing make sense”. In the following section of the EIPD, 5.2.1, it specifies that “the application of facial recognition techniques for biometric identification, and the subsequent processing of the personal identification data of the interested party linked to his or her facial pattern, or simply of the latter, has usually been the subject of analysis within the framework of the action of public surveillance and security. Therefore, since such surveillance is based on systems that do not allow users to be discriminated against (i.e., the facial pattern of all persons who are exposed to the recording or collection of data by a particular device is collected), consent is not analyzed in these cases as a legal basis for processing, since it is not possible to obtain it or compliance with the requirements for it is clearly compromised (for example, consent cannot be considered to be given by the mere fact of crossing the area where the data is collected and, at the same time, such consent is hardly free, since the data will be collected in any case, without the interested party being able to refuse it or revoke an alleged consent given).” The DPIA considers that, based on the analysis of, for example, the EDPB Guidelines 3/2019 adopted on 29/01/2020, on the processing of personal data by means of video devices, the existence of cases in which consent could be an adequate legal basis for the treatment is inferred, which in its point 77, within section 5.1 “general considerations for the processing of biometric data”, indicates: “77. The use of video surveillance, including the biometric recognition function installed by private entities for their own purposes (e.g., marketing, statistics or even security), will require in most cases the explicit consent of all interested parties [Article 9, paragraph 2, letter a)]; However, another suitable exception to Article 9 could also be applied,” and gives the example: “In order to improve its service, a private company replaces the passenger screening and identification points within an airport (baggage drop-off, boarding) with video surveillance systems that use facial recognition techniques to check the identity of passengers who have chosen to consent to such a procedure. Since the processing falls within the scope of Article 9, passengers, who have previously given their explicit and informed consent, will have to be included in an automatic terminal, for example, to create and register their facial template associated with their identity card and their boarding pass. Facial recognition screening points must be clearly separated, for example, the system must be installed in a gantry so that the biometric templates of the person who has not given consent are not captured. Only passengers who have previously given their consent and proceeded to register will use the gate equipped with the biometric system.” The EIPD considers that, even if it is an identification system and not an authentication system, in its system, also an identification system, the interested party can freely decide to undergo the treatment, without negative consequences, "that is, the comparison system is still 1 to "n", in which "n is limited to those interested parties who voluntarily and freely decide and consent to the performance of the treatment" The EIPD considers that the consent is valid based on Guidelines 5/2020 of 05/04/2020, on consent within the meaning of Regulation EU 2016/679, or on the legal report of the Legal Office of the AEPD (G.J. of the AEPD) 36/2020, since it does not entail any disadvantage or harm to those who do not give it, or withdraw it. Both means (referring to access) will be essentially equivalent except for the intrinsic benefits of each of them, for example, the greater or lesser speed of access. It reviews the elements of consent, indicating in the EIPD, page 38, 5.2.2., that the Club does not benefit those who opt for one access system or another, “without prejudice to promoting the use of this access system, given its novel nature, both means being essentially equivalent except for the intrinsic benefits of each of them - for example, the greater or lesser speed of access”. It estimates that it meets all its requirements and in its final section, 5.2.3 indicates: “Therefore, it can be considered that the treatment is validly covered by the establishments of article 9.2.a) of the RGPD. The consequence of the above is that, since the consent required by article 9.2 a) is reinforced with respect to that established in article 6.1 a) as a general legal basis for the processing of personal data, it must be considered that said consent is also subsumed in the content of this last rule, so that, in addition, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/128 processing will have the legal basis established in article 6.1 a), thus complying with the principle of legality.” 1.3 Proportionality judgments made for the execution of activities through the processing of biometric data. He replied that it is contained in section 6.4 of the EIPD, first analyzing the fact that the processing of the biometric data of the interested parties “is suitable for achieving the purpose of recognition for access control - following the doctrine established by the AEPD in the resolution of procedure PS/ 00120/2021 (Mercadona case) and in the report of the Legal Office 47/2021”, “showing that the system, unlike those analyzed in the aforementioned AEPD documents, would be based on consent, thus not producing recognition except for those fans who so request and freely authorize it”. -Section 6.4.3 of the EIPD, framed in the analysis of the principle of data minimization, and more specifically, of the "criteria in relation to the application of the principle of minimization in the processing of biometric data (6.4.2), indicates that "the following must be taken into consideration to assess the necessity and proportionality of the processing:" A-The processing will be limited only to those who voluntarily wish to use this procedure, it is not indiscriminate or massive, preserving the alternative means of access. B-The processing involves an identification process, "and not an authentication process, which would be less invasive, although: it occurs on vectors and not directly on images or on biometric information and the search for matches between vectors would not be limited to all persons who access the stadium." C- Facial recognition is not carried out remotely and in areas completely open to the public, but the identification process takes place a few centimetres from the machine in front of which the user must be located less than ONE metre from the terminal so that their data can be captured, making it impossible for other interested parties who do not have the specific intention of accessing the sports venue through the solution to try to “vectorise” the data. D- “Data will only be processed on the basis of the consent of the interested parties who freely wish to use the solution, which must be weighed favourably for the purposes of verifying the proportionality of the processing, given that it is possible to appreciate from the own conduct of the interested party, the concurrence in the processing of a mutual benefit for the Club and the person, which speeds up access to the stadium”. E- The use of the solution is limited to subscribers over 14 years of age under Article 7 of the LOPDGDD in connection with Article 8 of the RGPD - the age will also be verified during the registration process, when the scanned image of the DNI is processed. - It adds that this occurs within the framework of Article 11.1 of the Anti-Violence Law, which establishes that "all sports venues in which state competitions of a professional nature are held must include a computerized system for controlling and managing ticket sales, as well as access to the venue." C.A. OSASUNA considers that the treatment passes the triple test of suitability, necessity and proportionality, indicating that: “Indeed, the data processing carried out for registration in the solution is, as will be seen later, suitable for carrying out this registration process, by allowing full identification of the subscriber. Similarly, the treatment of the facial vector is suitable for facilitating access to the El Sadar stadium through the readers incorporated in addition to the entrance turnstiles, by simply reading the image of the interested party and comparing it with the aforementioned facial vector. Secondly, the processing is necessary to achieve the purpose pursued by the processing, which is to facilitate access to the sports venue for OSASUNA subscribers who so wish through a fast and simple procedure. Certainly, at this point, it is possible to achieve the purpose pursued (access to the El Sadar stadium) using a less intrusive means (the use of traditionally used means, such as the use of a QR code reader incorporated into the subscription). However, the implementation of the processing analyzed in this DPIA does not prevent the use of this option. That is, the interested party can freely decide, without affecting their rights as a subscriber in any way, to opt for one or another treatment for access to the stadium. In this way, the need would be linked in this case to the will of the subscriber, which cannot be satisfied using a less intrusive means of access. Finally, as regards compliance with proportionality, it is necessary to bring up what was pointed out by the AEPD in the documents reproduced above, in the sense that this principle would be breached in the event that the subscribers were forced, without any possible alternative, to access the premises through the procedure described and it was not possible to assess the concurrence of “more benefits or advantages for the general interest than damages to other goods or values in conflict”. However, in this case it is the subscriber himself who weighs up the preference between one or the other system (at the time of registration and, additionally, at each access) and the prevalence of his particular interest over the rights that he might consider affected, without his personal integrity being affected…).” -C.A. states. OSASUNA, that the principle of minimization would be fulfilled, as stated in point 6.4.5 of the EIPD “concluding that, given the terms of operation of the System, the requirements of article 5.1 c) of the GDPR are met both in the process of registration of the interested party who freely decides to do so and in the control of access by the same to the stadium, if he wishes to use the aforementioned System. In any case, in section 2 of the EIPD the data flows generated as a consequence of the System are detailed.” C.A. states. OSASUNA, that: “In addition, the data processor DAS-GATE provides additional technical guarantees, such as: -It presents controlled vectorization measures in the registry -It maintains security measures against unwanted interference -It complies with official certifications C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/128 -As the Solution is a model based on Artificial Intelligence, the non-traceability of facial features –reversibility- is reinforced with respect to previous or less advanced software and models. Consequently, in accordance with the information provided in the Descriptive Document, this would imply that the biometric vector resulting from the facial image collected will be linked to the Solution without another facial recognition system being able to reverse the vector. That is, the mathematical vector cannot be interpreted with the purpose of extracting information from the initial interested party, resulting in practically a hash of the interested party's facial image. In particular, in accordance with the information transferred by DAS-GATE, each DAS-GATE biometric engine and even each version of that biometric engine is unique so that the vectors derived from the Solution are not interoperable with other versions of the software.” 1.4 Where applicable, legal protection for the processing of personal data relating to criminal convictions and offences (Article 10 of the GDPR and the LOPDGDD) and where applicable of personal data relating to administrative offences and sanctions (Article 27 of the LOPDGDD). He responded that the system does not collect data on these matters. 1.5 Procedures followed to comply with the duty of information (Articles 13 and 14 of the RGPD). Evidence of compliance. He replied that “since the personal data is collected by the Club, directly from the interested party at the time he decides to register in the System, information is provided in layers.” With regard to the time at which the information is provided, the Club, at the address www.osasuna.es/acceso-biometrico-a-el-sadar, makes available to the interested party basic information about the procedure adopted, as well as the most frequently asked questions in relation to the System, offering the interested party the possibility of continuing the process through a link to the DAS-GATE portal. It states that “Once the interested party has entered the DAS-GATE portal, through which the registration process will take place, the basic information regarding the treatment is reflected, which is provided as DOCUMENT 6, which includes a link to the second information layer that is incorporated in the privacy policy available on the OSASUNA website, which is provided as DOCUMENT NUMBER 7.” It can be seen that DOCUMENT 6 is called: “treatment of access control data to the facilities by facial recognition”, and the following information is listed as most notable: “Responsible party: C.A. OSASUNA Purpose: access control using a facial recognition system Legitimation: consent of the interested party article 6.1. a) GDPR and article 9.2.a) express authorization for the processing of images using an artificial intelligence system, facial recognition, generating a vector that allows the identification of the user for the control of access to the facilities. Recipients: no transfers of data to third parties are planned. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/128 Rights: you have the right to access, rectify and delete data, as well as other rights, indicated in the additional information, which you can exercise by contacting lopd@osasuna.es and dpo@gfmservicios.com, clicking on the link on the website and the member portal “exercise of ArSol rights”. Additional information; You can consult additional and detailed information on Data Protection here https://www.osasuna.es/privacypolicy”, which then contains a tab to accept and another to reject. C.A. OSASUNA states that “this information includes the consent box relating to the processing, which the interested party must check if they choose to give their consent, having been previously informed of all aspects of the processing. Reading this information is mandatory in order to continue the process.” C.A. OSASUNA states that “Once consent to the processing has been given, the OSASUNA consent manager sends the subscriber an email (a copy of which is provided as DOCUMENT NUMBER 8) in which the subscriber is provided with the technical details of the consent granted, as well as the privacy policy linked to the processing of the data consented to by the subscriber, with said remission being recorded. In this way, the interested party not only accesses the privacy policy at the time of registration in the System, but also personally receives the aforementioned policy, so that it can be used at any time. In any case, the way in which OSASUNA informs interested parties about the processing of their data is analyzed and detailed in section 7.1 of the EIPD provided. “ It can be seen from DOCUMENT 7, “last update date January 2022”, second informative layer, also includes the designated DPD and their email, the purposes are defined more broadly, indicating that “the personal data of the subscribers are processed for the purpose of digitizing them and verifying the identity of the subscriber, with the aim of registering them in the DAS-GATE system, a contracted provider.” “(REGISTRATION OF THE SUBSCRIBER) The data to be processed for this purpose will be the data provided by the interested party (identification data), as well as the National Identity Document, the image obtained from a selfie of the interested party and the contents of the QR code of the subscription (subscriber and ID number, as well as access ID), and (BIOMETRIC ACCESS): personal data will be processed for the purpose of allowing access to the Club Atlético Osasuna stadium through facial recognition, an alternative entry system that allows strengthening the security of access to it, as well as speeding up entry to it, facilitating this for the Club members. LOG IN to the das-Gate portal (IS) – the personal data of the interested parties will be processed so that they can identify themselves and access the Das-Gate portal, so that they can manage access through facial recognition associated with the subscription, being able to request cancellation of this service or the transfer of the subscription, in those cases where this is permitted.” The retention period states that “The identification data of the member will be kept for the duration of the process for generating the corresponding vectors, being automatically deleted by the computer systems at that same time. The irreversible vectors, as well as the access IDs and the user ID (created by the member), will be kept until the interested parties request their deletion, unless C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/128 other legally established provisions apply. In any case, the data will be deleted if the user ceases to be a member of C.A. Osasuna or assignee of a Club membership.” “You may exercise your rights through the private area of each user on the DAS-GATE portal” “You have the right to withdraw this consent at any time.” “Data processed - Member identification data (ID of the holder, front and back) - Member email address - Member subscription QR code data (ID, number of subscribers and access ID) - Member number - Member image - “Vector” algorithm of the member image - User ID on the Das Gate platform”. Document 8, on the other hand, consists of an email informing the subscriber member with a link to the privacy policy and the possibility of exercising their rights, containing the IP, ID and email and the date on which they have given their consent, as “proof of consent”. 1.6 Periods of conservation of personal data (obtained from the registration process, and from the identification process, whether positive or negative) or, when not possible, the criteria used to determine this period. Evidence of compliance. He responded that “in order to determine the conservation periods, it will be necessary to distinguish between: ● The data subject to processing during the subscriber registration process. - as for the data that is processed in the user registration process, its conservation will be strictly limited to the period in which the verification of the subscriber's identity takes place to carry out his registration in the System, given that the only purpose that justifies this processing is to achieve the aforementioned verification as a previous step to carrying out the registration and the generation of the subscriber's facial vector from his selfie photo. -On the other hand, regarding the image collected for the generation of the aforementioned vector, this is deleted once it is verified that it corresponds to the one that appears on the DNI provided by the user, having generated the corresponding facial vector. In this way, upon completion of the registration process, the System only retains the subscriber's facial vector, without associating it with any identifying data that appears on his DNI or on his subscription, or with the data provided by the interested party in the registration process. The System only retains (i) the facial vector; (ii) the anonymous access identifier corresponding to the subscription, for the exclusive purpose of avoiding duplications in its use; and (iii) the hash of the user identifier in the System, which is collected for the exclusive purpose of serving as the first authentication element for secure access C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/128 by the user to the DAS-GATE portal, in order to be able to interact with the System (for example, to proceed with the deregistration or exercise their rights). These data will be kept as long as the interested party does not revoke the consent previously given or continues to hold the status of OSASUNA subscriber, proceeding to its deletion in case of revocation or cessation of the status of subscriber. The revocation of consent may be carried out directly and at any time by the interested party from the user portal.” Manifiesta C.A. OSASUNA that “In the event of one of these circumstances occurring, the data will be blocked, in accordance with article 32 of the LOPDGDD, for a period of 3 years, coinciding with the maximum period of prescription of violations in the field of personal data protection, in order to be able to respond to possible liabilities derived from the treatment. Attached, as DOCUMENT NUMBER 9, is a copy of the screenshots referring to the exercise of rights on the OSASUNA website with the title “exercise of ArSol rights”, consisting of a form to fill in “exercise of ARSOL rights”. It is reported among other aspects that “If you have given your consent for a specific purpose, you have the right to withdraw, revoke, the consent given at any time…”. At the bottom there is a drop-down menu with the rights that are exercised and a field to fill in “message”. It requires as mandatory for its exercise, the email, mobile, ID, name and surname and ID IMAGE, which must be selected as a file for attachment. ● The data that is processed for the purpose of facilitating your access to the stadium. "It is explained in greater detail in another section" (response to point 2.3 of this writing). The System does not store the image captured by the reader located at the entrance to the venue or the facial vector generated from it, which will only be processed and kept for the minimum time essential to carry out the identification of the subscriber as such. In this way, only the information related to the fact of access will be stored (i.e. records (logs) of successful identification and acceptance or denial of access, associated with anonymous identifiers), but in no case the image captured, or the facial vector associated with it. The data relating to the records (logs) linked to the identification and access to the stadium will be kept until the beginning of the season following that to which the stored access refers, at which time it will also be blocked for the period of three years mentioned above. 1.7 Where appropriate, determine the recipients or categories of recipients of the personal data collected by virtue of these treatments. The data subject replied that no data transfers to third parties are planned. In order to carry out the data processing for access by facial recognition, they signed a contract under the provisions of article 28 of the GDPR in order to provide OSASUNA with a service consisting of the processing of the subscriber's identification data and the generation of their facial vector, with the information remaining stored on C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/128 their servers, without the Club's servers storing any information related to the development of the System. The aforementioned system use license agreement (software and hardware) is provided as DOCUMENT NUMBER 10, and in ANNEX I the contract of assignment 1.8 Determine the existence or not of automated individual decisions in the terms described in article 22 of the GDPR and, if applicable, describe the logic underlying the decisions and the data involved in the process, and “Specify whether the processing activities involve international transfers of personal data and, if so, detail the guarantees applied” The data controller responded that “the data collected are in no case subject to processing for the adoption of automated individual decisions. At the same time, the processing of the data is carried out in its entirety in the European Economic Area, with no international transfers of personal data occurring.” 1.9 List of entities involved (data processors) in the procedure with an indication of the role of each one, the set of personal data to which they have access, the guidelines that have been provided to them, and the commitments they have acquired in relation to the operation of the system. He responded that: “The personal data that will be subject to access by DAS-GATE are the following: (i) National Identity Document number; (ii) image of the front and back of the National Identity Document; (iii) subscriber number; (iv) email address; (v) selfie photo; (vi) proof of life consisting of an image of the interested party in motion; (vii) data from the QR code of the member's subscription (ID, subscriber number and access ID); (viii) “Vector” of the image; and, (ix) User ID on the DAS-GATE platform.” For its part, DAS-GATE has signed service provision agreements with two entities, which act as sub-processors, under the terms established in article 28 of the GDPR, which are: a) VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, S.L., as a provider of document validation and biometric recognition technology. b) ***EMPRESA.1 (hereinafter, “***EMPRESA.1”) as a provider of (…) and (…) The services provided by these entities are located within the European Economic Area (more specifically, in Spain, Ireland and Germany) and therefore no international data transfers take place. Regarding the relationship formalized between DAS-GATE and VERIDAS, the contract for the use and distribution of platforms signed between VERIDAS and DAS-NANO, S.L. is provided as DOCUMENTS NUMBERS 11 and 11 bis, as well as the agreement for the transfer of the cited contract formalized by DAS-NANO, S.L. and DAS-GATE, by virtue of which the latter holds the status of licensee in relation to the System. On the other hand, the terms and conditions signed by DAS-GATE in relation to the service provided by ***EMPRESA.1 are provided as DOCUMENTS NUMBERS 12 and 12 bis, as well as the agreement for the assignment relating to the processing of personal data carried out by the aforementioned provider. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/128 2. Documentation/Description of the biometric data processing system or systems used in each of the activities referred to above, which includes, at least, the following information: 2.1- Architecture of the system with an indication of the places where each element is located and executed. He responded by providing a schematic drawing showing the process and flow of data: “both in the phases of registration in the system and access to the stadium. Likewise, the way in which the user registered in the System can interact with it is detailed, revoking his consent or exercising the rights established in the regulations for the protection of personal data” Accompanying the diagram-graphics: “Registration process-Digitalization of season ticket”, to the right: “Access to the stadium”. Below: “Access to the Club's DAS-GATE portal” and to the right “Exercise of rights”. The diagram-drawings contain boxes with arrows, which indicate where this information/data goes. By not describing them literally or explaining them, C.A. OSASUNA, are described below: In the “Subscription digitalization-registration process”, we start with a box that contains: “ID, SELFIE, QR subscription card” with an arrow towards another central box called “Subscriber identity validation: ID, SELFIE, QR subscription card” below the box it says: “deleted in seconds”. From “validation…” two arrows emerge, - one to a box “ID, SELFIE, QR subscription card blocked data”, from which no arrow emerges. -another, to the box with a cloud symbol: “facial vector, access ID, user ID hash + operation logs” with the note below: “data required for operation”. From this box, an arrow emerges to the diagram of the following process: “ACCESS TO THE STADIUM”. In this process, from the “facial photo” action, an arrow goes to the box: “Facial vector, access id + operation logs” that has a drawing next to a device that captures the face. From this, an arrow goes to the “Access ID” box, from which another arrow goes to the “Door opening” box. The graph below contains the process: “access to the DAS portal: GATE of the Club”, it originates with the “User ID, SELFIE” box, with an arrow to the box called “Subscriber authentication:”, which contains the pair “User ID, user ID hash”, and “SELFIE-facial vector”. The box has an arrow that comes to it, coming from the “User ID HASH- Facial vector” box with the cloud symbol, and from the “subscriber authentication” box an arrow that leads to “portal access”. The last graph, “exercise of rights” Explains the types of data “in the system”: - “personal data of users”, “from the content of the member’s subscription and the process of digital verification of identity”, in its facets of: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/128 a) Generation: web services deployed in the cloud. b) Storage: Encrypted data in databases in the cloud and images temporarily stored in S3 storage in the cloud. These are used only for identity verification and generation of the biometric mathematical vector (embedding) and are automatically deleted after the retention time previously agreed with the client. c) Distribution: none. d) Access: Both (...) and (...) are not publicly accessible and only DAS-GATE services can consume them. The databases are located in (…) network. The images are stored (…). At a logical level, both services are protected by mechanisms (…) to ensure that the information is only (…). - “Credentials: anonymized credentials belonging to users: embedding and user identifier for La Liga access control. a) Generation: web services deployed in the cloud. b) Storage: vectors are stored in an encrypted database in the cloud. c) Distribution: (…) to databases in (…). Secure communications (…), exchange of (…) and algorithms (…). Authentication of the connection (…). - Observability: information about the events that occur in the System (status of the services in information about their use, warnings, possible errors, etc.). This information is sent from the different services (…) authenticated to a database in the cloud that is only accessed by the display service (…).” 2.2- Registration process of the persons to be identified with an indication of the categories of interested parties and the categories of personal data collected. Also indicate the number of stored persons who will be subject to detection by the system. Respond through “description of the registration process in the System” that is included in the EIPD, section 2.1 and following. “To register in the system, the subscriber must enter the OSASUNA website, where there will be an information screen of the system’s functionalities, as well as a button that will allow them to start the process. If they request the start of the process, the user is redirected to the DAS- GATE website, where the process will be developed. When accessing this website, the interested party is presented with the terms and conditions regarding the processing of their data, which they must accept. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/128 You will also be asked for data regarding your National Identity Document number (hereinafter, “DNI”), subscriber number and an email address, and the registration process will begin. These data will be collected and stored directly on DAS-GATE’s own servers, with no data processing taking place on OSASUNA’s servers, which will be limited to redirecting interested parties to these. However, the email address, as well as the accreditation of the effective provision by the interested party of the consent to the treatment by the subscriber will be immediately transmitted to OSASUNA, so that the requests for the exercise by the interested parties of the rights established by the data protection regulations can be adequately managed through it. The accreditation of consent will be kept on the Osasuna servers through a software application integrated into the "consent manager" process, thus recording all the consents of the interested parties for their subsequent management by the Club. This complies with the requirements provided for in the RGPD for the accreditation of the effective provision of consent by the interested parties. Also, at this stage, the interested party must show the image of the QR code existing on their subscriber card. This Code contains information about the subscriber's ID number, their subscriber number and their access identifier. The system extracts the data corresponding to the DNI number and the subscriber number and compares them with the data previously entered by the user in order to verify their identity. Once the aforementioned verification has been carried out, the user takes a screenshot of the front and back of their DNI, and then requests a selfie with their mobile phone, as well as a “proof of life”, consisting of a movement in front of the camera of their mobile phone, in order to ensure that it is a living person and not a static image. The system then proceeds to check the facial patterns of the DNI photo and the selfie photo, proceeding to terminate the process if the comparison gives a positive result. At the same time, by taking the selfie photo, the facial vector of the interested party is generated, which will be processed and stored by DAS-GATE, in order to allow the identification of the interested party and the access of the interested party to the stage in the development of the second phase of the treatment. -“Likewise, in this phase the subscriber will also be asked to create a user identifier in the platform created for the development of the Solution. The purpose of the creation of this identifier will be: ● In general, the establishment of a first authentication element that will allow verification of their identity in the DAS-GATE portal. ● Likewise, the identifier will allow the future management by the interested party of their subscription within the application, particularly in cases where the transfers of the same will be carried out, in the terms analyzed in section 2.4 of this DPIA, or the cancellation of their registration in the DAS-GATE system. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/128 The system will instruct the subscriber about the characteristics that their user identifier must meet to ensure its robustness (for example, that it may consist of an alphanumeric code with certain characteristics). The user identifier will be encrypted (…) by DAS-GATE, and will be stored on its servers. In any case, the system will issue a message informing whether the user registration process has been successful. “ -“Through these operations, the system verifies that the person who is registering is the holder of the subscription used for registration, given that: ● The National Identity Document number entered is verified with the one included in the QR Code of the subscription card and the document shown for identity verification using their photograph, so that all three match. ● It is verified that the membership number entered by the user corresponds to the QR code on the membership card. ● It is finally verified that the person who carries out the process is indeed the holder of the pass, by authenticating their facial pattern with the one that appears in the photograph of their National Identity Document. -Additionally, in relation to the generation of the facial vector, it will be carried out through a model based on Artificial Intelligence and, more specifically, on neural networks developed by VERIDAS. In this way, the mathematical vector is not generated as a consequence of the mere measurement of points of the subject's biometric characteristic, but from Artificial Intelligence algorithms, linked where appropriate to other possible components of the model. This development implies that the vector resulting from the application of the engine used in the development of the Service does not correspond to that which could result from the use of a different artificial intelligence engine or even from the one derived from the use of a different version of the engine used, given that each version of the biometric engine is unique, which prevents the mathematical vectors derived from the Service from being used by other engines. Thus, in this model with Artificial Intelligence, not even the expert engineer who designed the system would be able to interpret the mathematical vector with the purpose of extracting information from the individual to whom this vector refers. Therefore, in the current state of the art, it would be impossible to extract, from the vector, information about the individual to whom it belongs or that allows him to be identified, and in particular the image (selfie photo) from which the facial vector has been obtained. At the same time, the documentation provided shows that the reliability and precision of the model based on neural networks reaches (according to the analyses carried out through laboratory tests, external evaluations, etc.) 99.8%, compared to the precision of 95% of traditional models based on the recognition of distances from certain facial points. Likewise, the data used once the Service is operational are not used for any purpose other than the identification of the interested party by C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/128 comparison with an image of the same, without being kept for any other purpose and without being used for the training of the model itself. In this way, the image from which the facial vector comes is deleted from the system as soon as the process of generating the said vector is concluded. To this end, as indicated in the documentation provided: ● For the training of the systems, VERIDAS makes use of public databases intended for these purposes or, failing that, of private databases created by the entity obtaining the consent of the subjects for this specific purpose. ● In relation to the above, it should be noted that in no case are the data that are being processed by the biometric engine for the provision of the identification or authentication service in production used for the automatic training of the system. There is no training of the system during the identification or authentication of users in production. The biometric engine does not contain any data of the employees for its training. The engines are a set of algorithms derived from the precise training carried out in the development stages of the technology, but do not contain personal data” -“Thus, with regard to the categories of interested parties, OSASUNA processes the data of the Club's fans whose season ticket allows them to access through one of the stadium gates in which a biometric access terminal is installed and who have voluntarily registered in the System. On the other hand, regarding the categories of personal data subject to processing, it follows from the above that they are the following: ● Identification data of the member (ID of the holder, front and back). ● Email address of the member. ● Data from the QR code of the member's season ticket (ID, number of subscribers and access ID). ● Member number. ● Image of the member. ● “Vector” algorithm of the partner's image. ● User ID on the DAS-GATE platform.” Finally, in relation to the number of people who are registered and therefore can be identified by the System, as of 03/06/2023 it is (…). 2.3- Process of comparing the data captured with the registered data, indicating the guarantees of accuracy and the moment or moments in which it is executed (in real time, on C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/128 recorded images, etc.). It is also requested to provide the list of data resulting from the comparison process, whether the result of the comparison is positive or negative, determining, in each case, the actions to be carried out (registration, communication, deletion, etc.). He responded that “the biometric comparison process is as follows: (i) “When a biometric access attempt occurs, the frame captured by the camera of the person who activates the System is taken when he or she is less than one meter from the screen and in front of it; (ii) A face detection inference is made on said frame. (iii) If the detected face exceeds a sufficient threshold of size and proximity to the biometric terminal, and quality in the detection, it is processed in such a way that the mathematical vector calculated by the neural network is generated. (iv) The vector calculated for the face detected on the camera frame captured at that moment is compared based on mathematical distance with the vectors that are registered for users registered in the System. It should be noted that current biometric technology does not make these comparisons based on characteristic points of the face, such as the size of the mouth, the distance between the eyes or the curvature of the ciliary arch. (v) The person present in front of the camera at that moment is considered to be identified as one of the registered persons when the similarity between both vectors (the one registered and the one processed at that moment) exceeds the established threshold. (vi) In addition, inferences are made to determine whether that face is authentic and is not an attempt at impersonation (such as, for example, presentation of a printed image, use of a mask, presentation of an image or video from a screen, etc.). Therefore, for an ongoing biometric access attempt, the person will only be identified as registered if all the above requirements are met: 1) a sufficiently close face is detected (less than ONE meter away from the terminal), with sufficient size and quality, in the frame being processed, 2) the degree of similarity between the mathematical vector calculated for the detected face and the vector recorded for the registered user is met, and 3) it is also considered that this is not an attempt at impersonation. Once the interested party has been authenticated by identifying their facial vector, an access request will be sent to the server in charge of operating the turnstiles at the entrance to the stadium. This access request consists of communicating to the server that an anonymous access identifier is located at the terminal and has been authenticated according to the previous process. These servers are managed by the Sociedad Española de Fútbol Profesional, S.A.U. (hereinafter, “SEFPSA”), which acts in the development of this activity on behalf of OSASUNA, which has entered into the corresponding contract with the latter as data processor under the terms established in article 28 of the RGPD. Thus, the transmission of this data is only carried out between OSASUNA data processors, without constituting a transfer of personal data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/128 In any case, it is necessary to indicate that the aforementioned data processor does not at any time access or process any biometric data, limiting the processing of the anonymous access identifier, in order to proceed to activate the corresponding turnstile and check that there is no duplicate use of the subscription, without providing any data related to the subscriber's facial vector or any other information that allows their identification. Once this information has been received, if the use of the ticket for access to the event in which the access request is made is not already recorded, the acceptance of access will be confirmed by activating the turnstile at the entrance to the premises and proceeding to open it. When the terminal tries to identify the user who has placed himself in front of it (as previously explained), the following logs are recorded: 1) date-time, 2) identifier of the biometric terminal, 3) anonymous identifier of the user most similar to the face being identified, and 4) biometric similarity score obtained. If the biometric similarity score exceeds the established security threshold (positive comparison), the System shows the user on screen the message of successful identification. In parallel, the System sends the access request to SEFPSA, sending only the associated anonymous identifier. The sending of this request is also logged by the terminal (date-time, terminal identifier, anonymous user identifier recognized). When processing the access request sent by the biometric terminal, SEFPSA decides whether or not to authorize the user's access and acts directly on the turnstile, commanding (or not) its opening. SEFPSA does not inform the biometric terminal of its authorization decision. It should be mentioned at this point that SEFPSA, upon receiving this request, cannot distinguish between requests received from biometric terminals and QR or NFC readings; that is, it does not know how the user has been authenticated. SEFPSA "at no time accesses or carries out the processing of any biometric data, limiting itself to the processing of the anonymous access identifier, in order to proceed to activate the corresponding turnstile and check that there is no duplicate use of the subscription, without providing any data related to the subscriber's facial vector or any other information that allows their identification. Once this information has been received, if the use of the pass for access to the event in which the access request is made is not already recorded, the acceptance of access will be confirmed by activating the turnstile at the entrance to the premises and proceeding to open it. If the biometric similarity score does not exceed the established security threshold (negative comparison), the System displays the message on the screen of unsuccessful identification to the user and does not send any access request to SEFPSA. It is expressly indicated that the established security threshold is (...). That is, it will be necessary to exceed this threshold to consider that the comparison is positive. If the comparison yields a lower result, it will be considered a negative comparison. The VERIDAS facial recognition model used by biometric terminals has been evaluated by the NIST (National Institute of Standards and Technology) of the USA, which is the international body that has become, de facto, the evaluator of this type of technology. The results of the NIST evaluations are public and can be consulted C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/128 on the official NIST website (https://pages.nist.gov/frvt/html/frvt1N.html), under the umbrella of the FRVT (Face Recognition Vendor Test). The current accuracy of the biometric technology that is in the state of the art shows that it has surpassed the human capacity in comparing faces. Also, as mentioned above, it should be noted that current biometric technology, based on deep neural networks, does not make these comparisons based on characteristic points of the face, such as the size of the mouth, the distance between the eyes or the curvature of the ciliary arch.” 2.4- List of locations where cameras/data capture devices subject to identification have been installed. Measures used to prevent the recovery of personal data of third parties. He replied that, “On the date of preparation of this document, the System has been installed at eight different gates of the stadium, listed in the first section of this document, (point 1.1 of this document), each of which houses a series of entrance turnstiles that allow access to a certain number of attendees. Season ticket holders and, consequently, those likely to be users of the System, have the gate through which they can enter the stadium assigned in their season ticket, and may, therefore, access indiscriminately through any of the turnstiles installed at said gate, so that they can choose, on the occasion of each match, to use or not to use the Facial Recognition System. It indicates that there is a facial biometric terminal at a turnstile at each of the eight gates: 3, 7, 8, 10,11, 16, 21 and 27, in addition to the non-biometric turnstiles, it indicates the total number of turntiles at each gate, and it is noted that there is no gate at which there are no non-biometric turntiles. It indicates that: “As can be seen, the System is in no case the only means of access to the premises, there being sufficient alternative means at each gate to facilitate the aforementioned access. DOCUMENT NUMBER 13 provides a photograph of one of the gates of the stadium, in which it can be seen as an example how the biometric terminal is implemented exclusively at one of the turnstiles. The measures to ensure the confidentiality of personal data are applied at two levels: - (…) following the recommendations of the NIST. (…) - (…) of communications (…) through (…). - The above is complemented by other security measures that are described in detail in section 8.2 and the annexes of the EIPD. It should also be remembered that all the measures implemented by DAS-GATE have been audited and certified based on the certifications of its information security management system (ISO (…) etc.).” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/128 2.5- Security measures applied to each element of the system in which personal data are processed. He responded that:” Section 8 and the annexes of the EIPD include the details of the security measures implemented in the solution. In summary, in this section, it is indicated that all the measures shown in the (…) have been implemented. In particular, the following should be mentioned: ● All data communications are encrypted: ○ (...). ○ At rest: they are encrypted (…). ● Restricted access and minimum privilege policies at the system and application level. ● A system is implemented (…). ● Users (…): it is avoided (…). Each person who accesses the System or applications has (…). ● A design process is applied for the secure development of the product, including a review of the security requirements during the validation processes prior to the delivery of versions. ● Measures of (…). ● Measures aimed at preventing temporary unavailability of information with the consequent limitation of the service. ● There is an internal DPO who has been duly registered and who ensures compliance with data protection in the organization. ● There are (…). 3 Copy of: 3.1- Content included in the Register of Processing Activities (Article 30 of the GDPR) relating to activities involving the processing of biometric data. 3.2- Content included in the Risk Analysis or Assessment (Article 32 of the GDPR) relating to activities involving the processing of biometric data. 3.3- Data Protection Impact Assessment (Article 35 of the GDPR) relating to activities involving the processing of biometric data. 3.4- Where applicable, contracts signed with data processors involved in activities involving the processing of biometric data. Respond in full, indicating that you have already provided the DPIA and other documents. They provide a copy of the RAT in DOCUMENT 14, from which the following content is extracted: - Treatment: “FACIAL RECOGNITION ACCESS CONTROL” o Purposes: registration and management of access to the facilities using a facial recognition system. o Legal basis: consent of the interested party 6.1 a) and 9.2 a) of the RGPD). o Categories of interested parties: members and subscribers. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/128 o Categories of personal data: Identification: NIF/DNI; name and surname; image; email address. Social circumstances: membership in clubs and associations; Others: identification data of the member (ID of the holder, front and back); email address of the member; QR code data for membership (ID, membership number, and access ID); membership number; Member image. Special data: biometric data. o Data source: the interested party. Categories of recipients: “Organizations or persons directly related to the data controller.” “Data transfers to third parties are not planned, except in cases where the data is provided to companies and organizations that provide services to the data controller, as they are necessary for the provision of the service.” o International transfers: none exist. In this regard, it expressly states that “the hosting of data on the servers of ***EMPRESA.1 will always take place within the European Economic Area.” o Expected deletion periods: “Regarding facial recognition for access to the premises, it is indicated that “irreversible vectors, as well as access IDs and the user ID (created by the member), will be kept until the interested parties request their deletion, unless other legally established provisions apply. In any case, the data will be deleted if the user ceases to hold the status of a C.A. Osasuna subscriber or transferee of a Club subscription” Data processors: DAS-GATE. FOURTH: Second request to C.A. OSASUNA in the course of the preliminary investigation actions. On 09/16/2023, the C.A. OSASUNA: 1. The information provided in the previous letter specified the category of interested parties for the processing of biometric data as members and subscribers and the purpose of controlling access to CLUB ATLÉTICO OSASUNA matches at the El Sadar stadium. In relation to this data, and taking into account what has been published in the media, the following is requested: 1.1 Indicate whether OSASUNA is using the system for other purposes, interested parties, and locations other than those specified in the previous letter. In such case, provide the information on the specific processing activities (date on which it was launched, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/128 description of the purpose, legal basis, judgment of proportionality, duty of information, etc.) in what is different from what is indicated in the previous letter. On 10/9/2023, he replied that the system that was reported on in March 2023 “is not being applied for purposes other than those stated in said response.” 1.2 Specify the system expansion plan in terms of expected start-up dates, locations (gates, buildings, etc.), and categories of interested parties (season ticket holders, OSASUNA employees, purchasers of “match” tickets, etc.). He replied: “Since the system was put into operation, internal conversations have been held about its possible expansion to the entire El Sadar stadium. However, as of the date of submission of this document, a specific expansion plan for the system has not been specified. In any case, the possible future implementation of the system in other access gates to the premises would be carried out with the same limitations and guarantees that are currently being applied, also implementing the same technical and organizational measures, analyzed in the DPIA to address the risks that the treatment could generate in the interested parties.” 1.3 The Treatment Activities Register (RAT) document included in the previous letter includes the following among the categories of personal data subject to treatment: voice, social circumstances (accommodation and housing characteristics; properties and possessions; “military” situation; hobbies and lifestyle; membership in clubs and associations; licenses, permits and authorizations). It is requested to clarify for what purpose said personal data are used and to provide the database scheme (or similar) that collects all the categories of personal data of the subscribers treated by OSASUNA. He replied that: “As described in the DPIA and in the responses given by OSASUNA to the previous request for information from that AEPD, as well as in the response to other questions raised in this request, the processing does not include data related to the voice nor, within “social circumstances”, those referring to the characteristics of accommodation and housing, properties and possessions, “military” status, hobbies and lifestyle or licenses, permits and authorizations. Only the data pertaining to the “social circumstances” of the interested parties are those that prove “belonging to clubs or associations”, since the status of member of the Club is implicit in the very nature of the processing, since it affects the members subscribers of OSASUNA who request the use of this recognition system for access to the stadium.” Taking into account the above, the RAT of Treatment Activities related to the treatment subject of this request has been modified, which is attached as DOCUMENT NUMBER 1 in which it no longer appears in “personal data categories” the voice, social circumstances (accommodation and housing characteristics; properties and possessions; “military” situation). The data that C.A. Osasuna collects from its subscribers, in order to manage their membership, and provided by the interested party at the time of REGISTERING OR RENEWING THEIR MEMBERSHIP STATUS, the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/128 - Name and surname - ID - Date of birth - Sex - Full address - Telephone number - Email address - Bank details, for payment of the subscription As internal data that is incorporated in the MEMBERSHIP CARD, the subscriber number, the type of subscription with its price and, if applicable, applied discount, the assigned seat and the zone through which the subscriber must access appear. Additionally, if the member has REGISTERED IN THE ACCESS CONTROL SYSTEM BY FACIAL RECOGNITION, the hash of the user identifier will be available, as well as the facial biometric vector. Provide a copy of a capture of three screens of the management application used by the Clubs belonging to the League, where the referred data can be seen, except those associated with the access control system by SBRF, which are not integrated into this application. 1.4 Indicate the number of existing turnstiles in the doors in which facial biometrics has been incorporated prior to its incorporation. Indicate whether the incorporation of the turnstile with opening by facial biometrics has meant the elimination of one of the previous ones. Provide, for this purpose, photographs that show the before and after. He states that, as of the date of writing this document, of the 29 total access gates to the El Sadar stadium, only EIGHT of them have a turnstile with biometric access. The distribution of the turnstiles - including both those with biometric reading and those without it implemented - is provided in a table in which the total number of turnstiles is indicated for each gate number, and it is broken down into the number of turnstiles with biometric reading and turnstiles with non-biometric reading. The summary can be summarized as there are eight turnstiles with biometric reading, one at each of the eight gates mentioned, and at each of these eight gates, there is at least one turnstile with non-biometric reading, with some gates reaching a maximum of four turnstiles with non-biometric readings at the same gate. In DOCUMENT TWO, a report is provided which includes the access doors to the premises which incorporate the biometric recognition system in one of their turnstiles. As there are no photographs prior to the time when the readers were installed, it has been decided to show the situation of the doors with the turnstile folded (i.e., as it would be if it were not turned on) and deployed (i.e., as it would happen in the case of holding meetings where access to the premises is possible through the biometric recognition system). 1.5 Indicate whether the system is working “continuously” after starting it up (it continuously captures images “tracking” if there is “something” to identify) or whether there is some event that triggers the capture and identification process. Determine, also, whether the system captures sounds during the process in addition to images. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/128 He replied that “a distinction must be made between the switching on of the turnstile and its activation once it is switched on. As regards switching on, this only occurs during sporting matches where it is possible to access using this technology and always together with the other access turnstiles. Thus, prior to each match, the terminals are switched on and uncovered at the moment when the technicians switch on the power supply to the turnstiles at the gates and uncover all the devices. It must, however, be taken into account that there will be matches for which the system will remain inactive, given that recognition only occurs in cases where the season ticket holder could access the venue with his card without having to buy a ticket, so matches outside of the season ticket are excluded. In these cases, the biometric system will be out of service and covered by an opaque cover.” “As for the activation of the reader, when it is on and operational, the system does not work “continuously”, but its activation only takes place in the event that a specific situation is triggered that leads to the start of the image capture and identification process, which is described in the sixth section of this document. The activation occurs by “proximity”, that is, by placing the interested party who is going to access the El Sadar stadium within a range of less than ONE meter away from the device. In this way, the system will only be able to capture and identify the image of the person who is standing in front of the turnstile, in the access lane by means of facial recognition and who does not exceed the maximum image capture distance. In order to ensure that the capture is only possible for the person who intends to access the premises, it is necessary to indicate that the image capture systems are installed within the restricted area of the stadium, that is, after the entry control point exercised by the arms of the access turnstile (the one with biometric reading) with the aim that only the images of those people who are positioned very close to the / of the turnstile with biometric reading, and looking in the direction of the system, are captured and processed. This fact can be verified in the report provided as DOCUMENT NUMBER TWO.” “The limitation of the capture range established in the system prevents images from being captured of people who are in different rows or at a distance greater than one meter, thus avoiding a “remote” and erroneous identification.” DOCUMENT NUMBER THREE provides a graphic example of the distance between the arms of the lathe and the image capture system. Finally, as far as sound capture is concerned, the systems are not able to capture this type of personal data, they are limited exclusively to capturing images. 1.6 In relation to the consent of the interested parties, the following is requested: -Determine the measures implemented in the system so that the images (frames) that it collects are restricted to the interested party who wants to be recognized (limitation of distance collected, physical devices, etc.) and so that people can estimate the area that the device captures. He replied that “as far as the distance of image capture is concerned, the system is configured in such a way that it does not perform any processing of the visible image (hereinafter, “RGB”) if it does not detect any object less than ONE meter away from the depth sensor. Thus, in the event of detecting any pixel in the depth image at less than the predetermined distance, the terminal proceeds to search for faces in the scene C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/128 by applying proprietary algorithms (from the supplier) of computer vision on the RGB channel. This is achieved because the biometric identification devices are equipped with stereoscopic cameras that provide both an RGB image and a depth map that represents the distance of each pixel in the RGB image with respect to the camera sensor. The aforementioned algorithms dedicated to capturing faces produce as a result a series of bounding boxes -rectangles- on each region of the image in which the algorithm considers that there is a face with a sufficient degree of certainty. In this way, if these algorithms have generated a rectangle, the system proceeds to determine using proprietary algorithms the distance of each region of interest to the camera sensor. Thus, if none of the regions of interest is less than the established meter of distance, the system automatically discards the frame and waits for the next one. In this regard, it should be noted that there is only one image processing when the interested party is less than one meter from the terminal, but there is no additional processing of personal data, since, the selection criterion being proximity, the system only continues to process the region of interest that is in the aforementioned range of less than one meter, therefore, there is no attempt to biometrically recognize the captured subject nor are the images used for other purposes since the captured region is discarded. If the region of interest is within the capture distance, then the terminal continues with the processing and only in that case applies the facial recognition algorithms developed by VERIDAS to complete the user authentication process, that is, the calculation of the biometric vector, the 1: N comparison, -the N being composed only of those users who have voluntarily registered in the system in advance- and proof of life. Finally, as a reinforced measure, biometric terminals are installed within the restricted area of the stadium, that is, after the entry control point operated by the arms of the access turnstile with biometric reading, with the aim that only those people who are very close to the turnstile and looking in the direction of the terminal, that is, those who intend to access the premises using the system, can be captured by it.” - Provide the data available in relation to the rate/speed of access through the turnstiles to access the stadium with opening by facial recognition and the turnstiles to access the stadium with opening by the rest of the procedures. He responded that: “An estimate has been made of the rate/speed of access of interested parties to the El Sadar stadium, both with regard to access through the turnstiles with biometric systems and access through the turnstiles that do not have the aforementioned technology. Thus, personnel have been deployed at different points in the El Sadar stadium with the aim of obtaining an access rate based on observation and recording of results at different times of use of the system. As a result of the observations, it was possible to conclude that the average rate of user access through a conventional turnstile using the pass -NFC reader or QR reader- or paper ticket -code reader- is 12 people per minute; on the other hand, the average rate of access of interested parties through the turnstiles that have biometric technology implemented is 20 people per minute. The values provided represent the value that has the highest frequency in the access rates.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/128 - Example of the record sent for a specific interested party from the DAS-GATE system to OSASUNA as a result of the registration process for its storage and management in its rights exercise platform. Responded: When a member decides to register in the system, he or she is first asked for express acceptance of the privacy policy - as shown in Document Number 14, referred to in section ten of this document - since, without reading and accepting the privacy policy, it is not possible to continue with the registration. In case of acceptance and registration in the system, DAS-GATE sends the following information to the OSASUNA consent manager: (provides a screen with programming code), stating that “This image shows the code fragment that implements the text that will be sent to the OSASUNA consent manager, which includes the email and ID of the corresponding user, as well as the two specific texts that the user consents to when registering. It can be verified that: 1 The text is consistent with the consents that will be sent (consent1 and consent2). 2 The email and ID values that depend on the user are provided to the function as input arguments, that is, for each user they will take the pertinent values that correspond to them. With the previous process, OSASUNA receives a notification in its consent manager in which the interested party is informed of the consent provided, the following image can serve as an example of the notifications that OSASUNA receives in relation to the consents: (it is a written report that contains the domain: Osasuna- socios.app.das-gate.com, the DNI data, email, date, IP, and a literal that indicates "I expressly consent to the processing of my personal data including my image for the generation of a facial vector through an artificial intelligence (AI) system that allows my identification at the time of accessing the stadium: Accepted checked: true. I have read and accept the privacy policy. Accepted checked: true." -Example of a record sent for a specific interested party from the DAS-GATE system to OSASUNA as a result of the management process on its platform for exercising rights: It responded that "In relation to the exercise of rights, it is They distinguish two different ways depending on whether the right exercised by the interested party corresponds to the withdrawal of consent and deletion of personal data or whether the right exercised corresponds to any of the other rights available to them. In the first case, when the user wishes to exercise their right to withdraw consent and delete, they have the possibility of exercising them from within their user account in the system. In this case, the system sends the following information to the OSASUNA consent manager - providing a printout of a screen with programming code - indicating that it “shows the code fragment that implements the text that will be sent to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/128 the consent manager. Specifically, in the “notification-payload” function, it can be checked that: • The text is consistent with the cancellation that will be sent. • The DNI value that depends on the user is provided to the function as an input argument, that is, for each user it will take the relevant value that corresponds to it. With this, OSASUNA receives the following notification in its consent manager (it provides a written report similar to that indicated in the previous point with the text “cancel account. Accepted checked: true” “On the other hand, to exercise any of the remaining rights established by the data protection regulations, which may not be related to the processing of biometric data, from your user account you are sent directly to the specific site where interested parties can find it available on the OSASUNA website. Thus, OSASUNA will transfer the specific request to the system provider so that, once analyzed, it will transfer a response to the interested party. 1.7. Identification of the specific biometric engine used by OSASUNA in the processing. Also provide the following documentation: - Official certifications issued for the same. He responded that “The biometric engine installed in the access terminals that have the biometric system in the El Sadar stadium corresponds to the “(...)” engine and this engine is evaluated by NIST FRTE 1: N since November 2021 as specified in the following section. Additionally, the access control system using biometric identification is within the scope of the information security and quality certifications of the provider. Specifically, it complies with the following certifications: (i) (…), (ii) (…), (iii) (…), (….), and (iv) (…). Attached to this document as DOCUMENTS NUMBERS 4 to 7 is evidence of the mentioned certifications. On the other hand, the (…) VERIDAS engines are certified according to the (…). The following documents related to the mentioned certifications are provided: • 220406-VERIDAS-PAD-Level-1-Confirmation-Letter.pdf, as DOCUMENT NUMBER 8. • 201215-VERIDAS-PAD-Level-2-Confirmation-Letter.pdf, as DOCUMENT NUMBER 9. - Specify, within the NIST website indicated in the previous document, what are the results corresponding to the evaluation of the biometric engine used by Osasuna. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/128 He replied that “The biometric engine used to identify interested parties has been evaluated by NIST in the FTRE 1:1 and FRTE 1: N challenges. The results of the mentioned analysis can be found in the following link of NIST FRTE 1: N: (…)” - Procedure that would have to be followed to change the engine/version of the biometric engine and make it available for stadium access control. He replied that “The process of updating the biometric engine for access to the El Sadar stadium would require, first of all, that the provider and the Club agree on the change of the engine and jointly prepare a calendar in which will be reflected (i) the dates of the communications to the subscribers in which they would be informed of the variations that would occur and; (ii) the technical actions on the cloud and the supplier's biometric terminals. Thus, once the project schedules have been drawn up, the supplier will carry out an operation to delete the active databases of the production environment, so that there are no active users left in the information systems, in order to subsequently update the biometric engine used in its cloud to generate the biometric vectors. Next, all the biometric terminals for access control to the El Sadar stadium would be updated with a new software version that incorporates the new biometric engine. This is necessary because the biometric vectors generated by the VERIDAS facial recognition models are not interoperable between versions. After updating the terminals, validation tests would be carried out to confirm that the complete biometric registration flow and biometric access to the El Sadar stadium function correctly through all the doors equipped with facial recognition terminals. Finally, and in compliance with the deadlines established in the calendar, OSASUNA would inform interested parties - subscribers who have consented to the processing of their data for the purpose of accessing the El Sadar stadium using biometric technology- that the biometric engine has been updated, indicating that if they wish to continue using access via facial recognition, they must complete the registration process again. The completion of this new process is essential, since, as has been said, facial recognition models are not interoperable and, in application of the principle of data minimisation, as stated in the EIPD, the system does not retain the facial images - selfies - that users provided at the time of their registration, so it is not possible to generate a vector from these images, making it necessary to repeat the process so that the system can generate new vectors. 1.8 Determine the procedure followed to make effective the procedure for blocking data incorporated during the registration process. He replied by reiterating that the following personal data is requested from the interested parties in order to register them in the system: i DNI; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/128 ii Email address; iii QR code of your membership card, which includes information on the DNI number, the subscriber number and a unique access identifier in order to avoid several accesses with the same membership card during the holding of a meeting. iv Copy of the front and back of the DNI; and v A selfie photograph. Once the interested party is registered in the system, the aforementioned data will be blocked, in the terms established by law, as they are not necessary to carry out the biometric recognition, with the only exception being the unique identifier. This blocking, as indicated in the Data Protection Impact Assessment prepared with respect to the processing and provided in the response to the first of the requests made by the AEPD, will last for THREE years, coinciding with the maximum limitation period for violations of personal data protection. Thus, the blocking process is configured as follows: As a starting point, during the registration phase in the system, the personal data that the interested party provides are temporarily stored on the S3 server provided by ***EMPRESA.1 associated with a quick (“short”) deletion label. This will allow the personal data to be permanently deleted if the user abandons the registration process without completing it. If the interested party completes the registration, as a final action of the user registration process, the short label is replaced by a long-term label (“long”) and another one with restricted access (“restricted”), which will imply that the personal data cannot be accessed (“blocked” status) by any person who does not have an authorized account for this, in this case it will be the DPO account, and they are kept for a period of THREE years from the registration date coinciding with the period provided for in the personal data protection regulations. The management of the life cycle of personal data is the responsibility of the provider and is established in relation to the S3 life cycle policies, which are defined through the short/long and restricted labels. In this way, the labels are configurable for each client of the provider, and in the case of OSASUNA they are configured as follows: 1 Long = 3 years 2 Short = 1 day. Likewise, the following is requested: - Sample record with the data that remains for a specific interested party in the system once the registration process has been completed. - Sample record of the data that remains for the same specific interested party in the “blocked” storage. - Record of the data of the same interested party incorporated into the access terminals. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/128 - Logs recorded in relation to the accesses of said interested party to the stadium to date, both of the process of recognizing the interested party in the terminal and of the submissions made to the SEFPSA servers. The respondent provided as DOCUMENT NUMBER 10, a report issued by VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, S.L. which includes a description of a specific example that relates the data stored in the system after the registration process, including: the hash of the ID number, access identifier, alphanumeric code that represents the facial vector, and internal data (internal system identifier, creation and update dates, etc.). According to the document, if a user unsubscribes from the system (withdraws their consent), this data is deleted. Likewise, this document also includes a specific example of the data that remains blocked. It identifies the files in which it states that the following data is recorded: screenshots of the front and back of the ID card taken during the registration process, content of the QR scanned during the digitalisation process of the season ticket, results of the digital identity verification process, biometric vector generated from the user's selfie photo. - Data incorporated in the stadium entrance recognition process. According to what has been seen above, the recognition process takes place in the access terminals themselves, where “the facial vector and the access identifier of the registered users are stored”. In this way, as explained, the comparison is made “between the biometric vector generated at the time of access and the biometric vector generated at the time of user registration” in the DAS-GATE systems. Osasuna has provided (document 10) a specific example that relates the data stored in the stadium terminals. According to it, they coincide with those registered in the system after registration: hash of the DNI number, access identifier, alphanumeric code that represents the facial vector, and internal data (internal system identifier, creation dates, update dates, etc.). According to it, if a user unsubscribes from the system (withdraws his/her consent), this data is deleted by virtue of the “established synchronization process”. Furthermore, Osasuna stated in its first response that it “does not store the image captured by the reader located at the entrance to the premises nor the facial vector generated from it, which will only be processed and kept for the minimum time necessary to carry out the identification of the subscriber”. Thus, it indicates that each time the terminal tries to perform an identification, the following data is recorded: date and time; biometric terminal identifier; access identifier of the subscriber most similar to the one being identified; and biometric similarity score obtained; record of the request being sent to the SEFPSA servers (in the event that the score exceeds the stipulated minimum threshold). As provided in the EIPD Report, this recorded information is stored on the DAS-GATE servers contracted with ***EMPRESA.1 (hereinafter, ***EMPRESA.1). The storage time, as quoted by Osasuna (EscritoOsasuna1), is "until the beginning of the season after the one to which the stored access refers, when it will also be blocked for the aforementioned period of three years." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 35/128 The EIPD Report also indicates that the corresponding access identifier will be transferred to the SEFPSA servers only when the recognition is positive, in order to make the decision of whether or not to open the turnstile”, this data being necessary to avoid fraud in access to the premises such as duplicate entry to the stadium with the same season ticket, and constituting one of the measures imposed by the Anti-Violence Law, which in its article 11.1 determines: It provides as DOCUMENT NUMBER 11, the authentication logs of the accesses by the interested parties to the El Sadar stadium of a specific user, with a section 1, entitled “Sample registration with the data that remain for a specific interested party in the system once the registration process has been completed” It is indicated that in order to be able to To consult the requested data, it is necessary to access the databases of the production environment, an action only available to the system administrator, and to obtain the data of a user registered in the system, it is necessary to know the (…) to which a (…) is applied to obtain the (…). From there, access the object (…), which contains the stored properties of the users. It indicates that the information is provided of the identifier extracted from the QR, the subscriber's access ID, and then obtains the object “(…)”, “type of data used by VERIDAS to be able to complete the authentication processes in the biometric terminals through a query by (…) to the database. It indicates that the data “(…) extracted during registration from (…) identified with the (…) appears. In point “2. Example record of the data that remains of the same specific interested party in the blocked storage”, it indicates that, among others, the files of the (…) are contained. It also provides the logs that refer to access requests sent to the SEFPSA systems. Among other data, it contains: date, user access identifier, access terminal identifier, identification assessment (numeric, with values between 993 and 999) and identification of the success of the identification (in all the exemplified cases it has been successful). 1.9 As part of the previous letter, the information that would be presented in a second layer of information has been provided. It is requested to identify the internet address where this information is located. It responded that "The information corresponding to the processing of personal data in relation to access to the El Sadar stadium through the biometric system is accessible at the link https://www.osasuna.es/facialRecognitionPolicy". However, in order to facilitate the aforementioned access, DOCUMENT NUMBER 12 is provided, updated on January 22. The document contains the same as that described in point 1.5 DOCUMENT 7. 1.10 Screenshots of the system showing how the interested party accesses his user account in the DAS-GATE system and: - Exercises the right of access and obtains the result. - Revokes consent and exercises the right of deletion. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 36/128 He replied that “As DOCUMENT NUMBER 13, the screenshots corresponding to the access of the interested parties to their user account in the system, as well as the exercise of the rights of access, deletion and revocation of consent, together with the results corresponding to the exercise of each of the aforementioned rights, are provided.” In the screenshots of DOCUMENT 13, from the Osasuna website, abonados.osasuna.es, in the “member area” tab, entering the username and password if you are already registered, leads to a window that shows, among others, the “Your season ticket details”, “biometric access”. Clicking on the latter takes you to a Das GATE URL where you can see the initial information screen of “Now you can access El Sadar with your face” and a tab where you can start the process, with the “Start” tab. The screenshot provided reiterates the registration process. It starts with another “Register” screen, to access the registration system to access with facial biometrics - We recommend using a smartphone - “Scan this QR with your mobile to continue” The next screen that appears is the one that contains the spaces to complete the DNI number and the email. Below it appears “By clicking on Register you accept the privacy policy”, and another “I consent…” Below the “register” tab C.A. OSASUNA states that when clicking on the consent checkboxes, a pop-up is displayed that obligatorily shows the text of the first layer”. “It is from that pop-up where the treatment is accepted -opt-in- by giving consent, so that the user will always see that information before being able to consent.” “If the user does not accept both checkboxes - they are divided into two to ensure greater clarity - they cannot continue with the process, they cannot click on “Register” Attached copy of the reading of the informative literal “terms conditions basic information on data protection. Attached are the rest of the screenshots that continue the data registration process for the already examined registration: “Scan the QR of your subscription”, “Scan the official document”, “selfie”. It also provides the process of accessing the user portal, also entering through “Member Area”, accessing the same page when registering, showing the option: Do you want to unsubscribe?, to do so according to C.A. OSASUNA, more clearly to the user, which “would trigger the withdrawal of consent and deletion of their data for that purpose in a simple way”. The process continues by registering their ID, and asking the system to make a SELFIE to complete access to their account. Once they have accessed, the options for access rights appear, in the form of “consult my data”. It also provides as a complement the written model to exercise the exercise of rights, in which there are spaces to fill in the data of name and surname, ID, e-mail, mobile phone, and upload a FILE, and a drop-down list with the rights, also showing the “revocation”, and the “Send” tab. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 37/128 Señala C.A. OSASUNA states that when the right is exercised, the user receives an SMS on his/her mobile phone confirming that his/her request has been sent. It provides the impression of a message informing him/her: “Touch the link to confirm your ARSOL request”, with a link to click on. “Thank you for confirming your ARSOL request”. “After this request, within the legally established time limits, the user receives a response by email.” Regarding the revocation process, C.A. OSASUNA points out: “Although the user could exercise this right through the Osasuna website for exercising ARSOL rights indicated above (in which case the steps would be equivalent to those already indicated), the user is offered a faster and more direct way of revoking consent for the specific purpose of access through facial recognition. In fact, Osasuna has always wanted users to be able to unsubscribe in a simple way if they wished to stop using this access method (and continue accessing through the other available methods). This is why, as previously mentioned, the user is offered the clear button “Do you want to unsubscribe?” from the Biometric Access section of their profile. Once they access their user portal by clicking on this button, they are shown the “Delete account” option, which appears next to the “check my data” option. The process, according to the screenshot provided, requires entering the DNI number, with C.A. OSASUNA stating that “this data is not being stored in the database, which is necessary to trigger the deletion of the personal data that were active in the system and the notification to the Osasuna consent manager that said user has unsubscribed from using the facial recognition access system. It should be noted that this specific withdrawal is from this system and does not imply that the member loses his membership status - he will be able to continue accessing the system with his subscription as normal." It ends by indicating that “said account is deleted without prejudice to the corresponding blocked data, deactivating the option for the user to access the Sadar stadium through facial recognition. Likewise, the user portal will no longer be enabled.” 1-11 Evidence that the configuration of the services provided by ***EMPRESA.1 do not involve international data transfers. It responded by providing a list of the services of ***EMPRESA.1 (hereinafter, “***EMPRESA.1”) involved in the provision of the access control service through facial recognition. It states that “Of all the above services, the only ones in which personal data reside or may reside would be: Instances, RDS and S3. Likewise, personal data could be located in (...) in the event that a vulnerability is detected at the time of the analysis. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/128 In relation to the aforementioned services, all personal data managed by them remain in the ***EMPRESA.1 region where they are deployed, that is, eu- west-1 (Ireland). Furthermore, at the time of contracting the services of ***EMPRESA.1, an analysis was carried out of the services that applied to the processing of access control through facial recognition in order to identify whether the mentioned transfers of personal data did not actually occur. After carrying out the aforementioned analysis, it was concluded that personal data could be transferred from (...), however, such transfer would only be possible if there was express approval from the client to allow it. In this respect, the provider disabled this functionality so that it is not possible to transfer personal data. The following image shows evidence of the opt-out performed - it provides a screenshot with an enabled configuration of “AI services opt ut policies”. “Thus, once information has been provided on the services of ***COMPANY.1 that affect the treatment, below, screenshots of the console of ***COMPANY.1 are shown as evidence where the region in which each piece of the infrastructure mentioned above is deployed can be seen - all in eu-west-1 = Ireland-:” It provides several screenshots. It adds that “for personal data storage services, as can be checked from the following screenshots, the data is stored encrypted”, and provides a series of screenshots with the title of the files “encrypted”. 1.12 If it has been performed, report on (…) recommended by VERI-DAS DIGITAL AUTHENTICATION SOLUTIONS, S.L. (hereinafter, VERIDAS) in the contract signed with Das-gate. It responded that “Considering that the provider has various certifications in information security, (…) of various components used in the biometric identification access systems, OSASUNA has not deemed it necessary to carry out an additional one, given the results and conclusions provided by the one already prepared.” 1.13 The Data Protection Impact Assessment attached to the previous document cites parts of the document “Technical report. Facial biometric technology” from DAS-GATE. A copy of said document is requested. It responded by providing it in DOCUMENT 14 “Technical report. (…)”, (14 pages) of VERIDAS, first version (…), which cites: “Importance and need for secure recognition of real identity in the digital environment” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 39/128 “And just as in the physical environment we say that society recognizes us for what we are, in the digital environment the accreditation of identity must also revolve around the person, their attributes, and not around devices or cards that they may possess. “The biometric systems that are the key to carrying out this accreditation of real identity in the digital environment”. “Throughout the report (…) are analyzed. From the study of the above, it is concluded that the use of biometric models based on Artificial Intelligence allows to guarantee privacy by default and from the design of these Systems” “The use of biometric systems usually leads to doubts in four main areas: Protection of personal data. Quality or precision of biometric technology. Non-discrimination of users. Detection of attempts at identity theft. Throughout this document, we attempt to explain (…), which allows us to respond and avoid or mitigate the risks that may arise.” “Modern biometric verification systems (1:1 or one-to-one) and identification (1:N or one-to-many) (…).” In section 2 (…)”, it indicates that the key element of biometric recognition is the engine used. It is from a technical point of view, to the extent that (…)” It distinguishes (…) biometric engine models: “Biometric models (…). On the other hand, it analyses modern biometric models based on AI, specifically based on neural networks. “(…). As a consequence, in this model (…). Having this vector, therefore, does not mean that the biometric information has been compromised or that it can no longer be cancelled.” “In addition, the levels of precision of those that use neural networks are much higher (…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 40/128 Section 2.2 “(…)”:” The algorithms used are based on machine learning techniques. Specifically on “deep” artificial neural networks (coined in English as “Deep Learning”). (…).” Explains the technical process based on (…). Indicates that “each vector (…).” “It is worth mentioning that all of the above refers to the intrinsic privacy of (…), but the rest of the security strategies that are applied to it should not be ignored, such as (…).” “The above in this section allows us to clarify that there is a clear misunderstanding in the belief that biometric data are permanent over time and cannot be changed in the event of compromise or loss of the same. Our faces characterize us and have always been used by humans to recognize people; now, they also allow us to recognize them supported by technology. The face will always continue to represent us, and it will not change (except, of course, for significant, aesthetic or health-related operations), (…). Therefore, biometric vectors are not unique, they change (…), so they can be modified at any time without compromising the security of their use.” It points out that -NIST, an agency dependent on the US Department of Commerce, has in October 2021 evaluated the VERIDAS RF system in the Face precognition Vendor Test on- going, being among the 25% of the best systems presented in the category (…) of FVVT 1:1 -The independent certification body (…) has accredited that VERIDAS accredits compliance with the standard (…) information (…) presentation (…). They provide a link 1.14. Technical documentation accompanying the contracts referred to in the previous document (between Osasuna, DAS-GATE, and VERIDAS) as indicated in the contracts themselves.” He replied that the following documents are provided as DOCUMENTS NUMBER 15 to 17: • Questions and answers regarding the new access system to the El Sadar stadium (1).pdf • Manual_instalacion_DAS-GATE _v1 (1).pdf • Info_garantia_DAS-GATE _ENG_.pdf FIFTH: Incorporation of documentation in the previous investigation actions. On 10/26/2023, the Inspector carried out a diligence, noting the incorporation of various documentation into the inspection actions, of which it is interesting to highlight: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 41/128 1. General Regulations of the National Professional Football League (RGLNFP). Downloaded on 02/16/2023 from the internet address https://www.laliga.com/transparencia/normativa, approved by the Board of Directors of the CSD on 11/7/2022. 2. Certification of the approval agreement of the Higher Sports Council of Book XII of the RGLNFP. From the document with registration number REGAGE(...) corresponding to file EXP202213792, with background of AI/00444/2022. The letter from the CSD Board of Directors (competent to approve the modification of the RGLNFP, pursuant to the provisions of articles 10. 2. b), of Law 10/1990, of 15/10, on Sport, and 3.b), of Royal Decree 1242/1992, of 16/10, regulating the composition and operation of the Board of Directors, certifies that at the session of 23/12/2015, the agreement was adopted in which, among others, book XII is incorporated, which deals with the sale of season tickets and tickets. 3.Communication addressed by the Permanent Commission of the State Commission against Violence, Racism, Xenophobia and Intolerance in Sport (CEVRXID) to the National Professional Football League on 15/03/2022. Originating from the document with registration number REGAGE(...) corresponding to EXP202213792. 4. Report 98/2022 of the Legal Office of the AEPD, dated 12/22/2022, extracted on 08/24/023 from the AEPD website (https://www.aepd.es/es/documento/2022- 0098.pdf). This report responds to the query raised by CEVRXID on whether “the adoption of an agreement of the same within the scope of its powers (art. 13.1.b) Law 19/2007 of 11/07, against violence, racism, xenophobia and intolerance in sport”, (hereinafter ANTIVIOLENCE LAW) “establishing measures for the compliance of the clubs consisting of the installation of biometric systems for the control of all access to the animation stands that allows the unique identification of the fans who access said stands, would be legally viable in accordance with the regulations governing data protection.” According to the consultant, the processing of the personal data of the fans, including their biometric data, would be carried out in accordance with Article 6.1.e) of Regulation (EU) 2016/679 General Data Protection Regulation (GDPR), that is, the processing of the data would be necessary “for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller”. After carrying out the analysis, it is concluded that “the adoption of the CEVRXID agreement within the scope of its powers, establishing measures for the compliance of the clubs consisting of the installation of biometric systems for the control of all access to the animation stands that allows the unique identification of the fans who access said stands, is not in accordance with the regulations governing data protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 42/128 5. Communication sent by the CEVRXID to the League on 03/21/2023. Originating from the letter with registration number REGAGE23e00022024546 corresponding to the action EXP202213792, in which it communicates to the LNFP the agreement adopted at its meeting of 03/13/2023. 6. "Circular No. 19 of the 2022/2023 Season, of the League, of 03/23/2023", by which the indications of the aforementioned CEVRXID were transferred to the Clubs, also reporting the AEPD report of 12/22/2022. From the document with registration number REGAGE(...), corresponding to EXP202213792. 7. Content of the website https://VERIDAS.com/en/data-protection/ downloaded on 25/08/2023. It advertises how “we believe in the right of people to use their biometrics to be identified voluntarily and safely”, “privacy by default and by design”. It informs about “digital onboarding”, “a solution that allows the entire identity verification procedure to be carried out remotely, both through an app and a website”, “a photograph or video of the user and a document that allows them to prove their identity will be taken. All the data contained in both the document and the image of the face will be sent to the validation systems developed by VERIDAS. In this phase, the veracity of the document will be analyzed by processing the data contained in it and the identity of the person, for which two biometric vectors will be created: one from the photo contained in the document and another from the selfie photo taken by the user at that moment; by comparing them with each other in a process known as 1 to 1, it is possible to verify that a person is who they say they are. After performing the verification, this data is sent to the VERIDAS client company that will generally act as the controller (although there may be cases in which our client acts as the processor, in which case it will transfer the information to the controller) and the VERIDAS systems are instantly eliminated. “ Informs about. - “facial authentication” “which involves verifying that a person is who they say they are, but in this case the person must have already registered in the systems. Therefore, either it is in our client's database, or it has received a biometric QR code that will allow it to access it." It ends by indicating that "no data of yours will remain in our systems, since these will be used only to make the comparison and will then be deleted." - "Measures to guarantee trust and security in the processing of personal data," pointing out among other aspects that they use biometric technology based on artificial intelligence with which "the data that will be processed by the biometric engine is collected and sent to it." In this engine, the data will be processed, generating what is known as a "biometric vector, which is nothing more than a way of representing people's features. At first glance, it is a very long numerical string..." which has the following advantages: - “it is irreversible, it is not possible to reconstruct the face from the vector, the numbers do not represent distances between characteristic points of the face, but are a unique interpretation that the biometric engine makes of it and that only it will understand”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 43/128 - “it is not interoperable, it is not possible to use the vector in other systems, whether they are different biometric engines or other versions of the same engine that created it. This also implies that, simply by updating the version of the biometric engine, the vectors created by the previous version would be useless. Therefore, in the event of theft or unauthorized access, this data would be completely useless, there would only be a string of numbers that could not be made sense of”. - “VERIDAS does not retain the user's personal data or the biometric vectors that have been created: Once the process for which we have been contracted has been carried out and the relevant information has been sent to the client, we automatically delete all the information that has been on our servers.” -In the FAQs section “What data is processed for the use of VERIDAS solutions?”, it is explained that “VERIDAS only processes data from identification documents, images that the person has provided to verify their identity (using a photograph, video or recording) and that these will be different depending on the solution you are using.” -Regarding international transfers, it reports that it “uses the servers that ***EMPRESA.1 has in Germany and Ireland to host its cloud services” -Informs about: “biometric engine, is the name given to the set of algorithms that transform the data of the face - obtained in our case through a photograph or video - into what is known as a “biometric vector”: a biometric data, having been subjected to a specific technical treatment, forming an irreversible chain of numbers 8. Content of the website https://VERIDAS.com/es/cumplimiento/ downloaded on 08/25/2023. In which information is provided on the technological certifications available: -National Institute or Standards and Technology, of the United States Department of Commerce, -From the CCN, the certificate of compliance with the security requirements of Annex F.11 of the TIC-CCN-STIC-140 Security Guide with a high ENS category. - (...) regulations that refer to the detection of attempts at impersonation or deception of the system, -Provides services to trusted electronic service providers to comply with the requirements of order ETD/465/2021 of 6/05, which regulates the methods of remote identification by video for the issuance of qualified electronic certificates. -Certificate in systems (...), -Certificate of compliance with the ENS -SOC 2 certificate of the services developed by VERIDAS. SOC 2 is a report based on the auditing standards of the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board corresponding to the Trust Services Criteria (TSC). It is indicated that it “includes a description of more than 100 controls established to protect the data processed in the services offered by VERIDAS solutions”. 9. Content of the website https://www.osasuna.es/privacyPolicy downloaded on 09/06/2023 using forced loading with cache clearing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 44/128 The document entitled “privacy policy” last updated November 2019. It reflects C.A. OSASUNA as responsible, without any reference to the DPD. Among others, because it is related to the subject, it appears: a) In “Purpose of the treatment and nature of the data processed, it indicates that “Depending on the form that the user completes in each case, the data may be processed for the following purposes”: -of a contractual nature: to facilitate the management of the provision of agreed services, maintain the commercial relationship, as well as any other service that is contracted later”, -based on the consent of the interested party: for marketing purposes for the sending of newsletters and technical communications related to our activity, -based on compliance with a legal obligation, applicable to the person responsible for the treatment in relation to sports and HR management and administration, -based on the public interest, in relation to image processing for security purposes through the various systems b) “basis that legitimizes the data processing” “It is the user's own consent that is expressed by checking the acceptance box as step prior to sending each form. The user has the right to withdraw consent at any time, without affecting the legality of the processing based on the consent prior to its withdrawal. -The exercise of rights is also reported Additionally, the content returned for the address https://www.osasuna.es/politica-de-privacidad on the same day 09/06/2023 is attached. 10. Access to the website https://osasuna-socios.app.das-gate.com and simulation of the registration carried out on 09/07/2023. Access by the Inspector, from the laptop to the internet address: osasuna- socios.app.das-gate.com and view of the content of the page. The content of the view of the page begins with the logo and “now you can access El Sadar with your face” “Through this website you can register and enable your access with your face to the stadium. A faster, more comfortable and safer way to access” with five other tabs with information. “Your privacy comes first During this registration we will ask you to take a selfie that will be used only to facilitate your access to the stadium. This information will be kept by the club along with the rest of your season ticket data optional and voluntary Biometric access with your face is optional and voluntary; you can continue to enter el Sadar with the physical or digital (mobile) season ticket. Access doors that will have this system C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 45/128 Initially, face-enabled access will be enabled for members at doors 3,7,8,10,11, 16, 21 and 27. However, you can continue to access all doors with the physical or digital (mobile) season ticket. What should you have on hand for registration? Your membership card Your ID” There is a “start” tab and here the six information tabs end. When you click on “start”, the page to start the registration called “register” is displayed, next to it is: “Do you want to unsubscribe?” “Clicking the button to start the registration, shows us a QR code to scan, and recommends us to continue with the smartphone because on a PC it may give an error. Alternatively, it gives the option to continue from the PC” “The QR code directs us to the internet address: https://osasuna-socios.app.das- gate.com/, and that address is the one referred to at the beginning of this document.” If we continue from the PC, the registration process starts, with a box to fill in NIF or NIE, email and a box that says “By clicking on register you accept our privacy policy” Below that is a second box that says “I expressly consent to the processing of my personal data, including my image for the generation of a facial vector using an artificial intelligence system that allows my identification when accessing the stadium”, next to the “register” tab, and another that says “Do you already have an account? “log in”. When you press the first “Check” of “By clicking on register you accept our privacy policy”, a first layer of personal data protection information is shown on the screen, of which a printout is attached, under the literal: “terms and conditions” “basic information on data protection”, with the details of the person responsible: C.A. Osasuna, the “purpose: Access control through a facial recognition system, legitimation: consent of the interested party art 6.1.a) and 9.2.a) RGPD, express authorization for the processing of images through the artificial intelligence system, facial recognition, generating a vector that allows the user to be identified for the control of access to the facilities. Informs about the recipients, and about the “rights of access and rectification and deletion” “as well as other rights, indicated in the additional information” that can be exercised by contacting lopd@osasuna.es and dpo@gfmservicios.com and/or clicking on the link on the website and the member portal - “exercise of ArSol rights” ” Additional information: You can consult additional and detailed information on data protection here: https://www.osasuna.es/politica-de-privacidad”, On the right of the document there are the “reject” and “accept” boxes. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 46/128 When you click on the link to the privacy policy (additional information), you will get a “page not found” on the Osasuna website. If you click the “Reject” button on the right-hand side of the document, it will return you to the form without the “Check”, while if you click “Accept”, it will return you with the “Check” checked. When you fill in all the “registration”, “NIF or NIE”, “e-mail”, “by clicking on register you accept our privacy policy” box and the other “I consent…” box, the “register” tab is activated. “When you click the registration button, the process begins by requesting to show the QR code of the ticket on camera:”. 11. Access to the internet addresses https://www.osasuna.es/politica-deprivacidad and https://www.osasuna.es/acceso-biometrico-a-el-sadar and to the records of the same in the “internet archive” (https://web.archive.org/). Carried out on 10/10/2023. At the first address, the 8 records from 2022 and 2023 are accessed through the “internet archive” tool, the last one from 06/01/2023, and all of them refer to the last update as November 2019. Its content is printed Also, on 10/10/2023, https://www.osasuna.es/politica-deprivacidad is accessed and the result shows “page not found” On 10/10/2023, an attempt is made to access https://www.osasuna.es/acceso-biometrico-a-el-sadar with “page not found” appearing “Access on 10/10/2023 through Internet Archive (https://archive.org/web/) to the historical records of the address https://www.osasuna.es/acceso-biometrico-a-el-sadar, gives 4 versions of registrations for 2022 and 2023: 04/15/2022, 05/25/2022, 09/27/2022, and 05/31/2023”, printing its content. In it, it is reported that the pilot test of access through biometric access with facial recognition will be established on 04/10/2022 and “on 04/20 there will be eight doors that will offer members the possibility of using this type of access”, it is indicated that for those who wish to do so, as a faster, more comfortable and safer way of access because it allows access without having the card. There is a FAQ section, and another one on “register to use biometric access” “register in a minute”. 12. Downloading information relating to (…). (https://tienda.aenor.com/norma-(...) A sheet of information is offered by the AENOR store on “Information technology, security techniques, information security systems management, requirements”. 13. Download of information related to the (...) carried out on 10/19/2023 from the url: ***URL.1 Information is offered (...), on security assessment. 14. Download of information related to the standard (...) from the AENOR website on 10/21/2023. (***URL.2) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 47/128 This is a sheet with the AENOR store advertisement for “quality management systems”. 15. Download of information related to the standard (...) from the website from AENOR on 10/22/2023. (***URL.3) It consists of a folio that offers information on the sale of the product “biometric attack detection, tests and reports. 16. Navigation through the NIST website and its programs on facial recognition carried out on 10/22 and 10/23/2023. 17. Evaluation report of the algorithm (…) in the FRTE 1: N Identification evaluation, downloaded from ***URL.4.pdf 18. Evaluation report of the algorithm (…) in the FRTE 1:1 Verification evaluation, downloaded from ***URL.5.html It consists of a graphic report from the NIST entity, generation date 09/28/2023. 19. Evaluation report of the algorithm (…) in the FRTE 1:1 Verification evaluation, downloaded from ***URL.6.html It consists of a graphic report from the NIST entity, generation date 09/28/2023. 20. Capture, on 10/23/2023, of the content of the website https://www.osasuna.es/facialRecognitionPolicy and download of the documents linked to it (privacy policy and responsible declaration) Figure “PRIVACY POLICY RELATING TO FACIAL RECOGNITION”, reporting that “it has implemented the requirements and measures of the RGPD and the LOPDGDD in relation to the obligation established by article 35 of the RGPD regarding the processing of biometric data for access through facial recognition”, below, two downloadable: 1-PRIVACY POLICY RELATING TO FACIAL RECOGNITION: which contains four pages and is entitled: “PROCESSING OF ACCESS CONTROL DATA TO FACIAL RECOGNITION FACILITIES - complete information on data protection”, Last update date: January 2022, indicating: - data of the person responsible, the DPD, - For what purpose do we process your personal data? At CLUB ATLÉTICO OSASUNA we process the information provided to us by interested parties in order to manage access to the facilities of members through facial recognition created with the processing of images generating a vector that allows the member to be identified. CLUB ATLÉTICO OSASUNA will process this data for the following purposes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 48/128 Subscriber Registration (AA) – the personal data of subscribers will be processed for the purpose of digitizing them and verifying the identity of the subscriber in order to register them in the DAS-GATE system, a provider contracted by C.A. Osasuna for the provision of the biometric access service. The data to be processed for this purpose will be the data provided by the interested party (identification data), as well as the National Identity Document, the image obtained from a selfie of the interested party and the contents of the QR code of the subscription (subscriber and ID number, as well as access ID). Biometric Access (AB) – personal data will be processed for the purpose of allowing access to the Club Atlético Osasuna stadium through facial recognition, an alternative entry system that strengthens the security of access to it, as well as speeding up entry to it, making it easier for the Club's members. Login to das-Gate portal (IS) – personal data of interested parties will be processed so that they can identify themselves and access the DAS-GATE portal, so that they can manage access through facial recognition associated with the subscription, being able to request cancellation of this service or the transfer of the subscription, in those cases where it is permitted. No automated decisions will be made based on the data provided. - How long will we keep your data? The identifying data of the member will be kept for the duration of the process for the generation of the corresponding vectors, being automatically eliminated by the computer systems at that same time. The irreversible vectors, as well as the access IDs and the user ID (created by the member), will be kept until the interested parties request their deletion, unless other legally established provisions apply. In any case, the data will be deleted if the user ceases to have the status of a member of C.A. Osasuna or assignee of a Club subscription. - What is the legitimacy for the processing of your data? We indicate the legal basis for the processing of your data: Consent of the interested party: Art. 6.1.a) RGPD EU 2016/679 and Art. 9.2.a) express authorization for the processing of images using an AI (Artificial Intelligence) system, facial recognition, generating a vector that allows the identification of the member, for access control to the facilities. - To which recipients will your data be communicated? Data transfers to third parties are not planned, except for those transfers made to third parties and entities related to the data controller that are necessary for the provision of the service, such as DAS-GATE, the entity that provides the devices and systems necessary to carry out data processing for access through facial recognition. -Data transfers to third countries C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 49/128 No data transfers to third countries are planned. - What are your rights when you provide us with your data? Any person has the right to obtain confirmation as to whether or not CLUB ATLÉTICO OSASUNA is processing personal data that concerns them. Interested persons have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. You also have the right to the portability of your data. In certain circumstances, interested parties may request that the processing of their data be limited, in which case we will only retain them for the exercise or defence of claims. You may materially exercise your rights through the Private Area of each user in the DAS-GATE Portal, in which the options for exercising your rights have been enabled through forms in which the interested party must duly prove their identity. You have the right to withdraw said consent at any time, without affecting the lawfulness of the processing based on the consent prior to its withdrawal. If you feel that your rights have been violated with regard to the protection of your personal data, especially when you have not obtained satisfaction in the exercise of your rights, you may file a claim with the competent Data Protection Control Authority through its website: www.aepd.es. - How did we obtain your data? The personal data that we process at CLUB ATLÉTICO OSASUNA come from: The interested party. Data that is processed: - Identification data of the member. (ID of the holder, front and back) - Email address of the member. - Data from the QR code of the membership (ID, number of subscribers and access ID) - - Member number - Image of the member - “Vector” algorithm of the image of the member. - User ID on the DAS-GATE platform. The following categories of special data are processed: biometric data “images” for facial recognition, that is, for the generation of the member identification Vector. - 2 “RESPONSIBLE DECLARATION OF COMPLIANCE WITH THE RGPD AND LOPDGDD”, which is structured in two sections: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 50/128 -The first contains a declaration dated 18/02/2022 that C.A.OSASUNA “has implemented the measures established in article 35 of the RGPD” regarding the processing of biometric data for access through facial recognition and the index of the document. -The second is a summary of the EIPD, which consists of an alternative and complementary system of the currently existing entry admission procedures. It contains an index, although not all the points are explained, dealing only with its introduction and the 7th “duty of information and rights of interested parties”. SIXTH: Brief analysis of the EIPD provided by C.A. OSASUNA in previous investigations In addition to the above, the EIPD provided by C.A. OSASUNA should highlight: - “3 Roles of the different parties involved in data processing”. 3.1. “In the present case, the data processing is carried out in relation to OSASUNA subscribers, with a prior relationship between them and the Club, consisting of the acquisition of the subscription, the purpose of the processing being to guarantee the access by the subscribers to the El Sadar stadium as a consequence of the acquisition of the subscription as a means of access to the sports venue.” -In point 4.3, a section is dedicated to what various documents of the Working Group of WG 29 refer to, referring to the risk of processing biometric data, without being able to cite the Guidelines 5/2022 adopted by the EDPB on 04/26/2023 (the DPIA was approved on 02/04/2022 and contributed to this procedure on 03/13/2023, which, although in terms of application of the Law, refers to various cross-cutting arguments on the rights Three tables are attached. The first ones are titled “LEGAL RISKS.” To describe the “measures to be adopted” (last column), they describe the “risk” in the first one, and in the middle one: “current status”, describing the measures related to it, those that they have implemented and consider. In all the “measures to be adopted”, they appear “it is not necessary to adopt measures additional”. It highlights, for example; “risk of non-compliance with the principle of legality, current status; the legal basis of the treatments has been determined. The second tables, foresee and are called: “ORGANIZATIONAL MEASURES”. In these, the “legal requirement”, the “measure”, and the “compliance” are indicated, which in all cases responds YES. Among others, it states that “DAS-GATE has carried out an analysis of the risks derived from the treatment and the measures necessary to alleviate them”, or that “the measures adopted have been subject to evaluation and certification, taking into account the measure that “DAS-GATE has ISO certifications with respect to (…)” Table three, is called “security risks” and its structure is the same as the previous one, appearing in the “compliance” section YES. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 51/128 The conclusion is: “Based on the conclusions reached in the analyses carried out throughout this document in relation to the different legal risks that may affect the processing activity examined, as well as the legal measures implemented by OSASUNA to reduce or mitigate said risk, it can be considered that the evaluated processing would not imply a high risk for the rights and freedoms of the interested parties.” SEVENTH: Agreement of initiation of 4/12/2023 On 4/12/2023, the director of the AEPD agreed: “TO START SANCTIONING PROCEDURE against CLUB ATLÉTICO OSASUNA with NIF G31080179, for the alleged infringement of the GDPR of the following articles: -5.1.c), in accordance with article 83.5.a) of the GDPR, classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.a) of the LOPDGDD. - 9, in accordance with article 83.5.a) of the GDPR, classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.e) of the LOPDGDD.” “ORDER as a provisional measure to CLUB ATLÉTICO OSASUNA, with NIF G31080179, in accordance with the provisions of article 69 of the LOPDGDD and article 56 of the LPACAP, the temporary suspension of all processing of personal data related to the facial recognition solution for access to the El Sadar stadium. The provisional measure must be carried out within ten business days, counting from the notification of this agreement to open the procedure, and will remain until its final resolution, in which it must be confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the LPACAP. To this end, it must justify before this Spanish Data Protection Agency the attention to this request.” “For the purposes provided for in art. 64.2 b) of the LPCAPAP, the sanction that could correspond would be for the infringement of article 5.1.c) of the RGPD is an administrative fine of 200,000 euros, and the infringement of article 9 of the RGPD, with another administrative fine of 200,000 euros, assuming a total amount of 400,000 euros, without prejudice to what results from the investigation.” EIGHTH: Sending a copy of the file On 7/12/2023, C.A. OSASUNA requests an extension of the deadline to make allegations and a copy of the file. The communication of the extension of the deadline was sent on 12/12/2023, together with the letter with the copy of the file on encrypted USB storage, as it exceeded the maximum allowed in the Notific@ system, formalizing the delivery by courier. Independently, through electronic delivery it was sent on 12/13/2023, (…), which was notified on 12/14/2023. The electronic delivery, like the start agreement, was delivered, but not the delivery by courier, which was unsuccessful due to being “absent”, on 12/15 and 12/19 at c/ Sadar s/n in Pamplona, Navarra, being returned on 12/22/2023, so that C.A.OSASUNA does not have, after the time has elapsed, the letter of extension of the deadline or the copy of the file. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 52/128 On 12/28/2023, a letter was sent to C.A.OSASUNA to inform it that the sending of the copy of the file was unsuccessful and it was requested to provide the delivery location and contact information of the person and telephone number. C.A. OSASUNA, on 01/11/2014, provides these data and sends a copy of the file that was delivered on 01/16/2024 NINTH: Allegations to the start agreement of 12/28/2023 On 12/28/2023, C.A.OSASUNA made allegations, stating: 1) Regarding the content of the operative part, referring to the adoption of the provisional measure imposed, it states that it is not a procedural act, but that it may cause harm. and that it will challenge it in the administrative-contentious manner in order to obtain the suspension of the decision, because it affects its rights and interests susceptible to protection. In announcing this interposition, it requests, in application of article 90.3 of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (hereinafter LPACAP) for the provisional measure adopted to be provisionally suspended. 2) The reasoning of the initiation agreement is based on the premise for the two imputed infringements, that the establishment of the voluntary system of access to the El Sadar football stadium, through facial recognition, entails a high risk for the Club's subscribers. Subsequently, the initiation agreement carries out an alleged description of the treatment carried out by the biometric recognition systems, second part of legal ground two, in which it analyses the alleged risks generated to the rights and freedoms of the interested parties by the biometric recognition system established. He states that in that second legal basis, it is insisted on describing the system used as based on the technology of measuring distances between different points of the face - recognition system by "landmarks" - obtaining as a result a mathematical vector and associating the risks indicated in the start agreement when knowing the vector generated with this engine and being standardized systems. This is stated in pages 49 and 50 - which describes the typology of biometric data and the correlation of the sample taking with personal data. Reviewing some paragraphs that tend to explain why these personal data are considered, C.A.OSASUNA selects others, concluding that: “Based on the evaluation and treatment as high risk in light of the considerations just indicated, the start agreement considers that this circumstance determines that the principle of necessity is not met in this case, since the agreement considers that there are other alternatives for access to the stadium that guarantee, as indicated, the full identification of the subscriber given that their data are already sufficiently identified on the subscription card in its various formats.” The start agreement, based on this consideration, shows that biometric data generate an additional risk because they have a “merely probabilistic” character. It adds that, however, in the responses to the two requests, it stated that its system does not respond to the systems described in legal basis II of the start agreement but rather to artificial intelligence models based on neural networks. He reiterates what he stated about the generation of the biometric vector contained in point 2.2 of the first request for preliminary investigation actions. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 53/128 He adds that, in addition, with his systems the risks derived from the probabilistic nature of the model and the immutability of the affected person's face are minimized. It states that the risks had been analysed in the detailed impact assessment, being minimised by the technology used in the treatment, appearing "in the aforementioned assessment", a reference to the TECHNICAL REPORT issued by the provider of the technology used, provided as DOCUMENT 14 in the second request for information of the prior investigation actions It states that, subsequently, the document analyses how the risks derived from the treatment are minimised until their practical disappearance in the cases in which the biometric recognition system is based on AI models of neural networks. At the same time, regarding the possible treatment of other data belonging to special categories, it is provided, as DOCUMENT 1, "Latest generation Facial and Voice Biometric Technology. Characteristics and application”, prepared by the entity providing the technology used by OSASUNA, which complements the one mentioned above, in which it is expressly indicated that “the data is captured with the sole purpose of carrying out the biometric recognition (facial or voice) of the person and is treated for this exclusive purpose, without VERIDAS technologies being able to infer other data from it such as emotional state, disabilities, genetic characteristics, etc.” “The document dates from October 2021, and although since then, and as a consequence of the evolution of technology, it has been the subject of several additions, incorporating, among other issues, new tools and certifications that improve what is indicated in the document, it has been considered appropriate to provide this version of the document since it was the one used by OSASUNA to prepare the EIPD for the treatment that is the subject of this file.” "If the premise followed by the AEPD to consider two violations of the provisions of the GDPR as imputable to my client is the high risk derived from facial recognition systems that are in no way similar to the one used by OSASUNA, all the reasoning followed by the same to impute responsibility to my client must fail, given that the premise being erroneous it is not possible to apply to the system implemented by OSASUNA any of the consequences mentioned in the Start Agreement" From the visualization of document 1, it is worth highlighting: -The data will be processed by a biometric engine, that is, the software that processes the captured data to produce a "template" or biometric vector, that is, a digital reference of a set of characteristics that are then used for the authentication or identification of an individual. -Once the vector of the individual to be identified or authenticated is available, the comparison against another vector or vectors can be proceeded. It is important to note that the comparison is always made between vectors between digital references and not between biometric characteristics point the comparison between vectors is interpreted by the biometric engine that created them providing a probabilistic result C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 54/128 -The mathematical vector that they use is not developed nor is it based on characteristic points that imply taking measurements between multiple points of the biometric characteristic obtaining a mathematical vector that is the summary of said measurements. However, the mathematical vector generated with their artificial intelligence is not generated in such a simple way indicating that the racial vectors created with their artificial intelligence imply, for example, that, if a facial image is passed through two different biometric engines or even two different versions of the same engine, the resulting vector will be completely different 3) C.A. states. OSASUNA that, based on this alleged breach of the principle of necessity, the agreement considers that the legal basis on which the treatment is based in the present case is not adequate, given that it seems to try to avoid the guarantee of the principle of necessity. C.A. OSASUNA adds that the legal bases on which access with SBRF is based do not require the value of necessity because they are based on the consent of "article 6.1 a) and 9. 2 a" of the GDPR. C.A.OSASUNA states that from reading the start agreement, it is clear that the legal basis that could really "justify facial recognition control of access to the stadium would be the development of the subscriber's contract with the club for which facial recognition is not necessary or the guarantee of security in the venue which, as a mission of public interest, would not be lawful as a legal basis for the treatment if there is no regulation with the rank of law that enables said access." “This leads to a kind of circular reasoning, in virtue of which, given that there are other means that are supposedly less invasive and more guaranteeing of the right of the interested parties to access the stadium, the consent of the interested party could never be an adequate legal basis to authorize the treatment, given that by requiring alternatives to guarantee that it is freely provided and these being supposedly less restrictive of the rights, the principle of necessity would never be fulfilled. The aim is to base the alleged infringement of article 9 of the RGPD on an argument similar to that which the AEPD has incorporated in its “guide on treatments of presence control, using a biometric system”, published only a few days before the notification of the start agreement, in terms that, as the guide indicates, are susceptible to a similar analysis in relation to the cases of access control for purposes other than work-related purposes. That is, under the appearance that the treatment should have been based on other legal bases, which it also does not consider applicable, because they do not comply with the principle of necessity, what the AEPD intends with the start agreement is to deny validity to the fact that Osasuna subscribers, in exercising the power of disposition that consists of the fundamental right of Data Protection, can give consent to the processing of their personal data, since, as there are less invasive means, in the opinion of the AEPD, the principle of minimisation of personal data would be breached, which leads de facto to denying the possibility that in any case the processing of biometric data can be carried out on the basis of the consent of the interested party.” Manifiesta C.A. OSASUNA “regarding the purpose of the processing carried out by C.A.OSASUNA, the initiation agreement in its legal basis III reaches a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 55/128 conclusion that does not coincide with the one that actually governs the processing carried out by C.A.OSASUNA. In the explanation of the regulations on the control of tickets and access to the stadiums, it would be unnecessary, since it is not applicable, given that the El Sadar stadium does not have animation stands. The start agreement aims to transfer the criterion of need to the specific purpose that has been established by the LIGA in the Regulations for the Sale of Season Tickets and Tickets, RVAE in the animation stand or matches declared high risk in which the CEVRIXD declares the obligation to verify the identity of the attendees, which is not applicable to C.A. OSASUNA. In addition, it estimates the conditions of the LIGA as minimum, not as a single mode of mandatory access, so that "it would not exclude the existence of other systems that could be more reliable to facilitate the enjoyment of the matches by the subscribers that is deduced from their status as subscribers." The agreement adds that it is not possible to establish an access system other than that established by the LIGA, even if it is based on the free will of the interested parties, indicating the agreement that "even when they give their consent, the conduct of C.A. OSASUNA implies stealing the power of disposition and control over the personal data that concern him, power that belongs to the owner”. C.A. OSASUNA states that “As stated in its EIPD, the purpose of the treatment does not simply consist of the development of the contractual relationship derived from the acquisition of the season ticket, but rather in “providing the season ticket holder with a new means of access to the venue that is more appropriate and effective in view of the current state of the art, which even minimizes the risks derived from the other systems of access to the stadium”, since the control of access to the stadium cannot be indicated to be carried out through a single system. C.A. states OSASUNA, which in the initial agreement, denies the interested party the free and voluntary exercise of the full exercise of his right to access his personal data, choosing the access system that he considers most appropriate to his own and exclusive will and that C.A. OSASUNA only makes available to him so that the interested party can freely use it. “This system is not based on the mere convenience of C.A. OSASUNA, but on its desire to facilitate, as much as possible, access to the Stadium for its subscribers with the maximum possible guarantees, avoiding the possible theft or loss of their subscriber card, as well as improving the agility of access to the venue. Certainly, this is based on the existence of a right of access by the subscriber to the Stadium, but this is not, but rather the aforementioned, the purpose of the treatment.” “The premise used by the Commencement Agreement to accuse OSASUNA of the lack of a legal basis for the processing, considering that the same must be based on other legal bases that would be based on an alleged need for the processing, as well as on what was agreed upon by LALIGA, must be abandoned. Neither is the purpose of the processing that which the Agreement claims to pursue, nor is there the slightest “theft” from OSASUNA subscribers of their free power of disposal over the data that concerns them.” 4) C.A. OSASUNA states that “Consent to access the stadium through facial recognition, as reflected in the start agreement, gives the interested party absolute control over their data, who can decide when the data can be processed, both for the preparation of their facial vector and for its comparison with their image when they access the stadium using the enabled readers, recalling that no gate of the Stadium where the facial recognition system is installed has ceased to have alternative means of access to the premises that the interested party, even when they have registered on the platform, can use whenever they want, without any limitation, without even losing the power of decision and control of the means of access to the Stadium at any time. However, the Commencement Agreement, in a way that we can even dare to consider paternalistic, does not cease to consider that the free decision of the interested party about the means chosen for access to the Stadium, as well as to register on the platform and make use of the facial recognition system in each of the matches, implies a loss of the power of disposition that the interested party must have over the data that concerns him, or the use of personal data that are not evidently necessary to access the stadium, which may also include minors. It states that C.A. OSASUNA expressly indicated that the aforementioned treatment would only be possible for those to whom the regulations grant the power to give consent, over 14 years of age. The agreement also considers that it contains the error of indicating that C.A. OSASUNA “avoids any analysis by leaving the assessment of the need in the hands of those affected because it is an option and the interested party has chosen it, being the will of the subscriber. That is to say, the AEPD considers that the fact of granting the OSASUNA subscriber all the power to freely dispose of his data by authorizing whether he wants to use the facial recognition system and when he wants to use that system, is what would apparently vitiate, in the opinion of the AEPD, said system, because it leaves in the hands of the affected party the possibility of determining whether or not he considers the treatment necessary to achieve a purpose that is made available to him and that he freely authorizes. This means that the AEPD positions itself even above the legislator by establishing when it is really possible to exercise the power of disposal and when it will be the AEPD that deprives the interested party of that faculty even if it is a power of disposal that is what constitutes the fundamental right to data protection.” “The legal basis for consent is only limited because it must be provided for the processing of your personal data for one or more specific purposes, without the objective of the AEPD being the one to determine in an all-encompassing manner what those purposes are, but rather that the interested party clearly knows the scope of the disposition that he makes of his data.” “If the interested party clearly knows the scope of the consent that is requested, the purposes of the processing and even the details of the same and the way in which it will be carried out, it is not possible to conclude that the interested party has not freely made use of the power of disposition and control over his own data that consists of the fundamental right.” C.A. OSASUNA considers that users are informed in detail of the way in which the processing will take place, granting them the ability to decide when and how the processing occurs. 5) C.A. indicates OSASUNA that the only restriction as an enabling basis for the processing of personal data contained in the GDPR is found in article 9.2.a) of the GDPR, reflected in article 9.1 of the LOPDGDD. It follows from this that the processing, when the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 57/128 interested party gives their explicit consent for the processing of said personal data for one or more of the specified purposes” is applicable”, and this has been recognized by the AEPD as, for example, in the reports of the Legal Office 36/2020, in 47/2021, or 98/2022. In the same sense, in the Guidelines 3/2019, on the processing of personal data by means of video devices, approved on 01/29/2020, in its section 77, on the use of video surveillance including the biometric recognition function installed by private entities for their own purposes, for example, marketing, statistics or security, it will require in most cases the explicit consent of all interested parties, and details the example that it indicates is similar to the object of analysis, consisting of the access of passengers in the boarding or baggage check-in at the airport through video surveillance systems that use facial recognition techniques to verify the identity of the passengers who have chosen to consent to said procedure. C.A. OSASUNA states that “Likewise, in relation to the consent of the interested party, section 86 of the Guidelines adds that when article 9 of the GDPR requires consent, the data controller cannot make access to its services conditional on the acceptance of biometric processing. In other words, and especially when biometric processing is used for authentication purposes, the data controller must offer an alternative solution that does not involve biometric processing, without restrictions or additional cost for the interested party. That is, the EDPB itself, of which, it is necessary to reiterate, the AEPD is a part, considers the processing of biometric data based on the consent of the interested party to be lawful as long as the data controller makes available to interested parties another alternative means that does not include the processing of biometric data and allows the same result without implying a restriction or additional cost for the interested party.” C.A. OSASUNA, that this criterion seems to have been broken by the Guide referring to the processing of these data for labor and access control, published on 11/23/2023, and from which “it seems to be caused even though no reference is made to it in the notified initiation agreement”. It reiterates the allegation that said guide uses a circular argument, and that “in this way, the AEPD reaches a surprising conclusion that supposes de facto the extension of the scope of the first paragraph of article 9.1 of the LOPDGDD to any categories of data belonging to special categories, the will of the legislator to limit this prohibition to specific categories being entirely irrelevant for the Control Authority. And we say that it affects any category because with respect to the other categories, that is, data that reveal the health of the interested parties or genetic data, the circular reasoning to which we have referred is identical (the existence of less intrusive means excludes the possibility of giving consent)”.”Such a conclusion, which imposes a de facto prohibition of data processing, repealing what is established in the LOPDGDD in the sense of prohibiting any processing of data belonging to special categories on the basis of the consent of the interested party, is carried out, in a completely surprising way and through what is nothing but a Guide whose purpose should not go beyond showing an interpretative criterion of the AEPD for the knowledge of the recipients of the rule.” C.A. OSASUNA also considers that, in accordance with the content of the start-up agreement, denying it the possibility of establishing a system based on the consent of the interested parties for access by means of facial recognition to the “El Sadar” Stadium, limiting itself to indicating that the procedures for access to football stadiums must be subject to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 58/128 minimum criteria established by LA LIGA, makes any treatment based on the power of disposition over the data that consists of the right to data protection unviable, even when it complies with all the requirements established in the RGPD. C.A. OSASUNA considers that it has proven that it complies with all the requirements required for the processing of biometric data based on consent under the GDPR and the LOPDGDD, many of which are analysed in the EIPD, and therefore considers that article 9 of the GDPR is not violated. 6) C.A. OSASUNA states that the infringement of article 5.1.c) of the GDPR is not respected, as the data exceeds those necessary to achieve the purpose, which is exhaustively analysed in the EIPD in which it is contained, taking into account the circumstances surrounding the processing and the consequences that it may cause to the rights and freedoms of the interested parties. The risks that may arise for the interested parties from this technology are analysed in the same. C.A. states OSASUNA that the EIPD analyses at the highest level the scope of the guarantees that must be adopted in the processing of data, even taking into consideration what is established in the proposed regulation on Artificial Intelligence from which it is not deduced that “the non-remote processing of biometric data entails a high risk for the rights and freedoms of the interested parties”. C.A. OSASUNA reiterates that the system used provided by the provider, VERIDAS, which has various certifications that guarantee greater reliability, analyzing and assessing in the EIPD the “biases of probability of an error in identification”, and the “supplanting of identity” that could be carried out through the use of these systems. Reference was also made to the guarantee of integrity of the information being processed, given that the “facial recognition engines are in no case interoperable or reversible”, so that not even the developer of the system could reverse the face of an interested party from a vector. In other words, the “immutable nature of the face of people” is taken into account, adopting measures to avoid the risk to the interested parties of the “type of unique, permanent and invariable identity that is being processed”, or the “interoperability” between facial recognition systems. It states that the facial vector would vary if any technical change or evolution were to occur in the facial recognition engine, which would make the previous vector obsolete, as well as not being able to be recognized by this new version. The EIPD also analyses the life cycle of the data, the registration in the system for the verification process when it seeks to access the stadium, which has not been taken into consideration by the AEPD judging by the content of the start agreement. The EIPD on this aspect shows how measures are adopted aimed at guaranteeing the identification of the interested party, so that there are no risks related to a possible identity theft “for which certain data are collected, on an exclusively temporary basis, that allow their image to be compared with the resulting selfie photo used to generate their facial vector.” “The identity of the interested party is guaranteed by requiring, at the time of taking the selfie photo that will allow the extraction of the facial vector, proof of life, by performing a certain movement, which prevents the use of sophisticated impersonation systems.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 59/128 C.A. OSASUNA concludes that the EIPD analyses in detail the way in which all the risks derived from the treatment are assessed and how in this case they are minimised or directly excluded. C.A. OSASUNA states that “the initial agreement seems to consider that such an effort is not sufficient, given that the EIPD must become a document in which, regardless of whether, from the design, the solution that implies a lesser interference in the rights and freedoms of people is chosen, the alternatives discarded because they imply the generation of a greater risk must be taken into account. From the initial agreement it seems that the AEPD is not so much interested in analysing the risks derived from a treatment as in carrying out a kind of abstract analysis that is what determines the option for one treatment system or another” 7) C.A. states. OSASUNA, regarding the assessment of the legality carried out by the agreement on the initiation of the principle of data minimization, through compliance with the triple judgment of proportionality applicable to a measure that could imply restriction of rights of people, that the agreement focuses on the assessment of the judgment of necessity, deducing that the AEPD does not deny that the SBRF is suitable, inadequate or not pertinent, extracting: “regarding suitability, the Agreement states: “C.A. OSASUNA bases the acceptance of the facial recognition system as such, because the “full identification of the subscriber” occurs, but this problem to be addressed does not occur in this case, since the holders of the subscriptions are already sufficiently identified with the subscription card in its various formats. The agility of the system advocated, of the RF system as opposed to the traditional system, cannot by itself be a decisive part of the suitability for installing the system, and in any case, by itself it cannot justify the need for this system.” C.A. OSASUNA states that it is appropriate that the AEPD “does not deny that facial recognition is suitable for identifying the interested party, but rather considers it unnecessary for this purpose, as the data is contained in the subscription card. C.A. OSASUNA considers that the “assessment made by the start agreement on the judgment of need is conditioned by the initial premise that the purpose must be determined in the abstract and does not depend on the scope that can be given to it in light of the context in which the treatment is carried out, that is, each treatment admits a single solution, the least intrusive for the rights of the interested parties, so that any solution that implies a supposed or apparently superior intrusion must be discarded”. C.A. OSASUNA considers that with the reference in the start agreement to the fact that since April 2022 C.A. OSASUNA already had at least three modalities of user access to the stadium, “the delimitation of the judgment of need of the free will and the consent of the interested parties is being excluded.” If this literal meaning of each of the different modes or options for accessing the stadium is followed, only one would be in accordance with the principle of necessity, the one that involved the processing of a smaller number of data, and the rest should be discarded, since the purpose of the processing could be achieved with less intrusion into the rights of the interested parties.” C.A. OSASUNA indicates that, applying this to the category of biometric data, according to the criteria of the AEPD, “any procedure in which the interested party freely decides to access a certain service through biometric means should be discarded, even when, as has been C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 60/128 analyzed in the previous allegation, article 9.1 of the LOPDGDD has not ruled out the legality of the aforementioned consent.” That is to say, the AEPD is considering that the interested party should not be free to decide freely the use of their biometric data for access to their mobile terminal or to certain applications of the same that provide them with certain services, given that it would always be possible to resort to other less intrusive means, regardless of whether the risk of identity theft is greater, such as the inclusion of a password, more or less extensive, to access said services. C.A. OSASUNA indicates that the system it has implemented guarantees the treatment avoiding any risk of identity theft in the access to a certain service, correlating that the service has been effectively requested by the person and not by a third party who has been able to access the necessary means, such as the extraction of the interested party's subscription card or the theft or coercion of the interested party to provide their access codes. It considers that, in a facial recognition system, to achieve identity theft, it would need to have the face of the interested party to achieve this identification, and the system used by C.A. OSASUNA also has certified tools for the detection of identity theft attacks. Furthermore, the system would allow that, in the event of theft of the season ticket card, the right that such acquisition entails would not be deprived, since access would be possible with the biometric reader, and "no one would be able to access later through the alternative procedures that OSASUNA makes available to its season ticket holders." It is estimated that the system is implemented, therefore, for the benefit of the interested parties themselves, who will be able to access the stadium in a more agile and simple way, not even requiring the carrying of the title that accredits the status of season ticket holder. “In short, following the reasoning of the Commencement Agreement, it will never be possible to base a treatment on the consent of the interested party, given that if in order to guarantee that the treatment is free it is necessary that the interested party can have other alternatives so that the purpose pursued by the treatment is fulfilled, given that it will never be possible to consider that both alternatives imply an identical level of intrusion in the rights and freedoms of the interested parties, at least one of them, generally the one based on consent, should be discarded as intrusive, since the judgment of necessity required by the RGPD is not adequately fulfilled. And OSASUNA respectfully understands that it is not possible to reach such a conclusion on the basis of the aforementioned argument, given that this would in fact be repealing the provisions of article 6.1 a) of the RGPD.” C.A. OSASUNA carried out an assessment of necessity in its EIPD not at an abstract level, but considering all the circumstances and the context. “Contrary to the reasons stated in the start agreement, C.A. OSASUNA does not seek a supposed usefulness of the treatment for itself, nor for economic reasons. Contrary to what the agreement intends to indicate, the establishment of an additional system for access to the Stadium, “does not bring any kind of savings or reduction in cost or inconvenience to OSASUNA, for the simple reason that this system is implemented in addition to those already existing.” C.A. concludes. OSASUNA, indicating that the vision of the start agreement on the application in this case of the principle of minimization, and on the need for treatment, would determine the infeasibility of consent as an adequate legal basis for carrying out a treatment of personal data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 61/128 8) C.A.OSASUNA, referring to the principle of guilt, as contained in those cited by the CJEU of 5/12/2023, case C-907/21 Deutsche Wohnen SE and Staatsanwaltschaft Berlin, and that of 5/12/2023 case C-683/21, deduces that it could be considered guilty, "the conduct in which the controller should have been aware of the illegality of his action, it not being unforeseeable that it would be punishable by the controller competent body for this, so that “it could not ignore the infringing nature of its conduct, whether or not it was aware of infringing the provisions of the GDPR”. This requires considering the circumstances of the case examined in the present file, in which C.A. OSASUNA was aware that both the EDPB and, on a minimum of five occasions at the time of starting the treatment, the AEPD, had expressly recognized the legality of the processing of biometric data on the basis of the consent of the interested party, this criterion having even been reiterated by the AEPD in its report 98/2022, after the establishment of the access system to the “El Sadar” Stadium. C.A. OSASUNA could not venture to the contrary, nor the surprising modification of its criterion after what was indicated that it was in accordance with said Regulation. Such change represents a breach of the principle of legitimate trust, a principle that the Public Administrations must respect in their actions in relations, in accordance with article 3.1.e) of Law 40/2015 of 1/10 of the legal regime of the Public Sector. This principle, according to C.A. OSASUNA, is contained in the Supreme Court ruling of 22/02/2016, appeal 1354/2014, and that of the National Court, of 4/02/2009 (appeal 304/2007). It considers that the AEPD has modified its criteria by means of a sanctioning procedure and that the application of the principle of legitimate trust should lead to the archiving of the procedure, since the element of guilt required for the application of the sanctioning rule to proceed is not present. 9) Alternatively, C.A. points out OSASUNA that the principle of proportionality is infringed in the determination of the sanction. In the circumstances concurrent with the infringements, elements of the conduct itself that is intended to be sanctioned have been taken into account, refuted in this written statement of allegations, or "the alleged negligence that, as indicated, is impossible to apply if one takes into account that the opinion of the AEPD "was in no way contrary to the treatment carried out on the legal basis of the consent of the interested parties, this same criterion being upheld by the EDPB with which the AEPD has decided to disagree". 10) C.A. OSASUNA indicates regarding the application of article 5.1.c) of the RGPD, that it only affects a small number of subscribers, who decided to register, (…), not the totality as indicated in the start agreement. C.A. OSASUNA indicates that the aggravating circumstance of lack of diligence in the sanction of article 5.1.c) of the GDPR does not exist, since the reason contemplated cannot be accepted, given that said arguments, denied, were those that, in the opinion of the AEPD, justify the imposition of the sanction, and therefore cannot be taken into account to aggravate it. C.A. OSASUNA indicates that, regarding the circumstances taken into account in assessing the circumstances to determine the infringement of Article 9 of the GDPR, the subscribers who gave their consent to the use of the system were taken into account, unlike in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 62/128 the infringement of Article 5.1.c) of the GDPR, and that “Mention is made of a supposed amalgam of factors that would operate as aggravating factors, without the agreement mentioning any of them.” C.A.OSASUNA, also on the same article 9 of the GDPR, points out: regarding the alleged negligence of C.A.OSASUNA, "even though the AEPD had considered in accordance with the EDPB's criteria that the processing was lawful, the agreement is based on the principle that the responsibility was greater, based on a criterion completely identifiable with objective responsibility, taking into account its activity, the object of which cannot, evidently, be considered directly linked to the processing of personal data." TENTH: Proposed resolution of 10/30/2024 and allegations. On 10/30/2024, a resolution proposal was issued, with the following literal: “FIRST: That by the Director of the Spanish Data Protection Agency, regarding CLUB ATLÉTICO OSASUNA, with NIF G31080179: -The infringement of article 9 of the GDPR be declared closed, in accordance with article 83.5 a) of the GDPR, and classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.e) of the LOPDGDD. -A violation of article 5.1.c) of the GDPR shall be sanctioned, in accordance with article 83.5 a) of the GDPR, and classified as very serious for the sole purposes of the prescription of said violation, in article 72.1.a) of the LOPDGDD, with a fine of 200,000 euros, SECOND: Regarding the temporary suspension included as a provisional measure in the initiation agreement, by virtue of article 58.2.f) of the GDPR, it is proposed that it be raised to definitive, urging its prohibition. This will mean that regarding the processing of personal data relating to the biometric facial recognition system for access by persons subscribed to the C.A. OSASUNA to the El Sadar stadium, that within 30 days from the resolution that ends this procedure is enforceable, with the prohibition of the treatment of the aforementioned data for this purpose and the deletion of all data that is related to the operation of the aforementioned system, to safeguard the fundamental right of the (…) people who subscribed to the system on 12/28/2023, and in this sense it is certified by the C.A. OSASUNA.” ELEVENTH: Objections to the proposal On 11/18/2024, objections were received from the C.A. OSASUNA 1) Regarding the elevation to definitive of the provisional measure adopted in the start agreement, consisting of the prohibition of the treatment, C.A. states OSASUNA that since the end of the 2023/2024 season, the data processing through the SBRF analyzed in this file is not operational. It also indicates that the aforementioned suspension C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 63/128 imposed is pending resolution by the administrative litigation chamber, ordinary procedure 5/2024. 2) In view of the fact that the infringement of article 9 of the GDPR has been filed in the proposal, he adds that, nevertheless, the AEPD intends to exclude from the debate the ultimate reason, the exclusion of the consent of the interested party as a legal basis for the processing of biometric data in access control systems to a specific location. 3) Reiterates that it was aware that both the EDPB and the AEPD, on up to five occasions, had expressly recognized the lawfulness of the processing of biometric data on the basis of consent and Opinion 11/2024 on the use of facial recognition to speed up the flow of passengers at airports (compatibility with articles 5.1 e), 5.1) f, 25 and 32 of the GDPR, adopted on 23/05/2024, in which it is "considered respectful of the principles of minimization and necessity, a processing of biometric data whose purpose is to improve the efficiency and streamline an access system." The Court gives as an example “scenario 1” of the aforementioned Opinion, which expressly states that the measures chosen could be considered to comply with the principle of necessity in relation to the purpose pursued – rationalising the flow of passengers – if, depending on the circumstances of the processing, the data controller can demonstrate that there are no less intrusive alternative solutions that could achieve the same objective with the same effectiveness. It adds that the Opinion establishes as a reason justifying the processing of the data the effectiveness of the result and the streamlining of the process, and the “non-existence of a breach of the principle of necessity in the processing, given that the remaining alternatives do not offer this benefit provided that there is a volitional element on the part of the passenger who is aware that the more agile procedure would involve the processing of data that would not be provided in the alternative process”. The AEPD “denies in the resolution proposal that such an option is possible, given that the fact of proceeding to the processing of this category of data implies an alleged unacceptable risk to the rights and freedoms of the interested parties, that is, a conclusion diametrically opposed to that expressed by the EDPB”. Therefore, it reiterates that the violation of the principles of good faith, legal certainty and legitimate trust and the prohibition of arbitrariness of public powers remains fully applicable to the case, being reinforced with the aforementioned arguments of the aforementioned Opinion 11/2024. Finally, it reinforces its argument in the recent judgment of the Supreme Court, appeal for cassation 5039/2022 of 15/07/2024 in which, invoking the principle of predictability in Administrative Law on sanctions, it is clearly indicated that it is not possible for the AEPD to exercise its corrective sanctioning powers by assessing on its part a sanction of the Data Protection regulations that the data controller could not reasonably foresee, implying the action of the AEPD the requirement of compliance with an obligation not expressly provided for in the aforementioned regulations. The Supreme Court considers that, in the event that the enforceability of these additional requirements is assessed, the control authority may make use of these other powers that the legal system grants it, but in no case of the sanctioning powers. It considers that this is the case with C.A. OSASUNA, having planned a treatment with a SBRF based on the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 64/128 consent of the interested parties, knowing that it was not considered by the AEPD or by the EDPB contrary to the data protection rules, without this implying the violation of the principles of proportionality, minimisation, necessity and legality. “It is not possible for the AEPD to agree to the imposition of a sanction based on an integration of the principle of necessity that was not foreseeable” by C.A. OSASUNA, “since the principle of predictability referred to by the Supreme Court is affected.” It indicates that said treatment criterion was altered with the “Guide on the treatment of presence control through biometric systems” (v. November 2023), which is de facto considered a source of data protection law and changes its criteria, breaking the principle of legitimate trust on the first paragraph of article 9.1 of the LOPDGDD. It considers that this does not imply that the same effect does not occur in the imputation of article 5.1c), that a treatment based on the mere will of the interested party - his consent - would be illegal, because it will never be respectful of the principle of necessity, so it will never be possible to base such treatment on the mere will of the interested parties. 4) The respondent states that in the proposed resolution the AEPD cannot categorise the SBRF it implemented as high risk a priori, considering that it does not entail, as it claims in the proposal, "a high risk for the rights and freedoms of the interested parties". In its proposal, the AEPD has not carried out a real analysis of the risks in the case in which the treatment is carried out with the SBRF, considering the means, such as the technology used, the way in which the facial vector data will be processed, the security measures adopted, the conservation periods, etc., considering that such factors are irrelevant. It points out that, in the proposal, it is omitted that the reason that leads the GT 29 to consider the existence of a high risk of interference of the treatment in the rights and freedoms of the interested parties, derives fundamentally from the technology used for the treatment and the format of the biometric data obtained. In the proposed resolution, some of these risks are indicated in the legal basis V.1, which it states are also cited in Opinion 11/2024. For the AEPD, in the proposal, the facial vector is nothing more than the mere mathematical representation of a map of characteristic points from which it is possible to derive and reverse the identity of the person, despite the fact that they have reiterated that their techniques use artificial intelligence based on neural networks, considering that the techniques are different from those that consist of mathematical representation of a map of characteristic points, and from those traditionally referred to, for example, in the 2003 working document on biometrics, and C.A. OSASUNA estimates that the AEPD considers that this fact is what generates this high risk to the rights and freedoms of the interested parties. After indicating that with the mentions of the risks referred to by the AEPD in the proposal "as well as the EDPD in its Guidelines 11/2012", it is concluded that these would be: Uniqueness of the biometric vector. The proposal understands that, given that the biometric template is generated from the features of a certain person and these being unrepeatable, if the template is compromised it cannot be modified or replaced by another, given that its generation always starts from the same immutable model (the face of the subject) and the same procedure for generating said template. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 65/128 Reversibility of the biometric vector. Likewise, the AEPD considers that the risk is high given that from a stored biometric template it is possible to reconstruct the original information and, therefore, the face of the person, given that the template represents specific and characteristic points of the interested party's face. Therefore, when the templates are stored in centralized databases, which can be the target of attacks and security breaches, it would be possible to reconstruct the model from which the template was generated or, at least, the reconstruction of the points that characterize that pattern, with the consequent risk of identity theft, compromising both their privacy and the possible exercise of other rights. Interoperability of the SBRF. The proposed Resolution expressly refers to this characteristic of the aforementioned systems, so that the biometric templates, once created, could be reused in different systems for multiple purposes, so that a much higher risk is produced, given that, if a template is compromised in a system, the attacker can access other services using the same template. In fact, there are other models of biometric data processing, in particular, recognition through fingerprints, based on the establishment of international standards, applied by the different systems. Immutability of the biometric vector. As already indicated when referring to uniqueness, and unlike other authentication methods, biometric templates cannot be modified or revoked, because they are essentially a “written” representation of features that are immutable to the person (the face cannot be changed). Therefore, in the event of a compromise or security breach of a biometric database, given that the interested party does not have the ability to change his facial identity, the attacker will be able to use it, while the interested party will not be able to alter it, thus being exposed to a risk situation permanently. The Resolution Proposal, as indicated, takes as its main premise the classification of the processing carried out by OSASUNA through the SBRF as high-risk processing, which leads it to reach the conclusion that, since it implies an inadmissible interference in the rights and freedoms of individuals, said processing can never respect the principle of necessity if there are other processing activities capable of achieving the same purpose (it has already been indicated that the one assessed by the AEPD -simply, access to the Stadium- is not the real purpose of the processing), it will never be possible for the processing carried out by OSASUNA to be respectful of the principle of minimisation. It considers that the AEPD establishes an a priori assessment of the risk, since its Risk Management Guide and Impact Assessment in the processing of personal data mention the adoption of technical and organizational measures to determine whether the inherent risks of the treatment are susceptible to being minimized to determine the residual risk. In the proposal, the AEPD has assessed the inherent risk through the factors mentioned, ignoring whether said intrinsic and inherent risks concur in the SBRF. It has decided to equate the inherent risk - obtained without the prior evaluation of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 66/128 characteristics of the treatment with the residual risk, in order to reach the determined premise of considering the treatment to be unlawful. He reiterates that the technology used in the treatment of the SBRF that he has used, to which he refers in the “technical report on facial biometric technology” (DOCUMENT 14) (folios 440 and following) and in the EIPD, does not take the “landmarks” as a point of reference for the generation of the facial vector. His SBRF for the recognition of the person does not start from the establishment of maps of points or distances between characteristic points of the human face, but rather from the recognition of an innumerable number of features that differ from one face to another (such as, to give simple examples, the shape or colour of the eyes, the size of the nose, the colour of the skin, the volume of the lips, cheekbones, chin, etc.). This same system is followed in the present case, in which, based on an image of the face, which, let us not forget, must in any case be accompanied by the realization by the interested party of a proof of life that accredits that it is not a question of usurping the identity of the interested party (thus avoiding such usurpation), the SBRF will interpret in an abstract manner information on more than five hundred characteristic elements of said face. This SBRF differs from that established in the resolution proposal. Unlike a model generated from “Landmarks”, in which the numerical value would be immutable from the characteristic points obtained (since their characteristic map or the distances between them will be invariable in any case with respect to the interested party to whom the SBRF is applied, since they are a direct representation of their features), in the RBR (Renewable Biometric Reference) model implemented in the SBRF used by OSASUNA, the vector is generated by association and referencing of the face subjected to recognition with respect to a series of faces (generally greater than a million) used in the training of the model and with respect to each of the more than 500 distinctive features used by the model. “When the interested party requests the generation of their facial vector for biometric recognition, the SBRF attributes a numerical value to it in relation to each of the mentioned features. This value is not generated from a scale referring to the specific feature, but from the comparison of that feature with those that constitute the aforementioned training sample. In addition, it is relevant that “each of the SBRFs that are generated, and even each of the versions of the same system, will differ from the rest, either in the delimitation of the faces used to train the system or in the order assigned to each characteristic feature for the formation of the aforementioned matrix, or in both. This implies that the same face will receive a different value in each system and in each version of the former, so that the facial vector of the same person would be modified even as a consequence of the fact that a single face in the sample used in training is altered or the location of the parameter corresponding to two features in the matrix generating the facial vector is simply exchanged.” He estimates that the system used by C.A. OSASUNA is characterized by: “● The representation of the same human face can give rise to multiple vectors, so that each SBRF will generate a different vector from the others and each version C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 67/128 of the same SBRF will also generate a different vector from the one generated by its previous version. That is, there would not be uniqueness, but rather multiplicity in the vectors generated by the same face depending on the SBRF or its version. ● The facial vector is always irreversible, since it is generated by reference to the position of the interested party with respect to each of the features within the set of faces used as a training model. Thus, it is impossible to proceed to the reconstruction of the face (or of the characteristic features) from the obtained matrix, even if both the order of assignment of each of the features and the total of the images of the sample were known, which is technically unfeasible, since the absence of even one of them would alter the numerical result derived from the positioning of the face with respect to which the vector has been generated. ● The facial vector would never be interoperable, since, as has been said, both the sample and the positioning of each of the features in the generation of the vector would change from one SBRF to another, or even between versions of the same SBRF. In this way, the use of the vector is limited to the system that created it since only this can understand the positional references that each of the components used for its generation represents. Therefore, the reuse of a vector by any system other than the one that generated the data would not be possible. ● The SBRF is immediately revocable, so that in the event of compromise (although it has already been seen that the risk of unauthorized access to the facial vector under the RBR model is non-existent or minimal) it would be possible to generate a new reference, simply by modifying a configuration variable in the system, such as the introduction of an additional comparison element. In this way, the facial vector obtained by the SBRF analyzed in this procedure would be, by definition, susceptible to mutating into another (given the multiplicity characteristic referred to in the first point), thus eliminating the risks generated as a consequence of the immutability of the vector. “ It indicates that the NIST page accredits compliance with the SBRF of C.A. OSASUNA from VERIDAS, model “(...)” indicating the link that leads to the report of XX/XX/2021, concluding that the model is certified and audited and the accuracy of the data is guaranteed C.A. OSASUNA disagrees with the response given in the proposal that indicates that “technology is only one factor to be considered, since other types of measures must be implemented that may include technical and organizational measures of all kinds, and not only security measures. In this case, it was not considered that there was no proportionality or necessity in the treatment derived from the high risks that this type of treatment entails, but rather due to its analysis of the content derived from the EIPD and the analysis of the nature of the treatment described, and this is set out in legal basis V. In this sense, even if the image is converted into a code or vector, the treatment continues to be biometric data and therefore of a special category.” He adds that the proposal does not take into account additional measures in the processing and in the life cycle of the processing aimed at guaranteeing the rights and freedoms of the interested parties that minimise the residual risk that could arise from the processing, recalling the one aimed at avoiding identity theft or meeting the requirements for incorporation with specific reference to being over 14 years of age. He also disagrees with the statement that “the SBRF needs several additional documents and personal data to create and register the facial vector. A group of data that is used for the SBRF and from which it is based is that from the subscription card, which the members who have subscribed already had, and which would be the only ones used for access to the stadium by default in the pre-existing modality before the implementation by C.A. OSASUNA of the SBRF.”, since said data is processed only at the time of registration in order to guarantee the accuracy and integrity and during the registration process in the system. It concludes that it is not possible to maintain the assessment of the judgment of necessity made by the AEPD if the risks considered inherent to the treatment do not actually occur as a consequence of the technology of the system through which this treatment is carried out. 1) The purpose of the implementation of the SBRF is not only, as indicated in the proposal, to access the El Sadar stadium, when its additional aims are to provide agile access, without having to wait in long queues, since it processes the recognition in milliseconds, guaranteeing that the subscriber who accesses is the one who really has the right to carry out this access, without requiring an identification process through conventional means (for example, by comparing the DNI) in the cases in which this could be established, specifically for a specific event, avoiding identity theft in access as a consequence of the theft of documents proving the status of subscriber. The possibility of basing data processing on these additional qualities, such as speeding up or facilitating access to the stadium, is contained in the aforementioned Opinion 11/2014, without referring to these being a mere "convenience" or "usefulness" for the controller as indicated in the proposal. It adds that these reasons justify the processing of data and the absence of a violation of the principle of necessity in the processing (given that the remaining alternatives do not offer this benefit). The assessment of the need for processing has only taken into account mere access to the stadium, when it is access under conditions of greater agility and security for the interested party, such as avoiding identity theft, not for the purposes of Law 19/2007. It reiterates that the suitability requirement is met, since it achieves the proposed objective, which is to access more quickly and guarantee that the interested party cannot be impersonated by a third party. Regarding the analysis of the assessment of the need, it is stated in the proposal that: “Although in practice there is not usually a single way to achieve the purposes for which data processing is oriented, it can be seen that depending on how it is implemented, different risk scenarios can arise. When C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 69/128 considering these other possible alternative treatments, it is necessary to identify those that, using fewer means or less intrusive means, achieve at least equal effectiveness, that is, it must be assessed whether the intended purpose can be achieved by other means, such as using other data (of a different nature or extension) or with less invasive technologies.”, with which C.A. OSASUNA does not agree due to the conclusions reached therein. Considers that, given that beyond excluding the processing of biometric data based on the free consent of the interested party, there will always be less intrusive options, it establishes the premise that there is only one correct way of carrying out the processing of data to the exclusion of any other option that may imply greater intrusion, with this the majority of the processing carried out by any responsible party would be considered to be removed from the judgment of necessity. It gives the example of hosting data in the cloud which is riskier than on own servers, which, therefore, would never be necessary to process it using those providers. Regarding the consideration in the proposal that the agility in access to the stadium is not sufficient, C.A. OSASUNA states that the EDPB, in its Opinion 11/2024, considers the agility of access as an end that would justify the need to carry out a processing of biometric data of the interested parties. Regarding the statement in the proposal that the 1:1 authentication system involves less risk in the processing than the identification system, “the assumption extracted from Opinion 11/2024 is based on a premise that does not occur in this case, which is that in the former the risks of the systems are described, which, in this case, “do not concur with the system based on artificial intelligence”. It considers that the arguments used by the proposal to deny the concurrence of the principle of necessity do not conform to either the purpose of the processing, or to the risks themselves that are intended to be avoided by using this technology, so it is not possible to achieve the objectives of the processing in a less intrusive way. As regards the assessment of proportionality, C.A. OSASUNA points out that the advantages derived from the processing are greater than the risks generated by it, showing that the processing does not entail a high risk for the rights and freedoms of the interested parties, and that the risks generated by its processing are minimized by the technology used and by the measures adopted. 6) In the event that the procedure is not archived because it is considered that the imputed infringement exists, C.A. OSASUNA subsidiarily reiterates that the principle of proportionality is violated in determining the amount of the sanction. C.A. OSASUNA states that in the infringement of article 5.1.c) of the GDPR, the aggravating circumstance of the nature, seriousness and duration of the infringement must subsume that of the processing of special categories of data. It is based on the fact that “given that if the AEPD considers that there is an aggravation of the conduct given the circumstances of the treatment, it is obvious that one of them is that there would be a treatment of special categories of data, which on the other hand is not included as an autonomous aggravating factor in article 83.2 of the RGPD or in article 76.2 of the LOPDGDD, given that it can be considered that the reference to the categories of data made by article 83.2 g) of the RGPD would not be applicable when the aggravating factor is appreciated from the treatment as a whole.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 70/128 -In addition, regarding the assessment of the aggravating factor related to the nature, seriousness and duration of the infringement mentioned, it causes defenselessness because it is incomprehensible. “If what is intended to indicate is that the infringement is having carried out a treatment that was not necessary for the purposes that were intended to be covered by it, apart from denying that statement, such an aggravating circumstance would consist of an alleged breach of the principle of necessity, conduct that is included in the type itself, contrary to the principles of sanctioning law” He adds that the reference to the potential impact of the treatment on all OSASUNA subscribers, contained in the proposal, in the explanation of 83.2.a) of the RGPD of “if it is not stopped it may affect more subscribers, is meaningless”, since it is not possible to aggravate a sanction for a fact whose occurrence is impossible, since since the 2024/2025 season it is not processing the data with the SBRF. Regarding the second aggravating factor, in article 83.2.b) of the GDPR, OSASUNA points out that the proposal was answered in an incomprehensible manner, and that if it is a question of considering gross negligence the fact of allowing the treatment to be carried out on the basis of the consent and free decision of the interested parties, such interpretation would not be negligent or artificial, and would not follow the criteria derived from the documents of the EDPB and GT 29. It considers that these facts cannot aggravate the liability of OSASUNA, but should exclude its liability, leading to the archiving of the file. PROVEN FACTS FIRST: On 11/22/2022, a complaint was received by the AEPD referring to a press release published on 05/22/2022 by elespañol.com in which it reports the implementation of a biometric facial recognition system -SBRF- in the sports venue, El Sadar stadium, of C.A. Osasuna. As a result, the Director of the AEPD agreed to initiate preliminary actions., SECOND: In preliminary actions, dated 03/13/2023 C.A. OSASUNA acknowledged that it had established a non-mandatory SBRF, complementary to the existing one to date and that would coexist with it, to facilitate access control throughout the stadium, of members/subscribers (subscribers) to its stadium, as well as that its system complies with the requirement of being a 1:N biometric identification, accepting that these are biometric data of a special category. The SBRF, once the subscribers have been registered in the SBRF as users, allows subscribers from now to choose between this type of access and the one established and in force previously, with TWO access methods available at any match. The first day, as a pilot test of use of the SBRF was 04/10/2022, only for subscribers who had been assigned access through gate 7, with the installation in one of its turnstiles, of a combined one with biometric access at said gate. turnstile that was added to the existing turnstiles at the same gate for access by the ordinary system for the access to the stadium of season ticket holders. At the football match on 22/04/2022, the number of access gates that have terminals for the operation of the SBRF was expanded to numbers: 3, 8, 10, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 71/128 11, 16, 21 and 27, with a combined turnstile with biometric access at each gate, which was added to the turnstiles facilitating access with the ordinary system. According to the information in the elespañol.com news item, 500 people used facial recognition to enter the stadium in this match, and the system allows up to 20 people to enter the stadium per minute, and “until now there were three ways to access the stadium when the spectator arrived at the turnstiles: showing the membership card, using RFID technology that integrates these cards, or with the digital subscription downloaded to the mobile phone”. THIRD: C.A. OSASUNA emphasizes in previous actions and in its Data Protection Impact Assessment that registering to use the SBRF to access the El Sadar sports ground is one more means, since the previous pre-existing methods can be used, being added as one more option, keeping the rest of the access modalities used until then available, and the subscribed member can use any modality to access. This is added to the information on the C.A. website. Osasuna, on 04/05/2022 (doc 2 provided in previous actions, first response, 03/13/2023, fact THIRD) that it is not necessary to carry the “physical pass” “or digital on the mobile” to enter, if the SBRF is used. In frequently asked questions about the system on the C.A. website OSASUNA, DOCUMENT 5 provided in previous actions, first response, 03/13/2023, made THIRD, 1.1, it is indicated that the system will be used for season ticket holders over 14 years of age, with a “nominal season ticket”, “modern access system that has been installed as an additional option to enter the stadium, improve the experience of people visiting El Sadar, modernize the facilities, and that in the turnstiles enabled for this type of access you will be able to automatically open the barrier and enter the stadium “by bringing your face closer to the small screen that exists in said turnstiles. As advantages, it points out the speed, the comfort, security, voluntary, easy to use for everyone and that the system is trained to recognize you”, despite the changes in appearance.” Before the implementation by the C.A. OSASUNA del SBRF, 10/04/2022, the current means used for access to its stadium by subscribers were the physical subscriber card, or the digital one on the mobile phone, or with QR code reading, which coexist from 10/04/2022, with the implementation of the SBRF. It is accredited from the previous investigation actions and the responses of C.A. OSASUNA, that, with the season ticket cards, access to the stadium is only obtained by passing the season ticket card in its three forms, be it a physical card, a digital card on a mobile phone or a QR code, through the access turnstile that every stadium must have by express mandate of Law 19/2007 of 11/07 against violence, racism, xenophobia and intolerance in sport, in its article 11 "computerized system for the control and management of ticket sales, as well as access to the venue". FOURTH: As the purpose of the treatment, in previous actions, on 03/13/2023, the C.A. OSASUNA indicated that the SBRF implemented for access to the El Sadar stadium for subscribers is to guarantee Osasuna fans who have freely decided to do so access to the El Sadar stadium sports venue “through an agile and simple procedure” using said system, as a non-exclusive alternative to the different means of access made available to them by the Club. In the Registry of Treatment Activities (RAT) it appears in document 14, provided in previous investigation actions on 03/13/2023, fact THIRD, 3.5., that the purposes of the treatment “access control by facial recognition” are: “registration and management of access to the facilities using a facial recognition system”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 72/128 FIFTH: In previous actions, C.A. OSASUNA stated, and this is stated in its EIPD of 4/02/2022, that the user registration process in the SBRF for C.A. OSASUNA subscribers must only be carried out once and is done remotely and in a guided manner. Its characteristics are that it can be done from the user's mobile phone (preferably), tablet or computer with an internet connection and camera. It can be started from the OSASUNA website, www.osasuna.es, where there is a notice with general information about the system and a button to start the guided registration and activation process at the link: https://osasunasocios.app.das-gate.com/, and for its activation it is necessary: - data entry: ID and email, with two boxes to check on consent and privacy policy, the details of which are analyzed in the following proven fact. To continue the process, the boxes must be checked and the "Start" tab must be clicked -- photo of the QR code of the Club membership card ("Scan QR of your membership" according to the screen information) – (it should be noted that the QR code contains the data of each member, the ACCESS ID, the member number and ID number that are part of the basic data contained in the membership cards). - Capture of a photo of the DNI from the front and back. - Take a selfie, placing your face in the oval that appears in the image and make the movements indicated (The system verifies that the photo on the DNI matches the features and identity of the person who took the selfie). The selfie image is compared with the image obtained from the DNI. After the aforementioned verification, it is reported that the registration process has been correctly carried out, adding that “At your usual access door you will find the access turnstiles with RF duly marked” Due to the fact that, for the registration process and storage of the biometric data, various data already indicated are used, C.A. SASUNA, stated that the image of the photograph used for verification with the one that appears on the DNI, because it is not necessary, is deleted. In addition, C.A. stated OSASUNA, which at the end of the registration process (subscriber registration) only keeps: - the ACCESS ID, corresponding to the subscription and which appears on the subscription (C.A. OSASUNA says that it is anonymous, but in the EIPD of said entity, dated 4/02/2022, section 6.4.4, 4 b) it is indicated that all subscriptions "contain a unique identifier that does not single out the subscriber, but allows the individualization of the subscription itself. This data is necessary to prevent the access system from allowing duplicate access to the stadium with the same subscription, so that once access is authorized, the use of the subscription will be impossible"). -“the hash of the user identifier in the System, which is collected for the exclusive purpose of serving as the first authentication element for the secure access by the user to the DAS-GATE portal, in order to be able to interact with the System (for example, to deregister or exercise their rights)”, as stated in the response in previous investigation actions, THIRD fact, point 1.6. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 73/128 - the facial vector identifier of the subscribed persons, about which C.A. OSASUNA states, “without associating it with any identifying data that appears on their ID or in their subscription or with the data provided by the interested party in the registration process”. Determines C.A. OSASUNA that these data are kept as long as the subscribers do not revoke their consent, and will be deleted "in the event of revocation or cessation of the subscriber status." With the completion of the user registration process in the SBRF, C.A. OSASUNA indicated that the data used for registration appear in the blocked status, except for the access ID, email and the facial vector. SIXTH: The information process on the collection and processing of the data collected by C.A. OSASUNA for the SBRF for access to the El Sadar stadium, appears on the same screen of user access registration through which registration in the system is activated, on the page https://osasunasocios.app.das-gate.com/. According to document 4 provided in the previous actions, first response, point 1, in the registration process as a user, on the first screen, together with the introduction of the first data: ID and email, there are two blank boxes to check. The first, with the “I expressly consent to the processing of personal data for the generation of a facial vector that allows identification at the time of accessing the stadium”, the second with “I have read and accept the privacy policy”. After checking it, there is the “start” tab. Document 6, which is reflected in the THIRD FACT 1.5, entitled: “processing of access control data to the facilities by facial recognition”, contains the first layer of information with the person responsible, purpose: access control by facial recognition system, legitimation 6.1.a and 9.2.a of the GDPR, “express authorization for the processing of images by means of an artificial intelligence system, facial recognition, generating a vector that allows the user to be identified for access control to the facilities”. In “rights”, the rights of access, rectification and deletion appear, “as well as other rights indicated in the additional information, which can be exercised by contacting” two addresses, one of Osasuna and another of the DPO “and/or by clicking on the link to the website and the partner portal “exercise of ArSol rights”. In this first layer there is no reference to the information on the possibility of withdrawing consent. At the end of the first layer, there is an accept button. The first layer contains a link to additional information: https://www.osasuna.es/privacypolicy”, (provided in document 7, in previous actions, THIRD FACT, 1.5,) entitled “Complete Information on Data Protection” which indicates that it is an alternative entry system that allows strengthening the security of access to it, as well as speeding up entry, making it easier for the Club's members. In the second layer, according to document 7, there is added information such as the processing of personal data in the DAS-GATE portal to manage the right of access through facial recognition, being able to request the cancellation of the service and the details of the data retention periods, indicating here the reference to the withdrawal of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 74/128 consent. Here it is also indicated that rights can be exercised through the private area of each user in the DAS-GATE portal. According to what was stated by C.A. OSASUNA, the withdrawal of the consent previously given for the use of the SBRF through the facial vector, will mean the cessation of the processing of this data for such purposes, since as indicated, the data will not be used for any other purpose, however, the subscribers in this case, according to C.A. OSASUNA could continue to achieve the purpose of accessing the stadium with the pre-existing methods OF THE SUBSCRIPTION IN ITS THREE MODALITIES.. As for the documents that appear in the link for the exercise of Osasuna rights and the exercise of ArSol rights, this contains a form to, among others, revoke the consent On the Club's website, in news from 5/04/2022, the voluntary nature of the SBRF and its complementarity with the current methods are reported. In a statement via newsletter dated 04/09/2022, these aspects were also reported. SEVENTH: According to the information provided by C.A. OSASUNA in previous actions, and in its EIPD (2.2.1), access by persons who have opted for the SBRF once registered in it occurs through the Identification Terminals provided by DAS- GATE at the stadium entrance turnstiles to which the facial recognition software is incorporated that reads and identifies the facial vector of the season ticket holders. At the moment when season ticket holders registered in the SBRF access the stadium, if they wish to use this means of access, their image is captured by a tablet-screen-sized device placed at a distance of less than one metre. When approaching said device, the system is automatically activated when a face is detected. If the proximity is adequate, the system captures the image by processing it in the same way as the vector is generated, and the image obtained from the biometric facial vector of the user who wants to access is compared with the set of stored biometric vectors entered in the system. The following logs are recorded in the IDENTIFICATION terminal: date and time, ACCESS ID, biometric terminal identifier, anonymous identifier of the user most similar to the face being identified and the biometric similarity score obtained. In prior investigations, C.A. OSASUNA specifies fact THIRD, 2.3, and as stated in its EIPD 2.2.1., that once the authentication of the subscribers has been produced through the identification of their facial vector, a request will be sent to the server in charge of activating the turnstiles at the entrance to the stadium, consisting of communicating to the server managed by the SPANISH PROFESSIONAL FOOTBALL SOCIETY SAU (SEFPSA) with which it has a contract for the processing of data, of which it does not provide a copy. The transmission is limited to the ACCESS ID, in order to activate the corresponding turnstile, without providing any data related to the facial vector. SEFPSA does not carry out any biometric identifier processing, limiting itself to the ACCESS ID. C.A. OSASUNA states OSASUNA that, once access has been accepted, in addition to the user's ACCESS ID that is sent to SEFPSA, "the sending of this request is also logged (registered in logs by the terminal-date, time, terminal identifier, anonymous user ID recognized" According to the information reflected in the EIPD of C.A. OSASUNA, in "2.1.3. Storage of the information resulting from the process", "Once the identity of the subscriber has been verified, the system permanently stores and as long as the subscriber continues to use the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 75/128 system, the ACCESS ID, the USER ID previously encrypted with the (...) and the facial vector obtained from taking the selfie photo." The data collected temporarily during registration in the service, as well as the kept during the period in which the subscriber continues to use the system will be stored on servers contracted with ***EMPRESA.1 located in the European Union” It follows that each time the subscriber accesses the Sadar stadium of C.A. OSASUNA with the SBRF, it is necessary and inherent to the system that the facial vector is associated with the ACCESS ID, this in order to control that there are no duplicates in the access with the same title (subscription) ACCESS ID. C.A. OSASUNA stated in previous actions that “When processing the access request sent by the biometric terminal, SEFPSA decides whether or not to authorize the user's access and acts directly on the turnstile, commanding (or not) its opening. SEFPSA does not inform the biometric terminal of its authorization decision. It is worth mentioning at this point that SEFPSA, upon receiving this request, cannot distinguish between requests received from biometric terminals and QR or NFC readings; that is, it does not know how the user has been authenticated." EIGHTH: C.A. OSASUNA, responsible for the processing of the SBRF system data for deciding its implementation, the means and purposes of the system, in accordance with what was stated in the fact THIRD of previous actions, 03/13/2023, stated that it had the collaboration in the processing of data of DAS-GATE CONTROL SOLUTIONS SL, with which it signed a data processor contract, (provides document 10 “license for use of the system” of 01/24/2022, and Annex I, “personal data processing contract”) using facial recognition technology, hardware and software from VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, S.L, with which DAS-GATE signed a contract as a subprocessor as a provider of document validation technology and biometric recognition (documents 11 of 06/04/2021 and 11 bis of 17/02/2021 as stated in point 1.9 of the THIRD fact). Another subcontractor contract was signed by DAS-GATE with ***COMPANY.1 (hereinafter, “***COMPANY.1”) as a provider of (…) and (…) (a copy was provided in document 12 “terms of service” and 12 bis, and “data processing addendum ***COMPANY.1” as stated in point 1.9 of the THIRD fact). All services provided by these entities are located within the European Economic Area. The facial vectors extracted for the processing of biometric data, through the SBRF used by C.A. OSASUNA, are those developed by VERIDAS and include an artificial intelligence model of neural networks, with algorithms that are based on machine learning techniques (deep artificial neural networks, deep learning). The image from which the facial vector comes is deleted from the system as soon as the process of generating said vector is completed. NINTH: The evaluation of the necessity and proportionality of the processing operations with respect to their purpose carried out through the SBRF by C.A. OSASUNA is contained in section 6 of its EIPD of 4/02/2022 entitled "application of the principles of processing", and specifically in its section 6.4 "data minimization principle". In section 6.3, it indicates that this is a new means of access to the sports venue that is more suitable and effective in light of the current state of the art, indicating in 6 4.1 that “in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 76/128 design of a new data processing, it is necessary to analyse the suitability of the data processed for the intended purpose, the possible existence of another procedure that is equally or less intrusive to achieve that objective or purpose, the weighing of the benefits that its processing would bring against the risks or damages that could emerge as a consequence of it”…the principle of minimisation would require, as a general rule, the adoption of the one that was the least intrusive”. It considers that the treatment of the facial vector is suitable "for the fulfilment of carrying out this registration process, by allowing the full identification of the subscriber (6.4.3 EIPD) and is necessary "to achieve the purpose pursued by the treatment, which is to facilitate access to the sports venue for OSASUNA subscribers who so wish, through a quick and simple procedure. Certainly, at this point, it is possible to achieve the purpose pursued (access to the El Sadar stadium) using a less intrusive means (the use of the traditionally used means, such as the use of a QR code reader incorporated into the subscription). However, the implementation of the treatment analyzed in this DPIA does not prevent the use of this option. That is, the interested party can freely decide and without this causing any type of affectation to his rights as a subscriber, to opt for one or another treatment for access to the stadium. Thus, the need would be linked in this case to the will of the subscriber, which cannot be satisfied using a less intrusive means of access” (6.4.3 EIPD). TENTH: C.A. OSASUNA already acknowledged in the first response in previous investigation actions, on 03/13/2023, that its SBRF involves the processing of biometric personal data for identification purposes (1:N), so since it is a unique identification that such processing entails, it considered that they are special category data. It added that the circumstance that lifts the prohibition of the processing of biometric data that it uses for voluntary access to the El Sadar stadium is the explicit consent for the processing of said personal data for one or more of the specified purposes, contained in article 9.2.a) of the GDPR, consent that includes and subsumes that of article 6.1.a) which it considers to be the general legal basis. According to the information contained in the Record of processing activities, RAT; “Purposes: registration and management of access to the facilities using a facial recognition system”, and in its EIPD that the purpose was “to guarantee access, through facial recognition, to the El Sadar stadium by the subscribers”. The revocation of consent, according to C.A. OSASUNA in its response on 03/13/2023 in previous investigation actions and in the EIPD of 02/04/2022 ( 6.6 ) can be done at any time from the user portal and also on the C.A. website. OSASUNA in “exercise of ArSol rights”, and implies the deletion, keeping the data blocked for three years, the maximum period coinciding with the prescription of a breach in the matter of data protection, “which will mean the cessation of the processing of this data for such purposes” (5.2.2 final EIPD). ELEVENTH: The access process for subscribers to the El Sadar stadium of the C.A. OSASUNA using the SBRF, responded in the first response in preliminary investigation actions on 03/13/2023, appearing in fact THIRD, 1.6, and in point 6.6 of the EIPD of 02/04/2022, that “the system does not store the image captured by the reader located at the entrance to the premises nor the facial vector generated from it, only the information related to the fact of access, successful identification log, acceptance or denial of access is stored. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 77/128 In point 1.8 of preliminary investigation actions, fact FOUR, C.A. OSASUNA indicates that the operation of the terminal is recorded in its systems, DAS-GATE servers, each time an identification is made, recording the date and time, biometric terminal identifier, subscriber access identifier, and biometric similarity score, providing document 11 (authentication logs for access to the stadium extracted from the system, which begins the query through the data (…) to which (…), and that these records are stored on the servers of the provider ***COMPANY.1. C.A. OSASUNA meant that these logs are kept until the beginning of the season after the one to which the stored access refers, in which a period of three years is added (maximum period of prescription of infringements of the GDPR that may be required). In the document 11 that it provides, it can also be seen that it contains the (…), which contains the (…). The same document 11 shows an example record of data that remains in the blocked storage, indicating among available files the images captured of the interested party's ID during their registration process. In the user registration process, once the vector has been created, the image that was used to create the vector, those that appear on the subscription or on their ID and those provided by the interested party in the registration process are deleted, keeping only the facial vector, the subscription ACCESS ID, the hash of the user identifier in the System for the secure access by the user to the DAS-GATE portal, in order to be able to interact with the System (for example, to proceed with their cancellation or exercise their rights). These data will be kept as long as consent is not revoked or the user continues to hold the status of subscriber, being deleted in the event of revocation or cessation of the status of subscriber. If one of these circumstances occurs, in accordance with article 32 of the LODGDD, the data remains blocked for 3 years, coinciding with the maximum prescription period in personal data protection regulations. TWELFTH: C.A. OSASUNA responded in previous actions that it carried out measurements with personnel at different points in the El Sadar stadium, concluding that the rate/speed resulting from its observations resulted in the average rate of user access through a conventional turnstile using the season ticket - NFC reader or QR reader - or paper ticket - code reader, being 12 people per minute. On the other hand, the average rate of access of people through the turnstiles that have biometric technology implemented is 20 people per minute. The values provided represent the value that has the highest frequency in the access rates. It is also confirmed that the processing of personal data of subscribers to the SBRF of C.A. OSASUNA was, as of 03/13/2023, a volume of people that (…) and on 12/28/2023, the date of allegations, of (…). C.A. OSASUNA reported in allegations to the proposal, on 11/18/2024, that they have ceased to operate with the SBRF since the end of the 2023/2024 season. Furthermore, according to their statement, the administrative appeal filed against the provisional suspension of processing imposed in the start agreement is pending resolution C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 78/128 LEGAL BASIS I Competence In accordance with the powers granted to each supervisory authority by article 58.2 of the RGPD and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II Definition of personal data and biometric data C.A.OSASUNA processes personal data in accordance with the definition of these made in article 4.1 of the GDPR "«personal data»: all information about an identified or identifiable natural person («the interested party»); An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;” Biometric data as a type of personal data is defined in Article 4.14 of the GDPR, which states: “biometric data” means personal data obtained through specific technical processing, relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data;” The scope of the GDPR extends its protection, as established in its article 1.2, to the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data, defined in its article 4.1 of the GDPR. As already pointed out in Opinion 4/2007, of the Working Party (WG) of article 29 WP136), of 20/06/2007 (art. 29 of Directive 95/46 EC, as an EU body of advisory and independent character), on the concept of personal data, biometric data can be defined as: “… biological properties, physiological characteristics, personality traits or tics, which are, at the same time, attributable to a single person and measurable, even if the models used in practice to measure them technically imply a certain degree of probability. Typical examples of biometric data include fingerprints, retinal patterns, facial structure, voices, but also hand geometry, venous structures, and even a certain deep-rooted skill or other behavioural characteristic (such as handwriting, pulse, a particular way of walking or talking, etc.). A particularity of biometric data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 79/128 is that they can be considered both as the content of information about a particular person (So-and-so has these fingerprints) and as an element to link information to a particular person (this object has been touched by someone who has these fingerprints and these fingerprints correspond to So-and-so; therefore, So-and-so has touched this object). As such, they can serve as "identifiers". Indeed, since biometric data relates to a single person, it can be used to identify that person. This dual character also applies to DNA data, which provides information about the human body and allows for the unambiguous identification of one, and only one, person.” Biometric data irrevocably changes the relationship between the body and identity, as it makes the characteristics of the human body machine-readable and subject to further use. Biometric data can be processed and stored in different ways. Sometimes, the biometric information captured from a person is stored and processed in raw form, allowing the source from which it comes to be recognized without special knowledge; for example, a photograph of a face, a photograph of a fingerprint, or a voice recording. Other times, the raw biometric information captured is processed in such a way that only certain characteristics or features are extracted and saved as a biometric template, here called a “facial vector.” Biometric systems are closely linked to a person, since they can use a specific and unique property of an individual for identification. A biometric system works with the biometric data obtained from a person, from which an algorithm extracts features to create a biometric template or facial vector. The system then checks the person's identity against the biometric database. It can do this in a second, while comparing hundreds of millions of biometric data in the database. The performance of a biometric system can be measured from three main characteristics. These are: - false rejection rate (FRR), which represents the probability of detection errors by a biometric system, meaning that it cannot recognize a user whose biometric characteristics are already in the database. In case of rejection, the person must verify his or her identity again. From a security and safety perspective, this rate does not necessarily mean that it is a negative result. -False Acceptance Rate (FAR), is the probability that a system fails to match a person's biometric characteristics with an incorrect template, and gives them permission to access. This can be a potential threat, as the system grants permission to an unauthorized person to access an account, facility, etc., and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 80/128 -Equal Error Rate (ERR), which is an essential indicator according to which a system accepts or rejects biometric inputs. This rate is the equality value between FRR and FAR and represents the ideal number of errors of the two. Each biometric method, whether face, fingerprint, palm print, iris, etc., has different values for different rates, based on which a system rejects or accepts the inputs. Biometric data have the particularity of being produced by the body itself and characterize it definitively. Therefore, they are unique, permanent or definitive in time and the person cannot get rid of them, they cannot be changed at any time, not even with age, creating questions of responsibility in case of compromise, loss or intrusion into the system. Unlike a password, in case of loss they cannot be changed. The definition of biometric data refers to "technical processing", without specifying, except to point out that the purpose of such processing must be to identify a person. In order to be considered biometric data within the meaning of the GDPR, the processing of raw data, such as the physical, physiological or behavioural characteristics of a natural person, must involve a measurement of those characteristics. Thus, the concept should not lose sight of: -The nature of the data: data relating to the physical, physiological or behavioural characteristics of a natural person; -The means and methods of processing: data “obtained through specific technical processing”; this differentiates them, for example, from images of a person appearing in a video surveillance system, which cannot be considered biometric data if they have not been processed technically in a specific way in order to contribute to the unique identification of that person. Recital 51 of the GDPR also refers to the fact that photographs are not systematically considered as special category data processing, unless a specific technical means of processing is applied to them that "allows the unique identification or authentication of a natural person." - The purpose of the processing: the data must be used for the purpose of uniquely identifying a natural person. Biometric characteristics, if subjected to technical processing, can be used to recognize a person, including from an image or photograph, assuming for its implementation a chronological process that is contained in all biometric data processing: its capture or recording of data with its subsequent storage or processing and the comparison or correspondence phase. In this case, C.A. As an additional system to the previously existing methods of access to its sports venue, OSASUNA establishes that of access control to the stadium by the member-subscriber to attend football matches. In order to be able to use it, you must first register your identity as a user in the system by capturing a series of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 81/128 biometric parameters (the face in this case) which can be done and is done in this case by means of a photograph in a computer application preferably using a mobile phone, since what is intended is to process these parameters of the face to identify the person each time they re-enter through the access point. The so-called registration process includes the following phases: - Registration of biometric parameters. It covers all the processes that are carried out in a biometric system in order to extract biometric data from a biometric source and link this data to an individual. In this case the face. The biometric engine of the facial recognition system used has an AI algorithm that is responsible for this function. The software converts these measurements into a numerical code, a facial vector, which C.A. OSASUNA calls it. This numerical code, hash or facial vector, is what is saved to compare when you enter or leave the space where the facial recognition reader is located, which records the entry or exit through the eight biometric reading turnstiles used for access to the stadium at different access doors. Therefore, facial recognition techniques require a certain cooperation on the part of the user, since the camera must be placed in front of the face, while the photo is taken at the time of registration, and at the time of access the image is captured. -Processing: Creating a facial template or vector with the personal characteristics of the captured parameters of the user. A biometric template/facial vector is a digital representation of the unique characteristics that have been extracted from a biometric sample and can be stored in a biometric database that allows or confirms the unique identification of a natural person. Furthermore, “your biometric template is assumed to be unique and specific to each individual and, in principle, permanent over time”. Typically, in a comparison process intended to identify or authenticate a person using facial recognition, an incoming biometric template is compared to stored objects to verify a match or find one in a database. -Enrollment: of the processed facial template or vector, being saved on a suitable storage medium. The storage systems for the registered template or the facial vector may vary, storage on a card, in the hands of the person, for example, on their individual device, under their exclusive control, centralized in encrypted form within the responsible entity, under their control or in the cloud under the control of a third-party service provider. As an example, Opinion 11/2024 assesses the different ways in which it is decided to implement the way of technically carrying out the treatment, resulting in different effects on data protection. For example, the control of the template, if the template is stored on an individual device under the control of the user (usually the traditional user PIN and password are in the hands of the user), if the template is stored centrally within the C.A OSASUNA, or in the cloud, with the key encrypted within the Club, or if despite the template being registered and encrypted in centralized storage within the Club, it is decrypted by the user, as well as the storage period of the registration of the record. The arrangement of the intrinsic elements involved in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 82/128 processing technique may result in the loss of control of the data of its owner, depending on the architecture of the data storage and serves as an example and benchmark for analyzing the adjustment of the biometric facial recognition treatment to the principles of articles 5.1.e) f), art 25 and 32 of the GDPR. In all the potential risk scenarios examined in the aforementioned Opinion, their adjustment to the principles it examines is assessed, thus, it indicates that “The Committee concludes that the measures chosen could be considered to comply with the principle of necessity if the data controller can demonstrate that there are no less intrusive alternative solutions that can achieve the same objective effectively”, or adds, “by applying appropriate guarantees or safeguards”. In the case of those where, after its analysis, it does not estimate such compliance, such as in scenario 3 of the aforementioned Opinion, it is indicated that: “The Committee considers that a result similar to the rationalization of passenger flow at airports can be achieved in a less intrusive manner and that the negative impact on the fundamental rights and freedoms of data subjects that would result from a breach of data security in a centralized database of biometric data appears to be greater than the expected benefit derived from the processing. Therefore, the processing cannot comply with the principles of necessity and proportionality. On this basis, the Committee concludes that the processing provided for in the third scenario cannot be compatible with Article 25 of the GDPR. Furthermore, it would not comply with Articles 5 (1) (f) and 32 of the GDPR if a controller were to limit itself to the measures described in this scenario.” Once registration is complete, the system can begin to be used. -In the last phase, a biometric sample - such as the face - presented to the reader sensor will be compared with a previously recorded/stored facial vector. The phases are consistent with the enumeration of what could be a data processing operation (collection, storage, use). Thus, the in-person capture before the device results in obtaining an image, from which the characteristics are extracted through the artificial intelligence algorithm integrated into the software of the device that C.A. OSASUNA contracted with its processor/deputy processor DAS-GATE and VERIDAS. According to document 14 provided in previous investigations by the respondent, "Technical report" of VERIDAS, which explains the general operation of the system used by C.A. OSASUNA to create the template, the extraction of characteristics resulting from the input and output of the algorithm is what provides the facial vector, unique for each person, and requires information to distinguish between the faces of different people. The raw image of the biometric characteristics, in this case the faces, is reduced, transforming, but retaining outstanding discriminated information, which is essential for the recognition of the person. These extracted characteristics are kept in a biometric template or facial vector, which is a form of reduced mathematical representation of the original characteristic. A biometric template/facial vector is a digital representation of the unique characteristics that have been extracted from a biometric sample and can be stored in a biometric database that in this case confirms the unique identification of a natural person. Furthermore, “their biometric template is supposed to be unique and specific to each individual and, in principle, is permanent over time.” Normally, in a comparison process intended to identify a person, such as the SBRF used by C.A. OSASUNA through facial recognition, an incoming biometric template is compared with stored objects to verify a match or find one in a database. The reference facial vector is stored for comparison, in this case in a centralized database held by C.A. OSASUNA where the identification and biometric data of the subscribers who opted for this system are stored, (…) on the date of allegations to the start agreement, (…) on 13/03/2023 and which has identification functions 1:N, where N are all the facial vectors stored centrally by C.A. OSASUNA in its database where those of all users registered in the system are. As to the fact that it could be argued that it only identifies the group of previously registered users, this is not a reason for not being considered biometric data, since it is intended that natural persons are identified with the data generated from the extraction of their biometric characteristics. The reference included in article 4.14 of the GDPR as biometric data intended to "allow" can be understood as identification, the reference to "confirm" as verification. For a better understanding, the concepts of authentication/verification and identification, which have been successively outlined, and the importance of the common elements that stand out in their contents, are described. Opinion 3/2012 on the evolution of biometric technologies of 27/04/2012 of Working Group 29, stated: "-Biometric identification: the identification of an individual by a biometric system is normally the process of comparing their biometric data (acquired at the time of identification) with a series of biometric templates stored in a database (i.e. a one-to-many matching process). -Biometric verification: the verification of an individual by a biometric system is normally the process of comparing his or her biometric data (acquired at the time of verification) with a single biometric template stored on a device (i.e. a one-to-one matching process).” With slight nuances, the concepts are mentioned in the “White Paper on Artificial Intelligence of the European Commission”, dated 19/02/2020, referring to the facial image: “With regard to facial recognition, “identification” means that the template of a person’s facial image is compared with many other templates stored in a database to find out whether his or her image is stored there. “Authentication” (or “verification”), on the other hand, usually refers to the search for matches between two specific templates. It allows the comparison of two biometric templates that, in principle, are assumed to belong to the same person; Thus, the two templates are compared to determine whether the person in the two images is the same. This procedure is C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 84/128 used, for example, at the automated border control gates used in border controls at airports.” In the recent Regulation EU 2024/1689 of the European Parliament and of the Council of 13/06/2024 laying down harmonised rules on artificial intelligence OJEU 12/07/2024, (AI Regulation) states its Recital 15 “The concept of ‘biometric identification’ referred to in this Regulation should be defined as the automated recognition of human physical, physiological or behavioural characteristics, such as face, eye movement, body shape, voice, intonation, gait, posture, heart rate, blood pressure, odour or keystroke characteristics, in order to determine the identity of a person by comparing his or her biometric data with biometric data of persons stored in a reference database, regardless of whether the person has given his or her consent or not. Excluded are AI systems intended for biometric verification, which includes authentication, the sole purpose of which is to confirm that a specific natural person is the person they claim to be, as well as the identity of a natural person for the exclusive purpose of having access to a service, unlocking a device or having secure access to a premises.” Guidelines 5/2022 of the European Data Protection Board (EDPB) on the use of facial recognition in law enforcement (see Version 2.0, of 26/04/2023), in section 10, state: “Like any biometric process, facial recognition can serve two different functions: • Authenticating a person in order to verify that said person is who they claim to be. In this case, the system compares a pre-recorded biometric template or sample (for example, stored on a smart card or biometric passport) with a single face, such as that of a person presenting themselves at a checkpoint, to verify whether they are the same person. This function is therefore based on comparing two templates. It is also called 1-to-1 verification. • Identifying a person in order to locate him or her among a group of individuals, within a specific area, in an image or in a database. In this case, the system must process each captured face to generate a biometric template and then check whether it matches a person known to the system. This function is therefore based on comparing a template with a database of templates or samples (baseline). It is also called "one-in-many" identification. For example, it may relate a record of personal names (surnames, first names) to a face, if the comparison is made with a database of photographs associated with surnames and first names. It may also involve tracking a person through a crowd, without necessarily establishing a link to the person's civil identity. The aforementioned Guidelines 05/2022, in their section 12, indicate that the concept of biometric data covers both “authentication” and “identification”, and although they are different concepts, both procedures process data aimed at uniquely identifying a natural person, so both are included in the concept of “data processing”, and more specifically, they are processing of personal data of special categories. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 85/128 This thesis would also be confirmed by reading recital 51 of the GDPR, which states: “The processing of photographs should not be systematically considered as processing of special categories of personal data, since they are only included in the definition of biometric data when the fact of being processed with specific technical means allows the unique identification or authentication of a natural person.” The adoption of Opinion 11/2024 on the use of facial recognition to rationalize the flow of passengers at airports, dated 23/05/2024 of the EDPB, confirms the distinction between such functions, and also that both would correspond to the concept of special category biometric data. The opinion is important because it clarifies the different importance of such functions in the architecture of the use and storage of data to deduce whether the purposes can be achieved in a less intrusive way and the level of impact on the fundamental rights and freedoms of the interested parties. In both cases, whether verification-authentication or identification, the facial recognition techniques used are based on an estimated match between templates, or vectors: the one being compared and the reference(s). From this point of view, they are probabilistic techniques: the comparison deduces a greater or lesser probability that the person is actually the person to be authenticated or identified; if this probability exceeds a certain threshold in the system, defined by its user or developer, the system will understand that there is a match. Therefore, both functions, identification or verification, can be considered as aimed at the unique identification that occurs in the person, and must be considered special category biometric data. Unique identification, on the other hand, goes beyond the fact that the data is from an identified or identifiable natural person. Data from an identified natural person is that this person is distinguished or isolated from a group of people. Unique can refer to the fact that the biometric data has such particularities that it can unambiguously identify an individual. In addition, as described in the concepts of identification/verification, the architecture of the design of the processing operations inserted in the functioning of the biometric system is of outstanding relevance for the assessment of the necessity and proportionality of the treatments. Recently, the European Data Protection Committee, in its Opinion 11/2024, on the use of facial recognition to rationalize the flow of airport passengers, adopted on 05/23/2024, has assessed its compatibility with articles 5.1.e), 5.1 f), 25 and 32 of the GDPR, which has only recalled what was already indicated in the “working document on biometrics” adopted on 08/01/2003 by GT 29, WP 80. Section 3.2 of the document indicates: “principle of purposes and proportionality.”, it was made clear that the risks for the protection of the fundamental rights and freedoms of people are different, in relation to whether the data is “processed in a centralized manner”, “central database” from those stored on a mobile device, and the compliance process is carried out on the card carried by the user, or when this is part of the mobile device and not in the sensor, “the data is not stored on the access control device”. This aspect will be discussed in the section on assessing the necessity and proportionality of processing operations. High level of risk in biometric treatments that have been reiterated in regarding their concurrence in successive opinions and guidelines on biometric data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 86/128 According to the information provided by C.A. OSASUNA, when passing through the space that collects the facial recognition image, placed for the purpose of access to the stadium, a facial vector has been generated that provides a unique value, which means that the image of the face has been processed following technical procedures (artificial intelligence among these) and the result of this process is stored ready for use. These patterns or facial vectors numerically record the physical characteristics that allow people to be differentiated. In the image collection space, the device software compares the pattern offered when it is presented to it, with the stored one, in order to grant access to the stadium. In this case, although not the entire image of the face is saved, but all the vectors of all the users of the solution ((…) as of the date of allegations 28/12/2023), each one of them is different, and is capable and effective in uniquely identifying each user by comparing in the space of the image capture, when accessing the stadium, with the rest of the existing stored images. The functions contained in the algorithm allow the extraction of the characteristics of the biometric samples and create templates or facial vectors, for their subsequent comparison with a CENTRALIZED database associated with the set of previously stored users, being able to identify the holder from among all the facial vectors, processing personal data based on the processing of facial recognition, uniquely and unambiguously identifying said person. Technically, the facial vector against which the sample is compared and which is stored together with the rest of the biometric information registered for the rest of the people subscribed to the C.A. OSASUNA system, results in the individual being uniquely and uniquely identified. The biometric data of each subscriber, acquired at the time of their capture and recorded, to be subjected to the technical procedure that converts the image into a facial vector through the algorithm, are stored, so that, with the samples introduced, when passing before the reader to gain access to the stadium, it identifies through the model (…), from among all the vectors, without a doubt, its owner, seeking the unique identification of said person. The use of the face in biometric facial recognition systems is capable of validating the identity, containing unique information about physical persons. The software algorithm, on the biometric sample, extracts the biometric characteristics, reduces and transforms that sample into a label or numbers, constituting a mathematical representation of the original biometric characteristic, which is the biometric template, or facial vector. The facial template or vector is stored for comparison in the last phase in which with the biometric sample - in the reader - and with the previously recorded template or vector, the user is uniquely identified, each time he or she enters by putting his or her face in front of the reader, so the data is considered to fall within the scope of special data, because it is a unique identification. But it is not the only type of identifying data that can be processed, there is also the possibility that, through biometric analysis, other special categories of data can be inferred and collected, and in particular, data related to health or data that reveal racial or ethnic origin, among others. In the present case, of course, it cannot be said that this is not information linked to personal data of a person identified in each access record, since, in addition, it should be noted that, if they did not allow the unequivocal identification of the user, access that is intended would not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 87/128 take place. It is thus proven that the facial vectors resulting from the specific technical processing of the solution implemented by C.A. OSASUNA are personal data that can identify subscribers, users of access through facial recognition in operation since April 2022 at the El Sadar stadium. Therefore, they are special category biometric data included in article 9.1 of the GDPR. III Regulations on ticket control and access to stadiums The legal regime in sports facilities where official competitions are held regarding the sale of tickets and access by spectators is mainly regulated by Law 19/2007 of 11/07 against violence, racism, xenophobia and intolerance in sport (Anti-violence Law). Regarding the relationship with the sale of tickets and access by spectators to stadiums, the Anti-violence Law transfers to the organizers of sports competitions and shows the appropriate measures to prevent the carrying out of prohibited conduct, as well as to guarantee compliance by spectators with the conditions of access and permanence in the venue through the appropriate control instruments to protect public order and security. Article 3.1 of the Law states as a general principle: “In general, the organizers of sports competitions and shows must adopt appropriate measures to prevent the conduct described in the first and second paragraphs of article 2, as well as to ensure that spectators comply with the conditions of access and permanence in the venue established in the second chapter of this title.” Article 6.2.a of the Law establishes that spectators must undergo pertinent controls to verify the conditions of access to the venue, and in particular its paragraph 2.b), their obligation to submit to personal searches in order to verify that they are not carrying weapons or other prohibited objects or are not carrying prohibited symbols or banners. To this end, they are also particularly obliged to “be recorded by closed-circuit television in the vicinity of the sports venue, at its entrances and inside them” (art. 6.2.a). Article 7 of the Law establishes the following conditions for spectators to remain in the venue: “1.g) Observe the security conditions duly provided for and those determined by regulation. In point 2: “b) Occupy the seats of the class and place that correspond to the title of access to the venue that they have, as well as show said title at the request of the Security Forces and Corps and of any employee or collaborator of the organizer. a) Comply with the internal regulations of the sports venue.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 88/128 Regarding the information that C.A. OSASUNA offers on the SBRF that would allow access without carrying the season ticket in its different modalities, as a title of access to the stadium, nothing was indicated. Article 11: “control and management of access and ticket sales” states: “1. All sports venues where state competitions of a professional nature are held must include a computerized system for controlling and managing ticket sales, as well as access to the venue... “ According to C.A. OSASUNA, the computerized system for access to the venue is implemented with access turnstiles that communicate the ACCESS ID to the SEFPSA servers, which will not be opened for access if it is known that the holder of that user ID is already registered for access to the stadium. It responds to the capacity control system and to avoid duplications of several people in the same seat assigned to each spectator. Article 12 of the Law states: “1. Given the inherent risk of the sporting event in question, the governing authority is authorized to impose the following measures on the organizers: “b) Install cameras in the surroundings, at the turnstiles and access doors and in the entire venue in order to record the behavior of the spectators” … “d) Install closed circuit television to record the entire venue throughout the entire show from the beginning of the event until the public leaves.” Article 13 of the Law states: “1. The State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport may decide to implement additional security measures for all sports competitions or events classified as high risk, or for venues that have been subject to closure sanctions in accordance with Titles Two and Three of this Law, and in particular the following: a) The installation of cameras in the surroundings, at the turnstiles and access doors and in the whole capacity. b) Promote systems for verifying the identity of persons trying to access sports venues. c) The implementation of ticket issuing and sales systems that allow the identity of ticket purchasers to be controlled. “2. In the cases contemplated in letters b) and c) of the previous section, information about the processing of personal data necessary to identify the spectator will be inserted in the admission tickets, as well as the procedures through which said identity will be verified, the processing being in all cases subject to the provisions of current regulations on data protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 89/128 Those who organise a sporting event will proceed to cancel the data of the people who access the event once it has concluded, unless it is appreciated that any of the conduct referred to in the first and second sections of article 2 of this Law has been carried out, in which case they will only retain the data necessary to identify the people who may have taken part in the conduct.” Royal Decree 203/2010, of 26/02, approving the regulations for the prevention of violence, racism, xenophobia and intolerance in sport, develops the aforementioned anti-violence Law. This RD, in its article 8, also establishes the obligation of the organizers responsible for all sports venues to establish a computerized system of control and management of ticket sales, as well as access to the venues, while in article 9, it obliges the organizers of sports venues where professional category football competitions are held to have numbered seats for all spectators. Its article 15: “sale of entrance tickets”, indicates: “2. All entrance tickets in sports venues where a computerized system of control and management of the same is installed must adapt their format and characteristics to the technical conditions required for their compatibility with the installed system. 3. In the cases contemplated in article 13.1 of Law 19/2007, of July 11, the verification and monitoring of the identity of those who acquire tickets or the control of the distribution of seats will be carried out by implementing systems for the sale of nominative tickets and developing procedures that allow the supervision of the distribution of assigned seats and the identification of the holders of access titles to the sports facilities. The processing of the data obtained in accordance with these procedures will be limited to providing information on those who access or intend to access the sports facilities, with the aim of guaranteeing compliance with the existing prohibitions and, where appropriate, determining the responsibilities that may arise. The organizers will cancel the data of the people who have accessed the sporting event when it concludes, keeping only the data necessary to identify those who may have carried out conduct prohibited by Law 19/2007, of 11/07, which may only be transferred to the authorities or competent bodies in matters of public safety.” For its part, article 17 of the aforementioned RD states: “Obligations of spectators regarding entrance tickets”: “1. Any person who intends to access a sports venue must be the bearer of an entrance ticket issued individually, a multiple ticket, a season ticket or any other title that authorizes the interested parties to access one or more than one event. 2. Spectators must occupy the seats of the class and place that correspond to the entrance tickets they hold. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 90/128 3. Each spectator is obliged to keep his/her entry ticket until he/she leaves the sports venue, and must present it at the request of any employee or collaborator of the organiser, as well as to the State Security Forces and Corps. 4. If a spectator is required to do so and does not present the entry ticket, he/she must choose to purchase one at the ticket office, paying its price if one is available. Otherwise, he/she must immediately leave the sports venue.” On the other hand, article 20, “Front and back of tickets”, states: “2. The tickets will indicate on the back that the sports venue is a video-monitored area for the safety of attendees and participants in the match, and will specify the reasons that prevent access to the sports venue or permanence in it, expressly incorporating, at least, the following: … … When the measures for monitoring and controlling the identity of ticket purchasers and holders of access titles to sporting events provided for in article 15.3 of this regulation are adopted, information will be inserted on the entry tickets about the processing of personal data derived from the acquisition and its control, as well as the procedures through which said identity will be verified.” The National Professional Football League, LNFP, in which the Clubs and Sports Societies are obligatorily included, approved as part of its General Regulations of the National Professional Football League, on 12/23/2015 Book XII, “Regulations for the sale of season tickets which “aims to use the sale of season tickets and tickets as a preventive element for the fight against violent, racist, xenophobic and intolerant behavior, establishing uniform criteria in the sale of tickets and season tickets for all clubs, raising the levels of security.” Article XII.1 of the RGLNFP establishes: “CONDITIONS FOR THE SALE OF SEASON TICKETS”, provides in its point 1, that their sale by the affiliated clubs will be carried out through the prior and proper identification of the purchasers of the same. “For this purpose, the purchaser of the season ticket must provide the Club/SAD, at the time of its acquisition, at least, with the following personal data, which will be processed, in accordance with the provisions of current regulations on the protection of personal data: a) affiliation data (name and surname and identity document) b) contact details (address for notifications, contact telephone number and email address). When, according to the Club/SAD policy, the transfer of season tickets is not permitted, it is recommended to request and include a photograph of the holder on the season ticket.” Article XII.2 of the RGLNFP establishes the conditions for the sale of season tickets in the animation stands, in which the subscriber is asked for biometric data, although due to the lack of C.A. OSASUNA of this type of tickets, no more than this reference will be made 3.7.- Conclusion C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 91/128 The regulations governing the legal regime of tickets and access to stadiums, at the moment, do not provide that persons who access the stadiums and carry their title enabling access must undergo any prior identification process for said access that may imply adding to the already existing data processing due to accessing with said title through the obligatory access turnstiles. It is a different matter that the sale is nominative, but it does not follow from what has been examined that the identity must be confirmed by the Club when accessing the sports venue. In any case, regardless of the fact that a means would be used for such access that could prove to be unnecessary or proportional which will be analyzed in another point. On the other hand, considering that the purchase of tickets to access football stadiums to watch the sporting event is governed by the general conditions governing the sale of the tickets, the framework of which has been drawn, the following conclusions are reached: It is reflected that, in general, article XII.1 of the RGNLFP provides for the sale of season tickets that the purchaser must provide: a) Affiliation data, name and surname and identity document, b) Contact information (address for notification purposes, contact telephone number and email address). Before the implementation of facial recognition in April 2022, C.A. OSASUNA had a nominative ticket system for access to the stadium in the form of a season ticket card, which could be with a physical card, a QR code or on the mobile phone for which personal affiliation and contact data must be provided. Furthermore, in accordance with the regulations governing the sale of tickets and access to sports venues, framed by the Anti-Violence Law, its implementing regulations and the RGLNFP, as a general rule, the collection of data used to identify people who have subscribed to access sports venues by biometric means or systems is not established as mandatory. Finally, regarding the allegation that the RGLNFP ticket and season ticket sales system does not apply to C.A. OSASUNA, it should be noted that, as a Club that is obligatory associated with the LNFP, it at least configures the general framework established for the sale of tickets and season tickets and serves as a reference for the minimum content required for the system of access to stadiums. IV Differences in data processing for stadium access. For the same purposes, access to the El Sadar football stadium, C.A. OSASUNA has a modality that is clearly less intrusive for the rights of the people who access the stadium: with the physical card or with the subscription on the mobile (NFC chip) or reading the QR code of the subscriber card, a system that was already working before the implementation of the SBRF. This system can be used by C.A. OSASUNA subscribers if they decide to stop using the SBRF system, according to information from C.A. OSASUNA, which always insists that it is not only voluntary, but that it can alternate the forms or withdraw consent for facial recognition. The modalities pre-existing to the SBRF always appear as an “access” to which one can return. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 92/128 Access to the El Sadar stadium using the methods that pre-exist the SBRF only leaves the access ID log in the access turnstile register. Access using SBRF leaves the successful identification logs as a trail: date and time, biometric terminal identifier, access identifier of the subscriber most similar to the one being identified, and biometric similarity score obtained or denial (unsuccessful identification). In the case of successful identification, the logs are kept until the beginning of the season following the one to which each stored access refers, then passing to a blocking status for three years. The subscription titles, the form that the stadium access titles take, contain personal data that C.A. OSASUNA demanded that it be necessary for the fulfilment and maintenance of said contractual relationship for the acquisition of a season ticket. These titles include: (name, ID, etc.), the power that it grants and is considered to be able to decide the means and ends for the fulfilment of the same, as the person responsible for data processing and being the organiser of the event to which it also has rights and duties. It is also these same starting data that the season ticket card contains in its various modalities (QR/mobile) that serve as the basis for implementing in April 2022 the registration and use of the SBRF, which C.A. OSASUNA decides to implement as voluntary and complementary to the previous one, in order to speed up entry and as indicated without the need to carry the season ticket card (obligation to carry an enabling title required by Law 11/2007). On the other hand, the SBRF needs several additional documents and personal data to create and register the facial vector. A group of data that is used by the SBRF and from which it starts, are those from the season ticket card, which the season ticket holders already had, and which would be the only ones used for access to the stadium by default in the pre-existing modality before the implementation by C.A. OSASUNA of the SBRF. The Social Statutes of the LNFP provide in its article 3.2.l) among its powers, that of determining the conditions that the sports facilities of the stadiums must meet for the holding of professional competitions, as well as the safety and access control standards that could be established. This regime is influenced by the fight against behaviors that promote violence, racism, xenophobia and intolerance in professional football. The RGLNFP establishes uniform criteria as objectives in the sale of tickets and season tickets for all affiliated Clubs/SAD and to raise the levels of security for all fans and participants in matches. The data on season ticket cards as a title enabling access to the stadiums, according to the RGLNFP, Title XII which regulates the sale of tickets, a matter intrinsically linked to the access that they provide, provides for: -the prior and proper identification of the purchasers of the season tickets by the affiliated Clubs/SAD, who must provide: affiliation data, name and surname, ID, address data for notification purposes, contact telephone numbers or email address (art XII.1) -“At the time of formalizing the season ticket, a clause will be included to respect the internal rules of the sports venue. 0 The other additional personal data that are not linked per se to the subscriber card, other than them, and that C.A. OSASUNA considered necessary for the SBRF process are obtained from other documents for the implementation of the aforementioned SBRF and would be the front and back of a public document such as the DNI that is used to compare the updated photo C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 93/128 that is made with the application and generates the facial vector by comparison with the DNI image. The front and back that are not recorded, must be provided in pre-existing modes of access to the stadium, and which are kept in its internal files after the registration and storage of the squad. Finally, but no less important, is the conservation of the personal data of the facial vector once the deletion has been requested by the user, which C.A. states. OSASUNA which remain blocked until the deadline for a possible infringement of the RGPD has elapsed. V Examination of necessity and proportionality 5.1.- High-risk processing The processing of SBRF through biometric reading and recording tools presents high risks for the fundamental rights and freedoms of the interested parties, to which are added those of artificial intelligence as an automated recognition system of human features. This consideration as high-risk processing was already reported in 2003 in the “working document on biometrics” adopted on 01/08/2003 by WG 29: “3.2 Principles of purposes and proportionality” “In accordance with article 6 of Directive 95/46/EC, personal data shall be collected for specified, explicit and legitimate purposes, and shall not be subsequently processed in a manner incompatible with those purposes. Furthermore, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and subsequently processed (purposes principle). Compliance with this principle requires first of all a clear determination of the purposes for which biometric data are collected and processed… On the other hand, compliance with proportionality and legitimacy must be assessed, taking into account the risks to the protection of the fundamental rights and freedoms of individuals and especially whether the purposes pursued can or cannot be achieved in a less intrusive manner. Proportionality has been the main criterion in almost all decisions taken so far by data protection authorities on the processing of biometric data.” Before implementing a data processing project based on this technology, which represents a high probability of significant risk for the rights and freedoms of individuals, which may produce impacts on the rights and freedoms of individuals in different degrees of probability, it is necessary to audit its operation, not in isolation but within the framework of the specific treatment in which it is going to be used. The personal data protection impact assessment, EIPD, is the tool in the GDPR that deals with ensuring compliance with this aspect of the treatment. The GDPR establishes the obligations relating to the impact assessment related to Data Protection, mainly in articles 35 and 36. Article 35 establishes that: “1. Where a type of processing, in particular if it uses new technologies, is likely, by its nature, scope, context or purposes, to entail C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 94/128 a high risk for the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of the impact of the processing operations on the protection of personal data…” The DPIAs are intended to ensure preventively that, when the processing operations being considered may potentially entail risks that are especially relevant for the rights and freedoms of individuals, measures are taken to minimise such risks. Article 28 of the LOPDGDD establishes that “Those responsible and those in charge, taking into account the elements listed in articles 24 and 25 of Regulation (EU) 2016/679, shall determine the appropriate technical and organisational measures to be applied in order to guarantee and certify that the processing is in accordance with the aforementioned regulation, with this organic law, its implementing regulations and the applicable sectoral legislation. In particular, they shall assess whether it is appropriate to carry out the data protection impact assessment and the prior consultation referred to in Section 3 of Chapter IV of the aforementioned regulation” The content of the DPIA is listed in article 35.7 of the GDPR, which must include as a minimum: “a) a systematic description of the planned processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller; (b) an assessment of the necessity and proportionality of processing operations in relation to their purposes; (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other affected persons.” This assessment requires thoroughness, starting in this case from the need for processing in the sense of the GDPR, and not only from the prohibition of processing these data, provided for in article 9 of the GDPR, considering the risks, among others, of using intrusive technology, biases or the probability of an error in identification, its interoperability, identity theft and the type of unique, permanent and invariable identity that is processed, its impact on the privacy of individuals, the implications in terms of fundamental rights of such systems and the technical and organizational measures of all kinds that must be implemented, including security measures. The proactive accountability system implemented by the GDPR, focused on the continuous management of risks associated with data processing with data protection from the design and by default, reinforces the protection of data subjects in relation to their personal data by requiring data controllers to analyse what data they process, for what purposes and what type of processing they carry out, relating the potential risks that the processing entails for the rights and freedoms of natural persons, and from there, decide what technical and organisational measures of all kinds they adopt and apply, to ensure compliance based on the risks detected. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 95/128 The GDPR establishes the obligation to manage the risk that the processing of personal data poses to the rights and freedoms of individuals. These rights and freedoms of data subjects not only protect natural persons with respect to the fundamental right to data protection, but may also imply other rights, fundamental or not, such as the prohibition of discrimination, freedom of movement, or maintaining anonymity in public spaces. These risks arise both from the very existence of the processing, and from the technical and organizational dimensions of the same. The risk arises from the purposes of the processing and its nature, and also from its scope and the context in which the processing takes place. A DPIA is a process designed to describe the processing of personal data, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons arising from such processing, by identifying, assessing and determining the measures to mitigate them. DPIAs are important accountability tools, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. It is essential that the use of such technologies is done with due respect to the principles of legality, necessity, proportionality and data minimisation set out in the GDPR. While the use of these technologies may be perceived as particularly effective, controllers must first assess the impact on fundamental rights and freedoms and consider less intrusive means of achieving their legitimate processing aim. According to Article 35 of the GDPR: “3. The data protection impact assessment referred to in paragraph 1 shall be required in particular in the case of: (a) a systematic and in-depth assessment of personal aspects relating to natural persons which is based on automated processing, such as profiling, and on the basis of which decisions are taken which produce legal effects concerning natural persons or similarly significantly affect them; (b) large-scale processing of special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10, or (c) large-scale systematic monitoring of a publicly accessible area. 4. The supervisory authority shall establish and publish a list of the types of processing operations that require a data protection impact assessment in accordance with paragraph 1. The supervisory authority shall communicate those lists to the Committee referred to in Article 68. 5. … 6. Before adopting the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 if those lists include processing activities that are related to the offering of goods or services to data subjects or to monitoring their behaviour in several Member States, or processing activities that may substantially affect the free movement of personal data within the Union. … 11. If necessary, the controller shall examine whether the processing is in compliance with the data protection impact assessment, at least where there is a change in the risk posed by the processing operations.” In developing paragraph 4, the Director of the AEPD approved a non-exhaustive, indicative list of the types of processing that require a data protection impact assessment, stating: “When analysing data processing, it will be necessary to carry out a DPIA in most cases where such processing complies with two or more criteria from the list set out below, unless the processing is on the list of processing operations that do not require a DPIA referred to in article 35.5 of the GDPR. The list is based on the criteria set out by the “Guidelines on data protection impact assessments (DPIAs) and for determining whether processing is “likely to result in a high risk” for the purposes of the GDPR”, last revised and adopted on 4/10/2017, WP 248 rev.01 of WG 29 supplementing them, and should be understood as a non-exhaustive list: “4. Processing involving the use of special categories of data referred to in Article 9.1 of the GDPR… or inferring information about individuals related to special categories of data. 5. Processing involving the use of biometric data for the purpose of uniquely identifying a natural person.” 9. Processing of data of vulnerable subjects…” Recital 39 of the GDPR adds that “Personal data should only be processed if the purpose of the processing could not reasonably be achieved by other means.” As is apparent from the recital in the foregoing, this requirement of necessity is not met where the objective pursued can reasonably be achieved just as effectively by other, less costly means with less risk in relation to the rights and freedoms of the data subjects, in particular as regards the rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter, since exceptions and restrictions to the right to the protection of such data must be provided for without going beyond the limits of what is strictly necessary (see, to that effect, judgment of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraphs 46 and 47). The Article 29 Working Party, in its Opinion 3/2012 on the development of biometric technologies, states that “When analysing the proportionality of a proposed biometric system, it is necessary to first consider whether the system is necessary to meet the identified need, that is, whether it is essential to meet that need, and not just the most appropriate or cost-effective. A second factor to be taken into account is the likelihood that the system will be effective in meeting the need in question in light of the specific characteristics of the biometric technology to be used. A third aspect to consider is whether the resulting loss of privacy is proportionate to the expected benefits. If the benefit is relatively minor, such as increased convenience or slight savings, then the loss of privacy is not appropriate. The fourth aspect to assess the suitability of a biometric system is to consider whether a less invasive means of privacy would achieve the desired purpose.” This idea is reiterated in section 72 of the EDPB Guidelines 3/2019 on the processing of personal data using video devices, dated 29/01/2020, which states: “The use of biometric data and, in particular, facial recognition entails high risks for the rights of data subjects. It is essential that the use of such technologies takes place with due respect for the principles of lawfulness, necessity, proportionality and data minimisation as established by the GDPR. Although the use of these technologies may be perceived as particularly effective, data controllers must first assess the impact on fundamental rights and freedoms and consider less intrusive means of achieving their legitimate purpose of processing. That is, we would have to answer the question of whether this biometric application is something that is really essential and necessary, or is it just "convenient." These are cumulative requirements that provide an additional guarantee in the processing of the data of the data subject, which takes into account that, if the achievement of the intended purposes can be carried out without processing personal data, or with less extension and intensity of use of these data, this route will be preferable and will mean that it is not necessary to carry out any data processing, and subsidiarily, that the collection of data is necessary for the established or intended purpose and, if necessary, that it is proportional. 5.2.- Evaluation of the need and proportionality of the processing Those responsible for the processing of personal data must ensure that the evaluation of the need and proportionality considers an exhaustive evaluation of the less intrusive alternative options available. Consequently, the viability of other possible alternative options available that do not require the use of special data must be documented, all options must be compared and the conclusions documented. All of this, considered with reference to the nature, scope, context and purposes of the treatment that is planned. The minimum regulatory framework in force regarding the system of ticket sales and access to stadiums is Law 11/2007, its implementing regulations and the “Regulations on the sale of season tickets and tickets” book XII, approved on 23/12/2015, by the LNFP. To assess the need for the treatment, the proposed measure must be supported by evidence describing the problem that will be addressed with the measures, how this will be addressed with the measure, and why existing or less intrusive measures cannot sufficiently address it. The need for processing implies that a combined assessment is required, based on facts, on the effectiveness of the measure for the purpose pursued and on whether it is less intrusive compared to other options to achieve the same objective in the sense that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 98/128 there is no other equally effective and less intrusive means before the implementation of any system. This must be assessed from the principle of data protection by design, focusing the analysis on the risks to the rights and freedoms of the people whose data are to be processed. While C.A.OSASUNA is processing the personal data of users who access the stadium through the SBRF technique (which would include the processing of the data used to access with the pre-existing SBRF modality - the data of the season ticket card is collected as a starting point for registration) and more personal data is added for processing, such as the scan of the DNI, biometric data or the image, obtained from documents, the extent of the restriction on the rights and freedoms of the season ticket holders who use this system would be increased, compared to those who do not use this form of access. An access management process is carried out with facial recognition identifying the season ticket holders for, in principle, the time that the person wishes, who can withdraw consent, but after a season ends, they are kept for the next. Therefore, with the processing of biometric data, SBRF, the fundamental right to data protection of its holders would be restricted by being manifestly intrusive for the rights and freedoms of the interested parties, and to verify whether this restrictive measure of the fundamental right passes the proportionality test, it is necessary to verify whether it would comply with the three requirements or conditions that the Constitutional Court has been calling the triple proportionality test, consisting of: 1-If the measure is likely to achieve the proposed objective (suitability test). To establish the suitability of biometric processing, it is necessary to assess that there is a logical and direct link between the processing and the objective pursued, and determine the real effectiveness of the processing, that is, determine through objective evidence that it is capable of reaching a minimum level of effectiveness in resolving the need raised. It is about determining whether the processing is adequate for the purpose it pursues, can achieve the proposed objective. In this case, it is assumed that a SBRF is implemented through unique identification of the subscribers who access, identification that as a process is not used or required by C.A. OSASUNA to facilitate access to those who use the other physical card system. In principle, the access created with biometric means promoted by C.A. OSASUNA is additional to the existing ones, and voluntary, alternative in use to those already existing, and does not respond to a mandatory requirement. It is a modality that would facilitate agility in access. In the press release reported in fact 1, it was advertised as the first Club to implement this system. The result with one or the other means is the same, access to the premises. However, the processing operations and the technology used in both, at the level of inherent and derived risks of each of the processing operations that make up them, make biometrics more risky, more frequent and more repeated due to the use itself and time of use, which can produce more negative impacts on the rights and freedoms of the rights of those affected. C.A. OSASUNA bases the acceptance of the SBRF as such, because the “full identification of the subscriber” occurs, with other beneficial effects such as the difficulty of identity theft, and the security provided by knowing that this is the case, its possible use in the event that the card is stolen, which allows access with this means or the convenience of not having to present the physical subscriber card. In the alleged factors, identity theft, loss or theft, there is no evidence that this could be a problem for the subscribers to be treated, nor a study that biometric access with facial recognition could be the solution, since exceptional cases would not justify resorting to such a disproportionate means due to the high risks that SBRF entails. The intrinsic results of the two means of treatment for access to the sports venue are not equivalent in risks or impacts on the rights and freedoms of users, since the holder of the physical season ticket does not have to access the venue by any means of identification, much less any univocal means of processing their data when passing through the turnstiles at the entrances. In parallel, subscribers who use the SBRF are subject to this identification process, not only before accessing it with the proper registration in the system, but also afterwards with the conservation of their data and logs that remain from their passage. They are not even equivalent in the means or in the results, since more records and processing operations are generated with the SBRF, obtaining only access to the premises in common. This theory can be attributed to the fact that subscribers voluntarily wish to consent to these processing operations, which is not an obstacle to considering that this processing is not a necessary system nor equivalent in the risks that its processing operations entail. If the use of the SBRF as an identifier is a means of avoiding identity theft, apart from the fact that it is not justified that this is a problem, nor is it claimed that it is the main purpose, it is clear that in the legal relationship between the users of the season tickets they are already sufficiently identified with the season ticket card issued by the Club in its various formats (in addition to being able to request the DNI, as they assert in their allegations to the proposed resolution). On the other hand, the agility of the implemented SBRF, compared to the pre-existing mode of access, cannot by itself form a decisive part in the suitability of installing the system, and in any case, by itself it cannot justify the need for this system. It should also be noted that the Anti-Violence Law in its article 7 “conditions for staying in the premises”, states in its point 2 b), that of “Occupying the seats of the class and place that correspond to the title of access to the premises that they have, as well as showing said title at the request of the security forces and any employee or collaborator of the organizer”, so it is unknown how they comply in this case, which C.A. OSASUNA offers as an advantage of the system, not having to carry the subscriber card in any way if the SBRF is used. Obviously, it is possible to identify the subscriber who accesses, but this need is not accredited or because a verification system is not used, but the suitability and relevance for the purpose for which it is required is omitted. The EIPD does not make any assessment of the problem it is trying to address, because it does not explain it, it only offers this mode of access as voluntary and alternative to the one that already exists and to which one can return at any time. 2-If, in addition, it is necessary, in the sense that there is no other more moderate measure for the achievement of such purpose with equal effectiveness (judgment of necessity). It is a matter of determining whether the purpose pursued cannot be achieved in another way that is less harmful or invasive, that is, whether there is no alternative treatment that is equally effective for achieving the purpose pursued. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 100/128 The Court of Justice of the European Union (hereinafter CJEU) has examined in various judgments the necessity and proportionality of the processing of personal data, establishing that, based on the fact that the processing of personal data implies in itself a limitation to the right to data protection, it must be verified whether this limitation is proportionate to the objectives and purposes, and that therefore, it must be examined whether the processing operations allow the objectives and purposes to be achieved, without going beyond what is necessary to achieve them. Necessity should not be confused with the usefulness of the system. It may be easier not to have to carry a card, that it takes a few seconds less to access it, that it is automatic and instantaneous and not excessively expensive. Obviously, a SBRF can be useful, but it does not have to be objectively necessary (the latter being what really must be present). As established in Opinion 3/2012, on the evolution of biometric technologies- of WG 29-, it must be examined "whether it is essential to satisfy that need, and not just the most appropriate or cost-effective". Options and alternatives must be analyzed before establishing a new system that supposes an exaggerated limitation of the right of each user, when there may be less invasive means of privacy, and not opting for what is practical or agile and comfortable, when the rights of their owners are at stake. As for overcoming the analysis of strict necessity, it must be demonstrated that it solves a problem that must be real, present or imminent, and critical for the functioning of the treatment. In this regard, the ECHR established that “necessary” “…was not synonymous with indispensable…and neither does it have the flexibility of expressions such as ‘admissible’, ‘ordinary’, useful’, ‘reasonable’ or ‘desirable’”. Mere convenience or cost-effectiveness is not enough. In addition, the scope, extent and intensity of the interferences must be assessed in terms of their impact on fundamental rights, explaining with evidence why other possible alternatives are not sufficient to satisfy this need sufficiently. Even when assessing the options, the possibility of using a combination of measures, both automated and non-automated, organizational, legal or technical, must be taken into account. C.A. OSASUNA bases this need on facilitating access for subscribers because it is more agile and simple, recognizing that there are less intrusive means “the traditional ones such as the QR code reader incorporated into the subscription”, continuing, indicating that “However, the implementation of the treatment analyzed in this DPIA does not prevent the use of this option. That is, the interested party can freely decide and without this causing any type of affectation to their rights as a subscriber, to choose one or another treatment for access to the stadium. In this way, the need would be linked in this case to the will of the subscriber, which cannot be satisfied using a less intrusive means of access.”, and at the same time it contradicts itself as can be seen at the end of the paragraph, by pointing out that the need cannot be satisfied using a less intrusive means, when this, in addition, is the one that the majority of subscribers use. Regarding the need, it should be noted: a) That the need cannot depend on what the affected party decides. The concept of need, according to the jurisprudence of the CJEU, is that of a strict need, of a cross-cutting nature and there being a less intrusive means, C.A. OSASUNA avoids any analysis, leaving the assessment of the need in the hands of those affected because C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 101/128 it is an option and the interested party has chosen it, being the will of the subscriber. However, it is the person responsible for the treatment who must evaluate the need for the treatment, as well as comply, if applicable if it passes the assessment of need and proportionality, with the management of regulatory compliance with the GDPR. b) The computerised system for controlling and managing ticket sales, as well as access to football stadiums provided for by law, may lead to the fact that tickets must be nominative, which is a common and standardised type of access, and there is another less intrusive modality that the EIPD recognises, but which is removed, considering that there is freedom of the user, it is undoubtedly a measure that affects the right with less extension and intensity in the processing of personal data, and which should prevail because it is preferable to facial recognition. 3- Finally, if it is balanced or considered, because it results in more benefits or advantages for the general interest than damages to other goods or values in conflict (judgment of proportionality in the strict sense; “STC 66/1995, of 8 of 5, F. 5; STC 55/1996, of March 28, FF. 7, 8 and 9; STC 270/1996, of December 16, F. 4.e; STC 37/1998, of February 17, F. 8; STC 186/2000, of July 10, F. 6).” In this regard, the seriousness of the risk to the rights and freedoms of the treatment, and its intrusion into the fundamental right to the Protection of Personal Data must be appropriate to the objective pursued and proportionate to the urgency and seriousness of this. The benefit that the treatment from the point of view of Data Protection provides to society must be weighed, maintaining a balance with the impact it represents on other fundamental rights. However, although it may partially yield, in no case can the absolute denial of the right to Data Protection be assumed and emptied of its essential content. As for the additional means of security, they are not related to the proportionality of the treatment nor would they replace its evaluation, and the existence of alternative means of access cannot presuppose for this reason that the treatment is proportional, without such elements being able to validate such proportionality. In general, the principle of proportionality must contemplate that in order to achieve the intended objectives, they must be carried out through actions that do not exceed what is necessary, introducing here the concept of adequacy of the measure. There must be a logical link between the measure and the legitimate objective pursued. In order for the principle of proportionality to be respected, the advantages resulting from the measure must not be outweighed by the disadvantages that the measure causes with respect to the exercise of fundamental rights. One of the factors that play a role in proportionality is the effectiveness of the existing measures, over and above the proposed one. If measures for a similar or identical purpose already exist in the same context, they must be considered; if not, the assessment of proportionality has not been properly carried out. The principle of proportionality must assess whether the negative impact on the fundamental rights and freedoms of the interested parties is proportional to any expected benefit. If the benefit is relatively less, such impact may not be proportional. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 102/128 On the other hand, no assessment is made by C.A. OSASUNA on the need for security in the accesses to the stadium, which would derive from the Law 11/2007 Anti-violence, and which is expressly mentioned in the preamble of the RGLNFP, “conditions for the sale of tickets and season tickets”. In this respect, said regulation does not reach to establish as a general rule neither the identification of the person who enters the stadium with his ticket or title nor as a means, the biometric to control the identity in the access control. To this end, it must be assumed that inside the stadiums there are video surveillance systems, they can be placed at the entrances and surroundings of the stadium, and each seat is assigned to the person who acquires the ticket. It is deduced that the access system with facial recognition compared to the traditional system of selling personal tickets does not represent a clear and differentiated plus in security, because if it were, it should have been implemented in this case by a rule applicable to the case on a general, non-voluntary basis, and it does not seem that this is the ultimate purpose of access with the SBRF. Neither has C.A. OSASUNA accredited indices from which it is derived that spectators impersonate or try to impersonate each other to access with season tickets that are not their owner, or how they carry out such impersonations with the season tickets, so that this constitutes a problem to tackle, and that in this case perhaps, since it affects everyone, it would not seem serious to undertake it only for those who consent to the treatment of their biometric data. The SBRF system, in terms of cost-benefit, is not seen to be related to the general interest that sets the objectives of the anti-violence law, when the majority of football stadiums do not have the aforementioned system in place, and the security reasons for entering with biometric access, in addition to being voluntary, exceed the purpose of access to stadiums, that of full identification with a very high level of probability of identity, since it is not provided for in any regulation and is established in the field of a public entertainment spectacle, which must have other measures such as video surveillance and closed circuit television, and its use for this purpose is in any case disproportionate due to the sacrifices that they entail for data protection, privacy and other related rights. In the present case, it is also worth remembering what C.A. OSASUNA points out in this part in the EIPD, section 6.4.3, framed in the “analysis of compliance of the treatment of the data minimization principle”, and more specifically, of the “criteria in relation to the application of the minimization principle in the treatment of biometric data” (6.4.2), in which it expresses that it considers that a series of aspects (point 1.3 of the THIRD FACT) with seven differentiated points must be assessed for the necessity and proportionality of the treatment, and that act in its opinion as premises. Regarding these aspects, it must be indicated: The influence on the necessity and proportionality of the treatment operations in accordance with their purpose, which is what should be analyzed, has nothing to do with the assertions that the treatment is applied to vectors and not directly to images. This may be for security reasons, or the system may only be applied to (…) people, and not to the entire stadium, or remote recognitions are not carried out, which is understood to be a compliance requirement, or that those affected have freely agreed to the use of treatment with this biometric device, and much less with the requirements of the Anti-Violence Law, which only considers it mandatory to have a computerized system for control and management of ticket sales, as well as access to the venue, which does not mean that the identity of the holder of the title is controlled for the aforementioned access with such tickets or others, at the level of unique identification with the SBRF, as well as an access control system, which adds nothing to this need. None of the elements advances an analysis of the situation regarding the necessity and proportionality of the treatment referring to a balance between purposes (registering for the service, and guaranteeing access to the stadium) and means, and interference of the SBRF tool. As a consequence, it follows that C.A. OSASUNA has not correctly examined the necessity and proportionality of the SBRF treatment operations in accordance with the objectives of its purpose and to what extent it meets that objective with an evaluation of the scope, extent and intensity of the interference in terms of impact on fundamental rights. In no case is it recommended to continue with the DPIA when the treatment does not pass the need assessment and/or the proportionality assessment. Please note that these are compliance requirements required by the GDPR, requirements that cannot be addressed with alternative measures to compliance itself, such as technical and organizational measures. In addition to being able to assess various aspects of the EIPD, the mere failure to pass the judgment of necessity and proportionality of the processing of personal data carried out, consisting of the additional system established for facial recognition to access the Sadar stadium, would already imply the illegality of the same. 5.3.- Conclusion In summary, C.A. OSASUNA had a system for accessing the stadium and selling tickets that before the SBRF was implemented, covered the needs for the identification of users, and that could reflect the purposes and needs provided for by the ANTI-VIOLENCE LAW and the Royal Decree that develops it, 203/2010. Access was made with the subscriber card, or in its version of a subscriber card with a QR code or a subscriber card on the mobile phone, which required only basic, affiliation and contact data for its issuance. These data are the same personal data that are at the base of the process to start the SBRF registration, adding the front and back of the DNI and a photograph, so the establishment of this new system is a technical option in a situation, that of access to the stadium, which does not reflect a problem to be addressed through a new treatment, as it is covered with a pre-existing modality, and a lack of justification may arise in its suitability, necessity and proportionality. These reasons exempt from carrying out any additional examination contained in the aforementioned EIPD, as they do not exceed the minimum requirements of necessity and proportionality in the establishment of the system. On the other hand, it is clear that there are less intrusive means already established and in operation that meet the requirements for access to the stadium and that the SBRF is not strictly necessary since it is proven that the specific objectives pursued can be achieved with measures that constitute a lower level of interference and less serious in the rights and freedoms of users, having as an objective that personal data should only be subject to processing if the purpose of the processing cannot be reasonably achieved by other means. Although in practice there is usually no single way to achieve the purposes for which data processing is C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 104/128 oriented, it can be seen that depending on how it is implemented, different risk scenarios can arise. When considering these other possible alternative treatments, it is necessary to identify those that, using fewer or less intrusive means, achieve at least equal effectiveness, that is, it must be evaluated whether the purpose pursued can be achieved by other means such as using other data (of a different nature or extension) or with less invasive technologies. Again, it is noted that a prior analysis must be carried out and separated on the need and proportionality of said treatment for the achievement of the purpose intended by the data controller, in the sense that there is no other equally effective and less intrusive means, before the implementation of any system, and in the present case such a system existed. It is important to note that, even if the subscribers explicitly accepted the use of their biometric data for the purpose of accessing the stadium, the principles of treatment contained in article 5 of the GDPR, in relation to necessity and proportionality continue to apply and must be complied with. In the present case, the intended purpose is access to the stadium of C.A. OSASUNA, the data controller, and considering the principle of data minimisation, which advocates that the data processed must be limited to what is necessary to achieve these purposes, for which a less intrusive access modality already existed, and the evaluation of necessity and proportionality in the SBRF for access to the stadium is not proven, it is considered that C.A.OSASUNA has infringed article 5.1.c) which indicates: “1. Personal data shall be: c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»)”. VI Processing of biometric data: exception to article 9 of the GDPR, and legitimizing basis of article 6 of the GDPR In the present case, it is estimated that through the establishment of the biometric system for access to the stadium by C.A. OSASUNA for season ticket holders, personal data of a special category are being processed, with C.A.OSASUNA playing the role of data controller. The GDPR states in its definitions: 4.2"processing": any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, comparison or interconnection, limitation, deletion or destruction;” “4.7 “controller” or “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be determined by Union or Member State law;” Biometric data, classified as “special category” in article 9 of both the RGPD and the LOPDGDD, are personal data whose use may give rise to significant risks for fundamental rights and freedoms, and therefore, in principle, their processing is prohibited, as indicated in recital 51, when after its specification it indicates that: “Such personal data should not be processed unless their processing is permitted in specific situations contemplated in this Regulation”. C.A. OSASUNA in its EIPD dated 02/04/2022, and has thus stated in the procedure, bases the lifting of the prohibition of processing for SBRF data, and in order to access the stadium by this means, with the explicit consent given voluntarily, according to article 9.2.a) of the GDPR, and as indicated, this same explicit consent “is also subsumed in the content of this last rule”, “so that in addition, the processing will have the legal basis established in article 6.1.a), thus complying with the principle of legality”. Article 9.1) of the GDPR states: “The processing of personal data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data relating to health or data relating to the sexual life or sexual orientation of a natural person are prohibited. The only exception to the prohibition of processing special category data may be made when one of the circumstances specified in section 2 of art. 9 of the GDPR, whose letter a), states: “2. Paragraph 1 shall not apply where one of the following circumstances applies: a) the data subject has given explicit consent to the processing of such personal data for one or more of the specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;” The controller is obliged to assess very seriously and diligently whether it has a substantial reason to process special categories listed in said Article 9.2 of the GDPR. In the case of biometric data, in addition to lifting the prohibition on its processing, it must contain one of the legal bases legitimising the processing contained in Article 6.1 of the GDPR. This article is also based on the declared exception that supposes the processing of data, by stating that “1. The processing will only be lawful if at least one of the following conditions is met” …, understanding that it is assumed that any processing of such personal data restricts the rights of its owner by the mere fact of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 106/128 undergoing such processing, at which point, it will be increasingly identified with this mechanism. The list of bases is: “a) the interested party gave his consent for the processing of his personal data for one or several specific purposes; b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the latter of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect vital interests of the interested party or another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks. These are cumulative requirements that represent an additional guarantee in the processing of the data of its owner, which takes into account that, if the achievement of the intended purposes can be carried out without processing personal data, without said purpose being altered or harmed, the latter activity should be chosen, and this route will be preferable and will mean that it is not necessary to carry out any data processing, and subsidiarily, if data is required, that the data collection is necessary and proportional for the established or intended purpose. Note that what C.A. OSASUNA implements is an additional modality pre-existing to the one it already has, as in this case, with the use of biometric data for facial recognition with the same purpose as with the pre-existing modality, access to the stadium, and this is recognized by C.A. OSASUNA that in the purpose of the treatment it expresses it as “guaranteeing access”. For processing for the same purposes as those already fulfilled, since it involves special data such as biometric data, C.A. OSASUNA must have a circumstance that lifts the prohibition of processing regarding biometric data. Remembering that the regime established on access and tickets derived from Law 11/2017, is defined by: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 107/128 - A “computerized system for the control and management of ticket sales, as well as access to the venue”, - additional measures (for security reasons) such as “promoting systems for verifying the identity of people trying to access sports venues”, or “implementation of ticket issuing and sales systems that allow the control of the identity of ticket purchasers”, to know the identity of the holders of access tickets to sports facilities, additional measures that only appear implemented in relation to the animation stands, and that in accordance with the limitation that it supposes by having been thus determined with the CEVRXID by virtue of article 13.1 of the Law 19/2007, “will be carried out by implementing systems for the sale of NOMINATIVE TICKETS”, mandatory mode (article 15.3 of RD 203/2010). This system used by C.A.OSASUNA is an extra that is not the one approved by the LNFP in its RGLNFP on the sale of tickets and season tickets, and it also goes beyond what is indicated in the regulations which require that the access titles to sports facilities be nominative only in cases in which “additional measures” had been agreed, based on article 13.1 of Law 11/2007 and article 15.3 of its implementing regulations, and it is not stated that for the generality of spectators, not only the nominative tickets had been established, but for access to the sports venues in which sports competitions are held the use of biometric data identifying the subscribed persons, who appear identified in their own season ticket. Such a system of univocal identification by technological means that use artificial intelligence for its processing would respond to a much higher degree than necessary. Having charged a first and prior infringement due to the analysed absence of need for the processing carried out, the same purpose existing with means and personal data used with appreciable less intrusion into the fundamental right to data protection of the subscribers, it is worth referring to the obtaining of explicit consent and its effects for which this infringement was initially charged to C.A. OSASUNA. The consideration of the provision of explicit consent by the subscribers, in this case, for a high-risk processing that involves the category of special biometric data, is part of the legality of the processing. In this case, it is not possible to enter into an assessment of any legitimacy that may refer to a legal basis that has as its object the processing analysed, since, according to what has been analysed, it is considered that it is a processing whose necessity and proportionality is not in accordance with the processing operations in accordance with its purpose. In short, regarding the proposed treatment, since the restrictive measure that represents the restriction of the fundamental right that this treatment implies does not pass the test of necessity and proportionality, it is not necessary to consent to something that is not necessary, so the infringement of article 9 must be dismissed. VII Response to the allegations of C.A. OSASUNA Regarding the allegation of C.A. OSASUNA that the consideration of the start agreement as high risk to understand that the principle of necessity of the treatment is not fulfilled, must be indicated in response to it, that the assessment of the aforementioned C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 108/128 necessity is inextricably linked to suitability and proportionality in the strict sense in the treatment operations, with respect to the purpose of the treatment, and not exclusively to the fact that we are facing a high-risk treatment. In all personal data processing that the data controller intends to carry out, the necessity of the treatment must be assessed, in the terms of the RGPD, carrying out and overcoming the triple proportionality judgment so that said treatment can be carried out. Although the risks to the rights and freedoms of the interested parties arising from the treatment must be considered, it is one of the elements to be taken into account for this weighting, but not the only one. What is certain is that the use of biometric systems is classified as high risk, without qualifying the risk as being exclusively related to the security of the treatment. The successive opinions, guidelines and documents referring to these personal data processing processes issued by the EDPB or the AEPD have determined such a high-risk character, as has been made explicit throughout the procedure, especially with the implementation of systems containing artificial intelligence in public spaces, due to the difficulty and lack of transparency of the models implemented, regardless of whether they are not understood or do not meet the requirements of high-risk artificial intelligence in the regulation of Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 establishing harmonised standards on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Regulation). However, in the initial agreement the necessity factor is more related to the existence of other less intrusive means to obtain the same end, taking into consideration, as we have indicated, the necessity in relation to the purpose in consideration of the nature, scope and context of the treatment and the existing alternative, being a means that affected the right to the protection of personal data with less intensity and generating less risks. Regarding the claim made by the respondent party that the risk is minimized by the technology used, because the vector is not reversible, it must be agreed that, in the analysis of risks to the fundamental rights and freedoms of people derived from the processing of personal data, technology is only one factor to be considered. Firstly, because a correct understanding of the GDPR determines that within the management of GDPR compliance - compliance with all GDPR obligations within the concept of “strong accountability”, that is, compliance that is not merely formal but in substance, with the first and last aim of protecting natural persons in all their rights and freedoms (article 1 of the GDPR) - there is a part that is risk management, with security measures being in turn a part of risk management. Turning one part (security measures) into the whole (risk management) is a defective understanding of the regulation. Betting compliance management on the establishment and implementation of strictly security measures, however “safe” they may be, is emptying the regulation of content. It would be as much as saying that it would be correct to process personal data if there are security measures that minimize the risks, even when a treatment of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 109/128 personal data, for example, were prohibited by the legal system or did not surpass the judgment of necessity. This possibility is neither logical nor legal. Furthermore, and secondly, because the GDPR does not focus only on technical and organizational security measures, but the data controller must implement other types of appropriate technical and organizational measures, of all kinds, and not only security. The GDPR is marked by precepts that impose it, from several recitals of the RGPD, through articles 24, 25, 28 or 35 of the GDPR, among others. Thus, Recital 78 of the GDPR makes it clear that, “78. The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires the adoption of appropriate technical and organizational measures to ensure compliance with the requirements of this Regulation. In order to be able to demonstrate compliance with this Regulation, the controller shall adopt internal policies and implement measures that comply in particular with the principles of data protection by design and by default.” (emphasis added) Article 24 of the GDPR expressly mentions that, “1. Taking into account the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate compliance with this Regulation. Such measures shall be reviewed and updated as necessary.” (emphasis added) Article 35 of the GDPR, and specifically regarding the minimum content of a DPIA, states that, “d) measures designed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other affected persons” (emphasis added) In the same vein, recital 90 of the GDPR links the content of the DPIA to measures of all kinds, without the name “security”, to mitigate the risk, where appropriate, “ 90. In such cases, the controller must carry out, prior to processing, a data protection impact assessment in order to assess the particular seriousness and likelihood of the high risk, taking into account the nature, scope, context and purposes of processing and the origins of the risk. This impact assessment must include, in particular, the measures, guarantees and mechanisms provided to mitigate the risk, guarantee the protection of personal data and demonstrate compliance with this Regulation.” (emphasis added) All measures of any kind that the data controller must determine and establish to see if it can mitigate the risk during the processing of personal data are obtained from a correct view of the risk, because where you don’t look, you don’t see. Although C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 110/128 the AEPD has highlighted the existence of a high risk in the present processing of personal data, the respondent party denies the majority, considering in its allegations that the processing does not entail a high risk, since these are “minimized” by the technology used and the measures adopted. It should be noted that the high risk of processing personal data does not cease to be so throughout the entire cycle of processing because appropriate measures are established, of whatever type, to mitigate its probability and impact, as well as measures to react if it materializes. A high-risk processing does not become a medium or low-risk processing by establishing and implementing measures. Thirdly, it should be noted that the risks to the rights and freedoms of the interested parties, in this case the subscribers, derived from the processing are not a fixed photo at the beginning of the material processing of personal data that is maintained throughout the process. The risks are changing in the current technological context. Various hashes, such as M5, which were not initially reversible, now have specific web pages in search engines to ensure the reversibility of these and obtain the original data. The personal data breaches reported to the AEPD are continuous regarding processing very similar or practically identical to that carried out by the complainant, in which the server of the data controller has been accessed and the database containing the biometric templates stolen. We must remember that the biometric data are inextricably linked to the individual. If they are stolen, they may lose their identity and this is a current, real and tangible risk. In this case, it was not considered that there was no proportionality or need in the processing derived from the high risks that this type of processing entails, but rather due to its analysis of the content derived from the EIPD and the analysis of the nature, scope, context and purpose of the described processing, and this is set out in legal basis V. In this sense, even if the image is converted into a code or vector, the processing continues to be biometric data and therefore of a special category and of high risk. Regarding the statement in the initiation agreement that the SBRF processing activity for the access of subscribed persons undertaken by C.A. OSASUNA generates additional risk due to its probabilistic nature, the initiation agreement points out another statement to the contrary, without concluding the one expressed by C.A. OSASUNA. It must be assumed that biometrics are based on probabilistic principles in the sense that they are, at the same time as attributable to a person, measurable and in practice, technical means involving probabilities are used to measure them. Facial recognition is a probabilistic technology that can automatically recognize people by their face for verification or identification. In both the identification and verification system, the facial recognition techniques used are based on an estimated match between templates/(vectors): the one that is compared and the reference(s). From this point of view, they are probabilistic techniques: the comparison deduces a greater or lesser probability that the person is actually the person to be verified or identified; if this probability exceeds a certain threshold in the system, defined by its user or developer, the system will understand that there is a match. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 111/128 The CEPD considers it important to remember that the Facial Recognition Technique, whether used for verification or identification purposes, does not provide a definitive result, but is based on probabilities that two faces, or images of faces, correspond to the same person. That is why the blunt explanation provided by the respondent now in its allegations to the proposed resolution of the need for the treatment taking into account its purpose (it now adds that it aims to guarantee that the subscriber who accesses is the one who really holds the right to carry out that access, without requiring an identification process through conventional means, avoiding impersonation in access as a consequence of the theft of documents proving the status of subscriber), specifically that the purpose of the treatment is to guarantee that the subscriber who accesses is the one who really holds the right to access, simply fails. The biometric system also has flaws, it is not one hundred percent definitive. And this is in addition to not knowing very well what this system adds with respect to identification and comparison with traditional methods, such as the display of the DNI, especially if its inefficiency has not been made clear. Regarding the allegation of the mistake of indicating in the start agreement, as an example, not referring to the specific case, that the system made relative measurements between nodal distance points of the image of each individual, and not meaning that it uses an artificial intelligence system to generate the facial vector, it was an example of the general operation of the method of extracting biometric characteristics to create a template, which C.A. OSASUNA also calls a facial vector, which is an end that does not vary with one or another extraction system. On the other hand, regarding the claim associated with the previous one that each version of the biometric engine is different to mean that the vectors derived from the service cannot be used by other engines and the facial vector is not reversible, it does not affect the fact that this biometric system of unique identification is used by creating facial vectors that are unique biometric personal data that uniquely identify the subscriber, as they fully identify the subscriber in order to access the sports venue to watch the sporting event. The agreement does indicate that the image of the face is processed with a technical procedure, artificial intelligence, and that in essence the algorithms create a facial vector capable of fulfilling the purposes, as they are special biometric data by uniquely identifying the person, a circumstance that is not denied by C.A. OSASUNA. It should be added that, for the purposes of the Artificial Intelligence Regulation, recital 19 states: “For the purposes of this Regulation, the concept of ‘publicly accessible space’ should be understood as referring to any physical space that can be accessed by an indeterminate number of natural persons and regardless of whether it is privately or publicly owned and regardless of the activity for which the space may be used, whether commercial activities, for example, shops, restaurants, cafés; service provision, for example, banks; professional activities, hospitality; sports, for example, swimming pools, gyms, stadiums; transport, for example, stations…” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 112/128 On said Regulation, the EDPB and the EDPS issued a joint Opinion 5/2021, on said proposed Regulation, on 18/06/2021, in which they request a general prohibition of the use of AI for the automated recognition of human features in spaces of public access, such as faces, but also fingerprints, due to the effects on the expectations of the population to maintain anonymity in said public spaces. It indicates in its allegations that the consideration of biometric systems as high risk to impute the two violations does not correspond to the system implemented by C.A. OSASUNA. He added that document 14, provided in previous proceedings, and document 1, confirm the strength of the security of the processing carried out by its manager, DAS-GATE, using VERIDAS technology. In this regard, it should be noted that the imputed infringements are deduced from the functioning of the system, the nature and description of the processing and the sectorial context, as well as from the evaluation of the necessity and proportionality of the processing operations with respect to their purpose. The purpose of the processing cannot be the tool or instrument with which to achieve the objective, so that the real purposes of the processing must not be confused with the measures that could be adopted to achieve these purposes. And all this is in addition to what has already been pointed out regarding the fact that the adoption of security measures, in this case, is not what determines the legality of a processing. According to the AEPD Guide on “risk management and impact assessment in the processing of personal data, of June 2021”, in its point III “risk management process for rights and freedoms”, it is indicated that the purpose of the treatment or its purposes, must be established before starting the risk management and to have guarantees that the purposes of the treatment have been correctly identified, these must comply with the following properties: “-Ultimate: The ultimate purpose of the treatment must be determined and not confuse it with intermediate objectives, instrumental means or treatment operations that take place in some phase of the treatment or that may be dependent on the way of implementing the treatment, -Specific: sufficiently precise and concrete, specifying the deficiencies, demands, requirements, obligations or objective and final opportunities that the end of the treatment is to resolve or respond to, -Measurable: They must define a future state that is desirable in qualitative terms. -Achievable and realistic: guarantees are determined to achieve the purposes of the treatment to the extent that it is possible to demonstrate that the ultimate goal will be achieved. -Limited: within a period of time and within the framework of a certain stage of the life cycle of the treatment” In this case C.A. In its EIPD, OSASUNA has stated that the purpose was to “guarantee access, through facial recognition, to the El Sadar stadium by OSASUNA subscribers” and in its RAT “Purposes: registration and management of access to the facilities through a facial recognition system.”, or added statements, such as “to provide the subscriber with a new means of access to the venue that is more appropriate and effective in view of the current state of the art, which even minimizes the risks derived from the other systems of access to the stadium”, “since the control of access to the stadium cannot be indicated to be carried out through a single system” “leaves it up to the affected party to determine whether or not they consider the treatment necessary to achieve a purpose that is put at their disposal”. However, it can be added that data is collected in the form of a biometric system for a specific purpose, the reason for the processing operations. Since the processing operations, collection-storage-use, are the instrument of access to the enclosure, it does not seem that this can be the end, the purpose or the objective of the treatment. The explicit, clear and specific purpose plays an important role in transparency and information to the user. It should be remembered that the specification of the purpose is a prerequisite for applying other requirements, including the adequacy, relevance, proportionality of the data collected. The specification of the purpose of the treatment establishes limits on the purposes for which the controllers can use the personal data collected, and also helps to establish the necessary data protection safeguards. However, between the content that a DPIA must contain in a mandatory manner, and the overcoming of the same, which in this case is not achieved, it has been based on the fact that it does not comply with the law, the aforementioned absence of necessity being proven, proportionality in accordance with the purpose of the treatment established with the SBRF. Regarding the allegation of the violation of the principle of legitimate trust that C.A. OSASUNA has argued that, based on various reports from the AEPD and the EDPB, special categories of data may be processed with the explicit consent of those affected, because it considers that, despite the proposal to archive the infringement of article 9, it also affects article 5.1.c of the GDPR in question, it must be considered that the principle of legitimate trust, together with that of good faith and institutional loyalty, are recognized in article 3.1.e) of Law 40/2015, of 1/10, on the Legal Regime of the Public Sector. The STS of 18 July 2017 (Rec. 4576/2016) recalls "that the jurisprudence of this Court, collected in the judgments of 10 May 1999 (RCA 594/1995); of 17 June 2003 (RCA 492/1999) 6 July 2012 (RCA 288/2011), 22 January 2013 (RCA 470/2011), and 21 September 2015 (RCA 721/2013), maintains that the principle of protection of legitimate expectations, related to the most traditional ones in our system of legal certainty and good faith in the relations between the Administration and individuals, entails "that the public authority cannot adopt measures that are contrary to the hope induced by the reasonable stability in the decisions of the latter, and based on which individuals have adopted certain decisions." This principle of legitimate trust finds its ultimate foundation, according to the judgment of this Court of 24 March 2003 (appeal 100/1998) and of 20 September 2012 (appeal 5511/2009), "in the protection that objectively requires the trust that may have been reasonably placed in the behaviour of others and the duty of coherence of said behaviour", and in the principle of good faith that governs administrative action, since as stated in the judgment of 15 April 2005 (appeal 2900/2002) and again the aforementioned judgment of 20 September 2012, "if the Administration develops an activity of such a nature that it may reasonably induce citizens to expect certain conduct on its part, its subsequent adverse decision would imply breaking the good faith that must be the basis for the action of the Administration. same and defraud the legitimate expectations that his/her conduct would have generated in the administered person." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 114/128 However, the protection of legitimate trust does not cover any type of subjective psychological conviction in the particular case, but as indicated by the judgments of this Court of October 30, 2012 (appeal 1657/2010) and June 16, 2014 (appeal 4588/2011), it refers to "the rational and well-founded belief that due to previous acts, the Administration will adopt a certain decision", and as indicated by the judgments of January 2, 2012 (appeal 178/2011) and March 3, 2016 (appeal 3012/2014), only that trust on specific aspects, "which is based on signs or external facts produced by the Administration that are sufficiently conclusive." The AEPD has not changed its opinion on the obligation to carry out and pass the assessment of the necessity and proportionality of the processing in the DPIA. The requirement to carry out and pass the assessment of the necessity and proportionality of the processing is not something new, and not only because it is expressly cited by the GDPR as an obligation, but because it was already pointed out by the Article 29 Working Party in its Guidelines on data protection impact assessments (DPIA) and to determine whether the processing "is likely to entail a high risk" for the purposes of the GDPR, dated 4/04/2017, last revised and adopted on 4/10/2017. Following this line, we can also mention all the documents prepared by the AEPD, in this case on the preparation of EIPD, which aim to be a means available to the general public to raise awareness and knowledge of issues related to data protection, serving the controller and the person in charge of the treatment, since many of them are addressed to them, trying to facilitate compliance with the management of regulatory compliance, which does not prevent the data controller from examining in the specific case the processing of personal data that is being carried out and what are its obligations in terms of data protection. Thus, we will highlight the Guide to risk management and impact assessment in personal data processing of the AEPD of June 2021, which has a specific section XIII on the evaluation of the necessity and proportionality of the treatment; Also in the list of tables of the Risk Management and Impact Assessment guide in editable format, there is table 48 relating to the “Judgment of suitability, necessity and proportionality in the strict sense” and table 49 on the “minimum information required in the assessment of the necessity and proportionality of the treatment”; the DPIA report model in the private sector also contains information on the analysis of necessity and proportionality, examining the judgment of suitability, necessity and proportionality in the strict sense; nothing new, therefore, in the Guide on presence control treatments using biometric systems of the AEPD of November 2023, which includes a specific section on passing the analysis of suitability, necessity and proportionality. Obviously, none of these guides or documents can be considered a source of law, either de facto or de jure, since, without prejudice to what is indicated in this regard by the Civil Code, article 35 of the GDPR is sufficient for this by itself, these guides collecting what the aforementioned article requires. As regards the contrary citation of the EDPB Opinion on the use of facial recognition technologies by airport operators and airlines to rationalise passenger flow at airports, in addition to the limitation of what constitutes the object of the same (examination of article 5.1.f), 25 and 32 of the GDPR in relation to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 115/128 solutions for storing personal data and in the airport area) which does not coincide with that examined in the present sanctioning procedure, it must be stated that the EDPB itself determines in its press release that “In the application, it is supposed that the treatment would be based on the consent of each passenger. However, on the basis of the limited scope of the request, the opinion does not examine the legal basis and, in particular, the validity of the consent for such processing.” (emphasis added) https://www.edpb.europa.eu/news/news/2024/facial-recognition-airports-individuals-should- have-maximum-control-over-biometric_en#:~:text=Brussels%2C%20May%24%20-%20During%20its%20last,%20streamlining%20the%20passenger%20flow %20at%20airports. On the other hand, it is also known that any data processing as a limitation of rights for its owner, in order to be legitimate and lawful, must comply, on the one hand, with the principles relating to data processing set out in article 5 of the GDPR and, on the other, with one of the principles relating to the lawfulness of processing listed in article 6 of said Regulation (see, in this regard, the judgment of 16/01/2019, Deutsche Post, C-496/17, EU:C:2019:26, paragraph 57 and cited case law), as well as having an exception from those of article 9.2 of the GDPR if it concerns special categories of personal data. It should be noted that at this time there is no discussion as to whether there is an exception of art. 9.2 of the GDPR and whether or not this could be consent, but whether the DPIA has carried out and passed the assessment of necessity and proportionality in the terms provided for in the GDPR, a question to which the response to the allegations is limited. The opinions and reports cited by C. A OSASUNA may not have changed the references to such a possibility of processing through consent in which they limit themselves to quoting without further ado, but the truth is that, in any assessment of any type of data processing, it is expressly indicated that as it is an intrusion into the right of the natural person, any use of the same constitutes a limitation of the right of the person, requiring therefore a series of guarantees and safeguards that limit and mitigate the possible consequences that may affect rights and freedoms. In addition, the purpose of the processing states that if the same purpose can be achieved without data processing, with less data, or less use, with similar effectiveness, this principle must be respected, and conduct that contains actions that imply its processing is opposed to this principle, violating article 5.1.c) of the GDPR. And this is regardless of whether there is an exception that lifts the prohibition of the processing of special categories of personal data, where applicable, and a legal basis that allows the processing of personal data, since extrapolating the above with respect to security measures, if a processing is not necessary, it is irrelevant whether there is a legal basis that could legitimize it, an exception to article 9.2 of the GDPR that could be present, or the presence of security measures. It is enough that the processing of personal data is not necessary (all the elements provided for by the GDPR must be present for it to be carried out). In this case, no resolution has been provided in which the AEPD had assessed a similar case, that dealing with special category data with a basis of legitimation based on explicit consent, and the overcoming of the judgment of necessity and proportionality of the processing operations in accordance with the purpose C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 116/128 prescribed in article 35 of the GDPR was analyzed. Therefore, it cannot be resolved that there was previously any interpretation of the case that offered a foreseeable confidence. Note, furthermore, that necessity and proportionality refers to the processing itself, related to its processing operations and its purposes, but that it would also apply to any processing principle, and that it constitutes a basic element of the design of the processing, before the processing, and also continuously at the time of the processing. Its objective is to integrate the necessary guarantees into the treatment in order to comply with the requirements and protect the rights and freedoms of the interested parties. For all the reasons set forth above, this claim cannot be upheld. In the proposal, C.A. OSASUNA alleges that the risk involved has not been analysed and that the data processing involved in the SBRF for access to its stadium cannot be classified as high risk. To do so, it relies on the fact that it uses an artificial intelligence system provided by its manager DAS-GATE, consisting of VERIDAS technology. It adds that it complies with security measures, all of them related to the facial vector, such as irreversibility, non-interoperability and non-reusability, and immediate revocation in the event of compromise, being limited exclusively to the system and version that created them and that the risk of unauthorised access to the facial vector is non-existent or minimal. The court claims that the file assesses the risks of a system that is not the one they have been using and that the proposal explains that they use another system based on point maps, a system that is the one that provides a high risk, and that additional measures were adopted in the treatment and in the life cycle, such as taking a photo as proof of life or complying with requirements to verify that the subscriber is over 14 years old. With respect to these statements, it is reiterated that the risks are only one aspect that is taken into account in the EIPD, and that, in this case, the risks were not analyzed in the start agreement or in the proposal. The alleged infringement has nothing to do with the risks. However, since it has been brought up, it is worth indicating the risk analysis that is provided with the EIPD: The risk analysis is divided into Legal risks, Organizational measures and Security risks. The latter includes the management of data security incidents (personal data breaches), which is a regulatory obligation imposed by article 33 and 34 of the GDPR, not referred to nor should it be included in the risk analysis part of a DPIA. In addition, it must be assumed that the risks are for the rights and freedoms of the subscribers derived from the processing, not for the management of a risk for the organization derived from a regulatory risk. It is difficult to adopt adequate measures if the risk approach is not the one provided for in the GDPR. The tables are limited to describing a risk and the measures adopted, they do not enter into an assessment of the potential risk scenarios that may occur, limiting the compliance section to a YES that serves for all the measures adopted. In others, the yes is preceded by the fact that the entity has a certification. As an example, in “organizational measures”, it is indicated that DAS-GATE has the ISO/IEC 27001 certification system and ISO/IEC 9001 quality management. In “Measures adopted” in the security risks, in table III, it reiterates ISO 27001 and that audits have been carried out on it. It should only be mentioned, for illustrative purposes only, that the certifications cited are not data protection certifications in the sense of art. 42 of the GDPR, but are C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 117/128 information security certifications or in relation to other issues or obligations that must be fulfilled by the data controller based on regulations other than data protection. In this regard, the report of the Legal Office 170/2018 of the AEPD establishes the difference between the security of information and the protection of personal data: “Therefore, there is no doubt that the guarantee of the security of personal data acquires special importance in terms of its protection, but without this being limited exclusively to the scope of the security of said information, since the protection of personal data has a much broader scope that covers, as we said, a much broader set of principles, rights and obligations.” In this regard, it should be noted that these certifications, in addition to the fact that they should be, in the terms of article 42 of the GDPR, a certification in terms of data protection and not information security, do not absolutely prove that sufficient guarantees in terms of data protection have been implemented and are acting effectively throughout the entire treatment cycle. The risk to the rights and freedoms of individuals is not stated, nor is its description and causes; the probability of their occurrence is not stated and what the residual risk is with the measures that are intended to be implemented. In some security measures listed in the DPIA, it is stated that after describing the risk very briefly (for example, they limit themselves to indicating “Security risks”, “Loss of personal data”), stating that in the measures adopted “The intelligent design of the solution causes it to be little prone to this type of scenario, in that there is no large centralized database”. In the same measures it also indicates that “there may be a loss of credentials for physical access”, but a yes is given in compliance, without detailing any aspect regarding compliance. It is also indicated that an annual (…) is carried out on the solution and on previous actions that was not provided. Likewise, in neither case are reaction and containment measures established for addressing the risk in case it materializes and for mitigating its effects. The measures adopted are based on art. 32 of the GDPR. We have already said that data protection measures are not only security measures. Finally, the conclusions in the EIPD indicate: “Based on the conclusions reached in the analyses carried out throughout this document in relation to the different legal risks that may affect the processing activity examined, as well as the legal measures implemented by OSASUNA to reduce or mitigate said risk, it can be considered that the treatment evaluated would not imply a high risk for the rights and freedoms of the interested parties.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 118/128 It seems to follow that the high risk ceases to be so when legal and security measures are applied, as they express in their allegations to the proposed resolution. We have already indicated the incorrectness of this way of understanding the GDPR. In any case, once the EIPD has been made, for which one of the elements for which it is carried out is because the treatment may pose a high risk to the rights and freedoms of individuals, C.A. OSASUNA subsequently determines in allegations that its treatment is not high risk, after having carried out the same, in whose content there is also no such express conclusion or the reasons that it has now expressed. The DPIA, due to its content and purpose, is more than an analysis of the security measures that affect the technology of the devices or the way in which the different processing operations are carried out. And specifically, in this case, what is charged is an infringement under article 5.1.c) that does not derive directly from the risks, regardless of whether C.A. OSASUNA considers that the aforementioned charge may arise from the assessment of the risks. The allegation therefore cannot be upheld. VIII Classification and classification of infringements Article 83.5 GDPR states: “Infringements of the following provisions shall be sanctioned, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of a company, of an amount equivalent to up to 4% of the total annual global turnover of the previous financial year, whichever is higher: “a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9;” The LOPDGDD establishes in its article 72: “1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations: “a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679” “e) The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679, without any of the circumstances provided for in said provision and in article 9 of this organic law occurring.” IX Determination of sanctions Article 58.2 of the GDPR provides the following: “Each supervisory authority shall have all of the following corrective powers indicated below: i) to impose an administrative fine in accordance with Article 83, in addition to or instead of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 119/128 measures mentioned in this section, according to the circumstances of each particular case;” The determination of the sanctions to be imposed in the present case requires observing the provisions of Articles 83.1 and 83.2 of the GDPR, which respectively provide the following: “1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” “2.Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as an alternative to the measures referred to in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them; (b) the intent or negligence of the infringement; (c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures implemented by them pursuant to Articles 25 and 32; (e) any previous infringement committed by the controller or processor; (f) the extent of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the controller or processor of the infringement; (i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 120/128 Within this section, the LOPDGDD provides in its article 76, entitled “Sanctions and corrective measures”: “1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continued nature of the infringement. b) The connection between the offender's activity and the processing of personal data. c) The benefits obtained as a result of committing the infringement. d) The possibility that the affected party's conduct could have led to the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party. 3. It will be possible, additionally or alternatively, to adopt, where appropriate, the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679.” Since the proposal proposed to the Director of the AEPD the archiving of the infringement of article 9 of the GDPR, with regard to the violation of the data minimisation principle of article 5.1.c) of the GDPR, a penalty of 200,000 euros was agreed in the initiation agreement, considering: a) “The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation”. The specific purpose of the processing of personal data in relation to the needs to be covered, which constitutes the nature of the infringement and which opened the scope of those affected to any C.A. subscriber, was not correctly considered. OSASUNA, considering that the purpose of the treatment is a basic activity of the data controller, which is an aggravating factor. (83.2.a GDPR). b) A serious lack of diligence is included, given that it was available and documented that there was another less intrusive means of treatment and the use of the solution was left to the users' discretion, and the impact of the same was not foreseen, so this factor would operate as an aggravating factor (art. 83.2.b GDPR). c) The impact on one of the special categories of data, biometric data for unique identification, the need for protection of which is to that extent greater than that of other personal data, in accordance with the Constitutional Court's ruling 76/2019, dated 05/22/2019, appeal 1405/2019, which is an aggravating factor, in accordance with C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 121/128 Article 83.2.g) of the GDPR "the categories of personal data affected by the infringement". C.A. OSASUNA stated in its allegations to the agreement: - violation of the principle of proportionality of the amount of the sanctions, because mentions are made in the aggravating factors that are elements of the conduct itself that is intended to be sanctioned. -There is no negligence since the opinion of the AEPD was in no way contrary to the processing of data carried out on the legal basis of the consent of the interested parties, the same criterion being upheld by the EDPB. - that the conduct that constitutes the infringement of article 5.1.c) of the RGPD, would only affect those who joined the system, not all subscribers, and who have gone from (…) on 03/13/2023, to the time when the allegations are made, on 12/28/2023, counting with (…) registered persons. - In the lack of diligence of article 5.1.c) of the GDPR, according to the start agreement "it was provided and documented that there was another less intrusive means of treatment and the use of the solution was left to the users' discretion, and the impact of the same was not foreseen, so this factor would operate as an aggravating factor", it estimates that "these arguments, denied in any case by OSASUNA were those that, in the opinion of the AEPD, justify the imposition of the sanction, so it cannot be taken into consideration to aggravate it." In its allegations to the proposal, it adds: -the processing of special category data must be subsumed under the aggravating circumstance of the category of data in article 83.2.a) of the GDPR, considering that it forms part of the circumstances of the processing, considering that article 83.2.g) of the GDPR would not apply when the aggravating circumstance arises from the processing as a whole. - related to the nature, seriousness and duration of the infringement of art. 83.2.a) of the RGPD that it mentions, it causes defenselessness because the mention is incomprehensible to: "If what is intended to indicate is that the infringement is having carried out a treatment that was not necessary for the purposes that were intended to be covered with it", apart from denying that statement, such an aggravating circumstance would consist of an alleged breach of the principle of necessity, conduct that is included in the type itself, contrary to the principles of sanctioning law - Regarding the reference to the potential impact of the treatment on all OSASUNA subscribers, contained in the proposal, in the explanation of 83.2.a) of the RGPD of "if it is not stopped it may affect more subscribers", it is meaningless, it is impossible, since since the 2024/2025 season it is not processing the data with the SBRF. - Regarding the aggravating circumstance of article 83.2.b) of the GDPR, OSASUNA points out that the proposal was answered in an incomprehensible manner, and that if it is a question of considering gross negligence the fact of allowing the treatment to be carried out on the basis of consent and the free decision of the interested parties, such interpretation would not be negligent or artificial, since it considers that the criteria derived from the documents of the EDPB and the GT are not followed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 122/128 29. It considers that these facts cannot aggravate the liability of OSASUNA, but rather should exclude it. According to article 83.1 of the GDPR, it will be ensured that the imposition of administrative fines is in each case “individual, effective, proportionate and dissuasive”, and according to section 2 of the same article 83, “they will be imposed according to the circumstances of each individual case” and when deciding their amount, the circumstances indicated in said provision will be taken into account, as well as, in accordance with the provisions of article 83.2.k) of the GDPR, those established in article 76.2 of the LOPDGD. As indicated by the SSTS, Chamber 3, of 3/12/2008 (Rec. 6602/2004) and 12/04/2012 (Rec. 5149/2009) the principle of proportionality is the fundamental principle that beats and presides over the process of grading sanctions and implies, in legal terms, that there must be a "due adaptation between the seriousness of the fact constituting the infringement and the sanction applied", as provided in article 29.3 of Law 40/2015, on the Legal Regime of the Public Sector. This is about the proper weighing of the concurrent circumstances in order to achieve the necessary and proper proportion between the alleged facts and the liability required, given that all sanctions must be determined in accordance with the nature of the infringement committed and according to a criterion of proportionality in relation to the circumstances of the act. Thus, proportionality constitutes a normative principle that is imposed on the Administration and that reduces the scope of its sanctioning powers. As regards the considerations of the aggravating circumstance of article 83.2.a) of the GDPR, the purpose of the processing operation in relation to the scope of potential affected parties covered the total number of members of the entity, estimated at around 19,000 members of the C.A. OSASUNA, according to public data on its website, at the date of the second allegations the number of people registered in the SBRF had risen to (…), at which time it continued to carry out the aforementioned processing, given that the figure given previously was (…) members. The purpose was related to access to a public show. This processing includes various processing operations or a set of operations in various phases with periodic processing throughout the season and being saved for use in the following one. Although it did not reach the maximum potential of subscribers, in about two years since its implementation, it has risen to almost 10% of subscribers, which is a significant figure that must be related to the special nature of the processing of this data. Regarding the subsumption of the circumstance contemplated in article 83.2 g) that according to C.A. OSASUNA, these special category data cover the treatment as a whole to consider that it must be integrated into article 83.2.a) of the RGPD, as it forms part of the circumstances of the treatment. To this effect, it must be indicated that this broad sense of the elements contemplated in article 83, would allow, if such thesis were accepted, that other differentiated elements be integrated into said article. However, it is estimated that this category of data specifically affects conduct, in a concrete and differentiated way from the elements contained in article 83.2.a), and are of a different nature, so it cannot be integrated into article 83.2.a) of the GDPR. Furthermore, taking into C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 123/128 consideration that, once article 9.1 of the GDPR has been filed, special category data cannot be considered to be included in the type of article 5.1.c) of the GDPR in any case (not before either). And this, also taking into consideration that not all EIPD is linked to the processing of special categories of personal data, that not all failure to pass the assessment of the necessity and proportionality of the processing is linked to the processing of biometric data. In the case under consideration, since said data are directly related to failure to pass the assessment of the need and proportionality of the processing, they must necessarily be considered in the terms of art. 83 of the GDPR. Regarding the lack of diligence indicated in article 83.2 b) of the GDPR for the reasons that have been indicated, the legitimizing basis of the principle of data minimization is different, since there may be a legitimizing legal basis and an exception that lifts the prohibition of art. 9.2 of the GDPR, but there is no need to process the cited data. Likewise, even if it turns out that the fact of the infringement is denied, this does not mean that this circumstance cannot be ignored in the conduct indicated, it being a fact that in the documentation of the EIPD it was recognized that there were less intrusive means for processing, which contribute to highlighting the aforementioned lack of diligence. As regards the lack of culpability and, as a result, the circumstances noted in article 83.2.b), it has already been answered in the corresponding section that there is no such breach of trust, due to the differentiation between compliance with the requirements of legality for data processing and compliance with the principles of processing, which, although they are cumulative, must be complied with in their fair measure, each one, taking into account circumstances that are each sufficiently legally differentiated. Regarding the reference to article 83.2.b) of the GDPR, which is a serious lack of diligence, given that it was available and documented that there was another less intrusive means of processing and the use of the solution was left to the users' discretion, and the impact of the same was not foreseen, so this factor would operate as an aggravating factor (art. 83.2.b GDPR), it is understood that even if it is not intentional, the action is evidence of a serious lack of diligence, without being able to assess what it basically meant, which was that the judgment of the need for processing was transferred to the users' free disposition. It should also be noted that the conduct that leads to the infringement consists of various analyses from the DPIA with a conscious legal basis made clear as an example, which recognized not only the risks of any treatment of this type, but that the unique identification of the subscribers was more invasive and reiterated on several occasions that the use was voluntary and complementary, being alternative, as bases that contributed to the need. Regarding this same article, the allegation that there was confidence that the treatment could be undertaken with the legitimizing basis of consent, considering this interpretation reasonable, the differentiation of levels and cumulative requirements of principles and legitimizing basis has already been pointed out without one being able to replace the other, their legal formulations of compliance being different. In this sense, the set of such elements would reveal a lack of diligence in the fulfillment of the analysis of intrusion of the treatment carried out. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 124/128 As a consequence of the elements available, the sanction is quantified at 200,000 euros. X Corrective powers Article 58.2 of the GDPR provides the following: “Each supervisory authority shall have all of the following corrective powers indicated below: “d) order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period;” f) impose a temporary or permanent restriction on processing, including its prohibition; […]” i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this section, depending on the circumstances of each particular case;” The imposition of these measures is compatible with each other and with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR. C.A. OSASUNA will stop using the facial recognition system for access to the stadium based on the consent of the users, and which was imposed as a precautionary measure in the operative part of the initiation agreement. Article 69 of the LOPDGDD states: “1. During the conduct of the preliminary investigation actions or the initiation of a procedure for the exercise of the sanctioning power, the Spanish Data Protection Agency may agree, with reasons, on the necessary and proportionate provisional measures to safeguard the fundamental right to data protection and, in particular, those provided for in article 66.1 of Regulation (EU) 2016/679, the precautionary blocking of the data and the immediate obligation to comply with the requested right. 2. In cases where the Spanish Data Protection Agency considers that the continued processing of personal data, its communication or international transfer will entail a serious violation of the right to the protection of personal data, it may order those responsible for or in charge of the processing to block the data and cease its processing and, in the event of non-compliance with these orders, proceed to its immobilization.” The Preamble of the LOPDGDD states: “The protection of natural persons in relation to the processing of personal data is a fundamental right protected by article 18.4 of the Spanish Constitution. In this way, our Constitution was a pioneer in recognizing the fundamental right to the protection of personal data when it provided that “the law will limit the use of information technology to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights.” This echoed C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 125/128 the work carried out since the end of the 1960s in the Council of Europe and the few legal provisions adopted in countries around us. The Constitutional Court stated in its Judgment 94/1998, of 4 of 5, that we are faced with a fundamental right to data protection by which the person is guaranteed control over his or her data, any personal data, and over its use and destination, to avoid illegal trafficking of the same or that which is harmful to the dignity and rights of those affected; in this way, the right to data protection is configured as a right of the citizen to oppose certain personal data being used for purposes other than that which justified its acquisition. For its part, in Judgment 292/2000, dated 30 November, it is considered as an autonomous and independent right that consists of a power of disposition and control over personal data that empowers the person to decide which of these data to provide to a third party, be it the State or an individual, or which this third party may collect, and that also allows the individual to know who possesses these personal data and for what purpose, being able to oppose such possession or use. (…). On the other hand, it is also included in article 8 of the Charter of Fundamental Rights of the European Union and in article 16.1 of the Treaty on the Functioning of the European Union. Previously, at European level, Directive 95/46/EC had been adopted, the purpose of which was to ensure that the guarantee of the right to the protection of personal data did not constitute an obstacle to the free circulation of data within the Union, thereby establishing a common area of guarantee of the right which, at the same time, would ensure that in the event of international transfer of data, its processing in the country of destination was protected by safeguards appropriate to those provided for in the directive itself.” Article 56 of the LPACAP, insofar as it is applicable, states the following: “1. Once the procedure has been initiated, the administrative body competent to resolve may adopt, ex officio or at the request of a party and in a reasoned manner, the provisional measures it deems appropriate to ensure the effectiveness of the resolution that may be issued, if there are sufficient elements of judgment for this, in accordance with the principles of proportionality, effectiveness and less onerousness. … 3. In accordance with the provisions of the two preceding sections, the following provisional measures may be agreed upon, in the terms provided for in Law 1/2000, of 7/01, of Civil Procedure: a) Temporary suspension of activities. b) Provision of bonds. c) Withdrawal or intervention of productive assets or temporary suspension of services for reasons of health, hygiene or safety, the temporary closure of the establishment for these or other reasons provided for in the applicable regulatory regulations. d) Preventive seizure of assets, income and fungible things that can be computed in cash by applying certain prices. e) The deposit, retention or immobilization of movable property. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 126/128 f) The seizure and deposit of income obtained through an activity that is considered illegal and whose prohibition or cessation is sought. g) Deposit or constitution of a deposit of the amounts that are claimed. h) The retention of income on account that must be paid by the Public Administrations. i) Any other measures that, for the protection of the rights of the interested parties, are expressly provided for by the laws, or that are considered necessary to ensure the effectiveness of the resolution. 4. Provisional measures may not be adopted that may cause damage that is difficult or impossible to repair for the interested parties or that imply a violation of rights protected by law. 5. Provisional measures may be lifted or modified during the processing of the procedure, ex officio or at the request of a party, due to unforeseen circumstances or circumstances that could not be taken into account at the time of their adoption. In any case, they will expire when the administrative resolution that ends the corresponding procedure takes effect. In the data processing analysed, it was noted at the time of initiating the procedure that undoubtedly represented a high risk for the rights and freedoms of a high number of those affected, such as the loss of control and disposition of their personal data or the use of personal data that are not evidently necessary to access the stadium. Although it covers persons over 14 years of age, who may consent to the processing, it is unlikely that they understand the implications of the use and the risks of using a system that uses the body itself as an identifier. In addition, there were indications and evidence that recommended not continuing with the aforementioned processing that involves special categories of personal data. The continuation of the processing, which there is evidence that has not passed the triple proportionality test and therefore the failure to pass the EIPD could lead to a very serious and irreparable impairment of the rights of these users. The temporary suspension of the processing was the only measure that could be adopted to safeguard the Fundamental Right to Data Protection, and was also the least harmful, onerous, proportional and effective for C.A. OSASUNA. Based on these premises and in order to guarantee the rights and freedoms of those affected, it is considered appropriate to make the temporary suspension that prevents the continuation of the processing of personal data through the facial recognition system for access to the El Sadar stadium permanent, urging its prohibition. This measure would not prevent C.A. OSASUNA from continuing to control the entrance correctly and legally with the other systems it is using, nor would it mean the loss of service for fans, since they can continue to access the stadium normally as it is a “complementary” or “alternative” system to that of the SBRF, as C.A. OSASUNA continually states. In accordance with the provisions of art. 83.2 of the GDPR and article 76.3 of the LOPDGDD transcribed above, it is considered necessary, proportional, and effective to guarantee the rights and freedoms of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 127/128 those affected and of lesser burden for C.A. OSASUNA, to impose, additionally, the elevation to definitive of the suspension, in accordance with the provisions of art. 69 of the LOPDGDD. Therefore, in accordance with the applicable legislation and having assessed the grading criteria of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO ARCHIVE the infringement of article 9 of the GDPR, imputed to CLUB ATLÉTICO OSASUNA with NIF G31080179, in accordance with article 83.5 a) of the GDPR, and classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.e) of the LOPDGDD. SECOND: TO IMPOSE on CLUB ATLÉTICO OSASUNA, with NIF G31080179, for a violation of article 5.1.c) of the RGPD, in accordance with article 83.5 a) of the RGPD, and classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.a) of the LOPDGDD, a fine of 200,000 euros, THIRD: Regarding the temporary suspension included as a provisional measure in the start agreement, pursuant to article 58.2.f) of the RGPD, it is raised to definitive, requesting the prohibition of the treatment for access to the El Sadar stadium with the SBRF and the deletion of the records used for its operation since the resolution is enforceable, to safeguard the fundamental right of the (…) people subscribed to the system to 28/12/2023, and certified in this sense by the C.A. OSASUNA. FOURTH: NOTIFY this resolution to CLUB ATLÉTICO OSASUNA. FIFTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned party is warned that he/she must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of the LPACAP within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29/07, in relation to art. 62 of Law 58/2003, of 17/12, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ES00- 0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected during the enforcement period. Once notification has been received and enforced, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 128/128 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision may be provisionally suspended by administrative means if the interested party expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned LPACAP. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the provisional suspension. 938-16012024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es