AEPD (Spain) - EXP202212956

From GDPRhub
AEPD - EXP202212956
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(a) GDPR
Article 9 GDPR
Type: Complaint
Outcome: Upheld
Started: 22.11.2022
Decided: 21.01.2025
Published: 22.01.2025
Fine: 200,000 EUR
Parties: Club Atlético Osasuna
National Case Number/Name: EXP202212956
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA held that the implementation of an optional facial-recognition system, used to efficiently manage access to a football stadium, violated the principle of data minimisation as there were less invasive alternatives and therefore issued a €200,000 fine.

English Summary

Facts

A data subject lodged a complaint against the Spanish football club “Club Atlético Osasuna” with the Spanish DPA (Agencia Española de Protección de Datos – AEPD) on 22 November 2022.

The football club, here the controller, had implemented a facial recognition system at one of the stadium entrances on 10 April 2022. By 22 April 2022, the system had been added to several entrances. Fans were given the option to register for the system online, for which they had to provide a selfie, a scan of their ID card and agreement to the terms and conditions.

Traditional entry with physical or digital tickets was still possible at other entrances. The controller detailed that the purpose of the system was primarily limited to convenience. Therefore, security and identity verification purposes were not listed as the aim of the system.

The controller had carried out a data protection impact assessment and concluded that based on the legal basis of consent, the processing did not endanger data protection rights. The DPIA had shown that the data was only processed for the intended purpose.

The data subject alleged that the large-scale processing of biometric data lacked proportionality, that the controller did not provide sufficient safeguards and that consent alone was not enough to legitimise this processing.

Holding

Consent under Article 6(1)(a) GDPR

The AEPD confirmed that the opt-in design of the system proved that the use of the facial-recognition system was in fact voluntary. Fans did not face any negative consequences if they refused to use the system or if they withdrew their consent. The sign-up process required multiple opt-ins, so the AEPD concluded that consent was informed and freely given. Further, people wanting to sign up were informed about data usage and storage by the controller.

Necessity of processing sensitive Article 9 GDPR data

However, the nature of the biometric data processed under Article 9 GDPR required further assessment. The AEPD highlighted that more information had to be provided on how and when data was deleted. The AEPD found that the amount of data processed (e.g., ID scans, selfies, and live facial recognition) exceeded what was required to achieve the system’s purpose which was managing efficient access to the stadium. It explained that the data minimisation principle required controllers to assess and make use of alternatives which would be less intrusive, but which would still fulfill the intended purpose.

Violation of Article 5(1)(c) GDPR

The AEPD found that even if the consent of data subjects is obtained, the processing of sensitive biometric data must be necessary, especially when other options are viable. It held that the use of facial recognition was not adequately justified in light of other options such as QR codes and digital tickets. These methods already provided viable and efficient ways to achieve the purpose (fast access to the stadium). The controller was ordered to reevaluate the system, as it had violated Article 5(1)(c) GDPR because the marginal benefits did not justify the processing.

Administrative fine

The AEPD held that the controller had shown negligence in implementing a system that processed sensitive data on a large scale without this being necessary for quick access to the stadium. Therefore, the AEPD set a fine of €200,000 based on the controller’s income.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202212956

SANCTIONING PROCEDURE RESOLUTION

BACKGROUND
FIRST: Receipt of complaint dated 11/22/2022
SECOND: Director's agreement to initiate preliminary investigation proceedings
THIRD: First request to C.A. OSASUNA in the course of the preliminary investigation proceedings
FOURTH: Second request to C.A. OSASUNA in the course of the preliminary investigation proceedings
FIFTH: Incorporation of documentation in the preliminary investigation proceedings
SIXTH: Brief analysis of the EIPD provided by C.A. OSASUNA in preliminary investigation proceedings
SEVENTH: Start agreement of 12/4/2023
EIGHTH: Sending a copy of the file
NINTH: Allegations to the start agreement of 12/28/2023
TENTH: Proposal for a resolution of 10/30/2024 and allegations
ELEVENTH: Objections to the proposal

PROVEN FACTS
FIRST
SECOND
THIRD
FOURTH
FIFTH
SIXTH
SEVENTH
EIGHTH
NINTH
TENTH
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/128

ELEVENTH
TWELFTH

LEGAL BASIS
I Jurisdiction
II Definition of personal data and biometric data
III Regulations on control of tickets and access to stadiums
IV Differences in data processing for access to the stadium
V Examination of necessity and proportionality
VI Processing of biometric data: exception to article 9 of the GDPR, and legitimizing basis of article 6 of the GDPR
VII Response to the allegations of C.A. OSASUNA
VIII Classification and Classification of the infringements
IX Determination of the sanctions
X Corrective powers

RESOLVES

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: Receipt of complaint dated 11/22/2022

On 11/22/2022, this AEPD received a complaint (hereinafter, the complainant) against CLUB ATLÉTICO OSASUNA with NIF G31080179 (hereinafter, C.A. OSASUNA). The reasons on which the complaint is based are that, in April 2022, C.A. OSASUNA introduced a biometric facial recognition system (SBRF hereinafter) for spectator access to its El Sadar stadium.

The press release published on 05/22/2022 by elespañol.com is included at:
https://www.elespanol.com/invertia/disruptores-innovadores/innovadores/tecnologicas/20220522/accesos-rapidos-seguros-sistema-reconocimiento-laliga-operativo/673682724_0.html.

In summary, the news indicates that it has been a process in which from the beginning they have had the participation of La Liga, as the entity in charge of managing access to the stadiums of the First and Second Division, in the three ways that existed until now to access the stadium and that the process, available at the moment for members who register through the website, would be an optional form of access to the stadium.
The complainant indicates that freedoms and fundamental rights are restricted, the lack of proportionality of which does not make the treatment legitimate, not even with an eventual consent associated with its implementation.

SECOND: Director's agreement to begin preliminary investigation actions.

As a result of the complaint and the news that appeared in the press, the Director of the Spanish Data Protection Agency sent a letter on 5/12/2022 to the General Subdirectorate of Data Inspection, so that preliminary inspection actions are carried out ex officio in order to verify proper compliance with the regulations.

THIRD: First request to C.A. OSASUNA in the course of the preliminary investigation actions.

The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions AI/00417/2022 to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD. On 02/14/2023, C.A. OSASUNA was asked to provide information "relating to the processing of biometric data referred to in the news published in the media."

On the other hand, it should also be noted that, at that time, other actions were being carried out (file number EXP202213792) in which the situation regarding the use of biometric systems for access to the stadiums was being investigated (AI/00444/2022).

In the proceedings of the present case, dated 13/03/2023, as prior information, C.A.OSASUNA states that "the Facial Recognition Solution or System" (SBRF hereinafter) established, makes it possible to facilitate access control to the El Sadar stadium and is not configured as mandatory, being a complementary method to the remaining procedures established by the Club for admission and access control to the venue currently in existence, and those who choose between the different access methods available.

C.A. OSASUNA entered into contracts with DAS-GATE ACCESS CONTROL SOLUTIONS SL (DAS-GATE hereinafter), provider of technological services that, through the use of biometric technology generated by VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, S.L (hereinafter, "VERIDAS"), developed the System.

Prior to the implementation of the Solution, they carried out between the months of November 2021 and February 2022, a Data Protection Impact Assessment (hereinafter, EIPD), the final version of which, dated 4/02/2022, is attached as DOCUMENT 1, whose summary related to the essence of the matter is summarized in the last of the FACTS.

Determination, for each of the activities that involve the processing of biometric data, of:

1.1. Dates on which they began and, where applicable, the date of completion.

C.A. OSASUNA responded that a pilot test of the system was carried out on 04/10/2022.

Attached as DOCUMENT 2 is the announcement of the implementation of the System next Sunday in: “official news-communiqué of 04/05/2022”. It is reported that it will be the first La Liga club to allow access to its stadium through facial recognition, as a quick, convenient and safe way, without the need to carry the physical season ticket,

- “opening the turnstile in a process that lasts less than a second”,
- “it will be the fan who chooses how to enter the stadium, always having the option of using the physical card, the digital season ticket on their mobile phone or biometric access”,
- “… following the protocol set by La Liga, a first turnstile with biometric access will be opened at gate 7 of the stadium”, “Initially only members who enter through gate 7 will receive the link to register”.
- “user registration can be completed via mobile phone, following the steps that the system will indicate and taking a photograph of both the membership card and the ID.” “Once the registration process has been completed, the system will recognize the member in all the matches of the season without having to repeat the process.”

C.A. OSASUNA stated that, on the occasion of the next match, on 04/22/2022, the number of access gates that have terminals for the operation of the System was expanded, at gates 3, 8, 10, 11, 16, 21 and 27, thus completing the eight gates initially planned. (ONE of the turnstiles at each gate having been enabled for this purpose. To use it, you must register beforehand).

Attached as DOCUMENT NUMBER 3 is the “newsletter” that C.A. OSASUNA states it sent to members on 04/09/2022, with information that also includes that “Registration does not prevent you from accessing the day you want with your physical card or with the subscription on your mobile”, or that the SBRF “will allow you to access, even if you have forgotten your card, since you will not need to carry it with you to enter”. DOCUMENT 4 is included, a newsletter that C.A. OSASUNA states it sent to members on 04/18/2022 that contains an infographic on the explanation of registration and the messages that appear on the device. There is a link tab to start the activation process (step 1) (registration landing page), “access the following link to start the activation process” - Activate (in the tab) showing the steps:

2 “start the process and accept the terms and conditions of the processing of your data”, with a drawing of a mobile device that appears in all the steps, and “digitalization of the subscription - start digitalization”.

3 “Enter your ID and your email address to begin the process”. The “enter your data” screen will appear, the first box to enter the DNI number including the letter, the next box for the email, and two boxes to tick:

The first: “I expressly consent to the processing of my personal data,
including my image for the generation of a facial vector using an artificial intelligence system that allows my identification at the time of access to the stadium.”

The second: “I have read and accept the Privacy Policy,” with the Privacy Policy highlighted to create a link.

Below the second box, to tick, there is a START key and a Cancel key.

4. “Take a photo of the QR code on your club membership card” On the mobile device used to carry out the operation, there is a space for “Scan your membership QR code. Place the QR code on your membership card in the square so that the camera can scan it.”

5. “Take a photo of your ID card from the front and back.” “Place the front of your ID card in the square.”

6. “Take a selfie” “Place your face in the oval and perform the movements indicated.”

7. “The system verifies that the photo on your ID card matches the features and identity of the person who took the selfie.” A message appears on the mobile device screen that “It's almost there...” with a message that preparations are being made to allow access to the stadium with SBRF.

8. “The system verifies that the data provided matches that of the subscriber who is registering in the system and informs whether the process has been carried out correctly” “the process has been completed successfully”. “At your usual access gate you will find duly marked fast access turnstiles with facial recognition.”

C.A. OSASUNA states that there is information on “QUESTIONS AND ANSWERS regarding the new access system to the El Sadar stadium” available from the Club website, which it provides as DOCUMENT 5.

It can be seen that it does not have a date, but it informs that the new system will be available
for gate 7 in the match on 10/04, and that for the next match on 20/04 until the end
of the season, access turnstiles by SBRF will be enabled at other gates.

It is also noted that it indicates, among other aspects, that “the activation process can be accessed from this link https://osasuna-socios.app.das-gate.com/”, and that the activation process requires “your mobile phone, your Osasuna season ticket and your ID”. In “How to activate access with DAS-GATE?”, it also refers to the Tablet or computer, accessing the website www.osasuna.es “where you will find a communication with the system information and a button to start the activation process, https://osasuna-socios.app.das-gate.com/”, the explanations coinciding with DOCUMENT 4, already seen.

It is reiterated: “will I be able to continue accessing with my season ticket? Yes, you will always be able to choose how to access the stadium. Access with DAS-GATE is just one more option available to you to enter El Sadar” and that “the new system will be optional and voluntary, while the rest of the access methods that have been used until now will remain available”, “you will always be able to choose how to access the stadium”. It is also reported that “you can unsubscribe at any time from the user area, at cancel account.”, as well as the management by DAS-GATE and that they have carried out an EIPD.

In “what advantages does it offer?”, it is indicated, among others, that “this type of access allows
control that it is you who uses the subscription. Enjoying the match with the peace of mind that
all the people present have the relevant permits is a benefit for
everyone”, and “This new access system strictly complies with the General Data Protection Regulation
and is endorsed by the League”.

C.A. OSASUNA states regarding the end date that: “Considering the objective of the
System to facilitate biometric access to the stadium to those fans who freely
wish to do so, there is no pre-established end date for the processing”.

1.2 Purposes and bases for legitimation of the processing activities (art. 6 RGPD).

If applicable, reasons for lifting the general prohibition of processing special categories of personal
data (art. 9 RGPD).

It reiterates that:

- The System offers its fans a complementary method of access to the stadium to those currently existing (and which can continue to be freely used by the fans), consisting of the recognition of biometric vectors of those Club members who wish to use the System, instead of those derived from other conventional means such as, for example, reading the QR code of the member card or the NFC chip. In no case will members be obliged to use the System to be able to access the venue.

- “even when a member has registered in the System, he/she may
decide at each match he/she attends the means of access to the stadium that he/she
deems appropriate, being able to opt for biometric recognition or for any of the other
access procedures or methods that C.A. OSASUNA makes available to him/her.

-The user may, at any time and immediately, revoke the
consent given, as will be indicated elsewhere in this document.”

It states that:

- “The purpose of the processing is to guarantee Osasuna fans who have freely decided to do so access to the stadium through facial recognition, as a non-exclusive alternative to the different means of access made available to them by the Club.

- “Firstly, specific and free consent is required in all cases so that the user can register in the System, so that subscribers are entirely free not to do so, and may continue to use the remaining means of access made available to them by the Club, under the same terms as they have done so until now. To do this, two processing activities are carried out:

● The one related to the registration and verification of the user's identity by the System, in order to include him in it and generate his biometric vector.

● The reference to the corresponding biometric control of access to the stadium at the time of each event, through its identification in the System.”

- “With regard to the basis of legitimacy for the treatment, it analyzed, first of all, the applicability to the System of the provisions of article 9 of the RGPD, taking into account that it implies the processing of biometric personal data for identification purposes (1:N). This analysis concluded that this provision was applicable, so that, together with the concurrence of one of the legal bases provided for in article 6.1 of the RGPD, it was necessary that one of the exceptions to the prohibition provided for in article 9.2 of the RGPD be applicable to it.”

As indicated, the use of the System is constituted as an option that fans may choose freely and completely voluntarily. For this reason, given that only the data of those interested parties who request it will be processed, without conditioning said authorization on access to the stadium, the processing is covered by the provisions of articles 9.2 a) and 6.1 a) of the RGPD, that is, by the explicit consent of the interested party to the processing of their biometric data.”

The EIPD provided analyses the concurrence of the requirements required for the validity of the consent in its section 5.2.3 (in particular, its character of manifestation of free, specific, informed and unequivocal will), as well as the viability of this basis of legitimation in the processing of biometric data, concluding on the validity of said legal basis.

Literally, the EIPD states, within section 5 “Legal basis of consent”, after indicating that consent must be lawful for which it is required to comply with one of the legal bases of article 6.1 of the GDPR, it goes on to analyse whether there may be any cause that lifts the prohibition of processing, because it is special data, “given that only in the event that one of the prohibitions is applicable would the study of the legal basis of processing make sense”.

In the following section of the EIPD, 5.2.1, it specifies that “the application of facial recognition techniques for biometric identification, and the subsequent processing of the personal identification data of the interested party linked to his or her facial pattern, or simply of the latter, has usually been the subject of analysis within the framework of the action of public surveillance and security.

Therefore, since such surveillance is based on systems that do not allow users to be discriminated against (i.e., the facial pattern of all persons who are exposed to the recording or collection of data by a particular device is collected), consent is not analyzed in these cases as a legal basis for processing, since it is not possible to obtain it or compliance with the requirements for it is clearly compromised (for example, consent cannot be considered to be given by the mere fact of crossing the area where the data is collected and, at the same time, such consent is hardly free, since the data will be collected in any case, without the interested party being able to refuse it or revoke an alleged consent given).”

The DPIA considers that, based on the analysis of, for example, the EDPB Guidelines 3/2019 adopted on 29/01/2020, on the processing of personal data by means of video devices, the existence of cases in which consent could be an adequate legal basis for the treatment is inferred, which in its point 77, within section 5.1 “general considerations for the processing of biometric data”, indicates:

“77. The use of video surveillance, including the biometric recognition function installed by private entities for their own purposes (e.g., marketing, statistics or even security), will require in most cases the explicit consent of all interested parties [Article 9, paragraph 2, letter a)]; however, another suitable exception to Article 9 could also be applied,” and gives the example:

“In order to improve its service, a private company replaces the passenger screening and identification points within an airport (baggage drop-off, boarding) with video surveillance systems that use facial recognition techniques to check the identity of passengers who have chosen to consent to such a procedure.

Since the processing falls within the scope of Article 9, passengers, who have previously given their explicit and informed consent, will have to be included in an automatic terminal, for example, to create and register their facial template associated with their identity card and their boarding pass. Facial recognition screening points must be clearly separated, for example, the system must be installed in a gantry so that the biometric templates of the person who has not given consent are not captured.

Only passengers who have previously given their consent and proceeded to register will use the gate equipped with the biometric system.”

The EIPD considers that, even if it is an identification system and not an authentication system, in its system, also an identification system, the interested party can freely decide to undergo the treatment, without negative consequences, "that is, the comparison system is still 1 to 'n', in which 'n' is limited to those interested parties who voluntarily and freely decide and consent to the performance of the treatment".

The EIPD considers that the consent is valid based on Guidelines 5/2020 of 05/04/2020, on consent within the meaning of Regulation EU 2016/679, or on the legal report of the Legal Office of the AEPD (G.J. of the AEPD) 36/2020, since it does not entail any disadvantage or harm to those who do not give it, or withdraw it. Both means (referring to access) will be essentially equivalent except for the intrinsic benefits of each of them, for example, the greater or lesser speed of access.

It reviews the elements of consent, indicating in the EIPD, page 38, 5.2.2., that the Club does not benefit those who opt for one access system or another, “without prejudice to promoting the use of this access system, given its novel nature, both means being essentially equivalent except for the intrinsic benefits of each of them - for example, the greater or lesser speed of access”. It estimates that it meets all its requirements and in its final section, 5.2.3 indicates:

“Therefore, it can be considered that the treatment is validly covered by the establishments of article 9.2.a) of the RGPD.

The consequence of the above is that, since the consent required by article 9.2 a) is reinforced with respect to that established in article 6.1 a) as a general legal basis for the processing of personal data, it must be considered that said consent is also subsumed in the content of this last rule, so that, in addition, the processing will have the legal basis established in article 6.1 a), thus complying with the principle of legality.”

1.3 Proportionality judgments made for the execution of activities through the processing of biometric data.

It replied that it is contained in section 6.4 of the EIPD, first analyzing the fact that the processing of the biometric data of the interested parties “is suitable for achieving the purpose of recognition for access control - following the doctrine established by the AEPD in the resolution of procedure PS/00120/2021 (Mercadona case) and in the report of the Legal Office 47/2021”, “showing that the system, unlike those analyzed in the aforementioned AEPD documents, would be based on consent, thus not producing recognition except for those fans who so request and freely authorize it”.

- Section 6.4.3 of the EIPD, framed in the analysis of the principle of data minimization, and more specifically, of the "criteria in relation to the application of the principle of minimization in the processing of biometric data" (6.4.2), indicates that "the following must be taken into consideration to assess the necessity and proportionality of the processing:"

A- The processing will be limited only to those who voluntarily wish to use this procedure, it is not indiscriminate or massive, preserving the alternative means of access.

B- The processing involves an identification process, "and not an authentication process, which would be less invasive, although: it occurs on vectors and not directly on images or on biometric information and the search for matches between vectors would not be limited to all persons who access the stadium."

C- Facial recognition is not carried out remotely and in areas completely open to the public, but the identification process takes place a few centimetres from the machine in front of which the user must be located less than ONE metre from the terminal so that their data can be captured, making it impossible for other interested parties who do not have the specific intention of accessing the sports venue through the solution to try to “vectorise” the data.

D- “Data will only be processed on the basis of the consent of the interested parties who freely wish to use the solution, which must be weighed favourably for the purposes of verifying the proportionality of the processing, given that it is possible to appreciate from the own conduct of the interested party, the concurrence in the processing of a mutual benefit for the Club and the person, which speeds up access to the stadium”.

E- The use of the solution is limited to subscribers over 14 years of age under
Article 7 of the LOPDGDD in connection with Article 8 of the RGPD - the age will also be verified during the registration process, when the scanned image of the DNI is processed.

- It adds that this occurs within the framework of Article 11.1 of the Anti-Violence Law, which
establishes that "all sports venues in which state competitions of a professional nature are held must include a computerized system for controlling and managing ticket sales, as well as access to the venue."
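Point B above turns on the difference between identification (1:N, no identity claimed) and authentication (1:1, against a claimed identity). The following sketch is an added example, not code from the decision, the DPIA, DAS-GATE or VERIDAS; it shows how many stored templates each mode touches per access attempt and how the chance of a false match grows with gallery size. The 128-dimension vectors, cosine distance, the 0.35 threshold and all names are assumptions, and every vector is constructed random data.

```python
"""Added illustration: 1:N identification versus 1:1 authentication over face vectors.

All data is constructed: random unit vectors stand in for the templates a real
biometric engine would produce. Cosine distance, the 128-dimension size and the
0.35 threshold are assumptions; the decision does not specify them.
"""
import math
import random

DIM = 128          # assumed embedding size
THRESHOLD = 0.35   # assumed maximum cosine distance for a match


def _unit(vec):
    """Scale a vector to length 1 so a dot product equals cosine similarity."""
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec]


def cosine_distance(a, b):
    """0.0 for identical directions, about 1.0 for unrelated vectors."""
    return 1.0 - sum(x * y for x, y in zip(a, b))


def enrol(n_subscribers, seed=1):
    """Constructed gallery: anonymous access ID -> stored template."""
    rng = random.Random(seed)
    return {
        f"access-{i:04d}": _unit([rng.gauss(0, 1) for _ in range(DIM)])
        for i in range(n_subscribers)
    }


def capture(template, seed, noise=0.03):
    """Simulate a fresh camera capture of an enrolled face (template + noise)."""
    rng = random.Random(seed)
    return _unit([x + rng.gauss(0, noise) for x in template])


def stranger(seed):
    """Simulate a face that was never enrolled."""
    rng = random.Random(seed)
    return _unit([rng.gauss(0, 1) for _ in range(DIM)])


def identify(probe, gallery):
    """1:N: no identity is claimed, so every stored template is compared."""
    best_id, best_dist, comparisons = None, float("inf"), 0
    for access_id, template in gallery.items():
        comparisons += 1
        dist = cosine_distance(probe, template)
        if dist < best_dist:
            best_id, best_dist = access_id, dist
    matched = best_id if best_dist <= THRESHOLD else None
    return matched, comparisons


def authenticate(probe, claimed_id, gallery):
    """1:1: the user presents an identifier (for example the season-ticket QR)
    and only that one template is compared."""
    template = gallery.get(claimed_id)
    if template is None:
        return False, 0
    return cosine_distance(probe, template) <= THRESHOLD, 1


def false_match_rate_1_to_n(fmr_single, gallery_size):
    """Chance that at least one of N independent comparisons falsely matches."""
    return 1.0 - (1.0 - fmr_single) ** gallery_size


if __name__ == "__main__":
    gallery = enrol(500)
    probe = capture(gallery["access-0042"], seed=7)
    print("identify     :", identify(probe, gallery))
    print("authenticate :", authenticate(probe, "access-0042", gallery))
    print("stranger 1:N :", identify(stranger(99), gallery))
    print("FMR 1e-5 over 500 templates: %.4f" % false_match_rate_1_to_n(1e-5, 500))
```

In the 1:N case even a face that was never enrolled is compared against every subscriber's template, whereas the 1:1 case touches a single template per attempt.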

C.A. OSASUNA considers that the treatment passes the triple test of suitability, necessity
and proportionality, indicating that:

“Indeed, the data processing carried out for registration in the solution is, as will be seen later, suitable for carrying out this registration process, by allowing full identification of the subscriber. Similarly, the treatment of the facial vector is suitable for facilitating access to the El Sadar stadium through the readers incorporated in addition to the entrance turnstiles, by simply reading the image of the interested party and comparing it with the aforementioned facial vector.

Secondly, the processing is necessary to achieve the purpose pursued by the processing, which is to facilitate access to the sports venue for OSASUNA subscribers who so wish through a fast and simple procedure. Certainly, at this point, it is possible to achieve the purpose pursued (access to the El Sadar stadium) using a less intrusive means (the use of traditionally used means, such as the use of a QR code reader incorporated into the subscription). However, the implementation of the processing analyzed in this DPIA does not prevent the use of this option. That is, the interested party can freely decide, without affecting their rights as a subscriber in any way, to opt for one or another treatment for access to the stadium. In this way, the need would be linked in this case to the will of the subscriber, which cannot be satisfied using a less intrusive means of access.

Finally, as regards compliance with proportionality, it is necessary to bring up what was pointed out by the AEPD in the documents reproduced above, in the sense that this principle would be breached in the event that the subscribers were forced, without any possible alternative, to access the premises through the procedure described and it was not possible to assess the concurrence of “more benefits or advantages for the general interest than damages to other goods or values in conflict”. However, in this case it is the subscriber himself who weighs up the preference between one or the other system (at the time of registration and, additionally, at each access) and the prevalence of his particular interest over the rights that he might consider affected, without his personal integrity being affected…).”

-C.A. OSASUNA states that the principle of minimization would be fulfilled, as stated in point 6.4.5 of the DPIA, “concluding that, given the terms of operation of the System, the requirements of article 5.1 c) of the GDPR are met both in the process of registration of the interested party who freely decides to do so and in the control of access by the same to the stadium, if he wishes to use the aforementioned System. In any case, in section 2 of the DPIA the data flows generated as a consequence of the System are detailed.”

C.A. OSASUNA states that: “In addition, the data processor DAS-GATE provides additional technical guarantees, such as:

-It presents controlled vectorization measures in the registry
-It maintains security measures against unwanted interference
-It complies with official certifications

-As the Solution is a model based on Artificial Intelligence, the non-traceability of facial features –reversibility- is reinforced with respect to previous or less advanced software and models. Consequently, in accordance with the information provided in the Descriptive Document, this would imply that the biometric vector resulting from the facial image collected will be linked to the Solution without another facial recognition system being able to reverse the vector. That is, the mathematical vector cannot be interpreted with the purpose of extracting information from the initial interested party, resulting in practically a hash of the interested party's facial image.

In particular, in accordance with the information transferred by DAS-GATE, each DAS-GATE biometric engine and even each version of that biometric engine is unique so that the vectors derived from the Solution are not interoperable with other versions of the software.”

1.4 Where applicable, legal protection for the processing of personal data relating to
criminal convictions and offences (Article 10 of the GDPR and the LOPDGDD) and where applicable of
personal data relating to administrative offences and sanctions (Article 27 of the LOPDGDD).

It responded that the system does not collect data on these matters.

1.5 Procedures followed to comply with the duty of information (Articles 13 and 14 of the GDPR). Evidence of compliance.

It replied that “since the personal data is collected by the Club, directly from the interested party at the time he decides to register in the System, information is provided in layers.”

With regard to the time at which the information is provided, the Club, at the address
www.osasuna.es/acceso-biometrico-a-el-sadar, makes available to the interested party basic information about the procedure adopted, as well as the most frequently asked questions in relation to the System, offering the interested party the possibility of continuing the
process through a link to the DAS-GATE portal.

It states that “Once the interested party has entered the DAS-GATE portal, through which the registration process will take place, the basic information regarding the treatment is reflected, which is provided as DOCUMENT 6, which includes a link to the second information layer that is incorporated in the privacy policy available on the OSASUNA website, which is provided as DOCUMENT NUMBER 7.”

It can be seen that DOCUMENT 6 is called: “treatment of access control data to the facilities by facial recognition”, and the following information is listed as most notable:

“Responsible party: C.A. OSASUNA
Purpose: access control using a facial recognition system

Legitimation: consent of the interested party article 6.1. a) GDPR and article 9.2.a)
express authorization for the processing of images using an artificial intelligence system, facial recognition, generating a vector that allows the identification of the user for the control of access to the facilities.

Recipients: no transfers of data to third parties are planned.

Rights: you have the right to access, rectify and delete data, as well as other rights, indicated in the additional information, which you can exercise by contacting lopd@osasuna.es and dpo@gfmservicios.com, clicking on the link on the website and the member portal “exercise of ArSol rights”.

Additional information: You can consult additional and detailed information on Data Protection here https://www.osasuna.es/privacypolicy”, which then contains a tab to accept and another to reject.

C.A. OSASUNA states that “this information includes the consent box relating to the processing, which the interested party must check if they choose to give their consent, having been previously informed of all aspects of the processing. Reading this information is mandatory in order to continue the process.”

C.A. OSASUNA states that “Once consent to the processing has been given, the OSASUNA consent manager sends the subscriber an email (a copy of which is provided as DOCUMENT NUMBER 8) in which the subscriber is provided with the technical details of the consent granted, as well as the privacy policy linked to the processing of the data consented to by the subscriber, with said remission being recorded. In this way, the interested party not only accesses the privacy policy at the time of registration in the System, but also personally receives the aforementioned policy, so that it can be used at any time.

In any case, the way in which OSASUNA informs interested parties about the processing of their data is analyzed and detailed in section 7.1 of the DPIA provided.”

It can be seen that DOCUMENT 7 (“last update date January 2022”), the second information layer, also includes the designated DPO and their email address, and that the purposes are defined more broadly, indicating that “the personal data of the subscribers are processed for the purpose of digitizing them and verifying the identity of the subscriber, with the aim of registering them in the DAS-GATE system, a contracted provider.”

“(REGISTRATION OF THE SUBSCRIBER) The data to be processed for this purpose will be the data provided by the interested party (identification data), as well as the National Identity Document, the image obtained from a selfie of the interested party and the contents of the QR code of the subscription (subscriber and ID number, as well as access ID), and

(BIOMETRIC ACCESS): personal data will be processed for the purpose of allowing access to the Club Atlético Osasuna stadium through facial recognition, an alternative entry system that allows strengthening the security of access to it, as well as speeding up entry to it, facilitating this for the Club members.

LOG IN to the das-Gate portal (IS) – the personal data of the interested parties will be processed so that they can identify themselves and access the Das-Gate portal, so that they can manage access through facial recognition associated with the subscription, being able to request cancellation of this service or the transfer of the subscription, in those cases where this is permitted.”

The retention period states that “The identification data of the member will be kept
for the duration of the process for generating the corresponding vectors,
being automatically deleted by the computer systems at that same time.

The irreversible vectors, as well as the access IDs and the user ID (created by the member), will be kept until the interested parties request their deletion, unless
other legally established provisions apply. In any case, the data will be deleted
if the user ceases to be a member of C.A. Osasuna or
assignee of a Club membership.”

“You may exercise your rights through the private area of each user on the DAS-GATE portal”

“You have the right to withdraw this consent at any time.”

“Data processed

- Member identification data (ID of the holder, front and back)
- Member email address
- Member subscription QR code data (ID, number of subscribers and access ID)
- Member number

- Member image
- “Vector” algorithm of the member image
- User ID on the Das Gate platform”.

Document 8, on the other hand, consists of an email informing the subscriber member with a link to the privacy policy and the possibility of exercising their rights, containing the IP, ID and email and the date on which they have given their consent, as “proof of consent”.

1.6 Periods of conservation of personal data (obtained from the registration process, and from the identification process, whether positive or negative) or, when not possible, the criteria used to determine this period. Evidence of compliance.

It responded that “in order to determine the conservation periods, it will be necessary to distinguish between:

● The data subject to processing during the subscriber registration process.

- as for the data that is processed in the user registration process, its conservation will be strictly limited to the period in which the verification of the subscriber's identity takes place to carry out his registration in the System, given that the only purpose that justifies this processing is to achieve the aforementioned verification as a previous step to carrying out the registration and the generation of the subscriber's facial vector from his selfie photo.

-On the other hand, regarding the image collected for the generation of the aforementioned vector, this is deleted once it is verified that it corresponds to the one that appears on the DNI provided by the user, having generated the corresponding facial vector.

In this way, upon completion of the registration process, the System only retains the subscriber's facial vector,
without associating it with any identifying data that appears on his DNI or on his subscription,
or with the data provided by the interested party in the registration process.

The System only retains (i) the facial vector; (ii) the anonymous access identifier corresponding to the subscription, for the exclusive purpose of avoiding duplications in its use; and (iii) the hash of the user identifier in the System, which is collected for the exclusive purpose of serving as the first authentication element for secure access by the user to the DAS-GATE portal, in order to be able to interact with the System (for example, to proceed with the deregistration or exercise their rights).

These data will be kept as long as the interested party does not revoke the consent previously given or continues to hold the status of OSASUNA subscriber, proceeding to its deletion in case of revocation or cessation of the status of subscriber.

The revocation of consent may be carried out directly and at any time
by the interested party from the user portal.”

C.A. OSASUNA states that “In the event of one of these circumstances occurring, the data will be blocked, in accordance with article 32 of the LOPDGDD, for a period of 3 years, coinciding with the maximum period of prescription of violations in the field of personal data protection, in order to be able to respond to possible liabilities derived from the treatment.”

Attached, as DOCUMENT NUMBER 9, is a copy of the screenshots referring to the
exercise of rights on the OSASUNA website with the title “exercise of ArSol rights”,
consisting of a form to fill in “exercise of ARSOL rights”. It is reported
among other aspects that “If you have given your consent for a specific purpose,
you have the right to withdraw, revoke, the consent given at any time…”.

At the bottom there is a drop-down menu with the rights that are exercised and a field to fill in “message”. It requires as mandatory for its exercise, the email, mobile, ID, name and surname and ID IMAGE, which must be selected as a file for attachment.

● The data that is processed for the purpose of facilitating your access to the stadium.

"It is explained in greater detail in another section" (response to point 2.3 of this writing). The System does not store the image captured by the reader located at the entrance to the venue or the facial vector generated from it, which will only be processed and kept for the minimum time essential to carry out the identification of the subscriber as such. In this way, only the information related to the fact of access will be stored (i.e. records (logs) of successful identification and acceptance or denial of access, associated with anonymous identifiers), but in no case the image captured, or the facial vector associated with it. The data relating to the records (logs) linked to the identification and access to the stadium will be kept until the beginning of the season following that to which the stored access refers, at which time it will also be blocked for the period of three years mentioned above.

1.7 Where appropriate, determine the recipients or categories of recipients of the personal data collected by virtue of these treatments.

It replied that no data transfers to third parties are planned. In order to carry out the data processing for access by facial recognition, they signed a contract under the provisions of article 28 of the GDPR in order to provide OSASUNA with a service consisting of the processing of the subscriber's identification data and the generation of their facial vector, with the information remaining stored on their servers, without the Club's servers storing any information related to the development of the System.

The aforementioned system use license agreement (software and hardware) is provided as DOCUMENT NUMBER 10, and in ANNEX I the contract of assignment

1.8 Determine the existence or not of automated individual decisions in the terms described in article 22 of the GDPR and, if applicable, describe the logic underlying the decisions and the data involved in the process, and “Specify whether the processing activities involve international transfers of personal data and, if so, detail the guarantees applied”.

The data controller responded that “the data collected are in no case subject to processing for the
adoption of automated individual decisions. At the same time, the processing of the
data is carried out in its entirety in the European Economic Area, with no
international transfers of personal data occurring.”

1.9 List of entities involved (data processors) in the procedure with an indication of the role of each one, the set of personal data to which they have access, the guidelines that have been provided to them, and the commitments they have acquired in relation to the operation of the system.

It responded that:

“The personal data that will be subject to access by DAS-GATE are the following: (i) National Identity Document number; (ii) image of the front and back of the National Identity Document; (iii) subscriber number; (iv) email address; (v) selfie photo; (vi) proof of life consisting of an image of the interested party in motion; (vii) data from the QR code of the member's subscription (ID, subscriber number and access ID); (viii) “Vector” of the image; and, (ix) User ID on the DAS-GATE platform.”

For its part, DAS-GATE has signed service provision agreements with two entities, which act as sub-processors, under the terms established in article 28 of the GDPR, which are:

a) VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, S.L., as a provider of document validation and biometric recognition
technology.

b) ***EMPRESA.1 (hereinafter, “***EMPRESA.1”) as a provider of (…) and (…)

The services provided by these entities are located within the European
Economic Area (more specifically, in Spain, Ireland and Germany) and therefore no international data transfers
take place.

Regarding the relationship formalized between DAS-GATE and VERIDAS, the contract for the use and distribution of platforms signed between VERIDAS and DAS-NANO, S.L. is provided as DOCUMENTS NUMBERS 11 and 11 bis, as well as the agreement for the transfer of the cited contract formalized by DAS-NANO, S.L. and DAS-GATE, by virtue of which the latter holds the status of licensee in relation to the System. On the other hand, the terms and conditions signed by DAS-GATE in relation to the service provided by ***EMPRESA.1 are provided as DOCUMENTS NUMBERS 12 and 12 bis, as well as the agreement for the assignment relating to the processing of personal data carried out by the aforementioned provider.

2. Documentation/Description of the biometric data processing system or systems
used in each of the activities referred to above, which includes, at least, the
following information:

2.1- Architecture of the system with an indication of the places where each element is located and executed.

It responded by providing a schematic drawing showing the process and flow of data “both in the phases of registration in the system and access to the stadium. Likewise, the way in which the user registered in the System can interact with it is detailed, revoking his consent or exercising the rights established in the regulations for the protection of personal data”.

Accompanying the diagram-graphics: “Registration process-Digitalization of season ticket”, to the right:
“Access to the stadium”. Below: “Access to the Club's DAS-GATE portal” and to the right
“Exercise of rights”.

The diagram-drawings contain boxes with arrows, which indicate where this information/data goes. As C.A. OSASUNA does not describe or explain them in words, they are described below:

In the “Subscription digitalization-registration process”, we start with a box that contains: “ID, SELFIE, QR subscription card” with an arrow towards another central box called “Subscriber identity validation: ID, SELFIE, QR subscription card”; below the box it says: “deleted in seconds”. From “validation…” two arrows emerge,

- one to a box “ID, SELFIE, QR subscription card blocked data”, from which no arrow emerges.

-another, to the box with a cloud symbol: “facial vector, access ID, user ID hash + operation logs” with the note below: “data required for operation”. From this box, an arrow emerges to the diagram of the following process: “ACCESS TO THE STADIUM”. In this process, from the “facial photo” action, an arrow goes to the box: “Facial vector, access id + operation logs” that has a drawing next to a device that captures the face. From this, an arrow goes to the “Access ID” box, from which another arrow goes to the “Door opening” box.

The graph below contains the process “Access to the Club's DAS-GATE portal”. It originates with the “User ID, SELFIE” box, with an arrow to the box called “Subscriber authentication:”, which contains the pairs “User ID, user ID hash” and “SELFIE-facial vector”. An arrow reaches this box from the “User ID HASH-Facial vector” box with the cloud symbol, and from the “subscriber authentication” box an arrow leads to “portal access”.

The last graph, “exercise of rights”, explains the types of data “in the system”:

- “personal data of users”, “from the content of the member’s subscription and the process of digital verification of identity”, in its facets of:

a) Generation: web services deployed in the cloud.

b) Storage: Encrypted data in databases in the cloud and images temporarily stored in S3 storage in the cloud. These are used
only for identity verification and generation of the biometric mathematical vector (embedding) and are automatically deleted after the retention time previously agreed with the client.

c) Distribution: none.

d) Access: Both (...) and (...) are not publicly accessible and only DAS-GATE services can consume them. The databases are located in (…) network. The images are stored (…). At a logical level, both services are protected by mechanisms (…) to ensure that the information is only (…).

- “Credentials: anonymized credentials belonging to users:
embedding and user identifier for La Liga access control.

a) Generation: web services deployed in the cloud.

b) Storage: vectors are stored in an encrypted database in the cloud.

c) Distribution: (…) to databases in (…). Secure communications (…), exchange of
(…) and algorithms (…). Authentication of the connection (…).

- Observability: information about the events that occur in the System
(status of the services in information about their use, warnings, possible errors, etc.). This
information is sent from the different services (…) authenticated to a database in
the cloud that is only accessed by the display service (…).”

2.2- Registration process of the persons to be identified with an indication of the categories of interested parties and the categories of personal data collected. Also indicate the number of stored persons who will be subject to detection by the system.

It responded by referring to the “description of the registration process in the System” that is included in the DPIA, section 2.1 and following.

“To register in the system, the subscriber must enter the OSASUNA website,
where there will be an information screen of the system’s functionalities, as well as a
button that will allow them to start the process.

If they request the start of the process, the user is redirected to the DAS-GATE website, where the process will be developed.

When accessing this website, the interested party is presented with the terms and conditions regarding the
processing of their data, which they must accept.

You will also be asked for data regarding your National Identity Document number
(hereinafter, “DNI”), subscriber number and an email address, and the registration process will begin.

These data will be collected and stored directly on DAS-GATE’s own servers, with no data processing taking place on OSASUNA’s servers, which will be limited to redirecting interested parties to these. However, the email address, as well as the accreditation of the effective provision by the interested party of the consent to the treatment by the subscriber will be immediately transmitted to OSASUNA, so that the requests for the exercise by the interested parties of the rights established by the data protection regulations can be adequately managed through it. The accreditation of consent will be kept on the Osasuna servers through a software application integrated into the "consent manager" process, thus recording all the consents of the interested parties for their subsequent management by the Club. This complies with the requirements provided for in the GDPR for the accreditation of the effective provision of consent by the interested parties.

Also, at this stage, the interested party must show the image of the QR code existing on
their subscriber card. This Code contains information about the subscriber's ID number,
their subscriber number and their access identifier. The system extracts the data corresponding to the DNI number and the subscriber number and compares them with the data previously entered by the user in order to verify their identity.

Once the aforementioned verification has been carried out, the user takes a screenshot of the front and back of their DNI, and then requests a selfie with their mobile phone, as well as a “proof of life”, consisting of a movement in front of the camera of their mobile phone, in order to ensure that it is a living person and not a static image. The system then proceeds to check the facial patterns of the DNI photo and the selfie photo, proceeding to terminate the process if the comparison gives a positive result.

At the same time, by taking the selfie photo, the facial vector of the interested party is generated, which will be processed and stored by DAS-GATE, in order to allow the identification of the interested party and the access of the interested party to the stadium in the development of the second phase of the treatment.

-“Likewise, in this phase the subscriber will also be asked to create a user identifier
in the platform created for the development of the Solution. The purpose of the
creation of this identifier will be:

● In general, the establishment of a first authentication element that
will allow verification of their identity in the DAS-GATE portal.

● Likewise, the identifier will allow the future management by the interested party of their subscription
within the application, particularly in cases where the
transfers of the same will be carried out, in the terms analyzed in section 2.4 of
this DPIA, or the cancellation of their registration in the DAS-GATE system.

The system will instruct the subscriber about the characteristics that their user identifier must meet to ensure its robustness (for example, that it may
consist of an alphanumeric code with certain characteristics).

The user identifier will be encrypted (…) by DAS-GATE, and will be
stored on its servers.

In any case, the system will issue a message informing whether the user registration process has been successful.”

-“Through these operations, the system verifies that the person who is registering
is the holder of the subscription used for registration, given that:

● The National Identity Document number entered is verified with the one included in the QR Code of the subscription card and the document shown for identity verification using their photograph, so that all three match.
● It is verified that the membership number entered by the user corresponds to the QR code on the membership card.
● It is finally verified that the person who carries out the process is indeed the holder of the pass, by authenticating their facial pattern with the one that appears in the photograph of their National Identity Document.

-Additionally, in relation to the generation of the facial vector, it will be carried out through a model based on Artificial Intelligence and, more specifically, on neural networks developed by VERIDAS. In this way, the mathematical vector is not generated as a consequence of the mere measurement of points of the subject's biometric characteristic, but from Artificial Intelligence algorithms, linked where appropriate to other possible components of the model.

This development implies that the vector resulting from the application of the engine used in the development of the Service does not correspond to that which could result from the use of a different artificial intelligence engine or even from the one derived from the use of a different version of the engine used, given that each version of the biometric engine is unique, which prevents the mathematical vectors derived from the Service from being used by other engines.

Thus, in this model with Artificial Intelligence, not even the expert engineer who designed the system would be able to interpret the mathematical vector with the purpose of extracting information from the individual to whom this vector refers. Therefore, in the current state of the art, it would be impossible to extract, from the vector, information about the individual to whom it belongs or that allows him to be identified, and in particular the image (selfie photo) from which the facial vector has been obtained.

At the same time, the documentation provided shows that the reliability and precision of the model based on neural networks reaches (according to the analyses carried out through laboratory tests, external evaluations, etc.) 99.8%, compared to the precision of 95% of traditional models based on the recognition of distances from certain facial points.

Likewise, the data used once the Service is operational are not used for any purpose other than the identification of the interested party by comparison with an image of the same, without being kept for any other purpose and without being used for the training of the model itself. In this way, the image from which the facial vector comes is deleted from the system as soon as the process of generating the said vector is concluded.

To this end, as indicated in the documentation provided:

● For the training of the systems, VERIDAS makes use of public databases
intended for these purposes or, failing that, of private databases created by the entity
obtaining the consent of the subjects for this specific purpose.

● In relation to the above, it should be noted that in no case are the data that are being processed by the biometric engine for the provision of the identification or authentication service in production used for the automatic training of the system. There is no training of the system during the identification or authentication of users in production.

The biometric engine does not contain any data of the employees for its training. The
engines are a set of algorithms derived from the precise training carried out in the
development stages of the technology, but do not contain personal data”

-“Thus, with regard to the categories of interested parties, OSASUNA processes the data of the Club's fans whose season ticket allows them to access through one of the stadium gates in which a biometric access terminal is installed and who have voluntarily registered in the System.

On the other hand, regarding the categories of personal data subject to processing, it follows from the
above that they are the following:

● Identification data of the member (ID of the holder, front and back).

● Email address of the member.

● Data from the QR code of the member's season ticket (ID, number of subscribers and access ID).

● Member number.

● Image of the member.

● “Vector” algorithm of the partner's image.

● User ID on the DAS-GATE platform.”

Finally, in relation to the number of people who are registered and therefore can be identified by the System, as of 03/06/2023 it is (…).

2.3- Process of comparing the data captured with the registered data, indicating the guarantees of accuracy and the moment or moments in which it is executed (in real time, on recorded images, etc.). It is also requested to provide the list of data resulting from the comparison process, whether the result of the comparison is positive or negative, determining, in each case, the actions to be carried out (registration, communication, deletion, etc.).

He responded that “the biometric comparison process is as follows:

(i) “When a biometric access attempt occurs, the frame captured by the camera
of the person who activates the System is taken when he or she is less than one meter from the screen and
in front of it;

(ii) A face detection inference is made on said frame.

(iii) If the detected face exceeds a sufficient threshold of size and proximity to the biometric terminal, and quality in the detection, it is processed in such a way that the mathematical vector calculated by the neural network is generated.

(iv) The vector calculated for the face detected on the camera frame captured at that moment is compared based on mathematical distance with the vectors that are registered for users registered in the System. It should be noted that current biometric technology does not make these comparisons based on characteristic points of the face, such as the size of the mouth, the distance between the eyes or the curvature of the ciliary arch.

(v) The person present in front of the camera at that moment is considered to be identified as one of the registered persons when the similarity between both vectors (the one registered and the one processed at that moment) exceeds the established threshold.

(vi) In addition, inferences are made to determine whether that face is authentic and is not an attempt at impersonation (such as, for example, presentation of a printed image, use of a mask, presentation of an image or video from a screen, etc.).

Therefore, for an ongoing biometric access attempt, the person will only be identified as registered if all the above requirements are met: 1) a sufficiently close face is detected (less than ONE meter away from the terminal), with sufficient size and quality, in the frame being processed, 2) the degree of similarity between the mathematical vector calculated for the detected face and the vector recorded for the registered user is met, and 3) it is also considered that this is not an attempt at impersonation.

Once the interested party has been authenticated by identifying their facial vector, an access request will be sent to the server in charge of operating the turnstiles at the entrance to the stadium. This access request consists of communicating to the server that an anonymous access identifier is located at the terminal and has been authenticated according to the previous process. These servers are managed by the Sociedad Española de
Fútbol Profesional, S.A.U. (hereinafter, “SEFPSA”), which acts in the development of this activity on behalf of OSASUNA, which has entered into the corresponding contract with the latter as data processor under the terms established in article 28 of the
RGPD. Thus, the transmission of this data is only carried out between OSASUNA data processors, without constituting a transfer of personal data.


In any case, it is necessary to indicate that the aforementioned data processor does not at any time access or process any biometric data, limiting the processing of the anonymous access identifier, in order to proceed to activate the corresponding turnstile and check that there is no duplicate use of the subscription, without providing any data related to the subscriber's facial vector or any other information that allows their identification. Once this information has been received, if the use of the ticket for access to the event in which the access request is made is not already recorded, the acceptance of access will be confirmed by activating the turnstile at the entrance to the premises and proceeding to open it.

When the terminal tries to identify the user who has placed himself in front of it (as previously
explained), the following logs are recorded: 1) date-time, 2) identifier of the biometric
terminal, 3) anonymous identifier of the user most similar to the face being
identified, and 4) biometric similarity score obtained.

If the biometric similarity score exceeds the established security threshold (positive comparison), the System shows the user on screen the message of successful identification. In parallel, the System sends the access request to SEFPSA, sending only the associated anonymous identifier. The sending of this request is also logged by the terminal (date-time, terminal identifier, anonymous user identifier recognized).

When processing the access request sent by the biometric terminal, SEFPSA decides whether or not to authorize the user's access and acts directly on the turnstile, commanding (or not) its opening. SEFPSA does not inform the biometric terminal of its authorization decision. It should be mentioned at this point that SEFPSA, upon receiving this request, cannot distinguish between requests received from biometric terminals and QR or NFC readings; that is, it does not know how the user has been authenticated.

SEFPSA "at no time accesses or carries out the processing of any biometric data, limiting itself to the processing of the anonymous access identifier, in order to proceed to activate the corresponding turnstile and check that there is no duplicate use of the subscription, without providing any data related to the subscriber's facial vector or any other information that allows their identification. Once this information has been received, if the use of the pass for access to the event in which the access request is made is not already recorded, the acceptance of access will be confirmed by activating the turnstile at the entrance to the premises and proceeding to open it.

If the biometric similarity score does not exceed the established security threshold
(negative comparison), the System displays the message on the screen of
unsuccessful identification to the user and does not send any access request to SEFPSA.

It is expressly indicated that the established security threshold is (...). That is, it will be necessary to exceed this threshold to consider that the comparison is positive. If the comparison yields a lower result, it will be considered a negative comparison.

The VERIDAS facial recognition model used by biometric terminals has been evaluated by the NIST (National Institute of Standards and Technology) of the USA, which is the international body that has become, de facto, the evaluator of this type of technology. The results of the NIST evaluations are public and can be consulted on the official NIST website (https://pages.nist.gov/frvt/html/frvt1N.html), under the umbrella of the FRVT (Face Recognition Vendor Test).

The current accuracy of the biometric technology that is in the state of the art shows that it has surpassed the human capacity in comparing faces.

Also, as mentioned above, it should be noted that current biometric technology, based on deep neural networks, does not make these comparisons based on characteristic points of the face, such as the size of the mouth, the distance between the eyes or the curvature of the ciliary arch.”

2.4- List of locations where cameras/data capture devices subject to identification have been installed. Measures used to prevent the recovery of personal data of third parties.

He replied that, “On the date of preparation of this document, the System has been installed at eight different gates of the stadium, listed in the first section of this document, (point 1.1 of this document), each of which houses a series of entrance turnstiles that allow access to a certain number of attendees.

Season ticket holders and, consequently, those likely to be users of the System,
have the gate through which they can enter the stadium assigned in their season ticket, and may, therefore, access indiscriminately through any of the turnstiles installed at said gate, so that they can choose, on the occasion of each match, to use or not to use the Facial Recognition System.

It indicates that there is a facial biometric terminal at a turnstile at each of the eight gates: 3, 7, 8, 10, 11, 16, 21 and 27, in addition to the non-biometric turnstiles; it indicates the total number of turnstiles at each gate, and it is noted that there is no gate at which there are no non-biometric turnstiles.

It indicates that: “As can be seen, the System is in no case the only means of access to the premises, there being sufficient alternative means at each gate to facilitate the aforementioned access. DOCUMENT NUMBER 13 provides a photograph of one of the gates of the stadium, in which it can be seen as an example how the biometric terminal is implemented exclusively at one of the turnstiles.

The measures to ensure the confidentiality of personal data are applied at two levels:

- (…) following the recommendations of the NIST.
(…)

- (…) of communications (…) through (…).

- The above is complemented by other security measures that are described in detail in section 8.2 and the annexes of the EIPD. It should also be remembered that all the measures implemented by DAS-GATE have been audited and certified based on the certifications of its information security management system (ISO (…) etc.).”


2.5- Security measures applied to each element of the system in which personal data are
processed.

He responded that: “Section 8 and the annexes of the EIPD include the details of the security measures implemented in the solution. In summary, in this section, it is indicated that all the measures shown in the (…) have been implemented.

In particular, the following should be mentioned:

● All data communications are encrypted:

○ (...).
○ At rest: they are encrypted (…).
● Restricted access and minimum privilege policies at the system and application level.

● A system is implemented (…).
● Users (…): it is avoided (…). Each person who accesses the System or applications has
(…).

● A design process is applied for the secure development of the product, including a review
of the security requirements during the validation processes prior to the delivery of
versions.

● Measures of (…).
● Measures aimed at preventing temporary unavailability of information with the
consequent limitation of the service.

● There is an internal DPO who has been duly registered and who ensures compliance
with data protection in the organization.
● There are (…).

3 Copy of:

3.1- Content included in the Register of Processing Activities (Article 30 of the GDPR)
relating to activities involving the processing of biometric data.

3.2- Content included in the Risk Analysis or Assessment (Article 32 of the GDPR)
relating to activities involving the processing of biometric data.

3.3- Data Protection Impact Assessment (Article 35 of the GDPR) relating
to activities involving the processing of biometric data.

3.4- Where applicable, contracts signed with data processors
involved in activities involving the processing of biometric data.

It responds in full, indicating that it has already provided the DPIA and other documents. It provides a copy of the RAT (Register of Processing Activities) in DOCUMENT 14, from which the following content is extracted:

- Treatment: “FACIAL RECOGNITION ACCESS CONTROL”

o Purposes: registration and management of access to the facilities using a facial recognition system.

o Legal basis: consent of the interested party (6.1 a) and 9.2 a) of the GDPR).

o Categories of interested parties: members and subscribers.

o Categories of personal data:

Identification: NIF/DNI; name and surname; image; email address.
Social circumstances: membership in clubs and associations;
Others: identification data of the member (ID of the holder, front and back); email address of the member; QR code data for membership (ID, membership number, and access ID); membership number; Member image.

Special data: biometric data.

o Data source: the interested party.

o Categories of recipients: “Organizations or persons directly related to the data controller.” “Data transfers to third parties are not planned, except in cases where the data is provided to companies and organizations that provide services to the data controller, as they are necessary for the provision of the service.”

o International transfers: none exist.

In this regard, it expressly states that “the hosting of data on the servers of
***EMPRESA.1 will always take place within the European Economic Area.”

o Expected deletion periods:

“Regarding facial recognition for access to the premises, it is indicated that “irreversible vectors, as well as access IDs and the user ID (created by the member), will be kept until the interested parties request their deletion, unless other legally established provisions apply. In any case, the data will be deleted if the user ceases to hold the status of a C.A. Osasuna subscriber or transferee of a Club subscription”

Data processors: DAS-GATE.

FOURTH: Second request to C.A. OSASUNA in the course of the preliminary investigation
actions.

On 09/16/2023, the C.A. OSASUNA:

1. The information provided in the previous letter specified the category of interested parties
for the processing of biometric data as members and subscribers and the purpose of controlling access
to CLUB ATLÉTICO OSASUNA matches at the El Sadar stadium. In relation
to this data, and taking into account what has been published in the media, the following is
requested:

1.1 Indicate whether OSASUNA is using the system for other purposes, interested parties, and locations other than those specified in the previous letter. In such case, provide the information on the specific processing activities (date on which it was launched, description of the purpose, legal basis, judgment of proportionality, duty of information, etc.) in what is different from what is indicated in the previous letter.

On 10/9/2023, he replied that the system that was reported on in March 2023 “is not being applied for purposes other than those stated in said response.”

1.2 Specify the system expansion plan in terms of expected start-up dates, locations (gates, buildings, etc.), and categories of interested parties (season ticket holders, OSASUNA employees, purchasers of “match” tickets, etc.).

He replied: “Since the system was put into operation, internal conversations have been held about its possible expansion to the entire El Sadar stadium. However, as of the date of submission of this document, a specific expansion plan for the system has not been specified. In any case, the possible future implementation of the system in other access gates to the premises would be carried out with the same limitations and guarantees that are currently being applied, also implementing the same technical and organizational measures, analyzed in the DPIA to address the risks that the treatment could generate in the interested parties.”

1.3 The Treatment Activities Register (RAT) document included in the previous letter includes the following among the categories of personal data subject to treatment: voice, social circumstances (accommodation and housing characteristics; properties and possessions; “military” situation; hobbies and lifestyle; membership in clubs and associations; licenses, permits and authorizations). It is requested to clarify for what purpose said personal data are used and to provide the database scheme (or similar) that collects all the categories of personal data of the subscribers treated by OSASUNA.

He replied that: “As described in the DPIA and in the responses given by OSASUNA to the previous request for information from that AEPD, as well as in the response to other questions raised in this request, the processing does not include data related to the voice nor, within “social circumstances”, those referring to the characteristics of accommodation and housing, properties and possessions, “military” status, hobbies and lifestyle or licenses, permits and authorizations. Only the data pertaining to the “social circumstances” of the interested parties are those that prove “belonging to clubs or associations”, since the status of member of the Club is implicit in the very nature of the processing, since it affects the members subscribers of OSASUNA who request the use of this recognition system for access to the stadium.” Taking into account the above, the RAT of Treatment Activities related to the treatment subject of this request has been modified, which is attached as DOCUMENT NUMBER 1 in which it no longer appears in “personal data categories” the voice, social circumstances (accommodation and housing characteristics; properties and possessions; “military” situation).

The data that C.A. Osasuna collects from its subscribers, in order to manage their membership, and provided by the interested party at the time of REGISTERING OR RENEWING THEIR MEMBERSHIP STATUS, the following:


- Name and surname
- ID
- Date of birth

- Sex
- Full address
- Telephone number
- Email address
- Bank details, for payment of the subscription

As internal data that is incorporated in the MEMBERSHIP CARD, the subscriber number,
the type of subscription with its price and, if applicable, applied discount, the assigned seat and the
zone through which the subscriber must access appear.

Additionally, if the member has REGISTERED IN THE ACCESS CONTROL SYSTEM BY FACIAL RECOGNITION, the hash of the user identifier will be available, as well as the facial biometric vector.

It provides a copy of a capture of three screens of the management application used by the Clubs belonging to the League, where the referred data can be seen, except those associated with the access control system by SBRF, which are not integrated into this application.

1.4 Indicate the number of existing turnstiles in the doors in which facial biometrics has been incorporated prior to its incorporation. Indicate whether the incorporation of the turnstile with opening by facial biometrics has meant the elimination of one of the previous ones.
Provide, for this purpose, photographs that show the before and after.

He states that, as of the date of writing this document, of the 29 total access gates to the El Sadar stadium, only EIGHT of them have a turnstile with biometric access. The distribution of the turnstiles - including both those with biometric reading and those without it implemented - is provided in a table in which the total number of turnstiles is indicated for each gate number, and it is broken down into the number of turnstiles with biometric reading and turnstiles with non-biometric reading.

In summary, there are eight turnstiles with biometric reading, one at each of the eight gates mentioned, and at each of these eight gates there is at least one turnstile with non-biometric reading, with some gates reaching a maximum of four turnstiles with non-biometric reading at the same gate.

In DOCUMENT TWO, a report is provided which includes the access doors to the premises
which incorporate the biometric recognition system in one of their turnstiles.
As there are no photographs prior to the time when the readers were installed,
it has been decided to show the situation of the doors with the turnstile folded (i.e.,
as it would be if it were not turned on) and deployed (i.e., as it
would happen in the case of holding meetings where access to the premises is possible
through the biometric recognition system).

1.5 Indicate whether the system is working “continuously” after starting it up (it continuously captures images “tracking” if there is “something” to identify) or whether there is some event that triggers the capture and identification process. Determine, also, whether the system captures sounds during the process in addition to images.

He replied that “a distinction must be made between the switching on of the turnstile and its activation once it is switched on. As regards switching on, this only occurs during sporting matches where it is possible to access using this technology and always together with the other access turnstiles. Thus, prior to each match, the terminals are switched on and uncovered at the moment when the technicians switch on the power supply to the turnstiles at the gates and uncover all the devices. It must, however, be taken into account that there will be matches for which the system will remain inactive, given that recognition only occurs in cases where the season ticket holder could access the venue with his card without having to buy a ticket, so matches outside of the season ticket are excluded. In these cases, the biometric system will be out of service and covered by an opaque cover.”

“As for the activation of the reader, when it is on and operational, the system does not work “continuously”, but its activation only takes place in the event that a specific situation is triggered that leads to the start of the image capture and identification process, which is described in the sixth section of this document. The activation occurs by “proximity”, that is, by placing the interested party who is going to access the El Sadar stadium within a range of less than ONE meter away from the device. In this way, the system will only be able to capture and identify the image of the person who is standing in front of the turnstile, in the access lane by means of facial recognition and who does not exceed the maximum image capture distance. In order to ensure that the capture is only possible for the person who intends to access the premises, it is necessary to indicate that the image capture systems are installed within the restricted area of the stadium, that is, after the entry control point exercised by the arms of the access turnstile (the one with biometric reading) with the aim that only the images of those people who are positioned very close to the / of the turnstile with biometric reading, and looking in the direction of the system, are captured and processed. This fact can be verified in the report provided as DOCUMENT NUMBER TWO.”

“The limitation of the capture range established in the system prevents images from being captured
of people who are in different rows or at a distance greater than one meter,
thus avoiding a “remote” and erroneous identification.”

DOCUMENT NUMBER THREE provides a graphic example of the distance between the arms of the turnstile and the image capture system. Finally, as far as sound capture is concerned, the systems are not able to capture this type of personal data; they are limited exclusively to capturing images.

1.6 In relation to the consent of the interested parties, the following is requested:

-Determine the measures implemented in the system so that the images (frames) that it collects are restricted to the interested party who wants to be recognized (limitation of distance collected, physical devices, etc.) and so that people can estimate the area that the device captures.

He replied that “as far as the distance of image capture is concerned, the system is configured in such a way that it does not perform any processing of the visible image (hereinafter, “RGB”) if it does not detect any object less than ONE meter away from the depth sensor. Thus, in the event of detecting any pixel in the depth image at less than the predetermined distance, the terminal proceeds to search for faces in the scene by applying proprietary algorithms (from the supplier) of computer vision on the RGB channel. This is achieved because the biometric identification devices are equipped with stereoscopic cameras that provide both an RGB image and a depth map that represents the distance of each pixel in the RGB image with respect to the camera sensor.

The aforementioned algorithms dedicated to capturing faces produce as a result a series of bounding boxes -rectangles- on each region of the image in which the algorithm considers that there is a face with a sufficient degree of certainty. In this way, if these algorithms have generated a rectangle, the system proceeds to determine using proprietary algorithms the distance of each region of interest to the camera sensor. Thus, if none of the regions of interest is less than the established meter of distance, the system automatically discards the frame and waits for the next one. In this regard, it should be noted that there is only one image processing when the interested party is less than one meter from the terminal, but there is no additional processing of personal data, since, the selection criterion being proximity, the system only continues to process the region of interest that is in the aforementioned range of less than one meter, therefore, there is no attempt to biometrically recognize the captured subject nor are the images used for other purposes since the captured region is discarded.

If the region of interest is within the capture distance, then the terminal continues with the processing and only in that case applies the facial recognition algorithms developed by VERIDAS to complete the user authentication process, that is, the calculation of the biometric vector, the 1: N comparison -the N being composed only of those users who have voluntarily registered in the system in advance- and proof of life. Finally, as a reinforced measure, biometric terminals are installed within the restricted area of the stadium, that is, after the entry control point operated by the arms of the access turnstile with biometric reading, with the aim that only those people who are very close to the turnstile and looking in the direction of the terminal, that is, those who intend to access the premises using the system, can be captured by it.”
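
The capture gate described in this reply and the comparison, logging and access-request steps described in the reply to point 2.3, as an added sketch that is not code from the decision, OSASUNA, DAS-GATE or VERIDAS. Cosine similarity, the 0.80 threshold (the real one is redacted), the quality gate, the nearest-face rule and every identifier are assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_CAPTURE_M = 1.0   # capture range stated on the page: less than one metre
THRESHOLD = 0.80      # constructed value; the real threshold is redacted "(...)"
MIN_QUALITY = 0.50    # constructed value for the "sufficient quality" gate


@dataclass
class Face:
    """One bounding box returned by a (hypothetical) face detector."""
    distance_m: float   # distance of this region of interest, from the depth map
    quality: float      # detection quality, 0..1
    vector: tuple       # embedding a neural network would produce (constructed)
    live: bool          # result of the impersonation check


@dataclass
class Frame:
    min_depth_m: float  # nearest pixel in the depth image
    faces: list         # Face objects found in the RGB image


def similarity(a, b):
    """Cosine similarity, standing in for the vendor's undisclosed metric."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))


def process_frame(frame, enrolled, terminal_id, log, now=None):
    """Return the access request for the turnstile server, or None.

    enrolled maps anonymous access identifiers to registered vectors (the "N").
    log is the terminal's local log and is appended to in place.
    """
    now = now or datetime.now(timezone.utc).isoformat()

    # Nothing closer than one metre: the RGB image is not processed at all.
    if frame.min_depth_m >= MAX_CAPTURE_M:
        return None

    # Keep only regions of interest in range and of sufficient quality; a face
    # in the row behind is dropped here and never reaches the matcher.
    in_range = [f for f in frame.faces
                if f.distance_m < MAX_CAPTURE_M and f.quality >= MIN_QUALITY]
    if not in_range or not enrolled:
        return None  # frame discarded: no vector computed, nothing logged

    face = min(in_range, key=lambda f: f.distance_m)  # assumption: nearest wins

    # 1:N comparison against the vectors of registered users only.
    best_id, best_score = max(
        ((anon_id, similarity(face.vector, vec)) for anon_id, vec in enrolled.items()),
        key=lambda pair: pair[1],
    )

    # The four fields the reply to point 2.3 says are logged for each attempt.
    log.append({"ts": now, "terminal": terminal_id,
                "anon_id": best_id, "score": round(best_score, 3)})

    # Positive only above the threshold and when the face is judged authentic.
    if best_score <= THRESHOLD or not face.live:
        return None

    # The request carries the anonymous identifier and nothing biometric.
    log.append({"ts": now, "terminal": terminal_id,
                "anon_id": best_id, "event": "access_request_sent"})
    return {"anon_id": best_id}


# Constructed sample data: two enrolled users with 3-dimensional toy vectors.
ENROLLED = {"a1f3": (1.0, 0.0, 0.0), "b7c9": (0.0, 1.0, 0.0)}


def demo():
    """Run five constructed frames through the gate; return results and log."""
    log = []
    run = lambda frame: process_frame(frame, ENROLLED, "gate-03", log, now="T0")
    results = {
        "nobody_near": run(Frame(2.4, [Face(2.4, 0.9, (1.0, 0.0, 0.0), True)])),
        "row_behind": run(Frame(0.6, [Face(1.4, 0.9, (1.0, 0.0, 0.0), True)])),
        "match": run(Frame(0.7, [Face(0.7, 0.9, (0.9, 0.1, 0.0), True)])),
        "stranger": run(Frame(0.7, [Face(0.7, 0.9, (0.7, 0.5, 0.5), True)])),
        "spoof": run(Frame(0.7, [Face(0.7, 0.9, (0.9, 0.1, 0.0), False)])),
    }
    return results, log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log:
        print(entry)
```

In this sketch, as in the logging description in the reply to point 2.3, each attempt that reaches the matcher records the nearest enrolled identifier and its score whether or not the comparison is positive.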

- Provide the data available in relation to the rate/speed of access through the turnstiles to access the stadium with opening by facial recognition and the turnstiles to access the stadium with opening by the rest of the procedures.

He responded that: “An estimate has been made of the rate/speed of access of interested parties to the El Sadar stadium, both with regard to access through the turnstiles with biometric systems and access through the turnstiles that do not have the aforementioned technology. Thus, personnel have been deployed at different points in the El Sadar stadium
with the aim of obtaining an access rate based on observation and recording of results at
different times of use of the system. As a result of the observations, it was possible to conclude that the average rate of user access through
a conventional turnstile using the pass -NFC reader or QR reader- or paper ticket -code reader-
is 12 people per minute; on the other hand, the average rate of access of
interested parties through the turnstiles that have biometric technology implemented is
20 people per minute. The values provided represent the value that has the highest frequency
in the access rates.”


- Example of the record sent for a specific interested party from the DAS-GATE system to OSASUNA as a result of the registration process for its storage and management in its rights exercise platform.

Responded:

When a member decides to register in the system, he or she is first asked for express acceptance of the privacy policy - as shown in Document Number 14, referred to in section ten of this document - since, without reading and accepting the privacy policy, it is not possible to continue with the registration.

In case of acceptance and registration in the system, DAS-GATE sends the following information to the OSASUNA consent manager:

(provides a screen with programming code),

stating that “This image shows the code fragment that implements the text
that will be sent to the OSASUNA consent manager, which includes the email and ID of the corresponding
user, as well as the two specific texts that the user consents to when
registering. It can be verified that:

1 The text is consistent with the consents that will be sent (consent1 and consent2).

2 The email and ID values that depend on the user are provided to the function as
input arguments, that is, for each user they will take the pertinent values that correspond
to them.

With the previous process, OSASUNA receives a notification in its consent manager in which the interested party is informed of the consent provided, the following image can serve as an example of the notifications that OSASUNA receives in relation to the consents: (it is a written report that contains the domain: Osasuna-socios.app.das-gate.com, the DNI data, email, date, IP, and a literal that indicates "I expressly consent to the processing of my personal data including my image for the generation of a facial vector through an artificial intelligence (AI) system that allows my identification at the time of accessing the stadium: Accepted checked: true. I have read and accept the privacy policy. Accepted checked: true."

-Example of a record sent for a specific interested party from the DAS-GATE system to OSASUNA as a result of the management process on its platform for exercising rights:

It responded that "In relation to the exercise of rights, two different ways are distinguished depending on whether the right exercised by the interested party corresponds to the withdrawal of consent and deletion of personal data or whether the right exercised corresponds to any of the other rights available to them.

In the first case, when the user wishes to exercise their right to withdraw consent and delete, they have the possibility of exercising them from within their user account in the system. In this case, the system sends the following information to the OSASUNA consent manager - providing a printout of a screen with programming code - indicating that it “shows the code fragment that implements the text that will be sent to the consent manager. Specifically, in the “notification-payload” function, it can be checked that:

• The text is consistent with the cancellation that will be sent.
• The DNI value that depends on the user is provided to the function as an input argument,
that is, for each user it will take the relevant value that corresponds to it.

With this, OSASUNA receives the following notification in its consent manager
(it provides a written report similar to that indicated in the previous point with the text “cancel
account. Accepted checked: true”).

“On the other hand, to exercise any of the remaining rights established by the
data protection regulations, which may not be related to the processing of
biometric data, from your user account you are sent directly to the specific site
where interested parties can find it available on the OSASUNA website.

Thus, OSASUNA will transfer the specific request to the system provider so that, once
analyzed, it will transfer a response to the interested party.

1.7. Identification of the specific biometric engine used by OSASUNA in the processing.
Also provide the following documentation:

- Official certifications issued for the same.

It responded that “The biometric engine installed in the access terminals that have the
biometric system in the El Sadar stadium corresponds to the “(...)” engine and this engine has been
evaluated by NIST FRTE 1:N since November 2021 as specified in
the following section.

Additionally, the access control system using biometric identification is
within the scope of the information security and quality certifications of the
provider. Specifically, it complies with the following certifications: (i) (…), (ii) (…), (iii)
(…), (….), and (iv) (…).

Attached to this document as DOCUMENTS NUMBERS 4 to 7 is evidence of the
mentioned certifications.

On the other hand, the (…) VERIDAS engines are certified according to the (…).

The following documents related to the mentioned certifications are provided:

• 220406-VERIDAS-PAD-Level-1-Confirmation-Letter.pdf, as DOCUMENT NUMBER 8.

• 201215-VERIDAS-PAD-Level-2-Confirmation-Letter.pdf, as DOCUMENT NUMBER 9.

- Specify, within the NIST website indicated in the previous document, what are the
results corresponding to the evaluation of the biometric engine used by Osasuna.

It replied that “The biometric engine used to identify interested parties has
been evaluated by NIST in the FRTE 1:1 and FRTE 1:N challenges. The results of the
mentioned analysis can be found in the following link of NIST FRTE 1:N: (…)”

- Procedure that would have to be followed to change the engine/version of the biometric engine
and make it available for stadium access control.

It replied that “The process of updating the biometric engine for access to the
El Sadar stadium would require, first of all, that the provider and the Club agree on the change of the
engine and jointly prepare a calendar reflecting (i) the dates of the communications to the subscribers in which they would be informed of the
variations that would occur; and (ii) the technical actions on the cloud and the supplier's biometric terminals.

Thus, once the project schedules have been drawn up, the supplier will carry out an operation to
delete the active databases of the production environment, so that
there are no active users left in the information systems, in order to subsequently
update the biometric engine used in its cloud to generate the biometric vectors.

Next, all the biometric terminals for access control to the El Sadar stadium would be updated with a new software version that incorporates the new biometric engine. This is necessary because the biometric vectors generated by the VERIDAS facial recognition models are not interoperable between versions.

After updating the terminals, validation tests would be carried out to confirm
that the complete biometric registration flow and biometric access to the El Sadar stadium function
correctly through all the doors equipped with facial recognition terminals.

Finally, and in compliance with the deadlines established in the calendar, OSASUNA would inform
interested parties - subscribers who have consented to the processing of their data for
the purpose of accessing the El Sadar stadium using biometric technology- that the
biometric engine has been updated, indicating that if they wish to continue using
access via facial recognition, they must complete the registration process again.

The completion of this new process is essential, since, as has been said,
facial recognition models are not interoperable and, in application of the principle of
data minimisation, as stated in the EIPD, the system does not retain the
facial images - selfies - that users provided at the time of their registration, so
it is not possible to generate a vector from these images, making it necessary to
repeat the process so that the system can generate new vectors.

1.8 Determine the procedure followed to make effective the blocking of the
data incorporated during the registration process.

It replied by reiterating that the following personal data is requested from the interested parties
in order to register them in the system:

i DNI;
ii Email address;
iii QR code of your membership card, which includes information on the DNI number, the
subscriber number and a unique access identifier in order to avoid several accesses with the same
membership card during the holding of a match.
iv Copy of the front and back of the DNI; and
v A selfie photograph.

Once the interested party is registered in the system, the aforementioned data will be
blocked, in the terms established by law, as they are not necessary to carry out the
biometric recognition, with the only exception being the unique identifier. This blocking, as indicated in the Data Protection Impact Assessment prepared with respect to the processing and provided in the response to the first of the requests made by the AEPD, will last for THREE years, coinciding with the maximum limitation period for violations of personal data protection.

Thus, the blocking process is configured as follows:

As a starting point, during the registration phase in the system, the personal data that the interested party provides are temporarily stored on the S3 server provided by ***EMPRESA.1 associated with a quick (“short”) deletion label.

This will allow the personal data to be permanently deleted if the user abandons the registration process without completing it.

If the interested party completes the registration, as a final action of the user registration process, the short label is replaced by a long-term label (“long”) and another one with restricted access (“restricted”), which will imply that the personal data cannot be accessed (“blocked” status) by any person who does not have an authorized account for this, in this case it will be the DPO account, and they are kept for a period of THREE years from the registration date coinciding with the period provided for in the personal data protection regulations.

The management of the life cycle of personal data is the responsibility of the provider and is established in relation to the S3 life cycle policies, which are defined through the short/long and restricted labels. In this way, the labels are configurable for each client of the provider, and in the case of OSASUNA they are configured as follows:

1 Long = 3 years
2 Short = 1 day.
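
The short/long/restricted labelling described above can be modelled as follows. This is an added example, not code from the decision or from the provider; the tag keys "retention" and "access", the principal name "dpo", the reading of three years as 1095 days and the sample date are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Per-client retention labels as configured for OSASUNA on the page.
# "3 years" is taken as 1095 days (assumption: lifecycle rules count whole days).
RETENTION_DAYS = {"short": 1, "long": 3 * 365}

# Hypothetical tag keys and principal name; the page only names the labels.
RETENTION_TAG = "retention"
ACCESS_TAG = "access"
AUTHORISED_FOR_RESTRICTED = frozenset({"dpo"})


def lifecycle_configuration(retention_days=RETENTION_DAYS):
    """Build tag-filtered expiration rules in the S3 lifecycle configuration shape."""
    return {
        "Rules": [
            {
                "ID": f"expire-{label}",
                "Status": "Enabled",
                "Filter": {"Tag": {"Key": RETENTION_TAG, "Value": label}},
                "Expiration": {"Days": days},
            }
            for label, days in sorted(retention_days.items())
        ]
    }


def tags_at_upload():
    """Tags applied while the registration is still in progress."""
    return {RETENTION_TAG: "short"}


def tags_after_registration(tags):
    """Final registration step: replace short with long and mark the object restricted."""
    updated = dict(tags)
    updated[RETENTION_TAG] = "long"   # same key, so the short label cannot linger
    updated[ACCESS_TAG] = "restricted"
    return updated


def expires_at(created, tags, config):
    """Earliest deadline among enabled rules whose tag filter matches the object.

    Expiration is counted from object creation, not from re-tagging, so the
    long period runs from the upload made during registration. S3 itself
    rounds the deadline up to the next midnight UTC; that is ignored here.
    """
    deadlines = [
        created + timedelta(days=rule["Expiration"]["Days"])
        for rule in config["Rules"]
        if rule["Status"] == "Enabled"
        and tags.get(rule["Filter"]["Tag"]["Key"]) == rule["Filter"]["Tag"]["Value"]
    ]
    return min(deadlines) if deadlines else None


def can_read(tags, principal, created, now, config):
    """Readable only while not expired and, if restricted, only by an authorised account."""
    deadline = expires_at(created, tags, config)
    if deadline is not None and now >= deadline:
        return False
    if tags.get(ACCESS_TAG) == "restricted":
        return principal in AUTHORISED_FOR_RESTRICTED
    return True


if __name__ == "__main__":
    config = lifecycle_configuration()
    uploaded = datetime(2022, 4, 10, 12, 0, tzinfo=timezone.utc)  # constructed date
    abandoned = tags_at_upload()
    completed = tags_after_registration(abandoned)
    later = uploaded + timedelta(days=2)
    print("abandoned registration expires:", expires_at(uploaded, abandoned, config))
    print("completed registration expires:", expires_at(uploaded, completed, config))
    for who in ("support", "dpo"):
        print(who, "can read blocked copy:", can_read(completed, who, uploaded, later, config))
```

Because expiration runs from object creation, a registration completed more than one day after the first upload would find its files already deleted under the short label.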

Likewise, the following is requested:

- Sample record with the data that remains for a specific interested party in the
system once the registration process has been completed.

- Sample record of the data that remains for the same specific interested party in the
“blocked” storage.

- Record of the data of the same interested party incorporated into the access terminals.

- Logs recorded in relation to the accesses of said interested party to the stadium to date, both of the process of recognizing the interested party in the terminal and of the
submissions made to the SEFPSA servers.

The respondent provided as DOCUMENT NUMBER 10, a report issued by VERIDAS
DIGITAL AUTHENTICATION SOLUTIONS, S.L. which includes a description of a specific example that relates the data stored in the system after the registration process, including: the hash of the ID number, access identifier, alphanumeric code that
represents the facial vector, and internal data (internal system identifier, creation and update dates, etc.). According to the document, if a user unsubscribes from the system (withdraws
their consent), this data is deleted.

Likewise, this document also includes a specific example of the data that
remains blocked. It identifies the files in which it states that the following data is recorded: screenshots of the front and back of the ID card taken during the registration process,
content of the QR scanned during the digitalisation process of the season ticket, results of the digital identity verification process, biometric vector generated from the user's selfie photo.

- Data incorporated in the stadium entrance recognition process. According to what has been seen above, the recognition process takes place in the access terminals themselves, where “the facial vector and the access identifier of the registered users are stored”. In this way, as explained, the comparison is made “between the biometric vector generated at the time of access and the biometric vector generated at the time of user registration” in the DAS-GATE systems.

Osasuna has provided (document 10) a specific example that relates the data stored in the stadium terminals. According to it, they coincide with those registered in the system after registration: hash of the DNI number, access identifier, alphanumeric code
that represents the facial vector, and internal data (internal system identifier, creation dates, update dates, etc.). According to it, if a user unsubscribes from the system (withdraws his/her consent), this data is deleted by virtue of the “established synchronization process”.

Furthermore, Osasuna stated in its first response that it “does not store the image captured
by the reader located at the entrance to the premises nor the facial vector generated from it, which
will only be processed and kept for the minimum time necessary to carry out the identification of the subscriber”.

Thus, it indicates that each time the terminal tries to perform an identification, the following data is recorded: date and time; biometric terminal identifier; access identifier
of the subscriber most similar to the one being identified; and biometric similarity score obtained; record of the request being sent to the SEFPSA servers (in the event that the score exceeds the stipulated minimum threshold). As provided in the
EIPD Report, this recorded information is stored on the DAS-GATE servers
contracted with ***EMPRESA.1 (hereinafter, ***EMPRESA.1). The storage time,
as quoted by Osasuna (EscritoOsasuna1), is "until the beginning of the season after
the one to which the stored access refers, when it will also be blocked for the aforementioned period of three years."
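
The per-attempt record described above, sketched as an added example (not the DAS-GATE or VERIDAS implementation): a 1:N comparison that logs only the listed fields and forwards the access identifier when the score exceeds the threshold. The cosine measure, the 0-1000 scale, the threshold of 950 and all sample vectors and identifiers are assumptions or constructed values.

```python
import math
from datetime import datetime, timezone

SCORE_SCALE = 1000   # assumption: integer scores on a 0-1000 scale
THRESHOLD = 950      # hypothetical minimum score; the page does not state the real one


def similarity_score(a, b):
    """Cosine similarity of two vectors, scaled to an integer score."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return round(SCORE_SCALE * dot / norm) if norm else 0


def identify(probe, enrolled, terminal_id, when, forward):
    """Run a 1:N comparison on the terminal and return the log record.

    enrolled maps access identifier -> vector generated at registration.
    forward is called with the access identifier only on a positive result.
    The probe vector is used for the comparison and never placed in the record.
    """
    best_id, best_score = None, None
    for access_id, reference in enrolled.items():
        score = similarity_score(probe, reference)
        if best_score is None or score > best_score:
            best_id, best_score = access_id, score

    positive = best_score is not None and best_score > THRESHOLD
    if positive:
        forward(best_id)   # only the access identifier leaves the terminal

    # A record is written for every attempt. On a non-match it still names
    # the closest enrolled subscriber, which is what the page describes.
    return {
        "timestamp": when.isoformat(),
        "terminal_id": terminal_id,
        "closest_access_id": best_id,
        "score": best_score,
        "forwarded_to_access_server": positive,
    }


# Constructed enrolment store: access identifier -> registration vector.
ENROLLED = {
    "ACC-0001": [0.12, 0.80, 0.58],
    "ACC-0002": [0.90, 0.10, 0.42],
}


def demo():
    """One positive identification and one attempt below the threshold."""
    sent = []
    when = datetime(2023, 1, 22, 18, 30, tzinfo=timezone.utc)  # constructed
    match = identify([0.88, 0.12, 0.45], ENROLLED, "T-07", when, sent.append)
    miss = identify([0.50, 0.50, 0.70], ENROLLED, "T-07", when, sent.append)
    return match, miss, sent


if __name__ == "__main__":
    match, miss, sent = demo()
    print(match)
    print(miss)
    print("forwarded:", sent)
```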

The EIPD Report also indicates that the corresponding access identifier will be transferred to the SEFPSA servers only when the recognition is positive, in order to make the decision of whether or not to open the turnstile”, this data being necessary to avoid fraud in access to the premises such as duplicate entry to the stadium with the same season ticket, and constituting one of the measures imposed by the Anti-Violence Law, which in its article 11.1 determines:

It provides as DOCUMENT NUMBER 11, the authentication logs of the accesses by the interested parties to the El Sadar stadium of a specific user, with a section 1, entitled “Sample registration with the data that remain for a specific interested party in the system once the registration process has been completed”

It is indicated that in order to consult the requested data, it is necessary to access the databases of the production environment, an action only available to the system administrator, and
to obtain the data of a user registered in the system, it is necessary to know the
(…) to which a (…) is applied to obtain the (…). From there, access the object (…), which
contains the stored properties of the users. It indicates that the information is provided
of the identifier extracted from the QR, the subscriber's access ID, and then obtains the object “(…)”,
“type of data used by VERIDAS to be able to complete the authentication processes in
the biometric terminals through a query by (…) to the database. It indicates that
the data “(…) extracted during registration from (…) identified with the (…) appears.

In point “2. Example record of the data that remains of the same specific interested party
in the blocked storage”, it indicates that, among others, the files of the (…) are contained.

It also provides the logs that refer to access requests sent to the SEFPSA systems. Among other data, it contains: date, user access identifier, access terminal identifier, identification assessment (numeric, with values
between 993 and 999) and identification of the success of the identification (in all the exemplified cases it
has been successful).

1.9 As part of the previous letter, the information that would be presented in a
second layer of information has been provided. It is requested to identify the internet address where this
information is located.

It responded that "The information corresponding to the processing of personal data in
relation to access to the El Sadar stadium through the biometric system is accessible
at the link https://www.osasuna.es/facialRecognitionPolicy". However, in order to facilitate
the aforementioned access, DOCUMENT NUMBER 12 is provided, updated on January 22.
The document contains the same as that described in point 1.5 DOCUMENT 7.

1.10 Screenshots of the system showing how the interested party accesses his user account
in the DAS-GATE system and:

- Exercises the right of access and obtains the result.

- Revokes consent and exercises the right of deletion.

It replied that “As DOCUMENT NUMBER 13, the screenshots corresponding to the access of the interested parties to their user account in the system, as well as the exercise of the rights of access, deletion and revocation of consent,
together with the results corresponding to the exercise of each of the aforementioned rights, are provided.”

In the screenshots of DOCUMENT 13, from the Osasuna website,
abonados.osasuna.es, in the “member area” tab, entering the username and password
if you are already registered, leads to a window that shows, among others, the “Your season ticket details”, “biometric access”. Clicking on the latter takes you to a Das GATE URL where you can
see the initial information screen of “Now you can access El Sadar with your face”
and a tab where you can start the process, with the “Start” tab. The screenshot
provided reiterates the registration process.

It starts with another “Register” screen, to access the registration system to access with
facial biometrics - We recommend using a smartphone - “Scan this QR with your mobile to
continue”.
The next screen that appears is the one that contains the spaces to complete the DNI number
and the email. Below it appears “By clicking on Register you accept the privacy policy”,
and another “I consent…”. Below is the “register” tab.

C.A. OSASUNA states that “when clicking on the consent checkboxes, a pop-up is displayed
that obligatorily shows the text of the first layer”. “It is from
that pop-up where the treatment is accepted -opt-in- by giving consent, so that
the user will always see that information before being able to consent.” “If the user does
not accept both checkboxes - they are divided into two to ensure greater clarity - they cannot
continue with the process, they cannot click on “Register””.

Attached copy of the reading of the informative literal “terms conditions basic information
on data protection”.

Attached are the rest of the screenshots that continue the data registration process
for the already examined registration: “Scan the QR of your subscription”, “Scan the official document”,
“selfie”.

It also provides the process of accessing the user portal, also entering through “Member Area”, accessing the
same page as when registering, showing the option
“Do you want to unsubscribe?”, offered, according to C.A. OSASUNA, to make it clearer to the user, which “would trigger the withdrawal of consent and deletion of their data for that purpose in a
simple way”. The process continues by entering their ID, with the system asking for a
SELFIE to complete access to their account.

Once they have accessed, the options for access rights appear, in the form of “consult my
data”.
It also provides as a complement the written form for exercising rights, in which there are spaces to fill in the data of name and surname, ID,
e-mail, mobile phone, and upload a FILE, and a drop-down list with the rights, also showing the
“revocation”, and the “Send” tab.

C.A. OSASUNA states that when the right is exercised, the user receives an SMS on his/her mobile phone confirming that his/her request has been sent. It provides a printout of a message informing him/her:

“Touch the link to confirm your ARSOL request”, with a link to click on. “Thank you
for confirming your ARSOL request”.

“After this request, within the legally established time limits, the user receives a response by email.”

Regarding the revocation process, C.A. OSASUNA points out:

“Although the user could exercise this right through the Osasuna website for exercising ARSOL rights indicated above (in which case the steps would be equivalent to those
already indicated), the user is offered a faster and more direct way of revoking consent for the specific purpose of access through facial recognition.

In fact, Osasuna has always wanted users to be able to unsubscribe in a simple
way if they wished to stop using this access method (and continue accessing through the
other available methods). This is why, as previously mentioned, the user is
offered the clear button “Do you want to unsubscribe?” from the Biometric Access
section of their profile.
Once they access their user portal by clicking on this button, they are shown the
“Delete account” option, which appears next to the “check my data” option.

The process, according to the screenshot provided, requires entering the DNI number,
with C.A. OSASUNA stating that “this data is not being stored in the database,
which is necessary to trigger the deletion of the personal data that were active in
the system and the notification to the Osasuna consent manager that said user
has unsubscribed from using the facial recognition access system. It should
be noted that this specific withdrawal is from this system and does not imply that the member
loses his membership status - he will be able to continue accessing the system with his subscription as normal."
It ends by indicating that “said account is deleted without prejudice to the corresponding blocked data, deactivating the option for the user to access the Sadar stadium
through facial recognition. Likewise, the user portal will no longer be enabled.”

1.11 Evidence that the configuration of the services provided by ***EMPRESA.1 does not
involve international data transfers.

It responded by providing a list of the services of ***EMPRESA.1 (hereinafter,
“***EMPRESA.1”) involved in the provision of the access control service through
facial recognition.

It states that “Of all the above services, the only ones in which personal data reside or may reside
would be: Instances, RDS and S3. Likewise, personal data could be located in (...) in the event that a vulnerability is detected at the time of the
analysis.

In relation to the aforementioned services, all personal data managed by them
remain in the ***EMPRESA.1 region where they are deployed, that is,
eu-west-1 (Ireland).

Furthermore, at the time of contracting the services of
***EMPRESA.1, an analysis was carried out of the services that applied to the
processing of access control through facial recognition in order to identify whether the
mentioned transfers of personal data did not actually occur.

After carrying out the aforementioned analysis, it was concluded that personal data could be
transferred from (...), however, such transfer would only be possible if
there was express approval from the client to allow it. In this respect, the provider
disabled this functionality so that it is not possible to transfer personal data. The following image shows evidence of the opt-out performed - it provides
a screenshot with an enabled configuration of “AI services opt out policies”.

“Thus, once information has been provided on the services of ***EMPRESA.1 that affect the
processing, below, screenshots of the console of ***EMPRESA.1 are shown as evidence where the region in which each piece of the
infrastructure mentioned above is deployed can be seen - all in eu-west-1 = Ireland-:” It provides several
screenshots.

It adds that “for personal data storage services, as can be
checked from the following screenshots, the data is stored encrypted”, and provides a
series of screenshots with the title of the files “encrypted”.

1.12 If it has been performed, report on (…) recommended by VERIDAS DIGITAL
AUTHENTICATION SOLUTIONS, S.L. (hereinafter, VERIDAS) in the contract signed with
Das-gate.

It responded that “Considering that the provider has various certifications in
information security, (…) of various components used in the biometric identification access systems, OSASUNA has not
deemed it necessary to carry out an additional one, given the results and conclusions provided by the one already prepared.”

1.13 The Data Protection Impact Assessment attached to the previous document cites parts
of the document “Technical report. Facial biometric technology” from DAS-GATE. A copy of said document is requested.

It responded by providing it in DOCUMENT 14 “Technical report. (…)”, (14 pages) of VERIDAS, first version (…), which cites:

“Importance and need for secure recognition of real identity in the digital environment”

“And just as in the physical environment we say that society recognizes us for what we are,
in the digital environment the accreditation of identity must also revolve around the person,
their attributes, and not around devices or cards that they may possess.

“The biometric systems that are the key to carrying out this accreditation of real identity in the digital environment”.

“Throughout the report (…) are analyzed.

From the study of the above, it is concluded that the use of biometric models based on
Artificial Intelligence allows to guarantee privacy by default and from the design of these
Systems”

“The use of biometric systems usually leads to doubts in four main
areas:

• Protection of personal data.
• Quality or precision of biometric technology.
• Non-discrimination of users.
• Detection of attempts at identity theft.

Throughout this document, we attempt to explain (…), which allows us to respond and avoid or
mitigate the risks that may arise.”

“Modern biometric verification systems (1:1 or one-to-one) and
identification (1:N or one-to-many) (…).”

In section 2 (…)”, it indicates that the key element of biometric recognition is the
engine used. It is from a technical point of view, to the extent that (…)”

It distinguishes (…) biometric engine models:

“Biometric models (…).

On the other hand, it analyses modern biometric models based on AI, specifically
based on neural networks.

“(…).

As a consequence, in this model (…).

Having this vector, therefore, does not mean that the biometric information has been
compromised or that it can no longer be cancelled.”

“In addition, the levels of precision of those that use neural networks are much higher
(…).

Section 2.2 “(…)”: “The algorithms used are based on machine learning
techniques. Specifically on “deep” artificial neural networks (coined in English
as “Deep Learning”). (…).”

Explains the technical process based on (…).

Indicates that “each vector (…).”

“It is worth mentioning that all of the above refers to the intrinsic privacy of (…), but the rest of the security strategies that are applied to it should not be ignored, such as
(…).”

“The above in this section allows us to clarify that there is a clear misunderstanding in the
belief that biometric data are permanent over time and cannot be changed in the event of compromise or loss of the same. Our faces characterize us
and have always been used by humans to recognize people; now,
they also allow us to recognize them supported by technology. The face will always
continue to represent us, and it will not change (except, of course, for significant, aesthetic or health-related
operations), (…). Therefore, biometric vectors are not unique,
they change (…), so they can be modified at any time without compromising the
security of their use.”

It points out that:

-NIST, an agency dependent on the US Department of Commerce, has
in October 2021 evaluated the VERIDAS RF system in the Face Recognition Vendor Test ongoing,
being among the 25% of the best systems presented in the category (…) of
FRVT 1:1

-The independent certification body (…) has accredited that VERIDAS accredits compliance with the standard (…) information (…) presentation (…). They provide a link

1.14. Technical documentation accompanying the contracts referred to in the previous document
(between Osasuna, DAS-GATE, and VERIDAS) as indicated in the
contracts themselves.”

It replied that the following documents are provided as DOCUMENTS NUMBER 15 to 17:

• Questions and answers regarding the new access system to the El Sadar stadium (1).pdf
• Manual_instalacion_DAS-GATE _v1 (1).pdf
• Info_garantia_DAS-GATE _ENG_.pdf

FIFTH: Incorporation of documentation in the previous investigation actions.

On 10/26/2023, the Inspector carried out a diligence, noting the
incorporation of various documentation into the inspection actions, of which it is worth
highlighting:

1. General Regulations of the National Professional Football League (RGLNFP). Downloaded on
02/16/2023 from the internet address https://www.laliga.com/transparencia/normativa,
approved by the Board of Directors of the CSD on 11/7/2022.

2. Certification of the approval agreement of the Higher Sports Council of Book XII of the
RGLNFP. From the document with registration number REGAGE(...) corresponding to
file EXP202213792, with background of AI/00444/2022.

The letter from the CSD Board of Directors (competent to approve the modification of the
RGLNFP, pursuant to the provisions of articles 10. 2. b), of Law 10/1990, of 15/10, on
Sport, and 3.b), of Royal Decree 1242/1992, of 16/10, regulating the
composition and operation of the Board of Directors, certifies that at the session of
23/12/2015, the agreement was adopted in which, among others, book XII is incorporated, which
deals with the sale of season tickets and tickets.

3. Communication addressed by the Permanent Commission of the State Commission against
Violence, Racism, Xenophobia and Intolerance in Sport (CEVRXID) to the National Professional Football League on 15/03/2022. Originating from the document with registration number REGAGE(...) corresponding to EXP202213792.

4. Report 98/2022 of the Legal Office of the AEPD, dated 12/22/2022, extracted on 08/24/2023 from the AEPD website (https://www.aepd.es/es/documento/2022-0098.pdf).

This report responds to the query raised by CEVRXID on whether “the adoption of an agreement of the same within the scope of its powers (art. 13.1.b) Law 19/2007 of 11/07,
against violence, racism, xenophobia and intolerance in sport”, (hereinafter
ANTIVIOLENCE LAW) “establishing measures for the compliance of the clubs
consisting of the installation of biometric systems for the control of all access to
the animation stands that allows the unique identification of the fans who
access said stands, would be legally viable in accordance with the regulations governing
data protection.”

According to the consultant, the processing of the personal data of the fans, including their biometric data, would be carried out in accordance with Article 6.1.e)
of Regulation (EU) 2016/679 General Data Protection Regulation (GDPR), that is, the
processing of the data would be necessary “for the fulfillment of a mission carried out in the
public interest or in the exercise of public powers conferred on the data controller”.

After carrying out the analysis, it is concluded that “the adoption of the CEVRXID agreement within the scope of its powers, establishing measures for the compliance of the clubs
consisting of the installation of biometric systems for the control of all access to
the animation stands that allows the unique identification of the fans who
access said stands, is not in accordance with the regulations governing data protection.”

5. Communication sent by the CEVRXID to the League on 03/21/2023. Originating from the letter
with registration number REGAGE23e00022024546 corresponding to the action
EXP202213792, in which it communicates to the LNFP the agreement adopted at its meeting of
03/13/2023.

6. "Circular No. 19 of the 2022/2023 Season, of the League, of 03/23/2023", by which the
indications of the aforementioned CEVRXID were transferred to the Clubs, also reporting the AEPD report of 12/22/2022. From the document with registration number REGAGE(...),
corresponding to EXP202213792.

7. Content of the website https://VERIDAS.com/en/data-protection/ downloaded on
25/08/2023.

It advertises how “we believe in the right of people to use their
biometrics to be identified voluntarily and safely”, “privacy by default and
by design”.
It informs about “digital onboarding”, “a solution that allows the entire
identity verification procedure to be carried out remotely, both through an app and a website”, “a
photograph or video of the user and a document that allows them to prove their
identity will be taken. All the data contained in both the document and the image of the face
will be sent to the validation systems developed by VERIDAS.

In this phase, the veracity of the document will be analyzed by processing the data contained in it and the identity of the person, for which two biometric vectors will be created: one from the photo contained in the document and another from the selfie photo
taken by the user at that moment; by comparing them with each other in a process known as 1 to 1, it is possible to verify that a person is who they say they are.

After performing the verification, this data is sent to the VERIDAS client company that will
generally act as the controller (although there may be cases in which our
client acts as the processor, in which case it will transfer the information to the controller) and is
instantly deleted from the VERIDAS systems.”

It informs about:
- “facial authentication” “which involves verifying that a person is who they say they are,
but in this case the person must have already registered in the systems. Therefore, either it is in our client's database, or it has received a biometric QR code that will allow it to access it." It ends by indicating that "no data of yours will remain in our systems, since these will be used only to make the comparison and will then be deleted."

- "Measures to guarantee trust and security in the processing of personal data," pointing out among other aspects that they use biometric technology based on artificial intelligence with which "the data that will be processed by the biometric engine is collected and sent to it." In this engine, the data will be processed, generating what is known as a "biometric vector, which is nothing more than a way of representing people's features. At first glance, it is a very long numerical string..." which has the following advantages:

- “it is irreversible, it is not possible to reconstruct the face from the vector, the numbers do
not represent distances between characteristic points of the face, but are a
unique interpretation that the biometric engine makes of it and that only it will understand”.


- “it is not interoperable, it is not possible to use the vector in other systems, whether they are different biometric engines or other versions of the same engine that created it. This also implies that, simply by updating the version of the biometric engine, the vectors created by the previous version would be useless. Therefore, in the event of theft or unauthorized access, this data would be completely useless, there would only be a string of numbers that could not be made sense of”.

- “VERIDAS does not retain the user's personal data or the biometric vectors that have been created: Once the process for which we have been contracted has been carried out and the relevant information has been sent to the client, we automatically delete all the information that has been on our servers.”

-In the FAQs section “What data is processed for the use of VERIDAS solutions?”, it is
explained that “VERIDAS only processes data from identification documents, images that the person has provided to verify their identity (using a photograph, video or recording) and that these will be different depending on the solution you are using.”

-Regarding international transfers, it reports that it “uses the servers that ***EMPRESA.1 has in Germany and Ireland to host its cloud services”

-Informs about: “biometric engine, is the name given to the set of algorithms that transform the data of the face - obtained in our case through a photograph or video - into what is known as a “biometric vector”: a biometric data, having been subjected to a specific technical treatment, forming an irreversible chain of numbers

8. Content of the website https://VERIDAS.com/es/cumplimiento/ downloaded on
08/25/2023.

In which information is provided on the technological certifications available:
-National Institute of Standards and Technology, of the United States Department of Commerce,

-From the CCN, the certificate of compliance with the security requirements of Annex F.11 of the TIC-CCN-STIC-140 Security Guide with a high ENS category.

- (...) regulations that refer to the detection of attempts at impersonation or deception of the system,

-Provides services to trusted electronic service providers to comply with the
requirements of order ETD/465/2021 of 6/05, which regulates the methods of remote identification by video for the
issuance of qualified electronic certificates.
-Certificate in systems (...),

-Certificate of compliance with the ENS

-SOC 2 certificate of the services developed by VERIDAS. SOC 2 is a report based on the auditing standards of the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board corresponding to the Trust Services Criteria (TSC). It is indicated that it “includes a description of more than 100 controls established to protect the data processed in the services offered by VERIDAS solutions”.

9. Content of the website https://www.osasuna.es/privacyPolicy downloaded on
09/06/2023 using forced loading with cache clearing.

The document entitled “privacy policy” last updated November 2019.
It reflects C.A. OSASUNA as responsible, without any reference to the DPD. Among others,
because it is related to the subject, it appears:

a) In “Purpose of the treatment and nature of the data processed”, it indicates that “Depending on the form that the user completes in each case, the data may be processed for the following purposes”:

-of a contractual nature: to facilitate the management of the provision of agreed services, maintain the commercial relationship, as well as any other service that is contracted later”,

-based on the consent of the interested party: for marketing purposes for the sending of newsletters and technical communications related to our activity,

-based on compliance with a legal obligation, applicable to the person responsible for the treatment in relation to sports and HR management and administration,

-based on the public interest, in relation to image processing for security purposes through the various systems

b) “basis that legitimizes the data processing”

“It is the user's own consent that is expressed by checking the acceptance box as a step prior to sending each form. The user has the right to withdraw consent at any time, without affecting the legality of the processing based on the consent prior to its withdrawal.”

-The exercise of rights is also reported

Additionally, the content returned for the address
https://www.osasuna.es/politica-de-privacidad on the same day 09/06/2023 is attached.

10. Access to the website https://osasuna-socios.app.das-gate.com and simulation of the
registration carried out on 09/07/2023.

Access by the Inspector, from the laptop to the internet address: osasuna-socios.app.das-gate.com and view of the content of the page. The content of the view of the page begins with the logo and “now you can access El Sadar with your face” “Through this website you can register and enable your access with your face to the stadium. A faster, more comfortable and safer way to access” with five other tabs with information.

“Your privacy comes first

During this registration we will ask you to take a selfie that will be used only to
facilitate your access to the stadium. This information will be kept by the club along with the
rest of your season ticket data

optional and voluntary

Biometric access with your face is optional and voluntary; you can continue to enter
el Sadar with the physical or digital (mobile) season ticket.

Access doors that will have this system

Initially, face-enabled access will be enabled for members at doors
3,7,8,10,11, 16, 21 and 27. However, you can continue to access all doors with
the physical or digital (mobile) season ticket.

What should you have on hand for registration?

Your membership card

Your ID”

There is a “start” tab and here the six information tabs end.

When you click on “start”, the page to start the registration called “register” is displayed, next to it is: “Do you want to unsubscribe?”

“Clicking the button to start the registration, shows us a QR code to scan, and recommends us to continue with the smartphone because on a PC it may give an error. Alternatively, it gives the option to continue from the PC”

“The QR code directs us to the internet address: https://osasuna-socios.app.das-gate.com/, and that address is the one referred to at the beginning of this document.”

If we continue from the PC, the registration process starts, with a box to fill in NIF or NIE, email and a box that says “By clicking on register you accept our privacy policy”

Below that is a second box that says “I expressly consent to the processing of my personal data, including my image for the generation of a facial vector using an artificial intelligence system that allows my identification when accessing the stadium”, next to the “register” tab, and another that says “Do you already have an account? “log in”.

When you press the first “Check” of “By clicking on register you accept our privacy policy”, a first layer of personal data protection information is shown on the screen, of which a printout is attached, under the literal: “terms and conditions” “basic information on data protection”, with the details of the person responsible: C.A. Osasuna, the “purpose: Access control through a facial recognition system, legitimation: consent of the interested party art 6.1.a) and 9.2.a) RGPD, express authorization for the processing of images through the artificial intelligence system, facial recognition, generating a vector that allows the user to be identified for the control of access to the facilities.

Informs about the recipients, and about the “rights of access and rectification and deletion”
“as well as other rights, indicated in the additional information” that can be exercised
by contacting lopd@osasuna.es and dpo@gfmservicios.com and/or clicking on the link
on the website and the member portal - “exercise of ArSol rights”

” Additional information: You can consult additional and detailed information on data protection
here: https://www.osasuna.es/politica-de-privacidad”,

On the right of the document there are the “reject” and “accept” boxes.


When you click on the link to the privacy policy (additional information), you will get a “page not found” on the
Osasuna website.

If you click the “Reject” button on the right-hand side of the document, it will return you to the form without the “Check”, while if you click “Accept”, it will return you with the “Check” checked.

When you fill in all the “registration”, “NIF or NIE”, “e-mail”, “by clicking on register you accept our privacy policy” box and the other “I consent…” box, the “register” tab is activated.

“When you click the registration button, the process begins by requesting to show the QR code of the ticket on camera:”.

11. Access to the internet addresses https://www.osasuna.es/politica-deprivacidad and
https://www.osasuna.es/acceso-biometrico-a-el-sadar and to the records of the same in the “internet archive” (https://web.archive.org/). Carried out on 10/10/2023.

At the first address, the 8 records from 2022 and 2023 are accessed through the “internet archive” tool, the last one from 06/01/2023, and all of them refer to the last update as November 2019. Its content is printed

Also, on 10/10/2023, https://www.osasuna.es/politica-deprivacidad is accessed and the
result shows “page not found”

On 10/10/2023, an attempt is made to access https://www.osasuna.es/acceso-biometrico-a-el-sadar
with “page not found” appearing

“Access on 10/10/2023 through Internet Archive (https://archive.org/web/) to the historical records of the address https://www.osasuna.es/acceso-biometrico-a-el-sadar, gives 4 versions of registrations for 2022 and 2023: 04/15/2022, 05/25/2022, 09/27/2022, and 05/31/2023”, printing its content.

In it, it is reported that the pilot test of access through biometric access with facial recognition will be established on 04/10/2022 and “on 04/20 there will be eight doors that will offer members the possibility of using this type of access”, it is indicated that for those who wish to do so, as a faster, more comfortable and safer way of access because it allows access without having the card. There is a FAQ section, and another one on “register to use biometric access” “register in a minute”.

12. Downloading information relating to (…). (https://tienda.aenor.com/norma-(...)

A sheet of information is offered by the AENOR store on “Information technology,
security techniques, information security systems management, requirements”.

13. Download of information related to the (...) carried out on 10/19/2023 from the url:

***URL.1

Information is offered (...), on security assessment.

14. Download of information related to the standard (...) from the AENOR website on
10/21/2023. (***URL.2)


This is a sheet with the AENOR store advertisement for “quality management
systems”.

15. Download of information related to the standard (...) from the website from AENOR on 10/22/2023. (***URL.3)

It consists of a folio that offers information on the sale of the product “biometric attack detection,
tests and reports.

16. Navigation through the NIST website and its programs on facial recognition carried out on 10/22 and 10/23/2023.

17. Evaluation report of the algorithm (…) in the FRTE 1: N Identification evaluation,
downloaded from ***URL.4.pdf

18. Evaluation report of the algorithm (…) in the FRTE 1:1 Verification evaluation,
downloaded from ***URL.5.html

It consists of a graphic report from the NIST entity, generation date 09/28/2023.

19. Evaluation report of the algorithm (…) in the FRTE 1:1 Verification evaluation,
downloaded from ***URL.6.html

It consists of a graphic report from the NIST entity, generation date 09/28/2023.

20. Capture, on 10/23/2023, of the content of the website
https://www.osasuna.es/facialRecognitionPolicy and download of the documents linked to it
(privacy policy and responsible declaration)

Figure “PRIVACY POLICY RELATING TO FACIAL RECOGNITION”,
reporting that “it has implemented the requirements and measures of the RGPD and the LOPDGDD in
relation to the obligation established by article 35 of the RGPD regarding the processing of
biometric data for access through facial recognition”, below, two
downloadable:

1-PRIVACY POLICY RELATING TO FACIAL RECOGNITION: which contains four pages and is entitled: “PROCESSING OF ACCESS CONTROL DATA TO FACIAL RECOGNITION FACILITIES - complete information on data protection”, Last update date: January 2022, indicating:

- data of the person responsible, the DPD,

- For what purpose do we process your personal data?

At CLUB ATLÉTICO OSASUNA we process the information provided to us by interested parties
in order to manage access to the facilities of members
through facial recognition created with the processing of images generating a vector
that allows the member to be identified.

CLUB ATLÉTICO OSASUNA will process this data for the following purposes:


• Subscriber Registration (AA) – the personal data of subscribers will be processed for the purpose of digitizing them and verifying the identity of the subscriber in order to register them in the DAS-GATE system, a provider contracted by C.A. Osasuna for the provision of the biometric access service. The data to be processed for this purpose will be the data provided by the interested party (identification data), as well as the National Identity Document, the image obtained from a selfie of the interested party and the contents of the QR code of the subscription (subscriber and ID number, as well as access ID).

• Biometric Access (AB) – personal data will be processed for the purpose of allowing access to the Club Atlético Osasuna stadium through facial recognition, an alternative entry system that strengthens the security of access to it, as well as speeding up entry to it, making it easier for the Club's members.

• Login to das-Gate portal (IS) – personal data of interested parties will be processed so that they can identify themselves and access the DAS-GATE portal, so that they can manage access through facial recognition associated with the subscription, being able to request cancellation of this service or the transfer of the subscription, in those cases where it is permitted.

No automated decisions will be made based on the data provided.

- How long will we keep your data?

The identifying data of the member will be kept for the duration of the process for the generation of the corresponding vectors, being automatically eliminated by the computer systems at that same time.

The irreversible vectors, as well as the access IDs and the user ID (created by the member), will be kept until the interested parties request their deletion, unless other legally established provisions apply. In any case, the data will be deleted if the user ceases to have the status of a member of C.A. Osasuna or assignee of a Club subscription.

- What is the legitimacy for the processing of your data?

We indicate the legal basis for the processing of your data:

• Consent of the interested party: Art. 6.1.a) RGPD EU 2016/679 and Art. 9.2.a) express authorization for the processing of images using an AI (Artificial Intelligence) system, facial recognition, generating a vector that allows the identification of the member, for access control to the facilities.

- To which recipients will your data be communicated? Data transfers to
third parties are not planned, except for those transfers made to third parties and
entities related to the data controller that are necessary for the provision of the
service, such as DAS-GATE, the entity that provides the devices and systems
necessary to carry out data processing for access through facial recognition.

-Data transfers to third countries


No data transfers to third countries are planned.

- What are your rights when you provide us with your data?

Any person has the right to obtain confirmation as to whether or not CLUB ATLÉTICO
OSASUNA is processing personal data that concerns them.

Interested persons have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. You also have the right to the portability of your data.

In certain circumstances, interested parties may request that the processing of their data be limited, in which case we will only retain them for the exercise or defence of claims.

You may materially exercise your rights through the Private Area of each user in the
DAS-GATE Portal, in which the options for exercising your rights have been enabled
through forms in which the interested party must duly prove their identity.

You have the right to withdraw said consent at any time, without affecting the
lawfulness of the processing based on the consent prior to its withdrawal.

If you feel that your rights have been violated with regard to the protection of your
personal data, especially when you have not obtained satisfaction in the exercise of your
rights, you may file a claim with the competent Data Protection Control Authority
through its website: www.aepd.es.

- How did we obtain your data?

The personal data that we process at CLUB ATLÉTICO OSASUNA come from: The interested party.

Data that is processed:

- Identification data of the member. (ID of the holder, front and back)
- Email address of the member.
- Data from the QR code of the membership (ID, number of subscribers and access ID)
- Member number
- Image of the member
- “Vector” algorithm of the image of the member.
- User ID on the DAS-GATE platform.

The following categories of special data are processed: biometric data
“images” for facial recognition, that is, for the generation of the member identification Vector.

- 2 “RESPONSIBLE DECLARATION OF COMPLIANCE WITH THE RGPD AND LOPDGDD”, which
is structured in two sections:


-The first contains a declaration dated 18/02/2022 that C.A.OSASUNA “has implemented the measures established in article 35 of the RGPD” regarding the processing of
biometric data for access through facial recognition and the index of the document.

-The second is a summary of the EIPD, which consists of an alternative and complementary system of the currently existing entry admission procedures. It contains an index, although not all the points are explained, dealing only with its introduction and the 7th “duty of information and rights of interested parties”.

SIXTH: Brief analysis of the EIPD provided by C.A. OSASUNA in previous investigations

In addition to the above, the EIPD provided by C.A. OSASUNA should highlight:

- “3 Roles of the different parties involved in data processing”. 3.1. “In the present case, the data processing is carried out in relation to OSASUNA subscribers, with a prior relationship between them and the Club, consisting of the acquisition of the subscription, the purpose of the processing being to guarantee the access by the subscribers to the El Sadar stadium as a consequence of the acquisition of the subscription as a means of access to the sports venue.”

-In point 4.3, a section is dedicated to what various documents of the Working Group of WG 29 refer to, referring to the risk of processing biometric data, without being able to cite the Guidelines 5/2022 adopted by the EDPB on 04/26/2023 (the DPIA was approved on 02/04/2022 and contributed to this procedure on 03/13/2023, which, although in terms of application of the Law, refers to various cross-cutting arguments on the rights

Three tables are attached.

The first ones are titled “LEGAL RISKS.”

To describe the “measures to be adopted” (last column), they describe the “risk” in the first one, and in the middle one: “current status”, describing the measures related to it, those that they have implemented and consider. In all the “measures to be adopted”, there appears “it is not necessary to adopt additional measures”.

It highlights, for example; “risk of non-compliance with the principle of legality, current status; the legal basis of the treatments has been
determined.

The second tables, foresee and are called: “ORGANIZATIONAL MEASURES”. In these, the “legal requirement”, the “measure”, and the “compliance” are indicated, which in all cases responds YES. Among others, it states that “DAS-GATE has carried out an analysis of the risks derived from the treatment and the measures necessary to alleviate them”, or that “the measures adopted have been subject to evaluation and certification, taking into account the measure that “DAS-GATE has ISO certifications with respect to (…)”

Table three, is called “security risks” and its structure is the same as the previous one, appearing in the “compliance” section YES.


The conclusion is: “Based on the conclusions reached in the analyses
carried out throughout this document in relation to the different legal risks
that may affect the processing activity examined, as well as the legal
measures implemented by OSASUNA to reduce or mitigate said risk, it can be
considered that the evaluated processing would not imply a high risk for the rights
and freedoms of the interested parties.”

SEVENTH: Agreement of initiation of 4/12/2023

On 4/12/2023, the director of the AEPD agreed:

“TO START SANCTIONING PROCEDURE against CLUB ATLÉTICO OSASUNA with NIF
G31080179, for the alleged infringement of the GDPR of the following articles:

-5.1.c), in accordance with article 83.5.a) of the GDPR, classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.a) of the LOPDGDD.

- 9, in accordance with article 83.5.a) of the GDPR, classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.e) of the LOPDGDD.”

“ORDER as a provisional measure to CLUB ATLÉTICO OSASUNA, with NIF G31080179, in accordance with the provisions of article 69 of the LOPDGDD and article 56 of the LPACAP, the temporary suspension of all processing of personal data related to the facial recognition solution for access to the El Sadar stadium. The provisional measure must be carried out within ten business days, counting from the notification of this agreement to open the procedure, and will remain until its final resolution, in which it must be confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the LPACAP. To this end, it must justify before this Spanish Data Protection Agency the attention to this request.”

“For the purposes provided for in art. 64.2 b) of the LPCAPAP, the sanction that could correspond would be for the infringement of article 5.1.c) of the RGPD is an administrative fine of 200,000 euros, and the infringement of article 9 of the RGPD, with another administrative fine of 200,000 euros, assuming a total amount of 400,000 euros, without prejudice to what results from the investigation.”

EIGHTH: Sending a copy of the file

On 7/12/2023, C.A. OSASUNA requests an extension of the deadline to make allegations
and a copy of the file.

The communication of the extension of the deadline was sent on 12/12/2023, together with the letter with the
copy of the file on encrypted USB storage, as it exceeded the maximum allowed in the
Notific@ system, formalizing the delivery by courier. Independently, through
electronic delivery it was sent on 12/13/2023, (…), which was notified on 12/14/2023.

The electronic delivery, like the start agreement, was delivered, but not the delivery by
courier, which was unsuccessful due to being “absent”, on 12/15 and 12/19 at c/ Sadar s/n in
Pamplona, Navarra, being returned on 12/22/2023, so that C.A.OSASUNA does not have,
after the time has elapsed, the letter of extension of the deadline or the copy of the file.

On 12/28/2023, a letter was sent to C.A.OSASUNA to inform it that the sending of the copy of the file was unsuccessful and it was requested to provide the delivery location and contact information of the person and telephone number. C.A. OSASUNA, on 01/11/2014, provides these data and sends a copy of the file that was delivered on 01/16/2024

NINTH: Allegations to the start agreement of 12/28/2023

On 12/28/2023, C.A.OSASUNA made allegations, stating:

1) Regarding the content of the operative part, referring to the adoption of the provisional measure imposed, it states that it is not a procedural act, but that it may cause harm, and that it will challenge it in the administrative-contentious manner in order to obtain the suspension of the decision, because it affects its rights and interests susceptible to protection. In announcing this interposition, it requests, in application of article 90.3 of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (hereinafter LPACAP) for the provisional measure adopted to be provisionally suspended.

2) The reasoning of the initiation agreement is based on the premise for the two imputed infringements, that the establishment of the voluntary system of access to the El Sadar football stadium, through facial recognition, entails a high risk for the Club's subscribers.

Subsequently, the initiation agreement carries out an alleged description of the treatment carried out by the biometric recognition systems, second part of legal ground two, in which it analyses the alleged risks generated to the rights and freedoms of the interested parties by the biometric recognition system established.

He states that in that second legal basis, it is insisted on describing the system used as based on the technology of measuring distances between different points of the face - recognition system by "landmarks" - obtaining as a result a mathematical vector and associating the risks indicated in the start agreement when knowing the vector generated with this engine and being standardized systems. This is stated in pages 49 and 50 - which describes the typology of biometric data and the correlation of the sample taking with personal data. Reviewing some paragraphs that tend to explain why these personal data are considered, C.A.OSASUNA selects others, concluding that: “Based on the evaluation and treatment as high risk in light of the considerations just indicated, the start agreement considers that this circumstance determines that the principle of necessity is not met in this case, since the agreement considers that there are other alternatives for access to the stadium that guarantee, as indicated, the full identification of the subscriber given that their data are already sufficiently identified on the subscription card in its various formats.”

The start agreement, based on this consideration, shows that biometric data generate an additional risk because they have a “merely probabilistic” character. It adds that, however, in the responses to the two requests, it stated that its system does not respond to the systems described in legal basis II of the start agreement but rather to artificial intelligence models based on neural networks. He reiterates what he stated about the generation of the biometric vector contained in point 2.2 of the first request for preliminary investigation actions.


He adds that, in addition, with his systems the risks derived from the probabilistic nature of the model and the immutability of the affected person's face are minimized. It states that the risks had been analysed in the detailed impact assessment, being minimised by the technology used in the treatment, appearing "in the aforementioned assessment", a reference to the TECHNICAL REPORT issued by the provider of the technology used, provided as DOCUMENT 14 in the second request for information of the prior investigation actions

It states that, subsequently, the document analyses how the risks derived from the treatment are
minimised until their practical disappearance in the cases in which the biometric
recognition system is based on AI models of neural networks.

At the same time, regarding the possible treatment of other data belonging to special categories, it is provided, as DOCUMENT 1, "Latest generation Facial and Voice Biometric Technology. Characteristics and application”, prepared by the entity providing the technology used by OSASUNA, which complements the one mentioned above, in which it is expressly indicated that “the data is captured with the sole purpose of carrying out the biometric recognition (facial or voice) of the person and is treated for this exclusive purpose, without VERIDAS technologies being able to infer other data from it such as emotional state, disabilities, genetic characteristics, etc.”

“The document dates from October 2021, and although since then, and as a consequence of the evolution of technology, it has been the subject of several additions, incorporating, among other issues, new tools and certifications that improve what is indicated in the document, it has been considered appropriate to provide this version of the document since it was the one used by OSASUNA to prepare the EIPD for the treatment that is the subject of this file.”

"If the premise followed by the AEPD to consider two violations of the provisions of the GDPR as imputable to my client is the high risk derived from facial recognition systems that are in no way similar to the one used by OSASUNA, all the reasoning followed by the same to impute responsibility to my client must fail, given that the premise being erroneous it is not possible to apply to the system implemented by OSASUNA any of the consequences mentioned in the Start Agreement"

From the visualization of document 1, it is worth highlighting:

-The data will be processed by a biometric engine, that is, the software that processes the captured data to produce a "template" or biometric vector, that is, a digital reference of a set of characteristics that are then used for the authentication or identification of an individual.

-Once the vector of the individual to be identified or authenticated is available, the comparison against another vector or vectors can be proceeded. It is important to note that the comparison is always made between vectors between digital references and not between biometric characteristics point the comparison between vectors is interpreted by the biometric engine that created them providing a probabilistic result


-The mathematical vector that they use is not developed nor is it based on characteristic points that imply taking measurements between multiple points of the biometric characteristic obtaining a mathematical vector that is the summary of said measurements. However, the mathematical vector generated with their artificial intelligence is not generated in such a simple way, indicating that the facial vectors created with their artificial intelligence imply, for example, that, if a facial image is passed through two different biometric engines or even two different versions of the same engine, the resulting vector will be completely different

3) C.A. OSASUNA states that, based on this alleged breach of the principle of necessity, the agreement considers that the legal basis on which the treatment is based in the present case is not adequate, given that it seems to try to avoid the guarantee of the principle of necessity.

C.A. OSASUNA adds that the legal bases on which access with SBRF is based do not
require the value of necessity because they are based on the consent of "article 6.1 a)
and 9.2 a)" of the GDPR.

C.A.OSASUNA states that from reading the start agreement, it is clear that the legal basis that could really "justify facial recognition control of access to the stadium would be the development of the subscriber's contract with the club for which facial recognition is not necessary or the guarantee of security in the venue which, as a mission of public interest, would not be lawful as a legal basis for the treatment if there is no regulation with the rank of law that enables said access."

“This leads to a kind of circular reasoning, in virtue of which, given that there are other means
that are supposedly less invasive and more guaranteeing of the right of the interested parties to
access the stadium, the consent of the interested party could never be an adequate legal basis
to authorize the treatment, given that by requiring alternatives to guarantee that
it is freely provided and these being supposedly less restrictive of the
rights, the principle of necessity would never be fulfilled.

The aim is to base the alleged infringement of article 9 of the RGPD on an
argument similar to that which the AEPD has incorporated in its “guide on treatments of presence control,
using a biometric system”, published only a few days before the
notification of the start agreement, in terms that, as the guide indicates, are susceptible to a
similar analysis in relation to the cases of access control for purposes
other than work-related purposes.

That is, under the appearance that the treatment should have been based on other legal bases, which it also does not consider applicable, because they do not comply with the principle of necessity, what the AEPD intends with the start agreement is to deny validity to the fact that Osasuna subscribers, in exercising the power of disposition that consists of the fundamental right of Data Protection, can give consent to the processing of their personal data, since, as there are less invasive means, in the opinion of the AEPD, the principle of minimisation of personal data would be breached, which leads de facto to denying the possibility that in any case the processing of biometric data can be carried out on the basis of the consent of the interested party.”

C.A. OSASUNA states: “regarding the purpose of the processing carried out by C.A. OSASUNA, the initiation agreement in its legal basis III reaches a conclusion that does not coincide with the one that actually governs the processing carried out by C.A. OSASUNA.

In the explanation of the regulations on the control of tickets and access to the
stadiums, it would be unnecessary, since it is not applicable, given that the El Sadar stadium does not have
animation stands.

The start agreement aims to transfer the criterion of need to the specific purpose that has been established by the LIGA in the Regulations for the Sale of Season Tickets and Tickets, RVAE in the animation stand or matches declared high risk in which the CEVRIXD declares the obligation to verify the identity of the attendees, which is not applicable to C.A. OSASUNA.

In addition, it estimates the conditions of the LIGA as minimum, not as a single mode of mandatory access, so that "it would not exclude the existence of other systems that could be more reliable to facilitate the enjoyment of the matches by the subscribers that is deduced from their status as subscribers."

The agreement adds that it is not possible to establish an access system other than that established by the LIGA, even if it is based on the free will of the interested parties, indicating the agreement that "even when they give their consent, the conduct of C.A. OSASUNA implies stealing the power of disposition and control over the personal data that concern him, power that belongs to the owner”.

C.A. OSASUNA states that “As stated in its EIPD, the purpose of the treatment does not
simply consist of the development of the contractual relationship derived from the acquisition
of the season ticket, but rather in “providing the season ticket holder with a new means of access to the venue that is
more appropriate and effective in view of the current state of the art, which even minimizes the risks
derived from the other systems of access to the stadium”, since the control of access to the
stadium cannot be indicated to be carried out through a single system.

C.A. OSASUNA states that the initial agreement denies the interested party the free and voluntary exercise of the full exercise of his right to access his personal data, choosing the access system that he considers most appropriate to his own and exclusive will and that C.A. OSASUNA only makes available to him so that the interested party can freely use it.

“This system is not based on the mere convenience of C.A. OSASUNA, but on its desire to
facilitate, as much as possible, access to the Stadium for its subscribers with the
maximum possible guarantees, avoiding the possible theft or loss of their subscriber card, as well as
improving the agility of access to the venue. Certainly, this is based on the existence of
a right of access by the subscriber to the Stadium, but this is not, but rather the aforementioned, the
purpose of the treatment.”

“The premise used by the Commencement Agreement to accuse OSASUNA of the lack of a legal basis for the processing, considering that the same must be based on other legal bases that would be based on an alleged need for the processing, as well as on what was agreed upon by LALIGA, must be abandoned. Neither is the purpose of the processing that which the Agreement claims to pursue, nor is there the slightest “theft” from OSASUNA subscribers of their free power of disposal over the data that concerns them.”

4) C.A. OSASUNA states that “Consent to access the stadium through facial recognition, as reflected in the start agreement, gives the interested party absolute control over their data, who can decide when the data can be processed, both for the preparation of their facial vector and for its comparison with their image when they access the stadium using the enabled readers, recalling that no gate of the Stadium where the facial recognition system is installed has ceased to have alternative means of access to the premises that the interested party, even when they have registered on the platform, can use whenever they want, without any limitation, without even losing the power of decision and control of the means of access to the Stadium at any time. However, the Commencement Agreement, in a way that we can even dare to consider paternalistic, does not cease to consider that the free decision of the interested party about the means chosen for access to the Stadium, as well as to register on the platform and make use of the facial recognition system in each of the matches, implies a loss of the power of disposition that the interested party must have over the data that concerns him, or the use of personal data that are not evidently necessary to access the stadium, which may also include minors.

It states that C.A. OSASUNA expressly indicated that the aforementioned
treatment would only be possible for those to whom the regulations grant the power to give consent, over
14 years of age.

The agreement also considers that it contains the error of indicating that C.A. OSASUNA “avoids
any analysis by leaving the assessment of the need in the hands of those affected because
it is an option and the interested party has chosen it, being the will of the subscriber. That is to say, the
AEPD considers that the fact of granting the OSASUNA subscriber all the power to
freely dispose of his data by authorizing whether he wants to use the facial recognition
system and when he wants to use that system, is what would apparently
vitiate, in the opinion of the AEPD, said system, because it leaves in the hands of the affected party the
possibility of determining whether or not he considers the treatment necessary to achieve a
purpose that is made available to him and that he freely authorizes. This means that the AEPD
positions itself even above the legislator by establishing when it is really possible
to exercise the power of disposal and when it will be the AEPD that deprives the interested party of that
faculty even if it is a power of disposal that is what constitutes the
fundamental right to data protection.”

“The legal basis for consent is only limited because it must be provided for the
processing of your personal data for one or more specific purposes, without the
objective of the AEPD being the one to determine in an all-encompassing manner what those purposes are,
but rather that the interested party clearly knows the scope of the disposition that he makes of his
data.”

“If the interested party clearly knows the scope of the consent that is requested, the
purposes of the processing and even the details of the same and the way in which it will be
carried out, it is not possible to conclude that the interested party has not freely made use of the power of
disposition and control over his own data that consists of the fundamental right.”

C.A. OSASUNA considers that users are informed in detail of the way in which
the processing will take place, granting them the ability to decide when and how the
processing occurs.

5) C.A. OSASUNA indicates that the only restriction as an enabling basis for the processing of personal data contained in the GDPR is found in article 9.2.a) of the GDPR, reflected in article 9.1 of the LOPDGDD. It follows from this that the processing, when “the interested party gives their explicit consent for the processing of said personal data for one or more of the specified purposes”, is applicable, and this has been recognized by the AEPD as, for example, in the reports of the Legal Office 36/2020, 47/2021, or 98/2022. In the same sense, in the Guidelines 3/2019, on the processing of personal data by means of video devices, approved on 01/29/2020, in its section 77, on the use of video surveillance including the biometric recognition function installed by private entities for their own purposes, for example, marketing, statistics or security, it will require in most cases the explicit consent of all interested parties, and details the example that it indicates is similar to the object of analysis, consisting of the access of passengers in the boarding or baggage check-in at the airport through video surveillance systems that use facial recognition techniques to verify the identity of the passengers who have chosen to consent to said procedure.

C.A. OSASUNA states that “Likewise, in relation to the consent of the interested party, section 86 of the Guidelines adds that when article 9 of the GDPR requires consent, the data controller cannot make access to its services conditional on the acceptance of biometric processing. In other words, and especially when biometric processing is used for authentication purposes, the data controller must offer an alternative solution that does not involve biometric processing, without restrictions or additional cost for the interested party. That is, the EDPB itself, of which, it is necessary to reiterate, the AEPD is a part, considers the processing of biometric data based on the consent of the interested party to be lawful as long as the data controller makes available to interested parties another alternative means that does not include the processing of biometric data and allows the same result without implying a restriction or additional cost for the interested party.”

C.A. OSASUNA states that this criterion seems to have been broken by the Guide referring to
the processing of these data for labor and access control, published on 11/23/2023, and
from which “it seems to be caused even though no reference is made to it in the notified
initiation agreement”.

It reiterates the allegation that said guide uses a circular argument, and that “in this way,
the AEPD reaches a surprising conclusion that supposes de facto the extension of the
scope of the first paragraph of article 9.1 of the LOPDGDD to any categories of
data belonging to special categories, the will of the legislator to limit this prohibition to specific
categories being entirely irrelevant for the Control Authority. And we say that it affects any category because with respect to the
other categories, that is, data that reveal the health of the interested parties or genetic data,
the circular reasoning to which we have referred is identical (the existence of
less intrusive means excludes the possibility of giving consent)”. “Such
a conclusion, which imposes a de facto prohibition of data processing, repealing what is
established in the LOPDGDD in the sense of prohibiting any processing of data
belonging to special categories on the basis of the consent of the interested party, is
carried out, in a completely surprising way and through what is nothing but a Guide
whose purpose should not go beyond showing an interpretative criterion of the AEPD for
the knowledge of the recipients of the rule.”

C.A. OSASUNA also considers that, in accordance with the content of the start-up agreement, denying it the possibility of establishing a system based on the consent of the interested parties for access by means of facial recognition to the “El Sadar” Stadium, limiting itself to indicating that the procedures for access to football stadiums must be subject to the minimum criteria established by LA LIGA, makes any treatment based on the power of disposition over the data that consists of the right to data protection unviable, even when it complies with all the requirements established in the GDPR.

C.A. OSASUNA considers that it has proven that it complies with all the requirements
required for the processing of biometric data based on consent under the GDPR
and the LOPDGDD, many of which are analysed in the EIPD, and therefore considers that article 9 of the GDPR is not
violated.

6) C.A. OSASUNA states that the infringement of article 5.1.c) of the GDPR is not respected, as the data exceeds those necessary to achieve the purpose, which is exhaustively analysed in the EIPD in which it is
contained, taking into account the circumstances surrounding the processing and the consequences that it may cause to the rights and freedoms of the interested parties. The risks that may arise for the interested parties from this technology are analysed in the same.

C.A. OSASUNA states that the EIPD analyses at the highest level the scope of the
guarantees that must be adopted in the processing of data, even taking into
consideration what is established in the proposed regulation on Artificial Intelligence from which
it is not deduced that “the non-remote processing of biometric data entails a high
risk for the rights and freedoms of the interested parties”.

C.A. OSASUNA reiterates that the system used is provided by the provider, VERIDAS, which has various certifications that guarantee greater reliability, analyzing and assessing in the EIPD the “biases of probability of an error in identification”, and the “supplanting of identity” that could be carried out through the use of these systems.

Reference was also made to the guarantee of integrity of the information being processed, given that the “facial recognition engines are in no case interoperable or reversible”, so that not even the developer of the system could reverse the face of an interested party from a vector. In other words, the “immutable nature of the face of people” is taken into account, adopting measures to avoid the risk to the interested parties of the “type of unique, permanent and invariable identity that is being processed”, or the “interoperability” between facial recognition systems. It states that the facial vector would vary if any technical change or evolution were to occur in the facial recognition engine, which would make the previous vector obsolete, as well as not being able to be recognized by this new version.

The EIPD also analyses the life cycle of the data, the registration in the system for the
verification process when it seeks to access the stadium, which has not been taken into
consideration by the AEPD judging by the content of the start agreement. The EIPD on this aspect
shows how measures are adopted aimed at guaranteeing the identification of the interested party, so that there are no risks related to a possible
identity theft “for which certain data are collected, on an exclusively temporary basis,
that allow their image to be compared with the resulting selfie photo
used to generate their facial vector.” “The identity of the interested party is guaranteed
by requiring, at the time of taking the selfie photo that will allow the extraction of the facial vector,
proof of life, by performing a certain movement, which prevents the
use of sophisticated impersonation systems.”

C.A. OSASUNA concludes that the EIPD analyses in detail the way in which all the
risks derived from the treatment are assessed and how in this case they are minimised or
directly excluded.

C.A. OSASUNA states that “the initial agreement seems to consider that such an effort is not sufficient, given that the EIPD must become a document in which, regardless of whether, from the design, the solution that implies a lesser interference in the rights and freedoms of people is chosen, the alternatives discarded because they imply the generation of a greater risk must be taken into account. From the initial agreement it seems that the AEPD is not so much interested in analysing the risks derived from a treatment as in carrying out a kind of abstract analysis that is what determines the option for one treatment system or another”

7) C.A. OSASUNA states, regarding the assessment of the legality carried out by the agreement on the initiation of the principle of data minimization, through compliance with the triple judgment of proportionality applicable to a measure that could imply restriction of rights of people, that the agreement focuses on the assessment of the judgment of necessity, deducing that the AEPD does not deny that the SBRF is suitable, inadequate or not pertinent, extracting:

“regarding suitability, the Agreement states:

“C.A. OSASUNA bases the acceptance of the facial recognition system as such, because
the “full identification of the subscriber” occurs, but this problem to be addressed does not occur in
this case, since the holders of the subscriptions are already sufficiently identified with the
subscription card in its various formats. The agility of the system advocated, of the RF system
as opposed to the traditional system, cannot by itself be a decisive part of the
suitability for installing the system, and in any case, by itself it cannot justify the
need for this system.”

C.A. OSASUNA states that it is appropriate that the AEPD “does not deny that
facial recognition is suitable for identifying the interested party, but rather considers it
unnecessary for this purpose, as the data is contained in the subscription card.

C.A. OSASUNA considers that the “assessment made by the start agreement on the judgment of
need is conditioned by the initial premise that the purpose must be determined in
the abstract and does not depend on the scope that can be given to it in light of the context in
which the treatment is carried out, that is, each treatment admits a single solution, the
least intrusive for the rights of the interested parties, so that any solution that
implies a supposed or apparently superior intrusion must be discarded”.

C.A. OSASUNA considers that with the reference in the start agreement to the fact that since April
2022 C.A. OSASUNA already had at least three modalities of user access to the
stadium, “the delimitation of the judgment of need of the free will and the
consent of the interested parties is being excluded.” If this literal meaning of each of the
different modes or options for accessing the stadium is followed, only one would be in accordance with the
principle of necessity, the one that involved the processing of a smaller number of data,
and the rest should be discarded, since the purpose of the processing could be achieved with
less intrusion into the rights of the interested parties.” C.A. OSASUNA indicates that, applying
this to the category of biometric data, according to the criteria of the AEPD, “any procedure in which the interested party freely decides to access a
certain service through biometric means should be discarded, even when, as has been
analyzed in the previous allegation, article 9.1 of the LOPDGDD has not ruled out the legality
of the aforementioned consent.” That is to say, the AEPD is considering that the interested party should not be free to decide freely the use of their biometric data for access to their mobile terminal or to certain applications of the same that provide them with certain services, given that it would always be possible to resort to other less intrusive means, regardless of whether the risk of identity theft is greater, such as the inclusion of a password, more or less extensive, to access said services.

C.A. OSASUNA indicates that the system it has implemented guarantees the treatment avoiding any risk of identity theft in the access to a certain service, correlating that the service has been effectively requested by the person and not by a third party who has been able to access the necessary means, such as the extraction of the interested party's subscription card or the theft or coercion of the interested party to provide their access codes. It considers that, in a facial recognition system, to achieve identity theft, it would need to have the face of the interested party to achieve this identification, and the system used by C.A. OSASUNA also has certified tools for the detection of identity theft attacks. Furthermore, the system would allow that, in the event of theft of the season ticket card, the right that such acquisition entails would not be deprived, since access would be possible with the biometric reader, and "no one would be able to access later through the alternative procedures that OSASUNA makes available to its season ticket holders." It is estimated that the system is implemented, therefore, for the benefit of the interested parties themselves, who will be able to access the stadium in a more agile and simple way, not even requiring the carrying of the title that accredits the status of season ticket holder.

“In short, following the reasoning of the Commencement Agreement, it will never be possible to base a
treatment on the consent of the interested party, given that if in order to guarantee that the
treatment is free it is necessary that the interested party can have other alternatives so that the
purpose pursued by the treatment is fulfilled, given that it will never be possible
to consider that both alternatives imply an identical level of intrusion in the rights and
freedoms of the interested parties, at least one of them, generally the one based on
consent, should be discarded as intrusive, since the judgment of necessity required by the GDPR is not adequately fulfilled. And OSASUNA respectfully understands that it is
not possible to reach such a conclusion on the basis of the aforementioned argument, given that
this would in fact be repealing the provisions of article 6.1 a) of the GDPR.”

C.A. OSASUNA carried out an assessment of necessity in its EIPD not at an abstract level,
but considering all the circumstances and the context.

“Contrary to the reasons stated in the start agreement, C.A. OSASUNA does not seek a supposed
usefulness of the treatment for itself, nor for economic reasons. Contrary to what the agreement
intends to indicate, the establishment of an additional system for access to the
Stadium, “does not bring any kind of savings or reduction in cost or inconvenience to OSASUNA,
for the simple reason that this system is implemented in addition to those already
existing.”

C.A. OSASUNA concludes by indicating that the vision of the start agreement on the application in this case of the principle of minimization, and on the need for treatment, would determine the infeasibility of consent as an adequate legal basis for carrying out a treatment of personal data.

8) C.A. OSASUNA, referring to the principle of guilt, as contained in those cited
by the CJEU of 5/12/2023, case C-907/21 Deutsche Wohnen SE and Staatsanwaltschaft Berlin,
and that of 5/12/2023 case C-683/21, deduces that it could be considered guilty, "the conduct
in which the controller should have been aware of the illegality of his action, it not being
unforeseeable that it would be punishable by the controller competent body for this,
so that “it could not ignore the infringing nature of its conduct, whether or not it was aware
of infringing the provisions of the GDPR”.

This requires considering the circumstances of the case examined in the present file, in which C.A. OSASUNA was aware that both the EDPB and, on a minimum of five occasions at the time of starting the treatment, the AEPD, had expressly recognized the legality of the processing of biometric data on the basis of the consent of the interested party, this criterion having even been reiterated by the AEPD in its report 98/2022, after the establishment of the access system to the “El Sadar” Stadium. C.A. OSASUNA could not venture to the contrary, nor the surprising modification of its criterion after what was indicated that it was in accordance with said Regulation. Such change represents a breach of the principle of legitimate trust, a principle that the Public Administrations must respect in their actions in relations, in accordance with article 3.1.e) of Law 40/2015 of 1/10 of the legal regime of the Public Sector.

This principle, according to C.A. OSASUNA, is contained in the Supreme Court ruling of
22/02/2016, appeal 1354/2014, and that of the National Court, of 4/02/2009
(appeal 304/2007).

It considers that the AEPD has modified its criteria by means of a sanctioning procedure and
that the application of the principle of legitimate trust should lead to the archiving of the
procedure, since the element of guilt required for the application of the sanctioning rule to proceed is not present.

9) Alternatively, C.A. OSASUNA points out that the principle of proportionality is infringed in the determination of the sanction. In the circumstances concurrent with the infringements, elements of the conduct itself that is intended to be sanctioned have been taken into account, refuted in this written statement of allegations, or "the alleged negligence that, as indicated, is impossible to apply if one takes into account that the opinion of the AEPD "was in no way contrary to the treatment carried out on the legal basis of the consent of the interested parties, this same criterion being upheld by the EDPB with which the AEPD has decided to disagree".

10) C.A. OSASUNA indicates regarding the application of article 5.1.c) of the GDPR, that it only affects
a small number of subscribers, who decided to register, (…), not the totality as
indicated in the start agreement.

C.A. OSASUNA indicates that the aggravating circumstance of lack of diligence in the sanction of article 5.1.c) of the GDPR does not exist, since the reason contemplated cannot be accepted,
given that said arguments, denied, were those that, in the opinion of the AEPD, justify the
imposition of the sanction, and therefore cannot be taken into account to aggravate it.

C.A. OSASUNA indicates that, regarding the circumstances taken into account in assessing the circumstances to determine the infringement of Article 9 of the GDPR, the subscribers who gave their consent to the use of the system were taken into account, unlike in the infringement of Article 5.1.c) of the GDPR, and that “Mention is made of a supposed amalgam of factors that would operate as aggravating factors, without the agreement mentioning any of them.”

C.A. OSASUNA, also on the same article 9 of the GDPR, points out: regarding the
alleged negligence of C.A. OSASUNA, "even though the AEPD had considered in accordance
with the EDPB's criteria that the processing was lawful, the agreement is based on the principle that the
responsibility was greater, based on a criterion completely identifiable with
objective responsibility, taking into account its activity, the object of which cannot,
evidently, be considered directly linked to the processing of personal
data."

TENTH: Proposed resolution of 10/30/2024 and allegations.

On 10/30/2024, a resolution proposal was issued, with the following wording:

“FIRST: That by the Director of the Spanish Data Protection Agency, regarding
CLUB ATLÉTICO OSASUNA, with NIF G31080179:

-The infringement of article 9 of the GDPR be declared closed, in accordance with
article 83.5 a) of the GDPR, and classified as very serious for the sole purposes of the
prescription of said infringement, in article 72.1.e) of the LOPDGDD.

-A violation of article 5.1.c) of the GDPR shall be sanctioned, in accordance with article
83.5 a) of the GDPR, and classified as very serious for the sole purposes of the prescription of said violation, in article 72.1.a) of the LOPDGDD, with a fine of 200,000 euros,

SECOND: Regarding the temporary suspension included as a provisional measure in the initiation agreement,
by virtue of article 58.2.f) of the GDPR, it is proposed that it be raised to definitive,
urging its prohibition. This will mean that regarding the processing of personal data
relating to the biometric facial recognition system for access by persons subscribed to the C.A. OSASUNA to the El Sadar stadium, that within 30 days from the
resolution that ends this procedure is enforceable, with the prohibition of the
treatment of the aforementioned data for this purpose and the deletion of all data that
is related to the operation of the aforementioned system, to safeguard the
fundamental right of the (…) people who subscribed to the system on 12/28/2023, and in this
sense it is certified by the C.A. OSASUNA.”

ELEVENTH: Objections to the proposal

On 11/18/2024, objections were received from the C.A. OSASUNA.

1) Regarding the elevation to definitive of the provisional measure adopted in the start agreement, consisting of the prohibition of the treatment, C.A. OSASUNA states that since the end of the 2023/2024 season, the data processing through the SBRF analyzed in this file is not operational. It also indicates that the aforementioned suspension imposed is pending resolution by the administrative litigation chamber, ordinary procedure 5/2024.

2) In view of the fact that the infringement of article 9 of the GDPR has been filed in the proposal, he adds that, nevertheless, the AEPD intends to exclude from the debate the ultimate reason, the exclusion of the consent of the interested party as a legal basis for the processing of biometric data in access control systems to a specific location.

3) Reiterates that it was aware that both the EDPB and the AEPD, on up to five occasions, had expressly recognized the lawfulness of the processing of biometric data on the basis of consent and Opinion 11/2024 on the use of facial recognition to speed up the flow of passengers at airports (compatibility with articles 5.1 e), 5.1 f), 25 and 32 of the GDPR), adopted on 23/05/2024, in which it is
"considered respectful of the principles of minimization and necessity, a processing of biometric data whose purpose is to improve the efficiency and streamline an access system." The Court gives as an example “scenario 1” of the aforementioned Opinion, which expressly states that the measures chosen could be considered to comply with the principle of necessity in relation to the purpose pursued – rationalising the flow of passengers – if, depending on the circumstances of the processing, the data controller can demonstrate that there are no less intrusive alternative solutions that could achieve the same objective with the same effectiveness. It adds that the Opinion establishes as a reason justifying the processing of the data the effectiveness of the result and the streamlining of the process, and the “non-existence of a breach of the principle of necessity in the processing, given that the remaining alternatives do not offer this benefit provided that there is a volitional element on the part of the passenger who is aware that the more agile procedure would involve the processing of data that would not be provided in the alternative process”. The AEPD “denies in the resolution proposal that such an option is possible, given that the fact of proceeding to the processing of this category of data

implies an alleged unacceptable risk to the rights and freedoms of the interested parties, that is, a conclusion diametrically opposed to that expressed by the EDPB”. Therefore,
it reiterates that the violation of the principles of good faith, legal certainty and legitimate trust
and the prohibition of arbitrariness of public powers remains fully
applicable to the case, being reinforced with the aforementioned arguments of the aforementioned Opinion
11/2024.

Finally, it reinforces its argument in the recent judgment of the Supreme Court, appeal for cassation
5039/2022 of 15/07/2024 in which, invoking the principle of predictability in
Administrative Law on sanctions, it is clearly indicated that it is not possible for the AEPD
to exercise its corrective sanctioning powers by assessing on its part a sanction of the
Data Protection regulations that the data controller could not
reasonably foresee, implying the action of the AEPD the requirement of compliance

with an obligation not expressly provided for in the aforementioned regulations. The Supreme Court
considers that, in the event that the enforceability of these additional requirements is assessed, the
control authority may make use of these other powers that the legal system grants it,
but in no case of the sanctioning powers. It considers that this is the case with
C.A. OSASUNA, having planned a treatment with a SBRF based on the

consent of the interested parties, knowing that it was not considered by the AEPD or
by the EDPB contrary to the data protection rules, without this implying the
violation of the principles of proportionality, minimisation, necessity and legality. “It is

not possible for the AEPD to agree to the imposition of a sanction based on an
integration of the principle of necessity that was not foreseeable” by C.A.
OSASUNA, “since the principle of predictability referred to by the
Supreme Court is affected.”

It indicates that said treatment criterion was altered with the “Guide on the treatment of presence control through biometric systems” (v. November 2023), which is de facto considered a source of data protection law and changes its criteria, breaking the principle of legitimate trust on the first paragraph of article 9.1 of the LOPDGDD. It considers that this does not imply that the same effect does not occur in the imputation of article 5.1c), that a treatment based on the mere will of the interested party - his consent - would be illegal, because it will never be respectful of the principle of necessity, so it will never be possible to base such treatment on the mere will of the interested parties.

4) The respondent states that in the proposed resolution the AEPD cannot
categorise the SBRF it implemented as high risk a priori, considering that it
does not entail, as it claims in the proposal, "a high risk for the rights and
freedoms of the interested parties". In its proposal, the AEPD has not carried out a real analysis

of the risks in the case in which the treatment is carried out with the SBRF, considering
the means, such as the technology used, the way in which the facial vector data will be
processed, the security measures adopted, the conservation periods, etc., considering that such factors are irrelevant. It points out that, in
the proposal, it is omitted that the reason that leads the GT 29 to consider the existence of a
high risk of interference of the treatment in the rights and freedoms of the interested parties,

derives fundamentally from the technology used for the treatment and the format of
the biometric data obtained. In the proposed resolution, some of these risks are indicated in the legal basis V.1, which it states are also cited in Opinion 11/2024. For the AEPD, in the proposal, the facial vector is nothing more than the mere mathematical representation of a map of characteristic points from which it is possible to derive and reverse the identity of the person, despite the fact that they have reiterated that their techniques use artificial intelligence based on neural networks, considering that the techniques are different from those that consist of mathematical representation of a map of characteristic points, and from those traditionally referred to, for example, in the 2003 working document on biometrics, and C.A. OSASUNA estimates that the AEPD considers that this fact is what generates this high risk to the rights and freedoms of the interested parties. After indicating that with the mentions of the risks referred to by the AEPD in the proposal "as well as the EDPD in its Guidelines 11/2012", it is concluded that these would be:

● Uniqueness of the biometric vector. The proposal understands that, given that the biometric template is generated from the features of a certain person and these being unrepeatable, if the template is compromised it cannot be modified or replaced by another, given that its generation always starts from the same immutable model (the face of the subject) and the same procedure for generating said template.

● Reversibility of the biometric vector. Likewise, the AEPD considers that the risk is high given that from a stored biometric template it is possible to reconstruct the original information and, therefore, the face of the person, given that the template represents specific and characteristic points of the interested party's face. Therefore, when the templates are stored in centralized databases, which can be the target of attacks and security breaches, it would be possible to reconstruct the model from which the template was generated or, at least, the reconstruction of the points that characterize that pattern, with the consequent risk of identity theft, compromising both their privacy and the possible exercise of other rights.

● Interoperability of the SBRF. The proposed Resolution expressly refers to this characteristic of the aforementioned systems, so that the biometric templates, once created, could be reused in different systems for multiple purposes, so that a much higher risk is produced, given that, if a template is compromised in a system, the attacker can access other services using the same template.

In fact, there are other models of biometric data processing, in particular,
recognition through fingerprints, based on the establishment of international
standards, applied by the different systems.

● Immutability of the biometric vector. As already indicated when referring to uniqueness, and unlike other authentication methods, biometric templates cannot be modified or revoked, because they are essentially a “written” representation of features that are immutable to the person (the face cannot be changed). Therefore, in the event of a compromise or security breach of a biometric database, given that the interested party does not have the ability to change his facial identity, the attacker will be able to use it, while the interested party will not be able to alter it, thus being exposed to a risk situation permanently.

The Resolution Proposal, as indicated, takes as its main premise the
classification of the processing carried out by OSASUNA through the SBRF as
high-risk processing, which leads it to reach the conclusion that, since it implies
an inadmissible interference in the rights and freedoms of individuals, said processing

can never respect the principle of necessity if there are other processing activities
capable of achieving the same purpose (it has already been indicated that the one assessed by the AEPD
-simply, access to the Stadium- is not the real purpose of the processing), it will never be
possible for the processing carried out by OSASUNA to be respectful of the principle of
minimisation.

It considers that the AEPD establishes an a priori assessment of the risk, since its Risk Management Guide and Impact Assessment in the processing of personal data
mention the adoption of technical and organizational measures to determine whether the inherent risks of the treatment are susceptible to being minimized to determine the
residual risk.

In the proposal, the AEPD has assessed the inherent risk through the factors
mentioned, ignoring whether said intrinsic and inherent risks concur in the SBRF.

It has decided to equate the inherent risk - obtained without the prior evaluation of the

characteristics of the treatment with the residual risk, in order to reach the determined premise of

considering the treatment to be unlawful.

He reiterates that the technology used in the treatment of the SBRF that he has used, to which he refers in the “technical report on facial biometric technology” (DOCUMENT 14) (folios 440 and following) and in the EIPD, does not take the “landmarks” as a point of reference for the generation of the facial vector.

His SBRF for the recognition of the person does not start from the establishment of maps
of points or distances between characteristic points of the human face, but rather from the
recognition of an innumerable number of features that differ from one face to another

(such as, to give simple examples, the shape or colour of the eyes, the size of the
nose, the colour of the skin, the volume of the lips, cheekbones, chin, etc.).

This same system is followed in the present case, in which, based on an image of the
face, which, let us not forget, must in any case be accompanied by the realization by the interested party of a proof of life that accredits that it is not a question of usurping the identity of the
interested party (thus avoiding such usurpation), the SBRF will interpret in an abstract manner information on more than five hundred characteristic elements of said face.

This SBRF differs from that established in the resolution proposal.

Unlike a model generated from “Landmarks”, in which the numerical value
would be immutable from the characteristic points obtained (since their characteristic
map or the distances between them will be invariable in any case with respect to the

interested party to whom the SBRF is applied, since they are a direct representation of their
features), in the RBR (Renewable Biometric Reference) model implemented in the
SBRF used by OSASUNA, the vector is generated by association and referencing of the
face subjected to recognition with respect to a series of faces (generally
greater than a million) used in the training of the model and with respect to each of the
more than 500 distinctive features used by the model.

“When the interested party requests the generation of their facial vector for biometric
recognition, the SBRF attributes a numerical value to it in relation to each of the
mentioned features. This value is not generated from a scale referring to the specific feature, but from the comparison of that feature with those that constitute the aforementioned training sample.

In addition, it is relevant that “each of the SBRFs that are generated, and even each of the versions of the same system, will differ from the rest, either in the delimitation of the faces used to train the system or in the order assigned to each characteristic feature for the formation of the aforementioned matrix, or in both. This implies that the same face will receive a different value in each system and in each version of the former, so that the facial vector of the same person would be modified even as a consequence of the fact that a single face in the sample used in training is altered or the location of the parameter corresponding to two features in the matrix generating the facial vector is simply exchanged.”

He estimates that the system used by C.A. OSASUNA is characterized by:

“● The representation of the same human face can give rise to multiple vectors,
so that each SBRF will generate a different vector from the others and each version

of the same SBRF will also generate a different vector from the one generated by its
previous version. That is, there would not be uniqueness, but rather multiplicity in the vectors generated by the
same face depending on the SBRF or its version.

● The facial vector is always irreversible, since it is generated by reference to the position
of the interested party with respect to each of the features within the set of faces
used as a training model. Thus, it is impossible to proceed to the
reconstruction of the face (or of the characteristic features) from the obtained

matrix, even if both the order of assignment of each of the features and the total of the images of the sample were known, which is technically unfeasible,
since the absence of even one of them would alter the numerical result derived from the
positioning of the face with respect to which the vector has been generated.

● The facial vector would never be interoperable, since, as has been said, both the
sample and the positioning of each of the features in the generation of the vector
would change from one SBRF to another, or even between versions of the same SBRF. In this way,
the use of the vector is limited to the system that created it since only this can

understand the positional references that each of the components used for its generation represents. Therefore, the reuse of a vector by
any system other than the one that generated the data would not be possible.

● The SBRF is immediately revocable, so that in the event of compromise (although

it has already been seen that the risk of unauthorized access to the facial vector under the RBR model is non-existent or minimal) it would be possible to generate a new reference,
simply by modifying a configuration variable in the system,
such as the introduction of an additional comparison element. In this way, the facial vector
obtained by the SBRF analyzed in this procedure would be, by definition,

susceptible to mutating into another (given the multiplicity characteristic referred to in the first point), thus eliminating the risks generated as a
consequence of the immutability of the vector.”

It indicates that the NIST page accredits compliance with the SBRF of C.A. OSASUNA from VERIDAS, model “(...)” indicating the link that leads to the report of XX/XX/2021, concluding that the model is certified and audited and the accuracy of the data is guaranteed.

C.A. OSASUNA disagrees with the response given in the proposal that indicates that “technology is only one factor to be considered, since other types of

measures must be implemented that may include technical and organizational measures of all kinds, and not only security measures.

In this case, it was not considered that there was no proportionality or necessity in the treatment
derived from the high risks that this type of treatment entails, but rather due to its analysis

of the content derived from the EIPD and the analysis of the nature of the treatment described,
and this is set out in legal basis V. In this sense, even if the image is
converted into a code or vector, the treatment continues to be biometric data and therefore of a special category.”

He adds that the proposal does not take into account additional measures in the processing and in the life cycle of the processing aimed at guaranteeing the rights and freedoms of the interested parties that minimise the residual risk that could arise from the processing, recalling the one aimed at avoiding identity theft or meeting the requirements for incorporation with specific reference to being over 14 years of age.

He also disagrees with the statement that

“the SBRF needs several additional documents and personal data to create and
register the facial vector. A group of data that is used for the SBRF and from which it is based is that from the subscription card, which the members who have subscribed already had, and which would be the only ones used for access to the stadium by default in the pre-existing modality before the implementation by C.A. OSASUNA of the SBRF.”, since
said data is processed only at the time of registration in order to guarantee the
accuracy and integrity and during the registration process in the system.

It concludes that it is not possible to maintain the assessment of the judgment of necessity made by the AEPD if the risks considered inherent to the treatment do not actually occur as a consequence of the technology of the system through which this treatment is carried out.

1) The purpose of the implementation of the SBRF is not only, as indicated in the proposal, to access the El Sadar stadium, when its additional aims are to provide agile access, without having to wait in long queues, since it processes the recognition in milliseconds, guaranteeing that the subscriber who accesses is the one who really has the right to carry out this access, without requiring an identification process through conventional means (for example, by comparing the DNI) in the cases in which this could be established, specifically for a specific event, avoiding identity theft in access as a consequence of the theft of documents proving the status of subscriber. The possibility of basing data processing on these
additional qualities, such as speeding up or facilitating access to the stadium, is

contained in the aforementioned Opinion 11/2014, without referring to these being
a mere "convenience" or "usefulness" for the controller as indicated in the proposal. It adds
that these reasons justify the processing of data and the absence of a violation of the
principle of necessity in the processing (given that the remaining alternatives do not offer
this benefit).

The assessment of the need for processing has only taken into account mere access

to the stadium, when it is access under conditions of greater agility and security
for the interested party, such as avoiding identity theft, not for the purposes of
Law 19/2007.

It reiterates that the suitability requirement is met, since it achieves the proposed objective, which
is to access more quickly and guarantee that the interested party cannot be
impersonated by a third party.

Regarding the analysis of the assessment of the need, it is stated in the proposal that:

“Although in practice there is not usually a single way to achieve the purposes for which
data processing is oriented, it can be seen that depending on how it is
implemented, different risk scenarios can arise. When

considering these other possible alternative treatments, it is necessary to identify those
that, using fewer means or less intrusive means, achieve at least equal
effectiveness, that is, it must be assessed whether the intended purpose can be achieved by other

means, such as using other data (of a different nature or extension) or with
less invasive technologies.”, with which C.A. OSASUNA does not agree
due to the conclusions reached therein. Considers that, given that beyond
excluding the processing of biometric data based on the free consent of the interested party, there will always be less intrusive options, it establishes the premise that
there is only one correct way of carrying out the processing of data to the exclusion of

any other option that may imply greater intrusion, with this the majority of the processing carried out by any responsible party would be
considered to be removed from the judgment of necessity. It gives the example of hosting data in the cloud
which is riskier than on own servers, which, therefore, would never be necessary to process it using those providers.

Regarding the consideration in the proposal that the agility in access to the stadium is not

sufficient, C.A. OSASUNA states that the EDPB, in its Opinion 11/2024,
considers the agility of access as an end that would justify the need to carry out a processing of biometric data of the interested parties.

Regarding the statement in the proposal that the 1:1 authentication system involves
less risk in the processing than the identification system, “the assumption extracted from

Opinion 11/2024 is based on a premise that does not occur in this case, which is that in the former
the risks of the systems are described, which, in this case, “do not concur with the system
based on artificial intelligence”.

It considers that the arguments used by the proposal to deny the concurrence of the
principle of necessity do not conform to either the purpose of the processing, or to the risks themselves that are intended to be avoided by using this technology, so it is not possible

to achieve the objectives of the processing in a less intrusive way.

As regards the assessment of proportionality, C.A. OSASUNA points out that the
advantages derived from the processing are greater than the risks generated by it,
showing that the processing does not entail a high risk for the rights and
freedoms of the interested parties, and that the risks generated by its processing are
minimized by the technology used and by the measures adopted.

6) In the event that the procedure is not archived because it is considered that the imputed infringement exists, C.A. OSASUNA subsidiarily reiterates that the principle of
proportionality is violated in determining the amount of the sanction. C.A. OSASUNA
states that in the infringement of article 5.1.c) of the GDPR, the aggravating circumstance of the
nature, seriousness and duration of the infringement must subsume that of the processing of

special categories of data. It is based on the fact that “given that if the AEPD considers that there is an aggravation of the conduct given the circumstances of the treatment, it is obvious that one of them is that there would be a treatment of special categories of data, which on the other hand is not included as an autonomous aggravating factor in article 83.2 of the RGPD or in article 76.2 of the LOPDGDD, given that it can be considered that the reference to the categories of data made by article 83.2 g) of the RGPD would not be applicable when the aggravating factor is appreciated from the treatment as a whole.”

-In addition, regarding the assessment of the aggravating factor related to the nature, seriousness and
duration of the infringement mentioned, it causes defenselessness because it is incomprehensible. “If
what is intended to indicate is that the infringement is having carried out a

treatment that was not necessary for the purposes that were intended to be covered by it, apart from denying that statement, such an aggravating circumstance would consist of an alleged
breach of the principle of necessity, conduct that is included in the type itself,
contrary to the principles of sanctioning law”

He adds that the reference to the potential impact of the treatment on all OSASUNA subscribers, contained in the proposal, in the explanation of 83.2.a) of the

RGPD of “if it is not stopped it may affect more subscribers, is meaningless”, since it is not
possible to aggravate a sanction for a fact whose occurrence is impossible, since since
the 2024/2025 season it is not processing the data with the SBRF.

Regarding the second aggravating factor, in article 83.2.b) of the GDPR, OSASUNA points out that the proposal was answered in an incomprehensible manner, and that if it is a question of considering gross negligence the fact of allowing the treatment to be carried out on the basis of the consent and free decision of the interested parties, such interpretation would not be negligent or artificial, and would not follow the criteria derived from the documents of the EDPB and GT 29. It considers that these facts cannot aggravate the liability of OSASUNA, but should exclude its liability, leading to the archiving of the file.

PROVEN FACTS

FIRST:
On 11/22/2022, a complaint was received by the AEPD referring to a press release published on 05/22/2022 by elespañol.com in which it reports the implementation of a biometric facial recognition system -SBRF- in the sports venue, El Sadar stadium, of C.A. Osasuna. As a result, the Director of the AEPD agreed to initiate preliminary actions.

SECOND:

In preliminary actions, dated 03/13/2023 C.A. OSASUNA acknowledged that it had established a
non-mandatory SBRF, complementary to the existing one to date and that would coexist with it,
to facilitate access control throughout the stadium, of members/subscribers (subscribers) to its stadium, as well as that its system complies with the requirement of being a
1:N biometric identification, accepting that these are biometric data of a
special category.

The SBRF, once the subscribers have been registered in the SBRF as users, allows subscribers from now on to choose between this type of access and the one established and in force previously, with TWO access methods available at any match. The first day, as a pilot test of use of the SBRF, was 04/10/2022, only for subscribers who had been assigned access through gate 7, with the installation, in one of its turnstiles, of a combined one with biometric access at said gate, a turnstile that was added to the existing turnstiles at the same gate for access by the ordinary system for the access to the stadium of season ticket holders.

At the football match on 22/04/2022, the number of access gates that have terminals for the operation of the SBRF was expanded to numbers: 3, 8, 10,
11, 16, 21 and 27, with a combined turnstile with biometric access at each gate, which was added to the turnstiles facilitating access with the ordinary system. According to the information in the elespañol.com news item, 500 people used facial recognition to enter the stadium
in this match, and the system allows up to 20 people to enter the stadium
per minute, and “until now there were three ways to access the stadium when the spectator

arrived at the turnstiles: showing the membership card, using RFID technology that integrates these
cards, or with the digital subscription downloaded to the mobile phone”.

THIRD:
C.A. OSASUNA emphasizes in previous actions and in its Data Protection Impact Assessment that registering to use the SBRF to access the El Sadar sports ground is one more means, since the previous pre-existing methods can be used, being added as one more option, keeping the rest of the access modalities used until then available, and the subscribed member can use any modality to access. This is added to the information on the C.A. Osasuna website, on 04/05/2022 (doc 2 provided in previous actions, first response, 03/13/2023, fact THIRD) that it is not necessary to carry the “physical pass” “or digital on the mobile” to enter, if the SBRF is used.

In frequently asked questions about the system on the C.A. OSASUNA website, DOCUMENT 5 provided in previous actions, first response, 03/13/2023, fact THIRD, 1.1, it is indicated that the system will be used for season ticket holders over 14 years of age, with a “nominal season ticket”, “modern access system that has been installed as an additional option to enter the stadium, improve the experience of people visiting El Sadar, modernize the facilities, and that in the turnstiles enabled for this type of access you will be able to automatically open the barrier and enter the stadium “by bringing your face closer to the small screen that exists in said turnstiles. As advantages, it points out the speed, the comfort, security, voluntary, easy to use for everyone and that the system is trained to recognize you”, despite the changes in appearance.”

Before the implementation by C.A. OSASUNA of the SBRF, 10/04/2022, the current means used for access to its stadium by subscribers were the physical subscriber card, or the digital one on the mobile phone, or with QR code reading, which coexist from 10/04/2022, with the implementation of the SBRF. It is accredited from the previous investigation actions and the responses of C.A. OSASUNA, that, with the season ticket cards, access to the stadium is only obtained by passing the season ticket card in its three forms,
be it a physical card, a digital card on a mobile phone or a QR code, through the access turnstile that
every stadium must have by express mandate of Law 19/2007 of 11/07 against violence, racism, xenophobia and intolerance in sport, in its article 11 "computerized
system for the control and management of ticket sales, as well as access to the venue".

FOURTH:

As the purpose of the treatment, in previous actions, on 03/13/2023, the C.A. OSASUNA
indicated that the SBRF implemented for access to the El Sadar stadium for subscribers is to
guarantee Osasuna fans who have freely decided to do so access to the El Sadar stadium sports
venue “through an agile and simple procedure” using said system, as a non-exclusive
alternative to the different means of access made available to them by the Club. In the Registry of
Treatment Activities (RAT) it appears in document 14, provided in
previous investigation actions on 03/13/2023, fact THIRD, 3.5., that the purposes of the
treatment “access control by facial recognition” are: “registration and management of
access to the facilities using a facial recognition system”.

FIFTH:
In previous actions, C.A. OSASUNA stated, and this is stated in its EIPD of 4/02/2022, that the user registration process in the SBRF for C.A. OSASUNA subscribers only needs to be carried out once and is done remotely and in a guided manner. It can be done from the user's mobile phone (preferably), tablet or computer with an internet connection and camera. It can be started from the OSASUNA website, www.osasuna.es, where there is a notice with general information about the system and a button to start the guided registration and activation process at the link: https://osasunasocios.app.das-gate.com/, and for its activation the following is necessary:

- Data entry: ID and email, with two boxes to check on consent and privacy policy, the details of which are analyzed in the following proven fact. To continue the process, the boxes must be checked and the "Start" tab must be clicked.

- Photo of the QR code of the Club membership card ("Scan QR of your membership" according to the screen information). It should be noted that the QR code contains the data of each member: the ACCESS ID, the member number and ID number, which are part of the basic data contained in the membership cards.

- Capture of a photo of the DNI from the front and back.

- Take a selfie, placing your face in the oval that appears in the image and making the movements indicated (the system verifies that the photo on the DNI matches the features and identity of the person who took the selfie). The selfie image is compared with the image obtained from the DNI.

After the aforementioned verification, it is reported that the registration process has been correctly carried out, adding that “At your usual access door you will find the access turnstiles with RF duly marked”.

Because various data already indicated are used for the registration process and storage of the biometric data, C.A. OSASUNA stated that the image of the photograph used for verification against the one that appears on the DNI is deleted because it is not necessary.

In addition, C.A. OSASUNA stated that at the end of the registration process (subscriber registration) it only keeps:

- the ACCESS ID, corresponding to the subscription and which appears on the subscription (C.A. OSASUNA says that it is anonymous, but in the EIPD of said entity, dated 4/02/2022, section 6.4.4, 4 b) it is indicated that all subscriptions "contain a unique identifier that does not single out the subscriber, but allows the individualization of the subscription itself. This data is necessary to prevent the access system from allowing duplicate access to the stadium with the same subscription, so that once access is authorized, the use of the subscription will be impossible").

- “the hash of the user identifier in the System, which is collected for the exclusive purpose of serving as the first authentication element for the secure access by the user to the DAS-GATE portal, in order to be able to interact with the System (for example, to deregister or exercise their rights)”, as stated in the response in previous investigation actions, THIRD fact, point 1.6.

- the facial vector identifier of the subscribed persons, about which C.A. OSASUNA states, “without associating it with any identifying data that appears on their ID or in their subscription or with the data provided by the interested party in the registration process”.

C.A. OSASUNA determines that these data are kept as long as the subscribers do not revoke their consent, and will be deleted "in the event of revocation or cessation of the subscriber status."

With the completion of the user registration process in the SBRF, C.A. OSASUNA indicated that the data used for registration appear in the blocked status, except for the access ID, email and the facial vector.

SIXTH:
The information process on the collection and processing of the data collected by C.A. OSASUNA for the SBRF for access to the El Sadar stadium appears on the same user registration screen through which registration in the system is activated, on the page https://osasunasocios.app.das-gate.com/.

According to document 4 provided in the previous actions, first response, point 1, in the registration process as a user, on the first screen, together with the introduction of the first data (ID and email), there are two blank boxes to check.

The first reads “I expressly consent to the processing of personal data for the generation of a facial vector that allows identification at the time of accessing the stadium”, the second “I have read and accept the privacy policy”. After checking them, there is the “start” tab.

Document 6, which is reflected in the THIRD FACT 1.5, entitled: “processing of access control data to the facilities by facial recognition”, contains the first layer of information with the person responsible, purpose: access control by facial recognition system, legitimation 6.1.a and 9.2.a of the GDPR, “express authorization for the processing of images by means of an artificial intelligence system, facial recognition, generating a vector that allows the user to be identified for access control to the facilities”. In “rights”, the rights of access, rectification and deletion appear, “as well as other rights indicated in the additional information, which can be exercised by contacting” two addresses, one of Osasuna and another of the DPO “and/or by clicking on the link to the website and the partner portal “exercise of ArSol rights”. In this first layer there is no reference to the information on the possibility of withdrawing consent.

At the end of the first layer, there is an accept button.

The first layer contains a link to additional information, “https://www.osasuna.es/privacypolicy” (provided in document 7, in previous actions, THIRD FACT, 1.5), entitled “Complete Information on Data Protection”, which indicates that it is an alternative entry system that allows strengthening the security of access to it, as well as speeding up entry, making it easier for the Club's members.

In the second layer, according to document 7, there is added information such as the processing of personal data in the DAS-GATE portal to manage the right of access through facial recognition, the possibility of requesting the cancellation of the service and the details of the data retention periods, with the reference to the withdrawal of consent appearing here. Here it is also indicated that rights can be exercised through the private area of each user in the DAS-GATE portal.

According to what was stated by C.A. OSASUNA, the withdrawal of the consent previously given for the use of the SBRF through the facial vector will mean the cessation of the processing of this data for such purposes, since, as indicated, the data will not be used for any other purpose. However, according to C.A. OSASUNA, the subscribers in this case could continue to achieve the purpose of accessing the stadium with the pre-existing methods OF THE SUBSCRIPTION IN ITS THREE MODALITIES.

As for the documents that appear in the link for the exercise of Osasuna rights and the exercise of ArSol rights, this contains a form to, among others, revoke the consent.

On the Club's website, in news from 5/04/2022, the voluntary nature of the SBRF and its complementarity with the current methods are reported. In a statement via newsletter dated 04/09/2022, these aspects were also reported.

SEVENTH:
According to the information provided by C.A. OSASUNA in previous actions, and in its EIPD (2.2.1), access by persons who have opted for the SBRF, once registered in it, occurs through the Identification Terminals provided by DAS-GATE at the stadium entrance turnstiles, which incorporate the facial recognition software that reads and identifies the facial vector of the season ticket holders. At the moment when season ticket holders registered in the SBRF access the stadium, if they wish to use this means of access, their image is captured by a tablet-screen-sized device placed at a distance of less than one metre. When approaching said device, the system is automatically activated when a face is detected. If the proximity is adequate, the system captures the image by processing it in the same way as the vector is generated, and the image obtained from the biometric facial vector of the user who wants to access is compared with the set of stored biometric vectors entered in the system. The following logs are recorded in the IDENTIFICATION terminal: date and time, ACCESS ID, biometric terminal identifier, anonymous identifier of the user most similar to the face being identified and the biometric similarity score obtained.

In prior investigations, C.A. OSASUNA specifies, in fact THIRD, 2.3, and as stated in its EIPD 2.2.1., that once the authentication of the subscribers has been produced through the identification of their facial vector, a request will be sent to the server in charge of activating the turnstiles at the entrance to the stadium, consisting of communicating to the server managed by the SPANISH PROFESSIONAL FOOTBALL SOCIETY SAU (SEFPSA), with which it has a contract for the processing of data, of which it does not provide a copy. The transmission is limited to the ACCESS ID, in order to activate the corresponding turnstile, without providing any data related to the facial vector. SEFPSA does not carry out any biometric identifier processing, limiting itself to the ACCESS ID. C.A. OSASUNA states that, once access has been accepted, in addition to the user's ACCESS ID that is sent to SEFPSA, "the sending of this request is also logged (registered in logs by the terminal-date, time, terminal identifier, anonymous user ID recognized)".

According to the information reflected in the EIPD of C.A. OSASUNA, in "2.1.3. Storage of the information resulting from the process", "Once the identity of the subscriber has been verified, the system permanently stores and as long as the subscriber continues to use the system, the ACCESS ID, the USER ID previously encrypted with the (...) and the facial vector obtained from taking the selfie photo." “The data collected temporarily during registration in the service, as well as that kept during the period in which the subscriber continues to use the system, will be stored on servers contracted with ***COMPANY.1 located in the European Union”.

It follows that each time the subscriber accesses the Sadar stadium of C.A. OSASUNA with the SBRF, it is necessary and inherent to the system that the facial vector is associated with the ACCESS ID, in order to control that there are no duplicates in the access with the same title (subscription) ACCESS ID.

C.A. OSASUNA stated in previous actions that “When processing the access request sent by the biometric terminal, SEFPSA decides whether or not to authorize the user's access and acts directly on the turnstile, commanding (or not) its opening. SEFPSA does not inform the biometric terminal of its authorization decision. It is worth mentioning at this point that SEFPSA, upon receiving this request, cannot distinguish between requests received from biometric terminals and QR or NFC readings; that is, it does not know how the user has been authenticated."

EIGHTH:
C.A. OSASUNA, responsible for the processing of the SBRF system data because it decides its implementation and the means and purposes of the system, in accordance with what was stated in the fact THIRD of previous actions, 03/13/2023, stated that it had the collaboration in the processing of data of DAS-GATE CONTROL SOLUTIONS SL, with which it signed a data processor contract (it provides document 10 “license for use of the system” of 01/24/2022, and Annex I, “personal data processing contract”), using facial recognition technology, hardware and software from VERIDAS DIGITAL AUTHENTICATION SOLUTIONS, S.L, with which DAS-GATE signed a contract as a subprocessor, as a provider of document validation technology and biometric recognition (documents 11 of 06/04/2021 and 11 bis of 17/02/2021, as stated in point 1.9 of the THIRD fact). Another subcontractor contract was signed by DAS-GATE with ***COMPANY.1 (hereinafter, “***COMPANY.1”) as a provider of (…) and (…) (a copy was provided in document 12 “terms of service” and 12 bis, and “data processing addendum ***COMPANY.1”, as stated in point 1.9 of the THIRD fact). All services provided by these entities are located within the European Economic Area.

The facial vectors extracted for the processing of biometric data, through the SBRF used by C.A. OSASUNA, are those developed by VERIDAS and include an artificial intelligence model of neural networks, with algorithms that are based on machine learning techniques (deep artificial neural networks, deep learning). The image from which the facial vector comes is deleted from the system as soon as the process of generating said vector is completed.

NINTH:
The evaluation of the necessity and proportionality of the processing operations with respect to their purpose carried out through the SBRF by C.A. OSASUNA is contained in section 6 of its EIPD of 4/02/2022 entitled "application of the principles of processing", and specifically in its section 6.4 "data minimization principle". In section 6.3, it indicates that this is a new means of access to the sports venue that is more suitable and effective in light of the current state of the art, indicating in 6.4.1 that “in the design of a new data processing, it is necessary to analyse the suitability of the data processed for the intended purpose, the possible existence of another procedure that is equally or less intrusive to achieve that objective or purpose, the weighing of the benefits that its processing would bring against the risks or damages that could emerge as a consequence of it”…the principle of minimisation would require, as a general rule, the adoption of the one that was the least intrusive”. It considers that the treatment of the facial vector is suitable "for the fulfilment of carrying out this registration process, by allowing the full identification of the subscriber" (6.4.3 EIPD) and is necessary "to achieve the purpose pursued by the treatment, which is to facilitate access to the sports venue for OSASUNA subscribers who so wish, through a quick and simple procedure. Certainly, at this point, it is possible to achieve the purpose pursued (access to the El Sadar stadium) using a less intrusive means (the use of the traditionally used means, such as the use of a QR code reader incorporated into the subscription). However, the implementation of the treatment analyzed in this DPIA does not prevent the use of this option. That is, the interested party can freely decide and without this causing any type of affectation to his rights as a subscriber, to opt for one or another treatment for access to the stadium. Thus, the need would be linked in this case to the will of the subscriber, which cannot be satisfied using a less intrusive means of access” (6.4.3 EIPD).

TENTH:

C.A. OSASUNA already acknowledged in the first response in previous investigation actions, on 03/13/2023, that its SBRF involves the processing of biometric personal data for identification purposes (1:N), so, since such processing entails a unique identification, it considered that they are special category data. It added that the circumstance that lifts the prohibition of the processing of biometric data that it uses for voluntary access to the El Sadar stadium is the explicit consent for the processing of said personal data for one or more of the specified purposes, contained in article 9.2.a) of the GDPR, consent that includes and subsumes that of article 6.1.a), which it considers to be the general legal basis. According to the information contained in the Record of processing activities, RAT: “Purposes: registration and management of access to the facilities using a facial recognition system”, and in its EIPD, that the purpose was “to guarantee access, through facial recognition, to the El Sadar stadium by the subscribers”.

The revocation of consent, according to C.A. OSASUNA in its response on 03/13/2023 in previous investigation actions and in the EIPD of 02/04/2022 (6.6), can be done at any time from the user portal and also on the C.A. OSASUNA website in “exercise of ArSol rights”, and implies the deletion, keeping the data blocked for three years, the maximum period coinciding with the prescription of a breach in the matter of data protection, “which will mean the cessation of the processing of this data for such purposes” (5.2.2 final EIPD).

ELEVENTH:
Regarding the access process for subscribers to the El Sadar stadium of C.A. OSASUNA using the SBRF, C.A. OSASUNA responded in the first response in preliminary investigation actions on 03/13/2023, appearing in fact THIRD, 1.6, and in point 6.6 of the EIPD of 02/04/2022, that “the system does not store the image captured by the reader located at the entrance to the premises nor the facial vector generated from it, only the information related to the fact of access, successful identification log, acceptance or denial of access is stored.”

In point 1.8 of preliminary investigation actions, fact FOUR, C.A. OSASUNA indicates that the operation of the terminal is recorded in its systems, DAS-GATE servers, each time an identification is made, recording the date and time, biometric terminal identifier, subscriber access identifier, and biometric similarity score, providing document 11 (authentication logs for access to the stadium extracted from the system, which begins the query through the data (…) to which (…), and that these records are stored on the servers of the provider ***COMPANY.1. C.A. OSASUNA stated that these logs are kept until the beginning of the season after the one to which the stored access refers, to which a period of three years is added (maximum period of prescription of infringements of the GDPR that may be required). In the document 11 that it provides, it can also be seen that it contains the (…), which contains the (…).

The same document 11 shows an example record of data that remains in the blocked storage, indicating among available files the images captured of the interested party's ID during their registration process.

In the user registration process, once the vector has been created, the image that was used to create the vector, those that appear on the subscription or on their ID and those provided by the interested party in the registration process are deleted, keeping only the facial vector, the subscription ACCESS ID, and the hash of the user identifier in the System for the secure access by the user to the DAS-GATE portal, in order to be able to interact with the System (for example, to proceed with their cancellation or exercise their rights).

These data will be kept as long as consent is not revoked or the user continues to hold the status of subscriber, being deleted in the event of revocation or cessation of the status of subscriber. If one of these circumstances occurs, in accordance with article 32 of the LOPDGDD, the data remains blocked for 3 years, coinciding with the maximum prescription period in personal data protection regulations.

TWELFTH:
C.A. OSASUNA responded in previous actions that it carried out measurements with personnel at different points in the El Sadar stadium, concluding from its observations that the average rate of user access through a conventional turnstile using the season ticket (NFC reader or QR reader) or paper ticket (code reader) is 12 people per minute. On the other hand, the average rate of access of people through the turnstiles that have biometric technology implemented is 20 people per minute. The values provided represent the value that has the highest frequency in the access rates.

It is also confirmed that the processing of personal data of subscribers to the SBRF of C.A. OSASUNA was, as of 03/13/2023, a volume of people that (…) and on 12/28/2023, the date of allegations, of (…).

C.A. OSASUNA reported in allegations to the proposal, on 11/18/2024, that they have ceased to operate with the SBRF since the end of the 2023/2024 season. Furthermore, according to their statement, the administrative appeal filed against the provisional suspension of processing imposed in the start agreement is pending resolution.


LEGAL BASIS

I Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of the GDPR and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed
by the Spanish Data Protection Agency shall be governed by the provisions of
Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

II Definition of personal data and biometric data

C.A. OSASUNA processes personal data in accordance with the definition of these made in article 4.1 of the GDPR: "«personal data»: all information about an identified or identifiable natural person («the interested party»); An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;”

Biometric data as a type of personal data is defined in Article 4.14 of the GDPR, which states:

“biometric data” means personal data obtained through specific technical processing, relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data;”

The scope of the GDPR extends its protection, as established in its article 1.2, to the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data, defined in its article 4.1 of the GDPR.

As already pointed out in Opinion 4/2007 of the Article 29 Working Party (WP136), of 20/06/2007 (art. 29 of Directive 95/46 EC, as an EU body of advisory and independent character), on the concept of personal data, biometric data can be defined as:

“… biological properties, physiological characteristics, personality traits or tics, which are, at the same time, attributable to a single person and measurable, even if the models used in practice to measure them technically imply a certain degree of probability. Typical examples of biometric data include fingerprints, retinal patterns, facial structure, voices, but also hand geometry, venous structures, and even a certain deep-rooted skill or other behavioural characteristic (such as handwriting, pulse, a particular way of walking or talking, etc.). A particularity of biometric data is that they can be considered both as the content of information about a particular person (So-and-so has these fingerprints) and as an element to link information to a particular person (this object has been touched by someone who has these fingerprints and these fingerprints correspond to So-and-so; therefore, So-and-so has touched this object). As such, they can serve as "identifiers". Indeed, since biometric data relates to a single person, it can be used to identify that person. This dual character also applies to DNA data, which provides information about the human body and allows for the unambiguous identification of one, and only one, person.”

Biometric data irrevocably changes the relationship between the body and identity, as it makes the characteristics of the human body machine-readable and subject to further use.

Biometric data can be processed and stored in different ways. Sometimes, the
biometric information captured from a person is stored and processed in raw form,
allowing the source from which it comes to be recognized without special knowledge; for
example, a photograph of a face, a photograph of a fingerprint, or a voice recording.

Other times, the raw biometric information captured is processed in such a way that only
certain characteristics or features are extracted and saved as a biometric template, here called
a “facial vector.”

Biometric systems are closely linked to a person, since they can use a specific and unique property of an individual for identification.

A biometric system works with the biometric data obtained from a person, from which an algorithm extracts features to create a biometric template or facial vector.

The system then checks the person's identity against the biometric database.

It can do this in a second, while comparing hundreds of millions of biometric data in the database.

The performance of a biometric system can be measured from three main characteristics. These are:

- False Rejection Rate (FRR), which represents the probability of detection errors by a biometric system, meaning that it cannot recognize a user whose biometric characteristics are already in the database. In case of rejection, the person must verify his or her identity again. From a security and safety perspective, this rate does not necessarily mean that it is a negative result.

- False Acceptance Rate (FAR), which is the probability that a system wrongly matches a person's biometric characteristics with an incorrect template and gives them permission to access. This can be a potential threat, as the system grants permission to an unauthorized person to access an account, facility, etc., and

- Equal Error Rate (EER), which is an essential indicator according to which a system accepts or rejects biometric inputs. This rate is the equality value between FRR and FAR and represents the ideal number of errors of the two.
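As an added illustration (not part of the decision, nor code from the club or its providers), the following Python sketch computes the three rates just defined from similarity scores and shows how the false-acceptance probability grows in 1:N identification as the gallery of stored vectors grows. The score distributions, the seed and the independence assumption in `far_one_to_many` are constructed for the example.

```python
import bisect
import random


def make_scores(seed=7, n_genuine=2000, n_impostor=20000):
    """Constructed similarity scores in [0, 1], returned sorted.

    genuine  = same person compared with their own template
    impostor = a person compared with someone else's template
    The Gaussian parameters are assumptions chosen for illustration.
    """
    rng = random.Random(seed)

    def clip(x):
        return min(1.0, max(0.0, x))

    genuine = sorted(clip(rng.gauss(0.80, 0.08)) for _ in range(n_genuine))
    impostor = sorted(clip(rng.gauss(0.45, 0.10)) for _ in range(n_impostor))
    return genuine, impostor


def frr(genuine_sorted, threshold):
    """False Rejection Rate: share of genuine scores below the threshold."""
    return bisect.bisect_left(genuine_sorted, threshold) / len(genuine_sorted)


def far(impostor_sorted, threshold):
    """False Acceptance Rate: share of impostor scores at or above it."""
    n = len(impostor_sorted)
    return (n - bisect.bisect_left(impostor_sorted, threshold)) / n


def equal_error_rate(genuine_sorted, impostor_sorted, steps=1000):
    """Sweep thresholds and return (threshold, EER) where FAR and FRR meet."""
    best_gap, best_t, best_eer = None, None, None
    for i in range(steps + 1):
        t = i / steps
        a = far(impostor_sorted, t)
        r = frr(genuine_sorted, t)
        gap = abs(a - r)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_eer = gap, t, (a + r) / 2
    return best_t, best_eer


def far_one_to_many(far_single, gallery_size):
    """Probability that at least one of N stored templates falsely matches.

    Assumes the N comparisons are independent, which is a simplification.
    """
    return 1.0 - (1.0 - far_single) ** gallery_size


if __name__ == "__main__":
    genuine, impostor = make_scores()
    t, eer = equal_error_rate(genuine, impostor)
    print(f"EER threshold={t:.3f}  EER={eer:.4f}")
    for threshold in (0.60, t, 0.75, 0.85):
        a, r = far(impostor, threshold), frr(genuine, threshold)
        print(f"threshold={threshold:.3f}  FAR={a:.5f}  FRR={r:.5f}")
    # The same per-comparison FAR becomes much larger in 1:N identification.
    single = far(impostor, 0.75)
    for n in (1, 100, 10_000):
        print(f"gallery={n:>6}  P(false accept)={far_one_to_many(single, n):.5f}")
```

Raising the threshold lowers FAR at the cost of a higher FRR, and a per-comparison FAR that looks negligible in 1:1 verification is multiplied by the number of enrolled templates in a centralized 1:N search.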

Each biometric method, whether face, fingerprint, palm print, iris, etc., has different values for different rates, based on which a system rejects or accepts the inputs. Biometric data have the particularity of being produced by the body itself and characterize it definitively. Therefore, they are unique, permanent or definitive in time and the person cannot get rid of them; they cannot be changed at any time, not even with age, creating questions of responsibility in case of compromise, loss or intrusion into the system. Unlike a password, in case of loss they cannot be changed. The definition of biometric data refers to "technical processing", without specifying, except to point out that the purpose of such processing must be to identify a person.

In order to be considered biometric data within the meaning of the GDPR, the processing of raw data, such as the physical, physiological or behavioural characteristics of a natural person, must involve a measurement of those characteristics. Thus, the concept should not lose sight of:

- The nature of the data: data relating to the physical, physiological or behavioural characteristics of a natural person;

- The means and methods of processing: data “obtained through specific technical processing”; this differentiates them, for example, from images of a person appearing in a video surveillance system, which cannot be considered biometric data if they have not been processed technically in a specific way in order to contribute to the unique identification of that person. Recital 51 of the GDPR also refers to the fact that photographs are not systematically considered as special category data processing, unless a specific technical means of processing is applied to them that "allows the unique identification or authentication of a natural person."

- The purpose of the processing: the data must be used for the purpose of uniquely identifying a natural person.

Biometric characteristics, if subjected to technical processing, can be used to recognize a person, including from an image or photograph, assuming for its implementation a chronological process that is contained in all biometric data processing: its capture or recording of data with its subsequent storage or processing and the comparison or correspondence phase.

In this case, as an additional system to the previously existing methods of access to its sports venue, C.A. OSASUNA establishes that of access control to the stadium by the member-subscriber to attend football matches. In order to be able to use it, you must first register your identity as a user in the system by capturing a series of biometric parameters (the face in this case), which can be done and is done in this case by means of a photograph in a computer application, preferably using a mobile phone, since what is intended is to process these parameters of the face to identify the person each time they re-enter through the access point.

The so-called registration process includes the following phases:

- Registration of biometric parameters. It covers all the processes that are carried out in a biometric system in order to extract biometric data from a biometric source and link this data to an individual. In this case the face. The biometric engine of the facial recognition system used has an AI algorithm that is responsible for this function. The software converts these measurements into a numerical code, a facial vector, as C.A. OSASUNA calls it.

This numerical code, hash or facial vector, is what is saved to compare when you enter or leave the space where the facial recognition reader is located, which records the entry or exit through the eight biometric reading turnstiles used for access to the stadium at different access doors. Therefore, facial recognition techniques require a certain cooperation on the part of the user, since the camera must be placed in front of the face, while the photo is taken at the time of registration, and at the time of access the image is captured.

- Processing: Creating a facial template or vector with the personal characteristics of the captured parameters of the user. A biometric template/facial vector is a digital representation of the unique characteristics that have been extracted from a biometric sample and can be stored in a biometric database that allows or confirms the unique identification of a natural person. Furthermore, “your biometric template is assumed to be unique and specific to each individual and, in principle, permanent over time”. Typically, in a comparison process intended to identify or authenticate a person using facial recognition, an incoming biometric template is compared to stored objects to verify a match or find one in a database.

- Enrollment: of the processed facial template or vector, being saved on a suitable storage medium. The storage systems for the registered template or the facial vector may vary: storage on a card, in the hands of the person, for example, on their individual device, under their exclusive control; centralized in encrypted form within the responsible entity, under their control; or in the cloud under the control of a third-party service provider.

As an example, Opinion 11/2024 assesses how the different ways of technically implementing the processing result in different effects on data protection. For example, control of the template differs depending on whether the template is stored on an individual device under the control of the user (as the traditional user PIN and password usually are), whether it is stored centrally within C.A. OSASUNA or in the cloud, with the key encrypted within the Club, or whether, despite the template being registered and encrypted in centralized storage within the Club, it is decrypted by the user; the storage period of the registered record also matters. The arrangement of the intrinsic elements involved in the processing technique may result in the data subject losing control of their data, depending on the architecture of the data storage, and it serves as an example and benchmark for analyzing whether the biometric facial recognition processing conforms to the principles of Articles 5.1.e) and f), 25 and 32 of the GDPR.

For all the potential risk scenarios it examines, the aforementioned Opinion assesses whether they conform to those principles. Thus, it indicates that “The Committee concludes that the measures chosen could be considered to comply with the principle of necessity if the data controller can demonstrate that there are no less intrusive alternative solutions that can achieve the same objective effectively”, or adds, “by applying appropriate guarantees or safeguards”. For those where, after its analysis, it does not find such compliance, such as scenario 3 of the aforementioned Opinion, it indicates that:

“The Committee considers that a result similar to the rationalization of passenger flow at airports can be achieved in a less intrusive manner and that the negative impact on the fundamental rights and freedoms of data subjects that would result from a breach of data security in a centralized database of biometric data appears to be greater than the expected benefit derived from the processing. Therefore, the processing cannot comply with the principles of necessity and proportionality. On this basis, the Committee concludes that the processing provided for in the third scenario cannot be compatible with Article 25 of the GDPR. Furthermore, it would not comply with Articles 5 (1) (f) and 32 of the GDPR if a controller were to limit itself to the measures described in this scenario.”

Once registration is complete, the system can begin to be used.

-In the last phase, a biometric sample - such as the face - presented to the reader sensor will be compared with a previously recorded/stored facial vector.

The phases are consistent with the enumeration of what could be a data processing operation (collection, storage, use).

Thus, the in-person capture before the device results in obtaining an image, from which the characteristics are extracted through the artificial intelligence algorithm integrated into the software of the device that C.A. OSASUNA contracted with its processor/sub-processor DAS-GATE and VERIDAS.

According to document 14 provided in previous investigations by the respondent, "Technical report" of VERIDAS, which explains the general operation of the system used by C.A. OSASUNA to create the template, the extraction of characteristics resulting from the input and output of the algorithm is what provides the facial vector, unique for each person, and requires information to distinguish between the faces of different people.

The raw image of the biometric characteristics, in this case the faces, is reduced and transformed, while retaining the salient discriminating information that is essential for the recognition of the person. These extracted characteristics are kept in a biometric template or facial vector, which is a form of reduced mathematical representation of the original characteristic.
A biometric template/facial vector is a digital representation of the unique characteristics that have been extracted from a biometric sample and can be stored in a biometric database that in this case confirms the unique identification of a natural person. Furthermore, “their biometric template is supposed to be unique and specific to each individual and, in principle, is permanent over time.” Normally, in a comparison process intended to identify a person, such as the SBRF used by C.A. OSASUNA through facial recognition, an incoming biometric template is compared with stored objects to verify a match or find one in a database.

The reference facial vector is stored for comparison, in this case in a centralized database held by C.A. OSASUNA where the identification and biometric data of the subscribers who opted for this system are stored, (…) on the date of allegations to the start agreement, (…) on 13/03/2023, and which has 1:N identification functions, where N is all the facial vectors stored centrally by C.A. OSASUNA in its database, which contains those of all users registered in the system.

As to the fact that it could be argued that it only identifies the group of previously registered users,
this is not a reason for not being considered biometric data, since it is intended that natural persons are identified with the data generated from the extraction of their
biometric characteristics.

In the definition of biometric data in article 4.14 of the GDPR, the reference to "allow" can be understood as identification and the reference to "confirm" as verification.

For a better understanding, the concepts of authentication/verification and identification, as they have been successively outlined, are described below, together with the importance of the common elements that stand out in their contents.

Opinion 3/2012 on the evolution of biometric technologies, of 27/04/2012, of the Article 29 Working Party, stated:

"-Biometric identification: the identification of an individual by a biometric system is
normally the process of comparing their biometric data (acquired at the time of
identification) with a series of biometric templates stored in a database (i.e. a one-to-many matching process).

-Biometric verification: the verification of an individual by a biometric system is
normally the process of comparing his or her biometric data (acquired at the time of verification) with a single biometric template stored on a device
(i.e. a one-to-one matching process).”

With slight nuances, the concepts are mentioned in the “White Paper on Artificial Intelligence of the European Commission”, dated 19/02/2020, referring to the facial image:

“With regard to facial recognition, “identification” means that the template of a person’s facial image is compared with many other templates stored in a database to find out whether his or her image is stored there. “Authentication” (or “verification”), on the other hand, usually refers to the search for matches between two specific templates. It allows the comparison of two biometric templates that, in principle, are assumed to belong to the same person; thus, the two templates are compared to determine whether the person in the two images is the same. This procedure is used, for example, at the automated border control gates used in border controls at airports.”

The recent Regulation EU 2024/1689 of the European Parliament and of the Council of 13/06/2024 laying down harmonised rules on artificial intelligence, OJEU 12/07/2024 (AI Regulation), states in its Recital 15: “The concept of ‘biometric identification’ referred to in this Regulation should be defined as the automated recognition of human physical, physiological or behavioural characteristics, such as face, eye movement, body shape, voice, intonation, gait, posture, heart rate, blood pressure, odour or keystroke characteristics, in order to determine the identity of a person by comparing his or her biometric data with biometric data of persons stored in a reference database, regardless of whether the person has given his or her consent or not. Excluded are AI systems intended for biometric verification, which includes authentication, the sole purpose of which is to confirm that a specific natural person is the person they claim to be, as well as the identity of a natural person for the exclusive purpose of having access to a service, unlocking a device or having secure access to a premises.”

Guidelines 5/2022 of the European Data Protection Board (EDPB) on the use of facial recognition in law enforcement (see Version 2.0, of 26/04/2023), in section 10, state:

“Like any biometric process, facial recognition can serve two different functions:

• Authenticating a person in order to verify that said person is who they claim to be. In this case, the system compares a pre-recorded biometric template or sample (for example, stored on a smart card or biometric passport) with a single face, such as that of a person presenting themselves at a checkpoint, to verify whether they are the same person. This function is therefore based on comparing two templates. It is also called 1-to-1 verification.

• Identifying a person in order to locate him or her among a group of individuals, within a specific area, in an image or in a database. In this case, the system must process each captured face to generate a biometric template and then check whether it matches a person known to the system. This function is therefore based on comparing a template with a database of templates or samples (baseline). It is also called "one-in-many" identification. For example, it may relate a record of personal names (surnames, first names) to a face, if the comparison is made with a database of photographs associated with surnames and first names. It may also involve tracking a person through a crowd, without necessarily establishing a link to the person's civil identity.”

The aforementioned Guidelines 05/2022, in their section 12, indicate that the concept of
biometric data covers both “authentication” and “identification”, and although they are
different concepts, both procedures process data aimed at uniquely identifying
a natural person, so both are included in the concept of “data processing”, and more specifically, they are processing of personal data of special
categories.

This thesis would also be confirmed by reading recital 51 of the GDPR, which states: “The processing of photographs should not be systematically considered as processing of special categories of personal data, since they are only included in the definition of biometric data when the fact of being processed with specific technical means allows the unique identification or authentication of a natural person.”

The adoption of Opinion 11/2024 on the use of facial recognition to rationalize the flow of passengers at airports, dated 23/05/2024 of the EDPB, confirms the distinction between
such functions, and also that both would correspond to the concept of special category biometric data. The opinion is important because it clarifies the different
importance of such functions in the architecture of the use and storage of data
to deduce whether the purposes can be achieved in a less intrusive way and the level of impact on
the fundamental rights and freedoms of the interested parties.

In both cases, whether verification-authentication or identification, the facial recognition techniques used are based on an estimated match between templates, or vectors: the one being compared and the reference(s). From this point of view, they are probabilistic techniques: the comparison deduces a greater or lesser probability that the person is actually the person to be authenticated or identified; if this probability exceeds a certain threshold in the system, defined by its user or developer, the system will understand that there is a match.
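The two functions and the threshold decision described above, as an added example that is not part of the decision nor code from the Club or its vendors: 1:1 verification and 1:N identification over synthetic vectors. The cosine score, the threshold value, the vector length and the subscriber IDs are assumptions made for illustration.

```python
import math
import random

DIM = 128          # assumed vector length; the decision does not state one
THRESHOLD = 0.80   # assumed decision threshold, set by the operator or developer


def cosine(a, b):
    """Cosine similarity, used here as the similarity score between two vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def synthetic_template(rng):
    """Stand-in for a feature extractor: a random vector, not a real face."""
    return [rng.gauss(0.0, 1.0) for _ in range(DIM)]


def fresh_capture(template, rng, noise=0.3):
    """Simulate a new capture of the same person: the enrolled vector plus noise."""
    return [x + rng.gauss(0.0, noise) for x in template]


def verify(probe, reference, threshold=THRESHOLD):
    """1:1 verification: one probe against the single template of the claimed person."""
    score = cosine(probe, reference)
    return score >= threshold, score


def identify(probe, gallery, threshold=THRESHOLD):
    """1:N identification: one probe against every template in the central database."""
    best_id, best_score = None, -1.0
    for subscriber_id, reference in gallery.items():
        score = cosine(probe, reference)
        if score > best_score:
            best_id, best_score = subscriber_id, score
    # The closest entry is accepted only if its score clears the threshold.
    return (best_id if best_score >= threshold else None), best_score


def run_demo(seed=7):
    rng = random.Random(seed)
    # Constructed sample data: five enrolled subscribers with made-up IDs.
    gallery = {f"SUB-{i:03d}": synthetic_template(rng) for i in range(1, 6)}

    # Centralized 1:N: the controller must hold all N templates to answer at all.
    probe = fresh_capture(gallery["SUB-003"], rng)
    matched_id, id_score = identify(probe, gallery)

    # Someone who never enrolled is still compared against all N templates.
    stranger = synthetic_template(rng)
    stranger_id, stranger_score = identify(stranger, gallery)

    # 1:1 with the template kept by the user (card or own device): the gate sees
    # one reference, presented by its holder. The vector is reused from the
    # gallery only to keep the sample data small.
    on_device = gallery["SUB-003"]
    ok, v_score = verify(fresh_capture(on_device, rng), on_device)
    impostor_ok, _ = verify(stranger, on_device)

    return {
        "identified_as": matched_id,
        "identification_score": id_score,
        "stranger_identified_as": stranger_id,
        "stranger_best_score": stranger_score,
        "verified": ok,
        "verification_score": v_score,
        "impostor_verified": impostor_ok,
        "templates_held_centrally": len(gallery),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both functions return a score compared against the same threshold; what differs is how many stored templates the comparison needs, which is the architectural point the decision goes on to weigh.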

Therefore, both functions, identification or verification, can be considered as aimed at the unique identification of the person, and the data must be considered special category biometric data. Unique identification, on the other hand, goes beyond the fact that the data relates to an identified or identifiable natural person. That data relates to an identified natural person means that this person is distinguished or isolated from a group of people. Unique can refer to the fact that the biometric data has such particularities that it can unambiguously identify an individual.

In addition, as described in the concepts of identification/verification, the architecture of the design of the processing operations built into the functioning of the biometric system is of outstanding relevance for assessing the necessity and proportionality of the processing. Recently, the European Data Protection Board, in its Opinion 11/2024 on the use of facial recognition to rationalize the flow of airport passengers, adopted on 05/23/2024, assessed its compatibility with articles 5.1.e), 5.1.f), 25 and 32 of the GDPR, and in doing so only recalled what was already indicated in the “working document on biometrics” adopted on 08/01/2003 by the Article 29 Working Party (WP 80). Section 3.2 of that document, “principle of purposes and proportionality”, made clear that the risks for the protection of the fundamental rights and freedoms of people differ depending on whether the data is “processed in a centralized manner”, in a “central database”, or is stored on a mobile device, with the compliance process carried out on the card carried by the user or, when this is part of the mobile device and not in the sensor, “the data is not stored on the access control device”. This aspect will be discussed in the section on assessing the necessity and proportionality of processing operations.

The high level of risk involved in biometric processing has been reiterated in successive opinions and guidelines on biometric data.

According to the information provided by C.A. OSASUNA, when passing through the space that collects the facial recognition image, placed for the purpose of access to the stadium, a facial vector has been generated that provides a unique value, which means that the image of the face has been processed following technical procedures (artificial intelligence among these) and the result of this process is stored ready for use. These patterns or facial vectors numerically record the physical characteristics that allow people to be differentiated. In the image collection space, the device software compares the pattern offered when it is presented to it, with the stored one, in order to grant access to the stadium.

In this case, it is not the entire image of the face that is saved but the vectors of all the users of the solution ((…) as of the date of allegations 28/12/2023); each one of them is different, and is capable of uniquely identifying each user by comparison, at the image capture point when accessing the stadium, with the rest of the existing stored images. The functions contained in the algorithm allow the extraction of the characteristics of the biometric samples and the creation of templates or facial vectors, for their subsequent comparison with a CENTRALIZED database associated with the set of previously stored users, being able to identify the holder from among all the facial vectors, processing personal data based on facial recognition, uniquely and unambiguously identifying said person.

Technically, the facial vector against which the sample is compared, and which is stored together with the rest of the biometric information registered for the other people subscribed to the C.A. OSASUNA system, results in the individual being uniquely and unambiguously identified.

The biometric data of each subscriber, acquired at the time of capture and recorded in order to be subjected to the technical procedure that converts the image into a facial vector through the algorithm, are stored, so that, when samples are presented on passing before the reader to gain access to the stadium, the system identifies through the model (…), from among all the vectors, without a doubt, its owner, seeking the unique identification of said person.

The use of the face in biometric facial recognition systems is capable of validating the identity, containing unique information about physical persons. The software algorithm extracts the biometric characteristics from the biometric sample, and reduces and transforms that sample into a label or numbers, constituting a mathematical representation of the original biometric characteristic, which is the biometric template, or facial vector. The facial template or vector is stored for comparison in the last phase, in which, with the biometric sample at the reader and the previously recorded template or vector, the user is uniquely identified each time he or she enters by putting his or her face in front of the reader, so the data is considered to fall within the scope of special data, because it is a unique identification.

But it is not the only type of identifying data that can be processed; there is also the possibility that, through biometric analysis, other special categories of data can be inferred and collected, and in particular, data related to health or data that reveal racial or ethnic origin, among others.

In the present case, of course, it cannot be said that this is not information linked to personal data of a person identified in each access record, since, in addition, it should be noted that, if they did not allow the unequivocal identification of the user, the intended access would not take place.

It is thus proven that the facial vectors resulting from the specific technical
processing of the solution implemented by C.A. OSASUNA are personal data
that can identify subscribers, users of access through facial recognition in operation
since April 2022 at the El Sadar stadium. Therefore, they are special category biometric data
included in article 9.1 of the GDPR.

III Regulations on ticket control and access to stadiums

The legal regime in sports facilities where official competitions are held regarding the sale of tickets and access by spectators is mainly regulated by Law 19/2007 of 11/07 against violence, racism, xenophobia and intolerance in sport (Anti-violence Law).

Regarding the sale of tickets and access by spectators to stadiums, the Anti-violence Law places on the organizers of sports competitions and shows the duty to adopt the appropriate measures to prevent prohibited conduct, as well as to guarantee compliance by spectators with the conditions of access and permanence in the venue through the appropriate control instruments to protect public order and security.

Article 3.1 of the Law states as a general principle:

“In general, the organizers of sports competitions and
shows must adopt appropriate measures to prevent the conduct described in
the first and second paragraphs of article 2, as well as to ensure that spectators comply with the conditions of access and permanence in
the venue established in the second chapter of this title.”

Article 6.2.a of the Law establishes that spectators must undergo
pertinent controls to verify the conditions of access to the venue, and in particular its paragraph
2.b), their obligation to submit to personal searches in order to verify that they are not carrying
weapons or other prohibited objects or are not carrying prohibited symbols or banners. To this end,
they are also particularly obliged to “be recorded by closed-circuit television
in the vicinity of the sports venue, at its entrances and inside them” (art. 6.2.a).

Article 7 of the Law establishes the following conditions for spectators to remain in the venue:

“1.g) Observe the security conditions duly provided for and those determined by regulation.

In point 2:

“b) Occupy the seats of the class and place that correspond to the title of access to the venue that they have, as well as show said title at the request of the Security Forces and Corps and of any employee or collaborator of the organizer.

a) Comply with the internal regulations of the sports venue.”

Regarding the information that C.A. OSASUNA offers on the SBRF that would allow access without
carrying the season ticket in its different modalities, as a title of access to the stadium, nothing was indicated.

Article 11: “control and management of access and ticket sales” states:

“1. All sports venues where state competitions of a professional nature are held must include a computerized system for controlling and managing ticket sales, as well as access to the venue... “

According to C.A. OSASUNA, the computerized system for access to the venue is implemented with access turnstiles that communicate the ACCESS ID to the SEFPSA servers; the turnstiles will not be opened for access if it is known that the holder of that user ID is already registered for access to the stadium. This serves the capacity control system and avoids several people being duplicated in the same seat assigned to each spectator.

Article 12 of the Law states:

“1. Given the inherent risk of the sporting event in question, the governing authority is authorized to impose the following measures on the organizers:

“b) Install cameras in the surroundings, at the turnstiles and access doors and in the entire venue in order to record the behavior of the spectators”

…

“d) Install closed circuit television to record the entire venue throughout the entire show from the beginning of the event until the public leaves.”

Article 13 of the Law states:

“1. The State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport may decide to implement additional security measures for all sports competitions or events classified as high risk, or for venues that have been subject to closure sanctions in accordance with Titles Two and Three of this Law, and in particular the following:

a) The installation of cameras in the surroundings, at the turnstiles and access doors and in the entire venue.

b) Promote systems for verifying the identity of persons trying to access sports venues.

c) The implementation of ticket issuing and sales systems that allow the identity of ticket purchasers to be controlled.

“2. In the cases contemplated in letters b) and c) of the previous section, information about the processing of personal data necessary to identify the spectator will be inserted in the admission tickets, as well as the procedures through which said identity will be verified, the processing being in all cases subject to the provisions of current regulations on data protection.

Those who organise a sporting event will proceed to cancel the data
of the people who access the event once it has concluded, unless it is
appreciated that any of the conduct referred to in the first and second
sections of article 2 of this Law has been carried out, in which case they will
only retain the data necessary to identify the people who may have taken part
in the conduct.”

Royal Decree 203/2010, of 26/02, approving the regulations for the prevention
of violence, racism, xenophobia and intolerance in sport, develops the aforementioned
anti-violence Law.

This RD, in its article 8, also establishes the obligation of the organizers responsible for all sports venues to establish a computerized system of control and management of ticket sales, as well as access to the venues, while in article 9, it obliges the organizers of sports venues where professional category football competitions are held to have numbered seats for all spectators.

Its article 15: “sale of entrance tickets”, indicates:

“2. All entrance tickets in sports venues where a computerized system of control and management of the same is installed must adapt their format and characteristics to the technical conditions required for their compatibility with the installed system.

3. In the cases contemplated in article 13.1 of Law 19/2007, of July 11, the verification and monitoring of the identity of those who acquire tickets or the control of the distribution of seats will be carried out by implementing systems for the sale of nominative tickets and developing procedures that allow the supervision of the distribution of assigned seats and the identification of the holders of access titles to the sports facilities.

The processing of the data obtained in accordance with these procedures will be limited to providing information on those who access or intend to access the sports facilities, with the aim of guaranteeing compliance with the existing prohibitions and, where appropriate, determining the responsibilities that may arise.

The organizers will cancel the data of the people who have accessed the
sporting event when it concludes, keeping only the data
necessary to identify those who may have carried out conduct prohibited by Law 19/2007, of 11/07, which may only be transferred to the authorities or competent
bodies in matters of public safety.”

For its part, article 17 of the aforementioned RD states: “Obligations of spectators regarding
entrance tickets”:

“1. Any person who intends to access a sports venue must be the bearer of an entrance ticket issued individually, a multiple ticket, a season ticket or any other title that authorizes the interested parties to access one or more than one event.

2. Spectators must occupy the seats of the class and place that correspond
to the entrance tickets they hold.

3. Each spectator is obliged to keep his/her entry ticket until he/she leaves the sports venue, and must present it at the request of any employee or collaborator of the organiser, as well as to the State Security Forces and Corps.

4. If a spectator is required to do so and does not present the entry ticket, he/she must choose to purchase one at the ticket office, paying its price if one is available. Otherwise, he/she must immediately leave the sports venue.”

On the other hand, article 20, “Front and back of tickets”, states:

“2. The tickets will indicate on the back that the sports venue is a video-monitored area for the safety of attendees and participants in the match, and will specify the reasons that prevent access to the sports venue or permanence in it, expressly incorporating, at least, the following: …

…

When the measures for monitoring and controlling the identity of ticket purchasers and holders of access titles to sporting events provided for in article 15.3 of this regulation are adopted, information will be inserted on the entry tickets about the processing of personal data derived from the acquisition and its control, as well as the procedures through which said identity will be verified.”

The National Professional Football League, LNFP, in which the Clubs and Sports Societies are obligatorily included, approved on 12/23/2015, as part of its General Regulations of the National Professional Football League, Book XII, “Regulations for the sale of season tickets”, which “aims to use the sale of season tickets and tickets as a preventive element for the fight against violent, racist, xenophobic and intolerant behavior, establishing uniform criteria in the sale of tickets and season tickets for all clubs, raising the levels of security.”

Article XII.1 of the RGLNFP establishes: “CONDITIONS FOR THE SALE OF SEASON TICKETS”, provides in its point 1, that their sale by the affiliated clubs will be
carried out through the prior and proper identification of the purchasers of the same.

“For this purpose, the purchaser of the season ticket must provide the Club/SAD, at the time of its acquisition, at least, with the following personal data, which will be processed, in accordance with the provisions of current regulations on the protection of personal data:

a) affiliation data (name and surname and identity document)

b) contact details (address for notifications, contact telephone number and email address).

When, according to the Club/SAD policy, the transfer of season tickets is not permitted, it is recommended
to request and include a photograph of the holder on the season ticket.”

Article XII.2 of the RGLNFP establishes the conditions for the sale of season tickets in the animation stands, in which the subscriber is asked for biometric data, although, since C.A. OSASUNA has no tickets of this type, no more than this reference will be made.

3.7.- Conclusion

The regulations governing the legal regime of tickets and access to stadiums do not, at the moment, provide that persons who access the stadiums carrying their title enabling access must undergo any prior identification process for said access that would add to the data processing that already exists from accessing with said title through the obligatory access turnstiles. It is a different matter that the sale is nominative, but it does not follow from what has been examined that the identity must be confirmed by the Club when accessing the sports venue. In any case, this is regardless of the fact that a means would be used for such access that could prove to be unnecessary or proportional, which will be analyzed in another point.

On the other hand, considering that the purchase of tickets to access football stadiums
to watch the sporting event is governed by the general conditions governing the sale of
the tickets, the framework of which has been drawn, the following conclusions are reached:

It is reflected that, in general, article XII.1 of the RGLNFP provides, for the sale of season tickets, that the purchaser must provide:

a) Affiliation data: name and surname and identity document,

b) Contact information (address for notification purposes, contact telephone number and email address).

Before the implementation of facial recognition in April 2022, C.A. OSASUNA had a nominative ticket system for access to the stadium in the form of a season ticket card, which could be a physical card, a QR code or on the mobile phone, for which personal affiliation and contact data must be provided. Furthermore, in accordance with the regulations governing the sale of tickets and access to sports venues, framed by the Anti-Violence Law, its implementing regulations and the RGLNFP, as a general rule, the collection of data used to identify people who have subscribed to access sports venues by biometric means or systems is not established as mandatory.

Finally, regarding the allegation that the RGLNFP ticket and season ticket sales system does not apply to C.A. OSASUNA, it should be noted that, since the Club is obligatorily associated with the LNFP, that system at least configures the general framework established for the sale of tickets and season tickets and serves as a reference for the minimum content required for the system of access to stadiums.

IV Differences in data processing for stadium access.

For the same purposes, access to the El Sadar football stadium, C.A. OSASUNA has a modality that is clearly less intrusive for the rights of the people who access the stadium: with the physical card or with the subscription on the mobile (NFC chip) or reading the QR code of the subscriber card, a system that was already working before the implementation of the SBRF.

This system can be used by C.A. OSASUNA subscribers if they decide to stop using the SBRF system, according to information from C.A. OSASUNA, which always insists that the SBRF is not only voluntary, but that subscribers can alternate between the forms of access or withdraw consent for facial recognition. The modalities pre-existing to the SBRF always appear as an “access” to which one can return.

Access to the El Sadar stadium using the methods that pre-exist the SBRF only leaves the access ID log in the access turnstile register. Access using SBRF leaves as a trail the logs of successful identification: date and time, biometric terminal identifier, access identifier of the subscriber most similar to the one being identified, and biometric similarity score obtained, or the denial (unsuccessful identification). In the case of successful identification, the logs are kept until the beginning of the season following the one to which each stored access refers, then passing to a blocking status for three years. The subscription titles, the form that the stadium access titles take, contain personal data that C.A. OSASUNA required as necessary for the fulfilment and maintenance of said contractual relationship for the acquisition of a season ticket. These titles include: (name, ID, etc.), the power that it grants and is considered to be able to decide the means and ends for the fulfilment of the same, as the person responsible for data processing and being the organiser of the event to which it also has rights and duties.

It is also these same starting data that the season ticket card contains in its various modalities (QR/mobile) that serve as the basis for implementing in April 2022 the registration and use of the SBRF, which C.A. OSASUNA decides to implement as voluntary and complementary to the previous one, in order to speed up entry and as indicated without the need to carry the season ticket card (obligation to carry an enabling title required by Law 11/2007).

On the other hand, the SBRF needs several additional documents and personal data to create and register the facial vector. A group of data that is used by the SBRF and from which it starts, are those from the season ticket card, which the season ticket holders already had, and which would be the only ones used for access to the stadium by default in the pre-existing modality before the implementation by C.A. OSASUNA of the SBRF.

The Social Statutes of the LNFP provide in its article 3.2.l) among its powers, that of determining the conditions that the sports facilities of the stadiums must meet for the holding of professional competitions, as well as the safety and access control standards that could be established. This regime is influenced by the fight against behaviors that promote violence, racism, xenophobia and intolerance in professional football. The RGLNFP establishes uniform criteria as objectives in the sale of tickets and season tickets for all affiliated Clubs/SAD and to raise the levels of security for all fans and participants in matches.

The data on season ticket cards as a title enabling access to the stadiums, according to
the RGLNFP, Title XII which regulates the sale of tickets, a matter intrinsically linked to the
access that they provide, provides for:

-the prior and proper identification of the purchasers of the season tickets by the affiliated Clubs/SAD, who must provide: affiliation data, name and surname, ID, address data for notification purposes, contact telephone numbers or email address (art XII.1)

-“At the time of formalizing the season ticket, a clause will be included to respect the internal rules of the sports venue.”

The other additional personal data that are not linked per se to the subscriber card, other than them, and that C.A. OSASUNA considered necessary for the SBRF process are obtained from other documents for the implementation of the aforementioned SBRF and would be the front and back of a public document such as the DNI that is used to compare the updated photo that is made with the application and generates the facial vector by comparison with the DNI image. The front and back that are not recorded, must be provided in pre-existing modes of access to the stadium, and which are kept in its internal files after the registration and storage of the template.

Finally, but no less important, is the conservation of the personal data of the facial vector once the deletion has been requested by the user, which C.A. OSASUNA states remain blocked until the deadline for a possible infringement of the RGPD has elapsed.

V Examination of necessity and proportionality

5.1.- High-risk processing
The processing of SBRF through biometric reading and recording tools presents high risks for the fundamental rights and freedoms of the interested parties, to which are added those of artificial intelligence as an automated recognition system of human features.

This consideration as high-risk processing was already reported in 2003 in the
“working document on biometrics” adopted on 01/08/2003 by WG 29:

“3.2 Principles of purposes and proportionality” “In accordance with article 6 of Directive 95/46/EC, personal data shall be collected for specified, explicit and legitimate purposes, and shall not be subsequently processed in a manner incompatible with those purposes. Furthermore, personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and subsequently processed (purposes principle).

Compliance with this principle requires first of all a clear determination of the purposes for which biometric data are collected and processed… On the other hand, compliance with proportionality and legitimacy must be assessed, taking into account the risks to the protection of the fundamental rights and freedoms of individuals and especially whether the purposes pursued can or cannot be achieved in a less intrusive manner. Proportionality has been the main criterion in almost all decisions taken so far by data protection authorities on the processing of biometric data.”

Before implementing a data processing project based on this technology, which
represents a high probability of significant risk for the rights and freedoms of individuals, which may produce impacts on the rights and freedoms of individuals
in different degrees of probability, it is necessary to audit its operation, not in isolation
but within the framework of the specific treatment in which it is going to be used. The personal data protection impact assessment, EIPD, is the tool in the GDPR that
deals with ensuring compliance with this aspect of the treatment.

The GDPR establishes the obligations relating to the impact assessment related to Data
Protection, mainly in articles 35 and 36.

Article 35 establishes that: “1. Where a type of processing, in particular if it uses new technologies, is likely, by its nature, scope, context or purposes, to entail a high risk for the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of the impact of the processing operations on the protection of personal data…”

The DPIAs are intended to ensure preventively that, when the processing operations being considered may potentially entail risks that are especially relevant for the rights and freedoms of individuals, measures are taken to minimise such risks.

Article 28 of the LOPDGDD establishes that “Those responsible and those in charge, taking into account the elements listed in articles 24 and 25 of Regulation (EU) 2016/679, shall determine the appropriate technical and organisational measures to be applied in order to guarantee and certify that the processing is in accordance with the aforementioned regulation, with this organic law, its implementing regulations and the applicable sectoral legislation. In particular, they shall assess whether it is appropriate to carry out the data protection impact assessment and the prior consultation referred to in Section 3 of Chapter IV of the aforementioned regulation”.

The content of the DPIA is listed in article 35.7 of the GDPR, which must include as
a minimum:

“a) a systematic description of the planned processing operations and the
purposes of the processing, including, where applicable, the legitimate interest pursued
by the data controller;

(b) an assessment of the necessity and proportionality of processing operations in relation to their purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other affected persons.”

This assessment requires thoroughness, starting in this case from the need for processing in the sense of the GDPR, and not only from the prohibition of processing these data, provided for in article 9 of the GDPR, considering the risks, among others, of using intrusive technology, biases or the probability of an error in identification, its interoperability, identity theft and the type of unique, permanent and invariable identity that is processed, its impact on the privacy of individuals, the implications in terms of fundamental rights of such systems and the technical and organizational measures of all kinds that must be implemented, including security measures.

The proactive accountability system implemented by the GDPR, focused on the continuous management of risks associated with data processing with data protection from the design and by default, reinforces the protection of data subjects in relation to their personal data by requiring data controllers to analyse what data they process, for what purposes and what type of processing they carry out, relating the potential risks that the processing entails for the rights and freedoms of natural persons, and from there, decide what technical and organisational measures of all kinds they adopt and apply, to ensure compliance based on the risks detected.

The GDPR establishes the obligation to manage the risk that the processing of personal data poses to the rights and freedoms of individuals. These rights and freedoms of data subjects not only protect natural persons with respect to the fundamental right to data protection, but may also imply other rights, fundamental or not, such as the prohibition of discrimination, freedom of movement, or maintaining anonymity in public spaces. These risks arise both from the very existence of the processing, and from the technical and organizational dimensions of the same. The risk arises from the purposes of the processing and its nature, and also from its scope and the context in which the processing takes place.

A DPIA is a process designed to describe the processing of personal data, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons arising from such processing, by identifying, assessing and determining the measures to mitigate them. DPIAs are important accountability tools, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation.

It is essential that the use of such technologies is done with due respect to the
principles of legality, necessity, proportionality and data minimisation
set out in the GDPR. While the use of these technologies may be perceived as
particularly effective, controllers must first assess the impact on fundamental
rights and freedoms and consider less intrusive means of achieving their
legitimate processing aim.

According to Article 35 of the GDPR:

“3. The data protection impact assessment referred to in paragraph 1 shall be required in particular in the case of:

(a) a systematic and in-depth assessment of personal aspects relating to natural persons which is based on automated processing, such as profiling, and on the basis of which decisions are taken which produce legal effects concerning natural persons or similarly significantly affect them;

(b) large-scale processing of special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10, or

(c) large-scale systematic monitoring of a publicly accessible area.

4. The supervisory authority shall establish and publish a list of the types of processing operations that require a data protection impact assessment in accordance with paragraph 1. The supervisory authority shall communicate those lists to the Committee referred to in Article 68.

5. …

6. Before adopting the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 if those lists include processing activities that are related to the offering of goods or services to data subjects or to monitoring their behaviour in several Member States, or processing activities that may substantially affect the free movement of personal data within the Union.

…

11. If necessary, the controller shall examine whether the processing is in compliance with the data protection impact assessment, at least where there is a change in the risk posed by the processing operations.”

In developing paragraph 4, the Director of the AEPD approved a non-exhaustive, indicative list of the types of processing that require a data protection impact assessment, stating: “When analysing data processing, it will be necessary to carry out a DPIA in most cases where such processing complies with two or more criteria from the list set out below, unless the processing is on the list of processing operations that do not require a DPIA referred to in article 35.5 of the GDPR. The list is based on the criteria set out by the “Guidelines on data protection impact assessments (DPIAs) and for determining whether processing is “likely to result in a high risk” for the purposes of the GDPR”, last revised and adopted on 4/10/2017, WP 248 rev.01 of WG 29 supplementing them, and should be understood as a non-exhaustive list:

“4. Processing involving the use of special categories of data referred to in Article 9.1 of the GDPR… or inferring information about individuals related to special categories of data.

5. Processing involving the use of biometric data for the purpose of uniquely identifying a natural person.”

9. Processing of data of vulnerable subjects…”

Recital 39 of the GDPR adds that

“Personal data should only be processed if the purpose of the processing could not reasonably be achieved by other means.”

As is apparent from the recital in the foregoing, this requirement of necessity is not met where the objective pursued can reasonably be achieved just as effectively by other, less costly means with less risk in relation to the rights and freedoms of the data subjects, in particular as regards the rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter, since exceptions and restrictions to the right to the protection of such data must be provided for without going beyond the limits of what is strictly necessary (see, to that effect, judgment of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraphs 46 and 47).

The Article 29 Working Party, in its Opinion 3/2012 on the development of biometric technologies, states that “When analysing the proportionality of a proposed biometric system, it is necessary to first consider whether the system is necessary to meet the identified need, that is, whether it is essential to meet that need, and not just the most appropriate or cost-effective. A second factor to be taken into account is the likelihood that the system will be effective in meeting the need in question in light of the specific characteristics of the biometric technology to be used. A third aspect to consider is whether the resulting loss of privacy is proportionate to the expected benefits. If the benefit is relatively minor, such as increased convenience or slight savings, then the loss of privacy is not appropriate. The fourth aspect to assess the suitability of a biometric system is to consider whether a less invasive means of privacy would achieve the desired purpose.”

This idea is reiterated in section 72 of the EDPB Guidelines 3/2019 on the processing of personal data using video devices, dated 29/01/2020, which states: “The use of biometric data and, in particular, facial recognition entails high risks for the rights of data subjects. It is essential that the use of such technologies takes place with due respect for the principles of lawfulness, necessity, proportionality and data minimisation as established by the GDPR. Although the use of these technologies may be perceived as particularly effective, data controllers must first assess the impact on fundamental rights and freedoms and consider less intrusive means of achieving their legitimate purpose of processing.” That is, we would have to answer the question of whether this biometric application is something that is really essential and necessary, or is it just "convenient."

These are cumulative requirements that provide an additional guarantee in the processing of the data of the data subject, which takes into account that, if the achievement of the intended purposes can be carried out without processing personal data, or with less extension and intensity of use of these data, this route will be preferable and will mean that it is not necessary to carry out any data processing, and subsidiarily, that the collection of data is necessary for the established or intended purpose and, if necessary, that it is proportional.

5.2.- Evaluation of the need and proportionality of the processing
Those responsible for the processing of personal data must ensure that the evaluation of the need and proportionality considers an exhaustive evaluation of the less intrusive alternative options available. Consequently, the viability of other possible alternative options available that do not require the use of special data must be documented, all options must be compared and the conclusions documented. All of this, considered with reference to the nature, scope, context and purposes of the treatment that is planned. The minimum regulatory framework in force regarding the system of ticket sales and access to stadiums is Law 11/2007, its implementing regulations and the “Regulations on the sale of season tickets and tickets” book XII, approved on 23/12/2015, by the LNFP.

To assess the need for the treatment, the proposed measure must be supported by evidence describing the problem that will be addressed with the measures, how this will be addressed with the measure, and why existing or less intrusive measures cannot sufficiently address it.

The need for processing implies that a combined assessment is required, based on facts, on the effectiveness of the measure for the purpose pursued and on whether it is less intrusive compared to other options to achieve the same objective in the sense that there is no other equally effective and less intrusive means before the implementation of any system. This must be assessed from the principle of data protection by design, focusing the analysis on the risks to the rights and freedoms of the people whose data are to be processed.

While C.A. OSASUNA is processing the personal data of users who access the stadium through the SBRF technique (which would include the processing of the data used to access with the pre-existing SBRF modality - the data of the season ticket card is collected as a starting point for registration) and more personal data is added for processing, such as the scan of the DNI, biometric data or the image, obtained from documents, the extent of the restriction on the rights and freedoms of the season ticket holders who use this system would be increased, compared to those who do not use this form of access. An access management process is carried out with facial recognition identifying the season ticket holders for, in principle, the time that the person wishes, who can withdraw consent, but after a season ends, they are kept for the next.

Therefore, with the processing of biometric data, SBRF, the fundamental right to data protection of its holders would be restricted by being manifestly intrusive for the rights and freedoms of the interested parties, and to verify whether this restrictive measure of the fundamental right passes the proportionality test, it is necessary to verify whether it would comply with the three requirements or conditions that the Constitutional Court has been calling the triple proportionality test, consisting of:

1-If the measure is likely to achieve the proposed objective (suitability test).

To establish the suitability of biometric processing, it is necessary to assess that there is a
logical and direct link between the processing and the objective pursued, and determine the real
effectiveness of the processing, that is, determine through objective evidence that it is capable of
reaching a minimum level of effectiveness in resolving the need raised.

It is about determining whether the processing is adequate for the purpose it pursues, can achieve the proposed objective. In this case, it is assumed that a SBRF is implemented through unique identification of the subscribers who access, identification that as a process is not used or required by C.A. OSASUNA to facilitate access to those who use the other physical card system.

In principle, the access created with biometric means promoted by C.A. OSASUNA is additional to the existing ones, and voluntary, alternative in use to those already existing, and does not respond to a mandatory requirement. It is a modality that would facilitate agility in access. In the press release reported in fact 1, it was advertised as the first Club to implement this system. The result with one or the other means is the same, access to the premises. However, the processing operations and the technology used in both, at the level of inherent and derived risks of each of the processing operations that make them up, make biometrics more risky, more frequent and more repeated due to the use itself and time of use, which can produce more negative impacts on the rights and freedoms of those affected.

C.A. OSASUNA bases the acceptance of the SBRF as such, because the “full identification of the subscriber” occurs, with other beneficial effects such as the difficulty of identity theft, and the security provided by knowing that this is the case, its possible use in the event that the card is stolen, which allows access with this means or the convenience of not having to present the physical subscriber card. In the alleged factors, identity theft, loss or theft, there is no evidence that this could be a problem for the subscribers to be treated, nor a study that biometric access with facial recognition could be the solution, since exceptional cases would not justify resorting to such a disproportionate means due to the high risks that SBRF entails.

The intrinsic results of the two means of treatment for access to the sports venue are not equivalent in risks or impacts on the rights and freedoms of users, since the holder of the physical season ticket does not have to access the venue by any means of identification, much less any univocal means of processing their data when passing through the turnstiles at the entrances. In parallel, subscribers who use the SBRF are subject to this
identification process, not only before accessing it with the proper registration in the system,
but also afterwards with the conservation of their data and logs that remain from their passage. They are not
even equivalent in the means or in the results, since more records and
processing operations are generated with the SBRF, obtaining only access to the premises in common.

This theory can be attributed to the fact that subscribers voluntarily wish to consent to these processing operations, which is not an obstacle to considering that this processing is not a necessary system nor equivalent in the risks that its processing operations entail.

If the use of the SBRF as an identifier is a means of avoiding identity theft, apart from the fact that it is not justified that this is a problem, nor is it claimed that it is the main purpose, it is clear that in the legal relationship between the users of the season tickets they are already sufficiently identified with the season ticket card issued by the Club in its various formats (in addition to being able to request the DNI, as they assert in their allegations to the proposed resolution). On the other hand, the agility of the implemented SBRF, compared to the pre-existing mode of access, cannot by itself form a decisive part in the suitability of installing the system, and in any case, by itself it cannot justify the need for this system. It should also be noted that the Anti-Violence Law in its article 7 “conditions for staying in the premises”, states in its point 2 b), that of “Occupying the seats of the class and place that correspond to the title of access to the premises that they have, as well as showing said title at the request of the security forces and any employee or collaborator of the organizer”, so it is unknown how they comply in this case, which C.A. OSASUNA offers as an advantage of the system, not having to carry the subscriber card in any way if the SBRF is used.

Obviously, it is possible to identify the subscriber who accesses, but this need is not accredited
or because a verification system is not used, but the suitability and relevance for the purpose for which it is required is omitted.

The EIPD does not make any assessment of the problem it is trying to address, because it does not explain it, it only offers this mode of access as voluntary and alternative to the one that already exists and to which one can return at any time.

2-If, in addition, it is necessary, in the sense that there is no other more moderate measure for
the achievement of such purpose with equal effectiveness (judgment of necessity).

It is a matter of determining whether the purpose pursued cannot be achieved in another way that is less harmful or invasive, that is, whether there is no alternative treatment that is equally effective for achieving the purpose pursued.


The Court of Justice of the European Union (hereinafter CJEU) has examined in various judgments the necessity and proportionality of the processing of personal data, establishing that, based on the fact that the processing of personal data implies in itself a limitation to the right to data protection, it must be verified whether this limitation is proportionate to the objectives and purposes, and that therefore, it must be examined whether the processing operations allow the objectives and purposes to be achieved, without going beyond what is necessary to achieve them.

Necessity should not be confused with the usefulness of the system. It may be easier not to have to carry a card, that it takes a few seconds less to access it, that it is automatic and instantaneous and not excessively expensive. Obviously, a SBRF can be useful, but it does not have to be objectively necessary (the latter being what really must be present). As established in Opinion 3/2012 on the evolution of biometric technologies of WG 29, it must be examined "whether it is essential to satisfy that need, and not just the most appropriate or cost-effective". Options and alternatives must be analyzed before establishing a new system that supposes an exaggerated limitation of the right of each user, when there may be less invasive means of privacy, and not opting for what is practical or agile and comfortable, when the rights of their owners are at stake.

As for overcoming the analysis of strict necessity, it must be demonstrated that it solves a problem that must be real, present or imminent, and critical for the functioning of the treatment. In this regard, the ECHR established that “necessary” “…was not synonymous with indispensable…and neither does it have the flexibility of expressions such as ‘admissible’, ‘ordinary’, ‘useful’, ‘reasonable’ or ‘desirable’”. Mere convenience or cost-effectiveness is not enough. In addition, the scope, extent and intensity of the interferences must be assessed in terms of their impact on fundamental rights, explaining with evidence why other possible alternatives are not sufficient to satisfy this need sufficiently.

Even when assessing the options, the possibility of using
a combination of measures, both automated and non-automated, organizational,
legal or technical, must be taken into account.

C.A. OSASUNA bases this need on facilitating access for subscribers because it is more agile and simple, recognizing that there are less intrusive means “the traditional ones such as the QR code reader incorporated into the subscription”, continuing, indicating that “However, the implementation of the treatment analyzed in this DPIA does not prevent the use of this option. That is, the interested party can freely decide and without this causing any type of affectation to their rights as a subscriber, to choose one or another treatment for access to the stadium. In this way, the need would be linked in this case to the will of the subscriber, which cannot be satisfied using a less intrusive means of access.”, and at the same time it contradicts itself as can be seen at the end of the paragraph, by pointing out that the need cannot be satisfied using a less intrusive means, when this, in addition, is the one that the majority of subscribers use.

Regarding the need, it should be noted:

a) That the need cannot depend on what the affected party decides. The concept of need, according to the jurisprudence of the CJEU, is that of a strict need, of a cross-cutting nature and there being a less intrusive means, C.A. OSASUNA avoids any analysis, leaving the assessment of the need in the hands of those affected because it is an option and the interested party has chosen it, being the will of the subscriber.

However, it is the person responsible for the treatment who must evaluate the need for the treatment, as well as comply, if applicable if it passes the assessment of need and proportionality, with the management of regulatory compliance with the GDPR.

b) The computerised system for controlling and managing ticket sales, as well as access to football stadiums provided for by law, may lead to the fact that tickets must be nominative, which is a common and standardised type of access, and there is another less intrusive modality that the EIPD recognises, but which is removed, considering that there is freedom of the user, it is undoubtedly a measure that affects the right with less extension and intensity in the processing of personal data, and which should prevail because it is preferable to facial recognition.

3- Finally, if it is balanced or considered, because it results in more benefits or advantages for the general interest than damages to other goods or values in conflict (judgment of proportionality in the strict sense; STC 66/1995, of May 8, F. 5; STC 55/1996, of March 28, FF. 7, 8 and 9; STC 270/1996, of December 16, F. 4.e; STC 37/1998, of February 17, F. 8; STC 186/2000, of July 10, F. 6).

In this regard, the seriousness of the risk to the rights and freedoms of the treatment, and its intrusion into the fundamental right to the Protection of Personal Data must be appropriate to the objective pursued and proportionate to the urgency and seriousness of this. The benefit that the treatment from the point of view of Data Protection provides to society must be weighed, maintaining a balance with the impact it represents on other fundamental rights. However, although it may partially yield, in no case can the absolute denial of the right to Data Protection be assumed and emptied of its essential content.

As for the additional means of security, they are not related to the proportionality of the treatment nor would they replace its evaluation, and the existence of alternative means of access cannot presuppose for this reason that the treatment is proportional, without such elements being able to validate such proportionality.

In general, the principle of proportionality requires that the intended objectives be achieved through actions that do not exceed what is necessary, which introduces the concept of adequacy of the measure. There must be a logical link between the measure and the legitimate objective pursued. For the principle of proportionality to be respected, the advantages resulting from the measure must not be outweighed by the disadvantages that the measure causes with respect to the exercise of fundamental rights.

One of the factors that plays a role in proportionality is the effectiveness of the existing measures, over and above the proposed one. If measures for a similar or identical purpose already exist in the same context, they must be considered; if not, the assessment of proportionality has not been properly carried out.

The principle of proportionality must assess whether the negative impact on the fundamental rights and freedoms of the data subjects is proportional to any expected benefit. If the benefit is relatively small, such impact may not be proportional.

On the other hand, C.A. OSASUNA makes no assessment of the need for security at the stadium entrances, which would derive from the Anti-Violence Law 11/2007 and which is expressly mentioned in the preamble of the RGLNFP, “conditions for the sale of tickets and season tickets”.

In this respect, said regulation does not go so far as to establish, as a general rule, either the identification of the person who enters the stadium with their ticket or pass, or biometrics as the means of checking identity at access control. It must be borne in mind that there are video surveillance systems inside the stadiums, that they can also be placed at the entrances and in the surroundings of the stadium, and that each seat is assigned to the person who acquires the ticket. It follows that the access system with facial recognition, compared to the traditional system of selling personal tickets, does not represent a clear and distinct gain in security. If it did, it would have had to be implemented by a rule applicable on a general, non-voluntary basis, and this does not appear to be the ultimate purpose of access with the SBRF.

Nor has C.A. OSASUNA provided evidence that spectators impersonate or try to impersonate one another in order to enter with season tickets that do not belong to them, or of how such impersonations with season tickets are carried out, such that this would constitute a problem to be tackled. Moreover, since such a problem would affect everyone, it would not seem serious to address it only for those who consent to the processing of their biometric data.

In cost-benefit terms, the SBRF system does not appear to be related to the general interest that sets the objectives of the Anti-Violence Law, given that the majority of football stadiums do not have such a system in place. The security reasons for entering with biometric access, which is moreover voluntary, exceed the purpose of access to stadiums: full identification with a very high probability of identity is not provided for in any regulation and is being established in the setting of a public entertainment event, which must have other measures such as video surveillance and closed-circuit television. Its use for this purpose is in any case disproportionate because of the sacrifices it entails for data protection, privacy and other related rights.

In the present case, it is also worth recalling what C.A. OSASUNA states on this point in section 6.4.3 of the DPIA, within the “analysis of compliance of the treatment of the data minimization principle” and, more specifically, the “criteria in relation to the application of the minimization principle in the treatment of biometric data” (6.4.2). There it states that a series of aspects, set out in seven separate points (point 1.3 of the THIRD FACT), must be assessed for the necessity and proportionality of the processing, and that in its opinion these act as premises. Regarding these aspects, the following must be noted:

The necessity and proportionality of the processing operations in relation to their purpose, which is what should be analysed, are not affected by the assertions that the processing is applied to vectors and not directly to images (which may be for security reasons), that the system is applied only to (…) people and not to the entire stadium, that remote recognition is not carried out (which is understood to be a compliance requirement), or that those affected have freely agreed to the use of this biometric device. Still less are they affected by the requirements of the Anti-Violence Law, which only makes it mandatory to have a computerised system for the control and management of ticket sales and of access to the venue. That does not mean that the identity of the ticket holder must be checked on entry, with such tickets or others, at the level of unique identification provided by the SBRF, nor does an access control system add anything to this need. None of these elements advances an analysis of the necessity and proportionality of the processing in terms of a balance between the purposes (registering for the service and guaranteeing access to the stadium), the means, and the interference of the SBRF tool.

It follows that C.A. OSASUNA has not correctly examined the necessity and proportionality of the SBRF processing operations in relation to the objectives of its purpose, or the extent to which the processing meets that objective, with an evaluation of the scope, extent and intensity of the interference in terms of impact on fundamental rights.

In no case is it recommended to continue with the DPIA when the processing does not pass the necessity assessment and/or the proportionality assessment. These are compliance requirements imposed by the GDPR, which cannot be met with measures that are alternatives to compliance itself, such as technical and organisational measures. Although various aspects of the DPIA could be assessed, the mere failure of the personal data processing carried out, consisting of the additional facial recognition system established for access to the Sadar stadium, to pass the test of necessity and proportionality would already imply its illegality.

5.3.- Conclusion
In summary, before the SBRF was implemented C.A. OSASUNA already had a system for stadium access and ticket sales that covered the need to identify users and that could meet the purposes and needs provided for by the ANTI-VIOLENCE LAW and the Royal Decree that implements it, 203/2010. Access was by subscriber card, or by its versions as a subscriber card with a QR code or a subscriber card on the mobile phone, whose issuance required only basic, affiliation and contact data. These are the same personal data on which SBRF registration is based, to which the front and back of the DNI and a photograph are added. The new system is therefore a technical option for a situation, access to the stadium, that does not present a problem to be addressed through new processing, since it is already covered by a pre-existing modality, and its suitability, necessity and proportionality may lack justification.

These reasons make any further examination of the content of the aforementioned DPIA unnecessary, since the establishment of the system does not pass the minimum requirements of necessity and proportionality.

On the other hand, it is clear that less intrusive means are already established and in operation that meet the requirements for access to the stadium, and that the SBRF is not strictly necessary, since it is proven that the specific objectives pursued can be achieved with measures that interfere less, and less seriously, with the rights and freedoms of users, the aim being that personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.

Although in practice there is usually no single way to achieve the purposes of data processing, different risk scenarios can arise depending on how it is implemented. When considering these other possible alternative forms of processing, it is necessary to identify those that achieve at least equal effectiveness using fewer or less intrusive means; that is, it must be evaluated whether the purpose pursued can be achieved by other means, such as using other data (of a different nature or extent) or less invasive technologies.

Again, it is noted that a prior and separate analysis must be carried out of the necessity and proportionality of the processing for achieving the purpose intended by the data controller, in the sense that there is no other equally effective and less intrusive means, before any system is implemented; in the present case such a system existed.

It is important to note that, even if the subscribers explicitly accepted the use of their biometric data for the purpose of accessing the stadium, the processing principles contained in article 5 of the GDPR, in relation to necessity and proportionality, continue to apply and must be complied with.

In the present case, the intended purpose is access to the stadium of C.A. OSASUNA, the data controller. The principle of data minimisation requires that the data processed be limited to what is necessary to achieve these purposes, for which a less intrusive access modality already existed, and the evaluation of necessity and proportionality of the SBRF for access to the stadium has not been proven. It is therefore considered that C.A. OSASUNA has infringed article 5.1.c), which indicates:

“1. Personal data shall be:

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»)”.

VI Processing of biometric data: exception to article 9 of the GDPR, and legitimizing basis of article 6 of the GDPR

In the present case, it is considered that, by establishing the biometric system for season ticket holders' access to the stadium, C.A. OSASUNA is processing personal data of a special category, with C.A. OSASUNA playing the role of data controller.

The GDPR states in its definitions:

“4.2 “processing”: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, comparison or interconnection, limitation, deletion or destruction;”

“4.7 “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be determined by Union or Member State law;”

Biometric data, classified as “special category” in article 9 of both the GDPR and the LOPDGDD, are personal data whose use may give rise to significant risks for fundamental rights and freedoms. Their processing is therefore prohibited in principle, as indicated in recital 51, which, after specifying them, states that: “Such personal data should not be processed unless their processing is permitted in specific situations contemplated in this Regulation”.

In its DPIA dated 02/04/2022, and as it has stated in the procedure, C.A. OSASUNA bases the lifting of the prohibition on processing SBRF data in order to access the stadium by this means on explicit consent given voluntarily, under article 9.2.a) of the GDPR. As it indicates, this same explicit consent “is also subsumed in the content of this last rule”, “so that in addition, the processing will have the legal basis established in article 6.1.a), thus complying with the principle of legality”.

Article 9.1) of the GDPR states:

“The processing of personal data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data relating to health or data relating to the sexual life or sexual orientation of a natural person are prohibited.”

An exception to the prohibition on processing special category data may be made only when one of the circumstances specified in section 2 of art. 9 of the GDPR applies; its letter a) states:

“2. Paragraph 1 shall not apply where one of the following circumstances applies:

a) the data subject has given explicit consent to the processing of such personal data for one or more of the specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;”

The controller is obliged to assess very seriously and diligently whether it has a
substantial reason to process special categories listed in said Article 9.2
of the GDPR.

In the case of biometric data, in addition to lifting the prohibition on processing, the processing must rest on one of the legal bases contained in Article 6.1 of the GDPR. That article also treats the processing of data as an exception, stating that “1. The processing will only be lawful if at least one of the following conditions is met” …, on the understanding that any processing of such personal data restricts the rights of its owner by the mere fact of undergoing such processing, at which point it will be increasingly identified with this mechanism.

The list of bases is:

“a) the interested party gave his consent for the processing of his personal data for one or several specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the latter of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the data controller;

d) the processing is necessary to protect vital interests of the interested party or another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.”

These are cumulative requirements that represent an additional guarantee for the data subject in the processing of their data. They take into account that, if the intended purposes can be achieved without processing personal data, and without those purposes being altered or harmed, that route should be chosen: it is preferable and means that no data processing is necessary. Subsidiarily, if data are required, the data collection must be necessary and proportional to the established or intended purpose. Note that what C.A. OSASUNA implements is a modality additional to the one it already has, using biometric data for facial recognition for the same purpose as the pre-existing modality, namely access to the stadium; C.A. OSASUNA acknowledges this, describing the purpose of the processing as “guaranteeing access”. For processing for the same purposes as those already fulfilled, since it involves special data such as biometric data, C.A. OSASUNA must have a circumstance that lifts the prohibition of processing regarding biometric data.

It should be recalled that the regime on access and tickets derived from Law 11/2017 is defined by:

- A “computerized system for the control and management of ticket sales, as well as access to the venue”,

- additional measures (for security reasons) such as “promoting systems for verifying the identity of people trying to access sports venues”, or “implementation of ticket issuing and sales systems that allow the control of the identity of ticket purchasers”, in order to know the identity of the holders of access tickets to sports facilities. These additional measures appear to have been implemented only in relation to the animation stands and, in accordance with the limitation arising from their having been so determined with the CEVRXID by virtue of article 13.1 of Law 19/2007, “will be carried out by implementing systems for the sale of NOMINATIVE TICKETS”, a mandatory mode (article 15.3 of RD 203/2010).

This system used by C.A. OSASUNA is an extra that is not the one approved by the LNFP in its RGLNFP on the sale of tickets and season tickets. It also goes beyond the regulations, which require access passes to sports facilities to be nominative only in cases in which “additional measures” have been agreed on the basis of article 13.1 of Law 11/2007 and article 15.3 of its implementing regulations. Nor is there any record that, for spectators in general, anything beyond nominative tickets had been established, namely the use, for access to the sports venues in which sports competitions are held, of biometric data identifying subscribers, who are already identified on their own season ticket. Such a system of unique identification by technological means that use artificial intelligence for its processing would go far beyond what is necessary.

Having charged a first and prior infringement on account of the lack of necessity of the processing carried out, as analysed above, given that the same purpose was already served by means and personal data involving appreciably less intrusion into the subscribers' fundamental right to data protection, it is appropriate to turn to the obtaining of explicit consent and its effects, for which this infringement was initially charged to C.A. OSASUNA.

Whether the subscribers gave explicit consent, in this case for high-risk processing involving the special category of biometric data, forms part of the lawfulness of the processing. In this case, it is not possible to assess the validity of any legal basis for the processing analysed since, as analysed above, the necessity and proportionality of the processing operations are not in accordance with its purpose.

In short, since the restriction of the fundamental right that the proposed processing implies does not pass the test of necessity and proportionality, it is not necessary to consent to something that is not necessary, so the infringement of article 9 must be dismissed.

VII Response to the allegations of C.A. OSASUNA

Regarding C.A. OSASUNA's allegation concerning the initiation agreement's reliance on high risk to find that the principle of necessity of the processing is not fulfilled, it must be stated in response that the assessment of that necessity is inextricably linked to suitability and proportionality in the strict sense of the processing operations, with respect to the purpose of the processing, and not exclusively to the fact that this is high-risk processing.

In all personal data processing that the data controller intends to carry out, the necessity of the processing must be assessed, in the terms of the GDPR, by carrying out and passing the threefold proportionality test before the processing can take place. The risks to the rights and freedoms of the data subjects arising from the processing must be considered, but they are one of the elements to be taken into account in this weighing, not the only one.

What is certain is that the use of biometric systems is classified as high risk,
without qualifying the risk as being exclusively related to the security of the
treatment.

The successive opinions, guidelines and documents on this kind of personal data processing issued by the EDPB or the AEPD have established this high-risk character, as has been made explicit throughout the procedure, especially where systems containing artificial intelligence are implemented in public spaces, because of the difficulty and lack of transparency of the models implemented, regardless of whether they are considered to be, or meet the requirements of, high-risk artificial intelligence under Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 establishing harmonised standards on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Regulation).

However, in the initiation agreement the necessity factor is more closely related to the existence of other, less intrusive means of achieving the same end, considering, as we have indicated, necessity in relation to the purpose in view of the nature, scope and context of the processing and the existing alternative, a means that affected the right to the protection of personal data with less intensity and generated fewer risks.

Regarding the respondent party's claim that the risk is minimized by the technology used because the vector is not reversible, it must be accepted that, in the analysis of the risks to the fundamental rights and freedoms of people derived from the processing of personal data, technology is only one factor to be considered.

Firstly, because a correct understanding of the GDPR shows that the management of GDPR compliance, meaning compliance with all GDPR obligations under the concept of “strong accountability”, that is, compliance that is not merely formal but substantive, with the first and last aim of protecting natural persons in all their rights and freedoms (article 1 of the GDPR), includes a part that is risk management, with security measures being in turn a part of risk management. Turning one part (security measures) into the whole (risk management) is a defective understanding of the regulation.

Staking compliance management on the establishment and implementation of strictly security measures, however “safe” they may be, empties the regulation of content. It would amount to saying that it is acceptable to process personal data if there are security measures that minimize the risks, even when the processing of personal data were, for example, prohibited by the legal system or did not pass the test of necessity. This possibility is neither logical nor legal.

Furthermore, and secondly, because the GDPR does not focus only on technical and organizational security measures: the data controller must implement other types of appropriate technical and organizational measures, of all kinds, and not only security measures.

The GDPR is full of provisions that require this, from several of its recitals to articles 24, 25, 28 or 35, among others.

Thus, Recital 78 of the GDPR makes it clear that,

“78.  The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires the adoption of appropriate technical and organizational measures to ensure compliance with the requirements of this Regulation. In order to be able to demonstrate compliance with this Regulation, the controller shall adopt internal policies and implement measures that comply in particular with the principles of data protection by design and by default.” (emphasis added)

Article 24 of the GDPR expressly mentions that,

“1.  Taking into account the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate compliance with this Regulation. Such measures shall be reviewed and updated as necessary.” (emphasis added)

Article 35 of the GDPR, and specifically regarding the minimum content of a DPIA,
states that,

“d) measures designed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other affected persons” (emphasis added)

In the same vein, recital 90 of the GDPR links the content of the DPIA to measures of all kinds, without the label “security”, to mitigate the risk, where appropriate,

“90. In such cases, the controller must carry out, prior to processing, a data protection impact assessment in order to assess the particular seriousness and likelihood of the high risk, taking into account the nature, scope, context and purposes of processing and the origins of the risk.

This impact assessment must include, in particular, the measures, guarantees and mechanisms provided to mitigate the risk, guarantee the protection of personal data and demonstrate compliance with this Regulation.” (emphasis added)

All the measures, of whatever kind, that the data controller must determine and establish in order to see whether it can mitigate the risk during the processing of personal data derive from a correct view of the risk, because where you don’t look, you don’t see. Although the AEPD has highlighted the existence of a high risk in the present processing of personal data, the respondent party denies the major premise, considering in its allegations that the processing does not entail a high risk, since the risks are “minimized” by the technology used and the measures adopted. It should be noted that high-risk processing of personal data does not cease to be high-risk at any point in the processing cycle because appropriate measures, of whatever type, are established to mitigate its probability and impact, or to react if the risk materializes. High-risk processing does not become medium- or low-risk processing by establishing and implementing measures.

Thirdly, it should be noted that the risks to the rights and freedoms of the data subjects, in this case the subscribers, derived from the processing are not a fixed snapshot taken at the start of the material processing of personal data and maintained throughout the process. The risks change in the current technological context. Various hashes, such as MD5, which were not initially reversible, can now be reversed to obtain the original data using dedicated web pages that can be found through search engines.

Personal data breaches are continually reported to the AEPD concerning processing very similar or practically identical to that carried out by the respondent, in which the data controller's server has been accessed and the database containing the biometric templates stolen. It must be remembered that biometric data are inextricably linked to the individual. If they are stolen, the individual may lose their identity, and this is a current, real and tangible risk.

In this case, the lack of proportionality and necessity of the processing was not found on the basis of the high risks that this type of processing entails, but on the basis of the analysis of the content of the DPIA and of the nature, scope, context and purpose of the processing described, as set out in legal basis V. In this sense, even if the image is converted into a code or vector, the data processed continue to be biometric data and therefore of a special category and high risk.

Regarding the statement in the initiation agreement that the SBRF processing activity undertaken by C.A. OSASUNA for the access of subscribers generates additional risk due to its probabilistic nature, the initiation agreement points out another statement to the contrary, without concluding the one expressed by C.A. OSASUNA. It must be borne in mind that biometrics are based on probabilistic principles, in the sense that biometric features are both attributable to a person and measurable, and in practice technical means involving probabilities are used to measure them.

Facial recognition is a probabilistic technology that can automatically recognize people by their face for verification or identification. In both identification and verification systems, the facial recognition techniques used are based on an estimated match between templates (vectors): the one being compared and the reference or references. From this point of view, they are probabilistic techniques: the comparison yields a greater or lesser probability that the person is actually the person to be verified or identified; if this probability exceeds a certain threshold in the system, defined by its user or developer, the system will treat it as a match.
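The threshold comparison described above, as an added example that is not part of the AEPD decision or of the club's system: constructed random vectors stand in for facial templates, and cosine similarity is an assumed scoring function. Sweeping the threshold shows the trade-off between false accepts and false rejects, so that no setting turns a match into a definitive result.

```python
import math
import random

DIM = 32  # constructed template length; real engines use their own formats


def cosine(a, b):
    """Similarity score between two templates (assumed scoring function)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def verify(probe, reference, threshold):
    """1:1 verification: declare a match when the score reaches the threshold."""
    return cosine(probe, reference) >= threshold


def noisy_capture(template, noise, rng):
    """A new capture of the same face never reproduces the enrolled vector exactly."""
    return [x + rng.gauss(0.0, noise) for x in template]


def build_population(n_people, rng, resemblance=0.6):
    """Constructed data: each person is a shared 'look' plus individual detail,
    so some different people end up with similar templates."""
    looks = [[rng.gauss(0, 1) for _ in range(DIM)] for _ in range(4)]
    people = []
    for i in range(n_people):
        look = looks[i % len(looks)]
        people.append(
            [resemblance * v + (1 - resemblance) * rng.gauss(0, 1) for v in look]
        )
    return people


def score_sets(people, rng, noise=0.35, probes_per_person=5):
    """Scores for genuine attempts (same person) and impostor attempts (other person)."""
    genuine, impostor = [], []
    for i, reference in enumerate(people):
        others = [j for j in range(len(people)) if j != i]
        for _ in range(probes_per_person):
            genuine.append(cosine(noisy_capture(reference, noise, rng), reference))
            other = people[rng.choice(others)]
            impostor.append(cosine(noisy_capture(other, noise, rng), reference))
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """Return (false accept rate, false reject rate) at one threshold."""
    false_reject = sum(s < threshold for s in genuine) / len(genuine)
    false_accept = sum(s >= threshold for s in impostor) / len(impostor)
    return false_accept, false_reject


def sweep(thresholds, seed=7, n_people=40):
    """Evaluate every threshold on the same constructed score sets."""
    rng = random.Random(seed)
    genuine, impostor = score_sets(build_population(n_people, rng), rng)
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in sweep([0.5, 0.6, 0.7, 0.8, 0.9, 0.95]):
        print(f"threshold={t:.2f}  false accept={far:.3f}  false reject={frr:.3f}")
```

Raising the threshold lowers false accepts at the cost of rejecting more genuine holders, and lowering it does the reverse; the operator chooses a point on that curve rather than eliminating error.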

The EDPB considers it important to remember that the facial recognition technique, whether used for verification or identification purposes, does not provide a definitive result, but is based on probabilities that two faces, or images of faces, correspond to the same person.

That is why the blunt explanation that the respondent now provides, in its allegations to the proposed resolution, of the need for the processing in view of its purpose simply fails. It now adds that the processing aims to guarantee that the subscriber who enters is the one who really holds the right of access, without requiring an identification process through conventional means, avoiding impersonation at entry as a consequence of the theft of documents proving subscriber status. The biometric system also has flaws; it is not one hundred percent definitive. Moreover, it is not clear what this system adds with respect to identification and comparison by traditional methods, such as showing the DNI, especially if their inefficiency has not been made clear.

Regarding the alleged mistake in the start agreement, which indicated as an example, not referring to the specific case, that the system made relative measurements between nodal distance points of the image of each individual, rather than stating that it uses an artificial intelligence system to generate the facial vector: it was an example of the general operation of the method of extracting biometric characteristics to create a template, which C.A. OSASUNA also calls a facial vector, and that end result does not vary with one extraction system or another.

On the other hand, the related claim that each version of the biometric engine is different, meaning that the vectors derived from the service cannot be used by other engines and that the facial vector is not reversible, does not affect the fact that this biometric system of unique identification works by creating facial vectors, which are unique biometric personal data that uniquely identify the subscriber, as they fully identify the subscriber in order to access the sports venue to watch the sporting event.

The agreement does indicate that the image of the face is processed with a technical procedure, artificial intelligence, and that in essence the algorithms create a facial vector capable of fulfilling the purposes, as they are special biometric data by uniquely identifying the person, a circumstance that is not denied by C.A. OSASUNA. It should be added that, for the purposes of the Artificial Intelligence Regulation, recital 19 states:

“For the purposes of this Regulation, the concept of ‘publicly accessible space’ should be understood as referring to any physical space that can be accessed by an indeterminate number of natural persons and regardless of whether it is privately or publicly owned and regardless of the activity for which the space may be used, whether commercial activities, for example, shops, restaurants, cafés; service provision, for example, banks; professional activities, hospitality; sports, for example, swimming pools, gyms, stadiums; transport, for example, stations…”

On said Regulation, the EDPB and the EDPS issued joint Opinion 5/2021 on the proposed Regulation, on 18/06/2021, in which they request a general prohibition of the use of AI for the automated recognition of human features in publicly accessible spaces, such as faces, but also fingerprints, due to the effects on the expectations of the population to maintain anonymity in said public spaces.

It indicates in its allegations that the consideration of biometric systems as high risk in order to impute the two violations does not correspond to the system implemented by C.A. OSASUNA. It added that document 14, provided in previous proceedings, and document 1 confirm the strength of the security of the processing carried out by its manager, DAS-GATE, using VERIDAS technology. In this regard, it should be noted that the imputed infringements are deduced from the functioning of the system, the nature and description of the processing and the sectorial context, as well as from the evaluation of the necessity and proportionality of the processing operations with respect to their purpose. The purpose of the processing cannot be the tool or instrument with which the objective is achieved, so the real purposes of the processing must not be confused with the measures that could be adopted to achieve these purposes. And all this is in addition to what has already been pointed out regarding the fact that the adoption of security measures, in this case, is not what determines the legality of a processing.

According to the AEPD Guide on “risk management and impact assessment in the processing of personal data”, of June 2021, in its point III, “risk management process for rights and freedoms”, the purpose or purposes of the treatment must be established before starting the risk management and, to have guarantees that the purposes of the treatment have been correctly identified, these must comply with the following properties:

“-Ultimate: The ultimate purpose of the treatment must be determined and not confuse it with intermediate objectives, instrumental means or treatment operations that take place in some phase of the treatment or that may be dependent on the way of implementing the treatment,

-Specific: sufficiently precise and concrete, specifying the deficiencies, demands, requirements, obligations or objective and final opportunities that the end of the treatment is to resolve or respond to,

-Measurable: They must define a future state that is desirable in qualitative terms.

-Achievable and realistic: guarantees are determined to achieve the purposes of the treatment to the extent that it is possible to demonstrate that the ultimate goal will be achieved.

-Limited: within a period of time and within the framework of a certain stage of the life cycle of the treatment”

In this case, C.A. OSASUNA has stated in its DPIA that the purpose was to “guarantee access, through facial recognition, to the El Sadar stadium by OSASUNA subscribers” and in its record of processing activities (RAT), “Purposes: registration and management of access to the facilities through a facial recognition system.”, or has added statements such as “to provide the subscriber with a new means of access to the venue that is more appropriate and effective in view of the current state of the art, which even minimizes the risks derived from the other systems of access to the stadium”, “since the control of access to the stadium cannot be indicated to be carried out through a single system” and “leaves it up to the affected party to determine whether or not they consider the treatment necessary to achieve a purpose that is put at their disposal”.

However, it can be added that data is collected in the form of a biometric system for
a specific purpose, the reason for the processing operations. Since the
processing operations, collection-storage-use, are the instrument of access to the
enclosure, it does not seem that this can be the end, the purpose or the objective of the treatment.

The explicit, clear and specific purpose plays an important role in transparency and information to the user. It should be remembered that the specification of the purpose is a prerequisite for applying other requirements, including the adequacy, relevance and proportionality of the data collected. The specification of the purpose of the treatment establishes limits on the purposes for which the controllers can use the personal data collected, and also helps to establish the necessary data protection safeguards.

However, there is a difference between the content that a DPIA must mandatorily contain and passing that assessment, which is not achieved in this case: the finding is based on the fact that the DPIA does not comply with the law, the aforementioned absence of necessity and proportionality in accordance with the purpose of the treatment established with the SBRF having been proven.

Regarding the alleged violation of the principle of legitimate trust: C.A. OSASUNA has argued that, based on various reports from the AEPD and the EDPB, special categories of data may be processed with the explicit consent of those affected, and it considers that, despite the proposal to archive the infringement of article 9, this also affects the infringement of article 5.1.c of the GDPR in question. It must be considered that the principle of legitimate trust, together with those of good faith and institutional loyalty, is recognized in article 3.1.e) of Law 40/2015, of 1/10, on the Legal Regime of the Public Sector.

The STS of 18 July 2017 (Rec. 4576/2016) recalls "that the jurisprudence of this Court, collected in the judgments of 10 May 1999 (RCA 594/1995); of 17 June 2003 (RCA 492/1999), 6 July 2012 (RCA 288/2011), 22 January 2013 (RCA 470/2011), and 21 September 2015 (RCA 721/2013), maintains that the principle of protection of legitimate expectations, related to the most traditional ones in our system of legal certainty and good faith in the relations between the Administration and individuals, entails "that the public authority cannot adopt measures that are contrary to the hope induced by the reasonable stability in the decisions of the latter, and based on which individuals have adopted certain decisions."

This principle of legitimate trust finds its ultimate foundation, according to the judgment of this Court of 24 March 2003 (appeal 100/1998) and of 20 September 2012 (appeal 5511/2009), "in the protection that objectively requires the trust that may have been reasonably placed in the behaviour of others and the duty of coherence of said behaviour", and in the principle of good faith that governs administrative action, since as stated in the judgment of 15 April 2005 (appeal 2900/2002) and again the aforementioned judgment of 20 September 2012, "if the Administration develops an activity of such a nature that it may reasonably induce citizens to expect certain conduct on its part, its subsequent adverse decision would imply breaking the good faith that must be the basis for the action of the Administration and defrauding the legitimate expectations that its conduct would have generated in the administered person."

However, the protection of legitimate trust does not cover any type of subjective psychological conviction in the particular case, but, as indicated by the judgments of this Court of October 30, 2012 (appeal 1657/2010) and June 16, 2014 (appeal 4588/2011), it refers to "the rational and well-founded belief that due to previous acts, the Administration will adopt a certain decision", and, as indicated by the judgments of January 2, 2012 (appeal 178/2011) and March 3, 2016 (appeal 3012/2014), only that trust on specific aspects, "which is based on signs or external facts produced by the Administration that are sufficiently conclusive."

The AEPD has not changed its opinion on the obligation to carry out and pass the assessment of the necessity and proportionality of the processing in the DPIA. The requirement to carry out and pass the assessment of the necessity and proportionality of the processing is not something new, and not only because it is expressly cited by the GDPR as an obligation, but because it was already pointed out by the Article 29 Working Party in its Guidelines on data protection impact assessments (DPIA) and determining whether the processing "is likely to entail a high risk" for the purposes of the GDPR, dated 4/04/2017, last revised and adopted on 4/10/2017.

Following this line, we can also mention all the documents prepared by the AEPD, in this case on the preparation of DPIAs, which aim to be a means available to the general public to raise awareness and knowledge of issues related to data protection, serving the controller and the processor, since many of them are addressed to them, and trying to facilitate the management of regulatory compliance, which does not prevent the data controller from examining in the specific case the processing of personal data that is being carried out and what its obligations are in terms of data protection.

Thus, we will highlight the Guide to risk management and impact assessment in personal data processing of the AEPD of June 2021, which has a specific section XIII on the evaluation of the necessity and proportionality of the treatment; also, in the list of tables of the Risk Management and Impact Assessment guide in editable format, there is table 48 relating to the “Judgment of suitability, necessity and proportionality in the strict sense” and table 49 on the “minimum information required in the assessment of the necessity and proportionality of the treatment”; the DPIA report model in the private sector also contains information on the analysis of necessity and proportionality, examining the judgment of suitability, necessity and proportionality in the strict sense; nothing new, therefore, in the Guide on presence control treatments using biometric systems of the AEPD of November 2023, which includes a specific section on passing the analysis of suitability, necessity and proportionality.

Obviously, none of these guides or documents can be considered a source of law, either de facto or de jure, since, without prejudice to what is indicated in this regard by the Civil Code, article 35 of the GDPR is sufficient for this by itself, these guides collecting what the aforementioned article requires.

As regards the citation to the contrary of the EDPB Opinion on the use of facial recognition technologies by airport operators and airlines to streamline passenger flow at airports, in addition to the limited object of that Opinion (examination of articles 5.1.f), 25 and 32 of the GDPR in relation to solutions for storing personal data and in the airport area), which does not coincide with what is examined in the present sanctioning procedure, it must be stated that the EDPB itself determines in its press release that “In the application, it is supposed that the treatment would be based on the consent of each passenger. However, on the basis of the limited scope of the request, the opinion does not examine the legal basis and, in particular, the validity of the consent for such processing.” (emphasis added)

https://www.edpb.europa.eu/news/news/2024/facial-recognition-airports-individuals-should-have-maximum-control-over-biometric_en#:~:text=Brussels%2C%20May%24%20-%20During%20its%20last,%20streamlining%20the%20passenger%20flow%20at%20airports.

On the other hand, it is also known that any data processing, as a limitation of rights for its owner, in order to be legitimate and lawful, must comply, on the one hand, with the principles relating to data processing set out in article 5 of the GDPR and, on the other, with one of the principles relating to the lawfulness of processing listed in article 6 of said Regulation (see, in this regard, the judgment of 16/01/2019, Deutsche Post, C-496/17, EU:C:2019:26, paragraph 57 and cited case law), as well as having an exception from those of article 9.2 of the GDPR if it concerns special categories of personal data.

It should be noted that at this time there is no discussion as to whether
there is an exception of art. 9.2 of the GDPR and whether or not this could be consent,
but whether the DPIA has carried out and passed the assessment of necessity and proportionality
in the terms provided for in the GDPR, a question to which the response to
the allegations is limited.

The opinions and reports cited by C.A. OSASUNA may not have changed their references to the possibility of processing on the basis of consent, which they limit themselves to mentioning without further ado, but the truth is that, in any assessment of any type of data processing, it is expressly indicated that, as it is an intrusion into the right of the natural person, any use of the data constitutes a limitation of the right of the person, therefore requiring a series of guarantees and safeguards that limit and mitigate the possible consequences that may affect rights and freedoms. In addition, with regard to the purpose of the processing, if the same purpose can be achieved without data processing, with less data, or less use, with similar effectiveness, this principle must be respected, and conduct involving actions that imply such processing is opposed to this principle, violating article 5.1.c) of the GDPR.

And this is regardless of whether there is an exception that lifts the prohibition of the processing of special categories of personal data, where applicable, and a legal basis that allows the processing of personal data, since, extrapolating the above with respect to security measures, if a processing is not necessary, it is irrelevant whether there is a legal basis that could legitimize it, an exception of article 9.2 of the GDPR that could be present, or the presence of security measures. It is enough that the processing of personal data is not necessary (all the elements provided for by the GDPR must be present for it to be carried out).

In this case, no resolution has been provided in which the AEPD had assessed a similar case, one dealing with special category data with a basis of legitimation based on explicit consent, and in which the passing of the judgment of necessity and proportionality of the processing operations in accordance with the purpose prescribed in article 35 of the GDPR was analyzed. Therefore, it cannot be concluded that there was previously any interpretation of the case that offered a foreseeable confidence.

Note, furthermore, that necessity and proportionality refer to the processing itself, related to its processing operations and its purposes, but that they would also apply to any processing principle, and that they constitute a basic element of the design of the processing, before the processing, and also continuously at the time of the processing. Their objective is to integrate the necessary guarantees into the treatment in order to comply with the requirements and protect the rights and freedoms of the interested parties.

For all the reasons set forth above, this claim cannot be upheld.

With regard to the proposal, C.A. OSASUNA alleges that the risk involved has not been analysed and that the data processing involved in the SBRF for access to its stadium cannot be classified as high risk. To do so, it relies on the fact that it uses an artificial intelligence system provided by its manager DAS-GATE, consisting of VERIDAS technology. It adds that it complies with security measures, all of them related to the facial vector, such as irreversibility, non-interoperability and non-reusability, and immediate revocation in the event of compromise, the vectors being limited exclusively to the system and version that created them, and that the risk of unauthorised access to the facial vector is non-existent or minimal. It claims that the file assesses the risks of a system that is not the one it has been using and that the proposal explains that it uses another system based on point maps, which is the system that entails a high risk, and that additional measures were adopted in the treatment and in the life cycle, such as taking a photo as proof of life or complying with requirements to verify that the subscriber is over 14 years old.

With respect to these statements, it is reiterated that the risks are only one aspect that is taken into account in the DPIA, and that, in this case, the risks were not analyzed in the start agreement or in the proposal. The alleged infringement has nothing to do with the risks.

However, since it has been brought up, it is worth describing the risk analysis that is provided with the DPIA:

The risk analysis is divided into Legal risks, Organizational measures and Security risks. The latter includes the management of data security incidents (personal data breaches), which is a regulatory obligation imposed by articles 33 and 34 of the GDPR, and which does not belong in, nor should it be included in, the risk analysis part of a DPIA.

In addition, it must be assumed that the risks are for the rights and freedoms of the
subscribers derived from the processing, not for the management of a risk for the organization
derived from a regulatory risk. It is difficult to adopt adequate measures if the
risk approach is not the one provided for in the GDPR.

The tables are limited to describing a risk and the measures adopted; they do not enter into an assessment of the potential risk scenarios that may occur, limiting the compliance section to a YES that serves for all the measures adopted. In others, the yes is preceded by the fact that the entity has a certification. As an example, in “organizational measures”, it is indicated that DAS-GATE has the ISO/IEC 27001 certification system and ISO/IEC 9001 quality management. In “Measures adopted” in the security risks, in table III, it reiterates ISO 27001 and that audits have been carried out on it.

It should only be mentioned, for illustrative purposes only, that the certifications cited are not data protection certifications in the sense of art. 42 of the GDPR, but are information security certifications or certifications relating to other issues or obligations that must be fulfilled by the data controller based on regulations other than data protection. In this regard, the report of the Legal Office 170/2018 of the AEPD establishes the difference between the security of information and the protection of personal data: “Therefore, there is no doubt that the guarantee of the security of personal data acquires special importance in terms of its protection, but without this being limited exclusively to the scope of the security of said information, since the protection of personal data has a much broader scope that covers, as we said, a much broader set of principles, rights and obligations.”

In this regard, it should be noted that these certifications, in addition to the fact that they should be, in the terms of article 42 of the GDPR, a certification in terms of data protection and not information security, do not absolutely prove that sufficient guarantees in terms of data protection have been implemented and are acting effectively throughout the entire treatment cycle.

The risk to the rights and freedoms of individuals is not stated, nor is its description and causes; the probability of their occurrence is not stated and what the residual risk is with the measures that are intended to be implemented.

For some security measures listed in the DPIA, after describing the risk very briefly (for example, limiting itself to indicating “Security risks”, “Loss of personal data”), the measures adopted state that “The intelligent design of the solution causes it to be little prone to this type of scenario, in that there is no large centralized database”. The same measures also indicate that “there may be a loss of credentials for physical access”, but a yes is given in compliance, without detailing any aspect regarding compliance.

It is also indicated that an annual (…) is carried out on the solution and on previous actions that was not provided.

Likewise, in neither case are reaction and containment measures established for addressing the risk in case it materializes and for mitigating its effects.

The measures adopted are based on art. 32 of the GDPR. We have already said that data protection measures are not only security measures.

Finally, the conclusions in the DPIA indicate:

“Based on the conclusions reached in the analyses carried out throughout this document in relation to the different legal risks that may affect the
processing activity examined, as well as the legal measures implemented
by OSASUNA to reduce or mitigate said risk, it can be considered that the
treatment evaluated would not imply a high risk for the rights and freedoms of the
interested parties.”

It seems to follow that the high risk ceases to be so when legal and security measures are applied, as they express in their allegations to the proposed resolution. We have already
indicated the incorrectness of this way of understanding the GDPR.

In any case, having carried out the DPIA, one of the reasons for carrying it out being that the treatment may pose a high risk to the rights and freedoms of individuals, C.A. OSASUNA subsequently maintains in its allegations that its treatment is not high risk, although the DPIA itself contains neither such an express conclusion nor the reasons that it has now expressed.

The DPIA, due to its content and purpose, is more than an analysis of the security measures that affect the technology of the devices or the way in which the different processing operations are carried out. And specifically, in this case, what is charged is an infringement under article 5.1.c) that does not derive directly from the risks, regardless of whether C.A. OSASUNA considers that the aforementioned charge may arise from the assessment of the risks.

The allegation therefore cannot be upheld.

VIII Typification and classification of infringements

Article 83.5 GDPR states: “Infringements of the following provisions shall be sanctioned, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of a company, of an amount equivalent to up to 4% of the total annual global turnover of the previous financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9;”

The LOPDGDD establishes in its article 72:

“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:

“a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679”

“e) The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679, without any of the circumstances provided for in said provision and in article 9 of this organic law occurring.”

IX Determination of sanctions

Article 58.2 of the GDPR provides the following: “Each supervisory authority shall have all of the following corrective powers indicated below:

i) to impose an administrative fine in accordance with Article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;”

The determination of the sanctions to be imposed in the present case requires observing the provisions of Articles 83.1 and 83.2 of the GDPR, which respectively provide the following:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.”

“2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as an alternative to the measures referred to in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:

(a) the nature, gravity and duration of the infringement, taking into account the nature,
scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intent or negligence of the infringement;

(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any previous infringement committed by the controller or processor;

(f) the extent of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;

(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

Within this section, the LOPDGDD provides in its article 76, entitled “Sanctions and
corrective measures”:

“1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU)
2016/679 shall be applied taking into account the grading criteria established in
section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continued nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party's conduct could have led to the commission of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.

3. It will be possible, additionally or alternatively, to adopt, where appropriate, the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679.”

Since the proposal proposed to the Director of the AEPD the archiving of the infringement of
article 9 of the GDPR, with regard to the violation of the data minimisation principle of
article 5.1.c) of the GDPR, a penalty of
200,000 euros was agreed in the initiation agreement, considering:

a) “The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation”. The specific purpose of the processing of personal data in relation to the needs to be covered, which constitutes the nature of the infringement and which opened the scope of those affected to any C.A. OSASUNA subscriber, was not correctly considered, considering that the purpose of the treatment is a basic activity of the data controller, which is an aggravating factor (83.2.a GDPR).

b) A serious lack of diligence is included, given that it was available and documented that there was another less intrusive means of treatment and the use of the solution was left to the users' discretion, and the impact of the same was not foreseen, so this factor
would operate as an aggravating factor (art. 83.2.b GDPR).

c) The impact on one of the special categories of data, biometric data for unique identification, the need for protection of which is to that extent greater than that of other personal data, in accordance with the Constitutional Court's ruling 76/2019, dated 05/22/2019, appeal 1405/2019, which is an aggravating factor, in accordance with Article 83.2.g) of the GDPR "the categories of personal data affected by the infringement".

C.A. OSASUNA stated in its allegations to the agreement:

- violation of the principle of proportionality of the amount of the sanctions, because the aggravating factors mention elements of the very conduct that is intended to be sanctioned.

- There is no negligence, since the opinion of the AEPD was in no way contrary to the processing of data carried out on the legal basis of the consent of the interested parties, the same criterion being upheld by the EDPB.

- that the conduct that constitutes the infringement of article 5.1.c) of the GDPR would only affect those who joined the system, not all subscribers, and who have gone from (…) on 03/13/2023 to, at the time when the allegations are made, on 12/28/2023, (…) registered persons.

- In the lack of diligence of article 5.1.c) of the GDPR, according to the start agreement "it was
provided and documented that there was another less intrusive means of treatment

and the use of the solution was left to the users' discretion, and the impact of the same was not foreseen,
so this factor would operate as an aggravating factor", it estimates that "these arguments, denied
in any case by OSASUNA were those that, in the opinion of the AEPD, justify the imposition of the
sanction, so it cannot be taken into consideration to aggravate it."

In its allegations to the proposal, it adds:

- the processing of special category data must be subsumed under the aggravating circumstance of the category of data in article 83.2.a) of the GDPR, considering that it forms part of the circumstances of the processing, considering that article 83.2.g) of the GDPR would not apply when the aggravating circumstance arises from the processing as a whole.

- related to the nature, seriousness and duration of the infringement of art. 83.2.a) of the GDPR that it mentions, it causes defenselessness because the mention is incomprehensible to: "If what is intended to indicate is that the infringement is having carried out a treatment that was not necessary for the purposes that were intended to be covered with it", apart from denying that statement, such an aggravating circumstance would consist of an alleged breach of the principle of necessity, conduct that is included in the type itself, contrary to the principles of sanctioning law.

- Regarding the reference to the potential impact of the treatment on all OSASUNA subscribers, contained in the proposal, in the explanation of 83.2.a) of the GDPR of "if it is not stopped it may affect more subscribers", it is meaningless, it is impossible, since since the 2024/2025 season it is not processing the data with the SBRF.

- Regarding the aggravating circumstance of article 83.2.b) of the GDPR, OSASUNA points out that the proposal was answered in an incomprehensible manner, and that if it is a question of considering gross negligence the fact of allowing the treatment to be carried out on the basis of consent and the free decision of the interested parties, such interpretation would not be negligent or artificial, since it considers that the criteria derived from the documents of the EDPB and the GT 29 are not followed. It considers that these facts cannot aggravate the liability of OSASUNA, but rather should exclude it.

According to article 83.1 of the GDPR, it will be ensured that the imposition of administrative fines is in each case “individual, effective, proportionate and dissuasive”, and according to section 2 of the same article 83, “they will be imposed according to the circumstances of each individual case” and when deciding their amount, the circumstances indicated in said provision will be taken into account, as well as, in accordance with the provisions of article 83.2.k) of the GDPR, those established in article 76.2 of the LOPDGDD.

As indicated by the SSTS, Chamber 3, of 3/12/2008 (Rec. 6602/2004) and 12/04/2012 (Rec. 5149/2009) the principle of proportionality is the fundamental principle that underlies and presides over the process of grading sanctions and implies, in legal terms, that there must be a "due adaptation between the seriousness of the fact constituting the infringement and the sanction applied", as provided in article 29.3 of Law 40/2015, on the Legal Regime of the Public Sector. This is about the proper weighing of the concurrent circumstances in order to achieve the necessary and proper proportion between the alleged facts and the liability required, given that all sanctions must be determined in accordance with the nature of the infringement committed and according to a criterion of proportionality in relation to the circumstances of the act. Thus, proportionality constitutes a normative principle that is imposed on the Administration and that reduces the scope of its sanctioning powers.

As regards the considerations of the aggravating circumstance of article 83.2.a) of the GDPR, the purpose of the processing operation in relation to the scope of potential affected parties covered the total number of members of the entity, estimated at around 19,000 members of the C.A. OSASUNA, according to public data on its website, at the date of the second allegations the number of people registered in the SBRF had risen to (…), at which time it continued to carry out the aforementioned processing, given that the figure given previously was (…) members. The purpose was related to access to a public show. This processing includes various processing operations or a set of operations in various phases with periodic processing throughout the season and being saved for use in the following one.

Although it did not reach the maximum potential of subscribers, in about two years since its implementation, it has risen to almost 10% of subscribers, which is a significant figure that must be related to the special nature of the processing of this data.

Regarding the subsumption of the circumstance contemplated in article 83.2 g) that according to C.A. OSASUNA, these special category data cover the treatment as a whole to consider that it must be integrated into article 83.2.a) of the GDPR, as it forms part of the circumstances of the treatment. To this effect, it must be indicated that this broad sense of the elements contemplated in article 83, would allow, if such thesis were accepted, that other differentiated elements be integrated into said article. However, it is estimated that this category of data specifically affects conduct, in a concrete and differentiated way from the elements contained in article 83.2.a), and are of a different nature, so it cannot be integrated into article 83.2.a) of the GDPR. Furthermore, taking into consideration that, once article 9.1 of the GDPR has been filed, special category data cannot be considered to be included in the type of article 5.1.c) of the GDPR in any case (not before either). And this, also taking into consideration that not all DPIA is linked to the processing of special categories of personal data, that not all failure to pass the assessment of the necessity and proportionality of the processing is linked to the processing of biometric data. In the case under consideration, since said data are directly related to failure to pass the assessment of the need and proportionality of the processing, they must necessarily be considered in the terms of art. 83 of the GDPR.

Regarding the lack of diligence indicated in article 83.2 b) of the GDPR for the reasons that have been indicated, the legitimizing basis of the principle of data minimization is different, since there may be a legitimizing legal basis and an exception that lifts the prohibition of art. 9.2 of the GDPR, but there is no need to process the cited data. Likewise, even if it turns out that the fact of the infringement is denied, this does not mean that this circumstance cannot be ignored in the conduct indicated, it being a fact that in the documentation of the DPIA it was recognized that there were less intrusive means for processing, which contribute to highlighting the aforementioned lack of diligence.

As regards the lack of culpability and, as a result, the circumstances noted in article 83.2.b), it has already been answered in the corresponding section that there is no such breach of trust, due to the differentiation between compliance with the requirements of legality for data processing and compliance with the principles of processing, which, although they are cumulative, must be complied with in their fair measure, each one, taking into account circumstances that are each sufficiently legally differentiated.

Regarding the reference to article 83.2.b) of the GDPR, which is a serious lack of diligence, given that it was available and documented that there was another less intrusive means of processing and the use of the solution was left to the users' discretion, and the impact of the same was not foreseen, so this factor would operate as an aggravating factor (art. 83.2.b GDPR), it is understood that even if it is not intentional, the action is evidence of a serious lack of diligence, without being able to assess what it basically meant, which was that the judgment of the need for processing was transferred to the users' free disposition.

It should also be noted that the conduct that leads to the infringement consists of various analyses from the DPIA with a conscious legal basis made clear as an example, which recognized not only the risks of any treatment of this type, but that the unique identification of the subscribers was more invasive and reiterated on several occasions that the use was voluntary and complementary, being alternative, as bases that contributed to the need.

Regarding this same article, the allegation that there was confidence that the treatment could be undertaken with the legitimizing basis of consent, considering this interpretation reasonable, the differentiation of levels and cumulative requirements of principles and legitimizing basis has already been pointed out without one being able to replace the other, their legal formulations of compliance being different. In this sense, the set of such elements would reveal a lack of diligence in the fulfillment of the analysis of intrusion of the treatment carried out.

As a consequence of the elements available, the sanction is quantified at 200,000 euros.

X Corrective powers

Article 58.2 of the GDPR provides the following: “Each supervisory authority shall have all of the following corrective powers indicated below:

d) order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period;

f) impose a temporary or permanent restriction on processing, including its prohibition;

[…]

i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this section, depending on the circumstances of each particular case;”

The imposition of these measures is compatible with each other and with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR.

C.A. OSASUNA will stop using the facial recognition system for access to the stadium based on the consent of the users, and which was imposed as a precautionary measure
in the operative part of the initiation agreement.

Article 69 of the LOPDGDD states:

“1. During the conduct of the preliminary investigation actions or the initiation of a procedure for the exercise of the sanctioning power, the Spanish Data Protection Agency may agree, with reasons, on the necessary and proportionate provisional measures to safeguard the fundamental right to data protection and, in particular, those provided for in article 66.1 of Regulation (EU) 2016/679, the precautionary blocking of the data and the immediate obligation to comply with the requested right.

2. In cases where the Spanish Data Protection Agency considers that the continued processing of personal data, its communication or international transfer will entail a serious violation of the right to the protection of personal data, it may order those responsible for or in charge of the processing to block the data and cease its processing and, in the event of non-compliance with these orders, proceed to its immobilization.”

The Preamble of the LOPDGDD states: “The protection of natural persons in relation to the processing of personal data is a fundamental right protected by article 18.4 of the Spanish Constitution. In this way, our Constitution was a pioneer in recognizing the fundamental right to the protection of personal data when it provided that “the law will limit the use of information technology to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights.” This echoed the work carried out since the end of the 1960s in the Council of Europe and the few legal provisions adopted in countries around us. The Constitutional Court stated in its Judgment 94/1998, of 4 May, that we are faced with a fundamental right to data protection by which the person is guaranteed control over his or her data, any personal data, and over its use and destination, to avoid illegal trafficking of the same or that which is harmful to the dignity and rights of those affected; in this way, the right to data protection is configured as a right of the citizen to oppose certain personal data being used for purposes other than that which justified its acquisition. For its part, in Judgment 292/2000, dated 30 November, it is considered as an autonomous and independent right that consists of a power of disposition and control over personal data that empowers the person to decide which of these data to provide to a third party, be it the State or an individual, or which this third party may collect, and that also allows the individual to know who possesses these personal data and for what purpose, being able to oppose such possession or use. (…). On the other hand, it is also included in article 8 of the Charter of Fundamental Rights of the European Union and in article 16.1 of the Treaty on the Functioning of the European Union. Previously, at European level, Directive 95/46/EC had been adopted, the purpose of which was to ensure that the guarantee of the right to the protection of personal data did not constitute an obstacle to the free circulation of data within the Union, thereby establishing a common area of guarantee of the right which, at the same time, would ensure that in the event of international transfer of data, its processing in the country of destination was protected by safeguards appropriate to those provided for in the directive itself.”

Article 56 of the LPACAP, insofar as it is applicable, states the following:

“1. Once the procedure has been initiated, the administrative body competent to resolve may adopt, ex officio or at the request of a party and in a reasoned manner, the provisional measures it deems appropriate to ensure the effectiveness of the resolution that may be issued, if there are sufficient elements of judgment for this, in accordance with the principles of proportionality, effectiveness and less onerousness.

…

3. In accordance with the provisions of the two preceding sections, the following provisional measures may be agreed upon, in the terms provided for in Law 1/2000, of 7/01, of Civil Procedure:

a) Temporary suspension of activities.

b) Provision of bonds.

c) Withdrawal or intervention of productive assets or temporary suspension of services for reasons of health, hygiene or safety, the temporary closure of the establishment for these or other reasons provided for in the applicable regulatory regulations.

d) Preventive seizure of assets, income and fungible things that can be computed in cash by applying certain prices.

e) The deposit, retention or immobilization of movable property.

f) The seizure and deposit of income obtained through an activity that is considered illegal and whose prohibition or cessation is sought.

g) Deposit or constitution of a deposit of the amounts that are claimed.

h) The retention of income on account that must be paid by the Public Administrations.

i) Any other measures that, for the protection of the rights of the interested parties,
are expressly provided for by the laws, or that are considered necessary to ensure the effectiveness
of the resolution.

4. Provisional measures may not be adopted that may cause damage that is difficult or impossible to repair for the interested parties or that imply a violation of rights protected by law.

5. Provisional measures may be lifted or modified during the processing of the procedure, ex officio or at the request of a party, due to unforeseen circumstances or circumstances that could not be taken into account at the time of their adoption. In any case, they will expire when the administrative resolution that ends the corresponding procedure takes effect.

In the data processing analysed, it was noted at the time of initiating the procedure that it undoubtedly represented a high risk for the rights and freedoms of a high number of those affected, such as the loss of control and disposition of their personal data or the use of personal data that are not evidently necessary to access the stadium. Although it covers persons over 14 years of age, who may consent to the processing, it is unlikely that they understand the implications of the use and the risks of using a system that uses the body itself as an identifier. In addition, there were indications and evidence that recommended not continuing with the aforementioned processing that involves special categories of personal data.

The continuation of the processing, which there is evidence that has not passed the triple proportionality test and therefore the failure to pass the DPIA could lead to a very serious and irreparable impairment of the rights of these users. The temporary suspension of the processing was the only measure that could be adopted to safeguard the Fundamental Right to Data Protection, and was also the least harmful, onerous, proportional and effective for C.A. OSASUNA.

Based on these premises and in order to guarantee the rights and freedoms of those affected, it is
considered appropriate to make the temporary suspension that prevents the continuation of
the processing of personal data through the facial recognition system for access to the El Sadar stadium permanent, urging its prohibition.

This measure would not prevent C.A. OSASUNA from continuing to control the entrance correctly and legally with the other systems it is using, nor would it mean the loss of service for fans, since they can continue to access the stadium normally as it is a “complementary” or “alternative” system to that of the SBRF, as C.A. OSASUNA continually states.

In accordance with the provisions of art. 83.2 of the GDPR and article 76.3 of the LOPDGDD transcribed above, it is considered necessary, proportional, and effective to guarantee the rights and freedoms of those affected and of lesser burden for C.A. OSASUNA, to impose, additionally, the elevation to definitive of the suspension, in accordance with the provisions of art. 69 of the LOPDGDD.

Therefore, in accordance with the applicable legislation and having assessed the grading criteria
of the sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency

RESOLVES:

FIRST: TO ARCHIVE the infringement of article 9 of the GDPR, imputed to CLUB ATLÉTICO OSASUNA with NIF G31080179, in accordance with article 83.5 a) of the GDPR, and classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.e) of the LOPDGDD.

SECOND: TO IMPOSE on CLUB ATLÉTICO OSASUNA, with NIF G31080179, for a violation of article 5.1.c) of the GDPR, in accordance with article 83.5 a) of the GDPR, and classified as very serious for the sole purposes of the prescription of said infringement, in article 72.1.a) of the LOPDGDD, a fine of 200,000 euros.

THIRD: Regarding the temporary suspension included as a provisional measure in the start agreement, pursuant to article 58.2.f) of the GDPR, it is raised to definitive, requesting the prohibition of the treatment for access to the El Sadar stadium with the SBRF and the deletion of the records used for its operation since the resolution is enforceable, to safeguard the fundamental right of the (…) people subscribed to the system to 28/12/2023, and certified in this sense by the C.A. OSASUNA.

FOURTH: NOTIFY this resolution to CLUB ATLÉTICO OSASUNA.

FIFTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned party is warned that he/she must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of the LPACAP within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29/07, in relation to art. 62 of Law 58/2003, of 17/12, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once notification has been received and enforced, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision may be provisionally suspended by administrative means if the interested party expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned LPACAP. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the provisional suspension.

938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency
