
AEPD (Spain) - EXP202315637

From GDPRhub
AEPD - EXP202315637
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 35(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 04.11.2022
Decided: 12.11.2024
Published: 28.02.2025
Fine: 1000000 EUR
Parties: La Liga
National Case Number/Name: EXP202315637
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: cwa

LaLiga was fined €1,000,000 after failing to conduct a DPIA prior to mandating the implementation of biometric access controls for access to stadiums.

English Summary

Facts

In March 2023, LaLiga (data controller) issued a regulation to football clubs in Spain requiring changes to how clubs allowed access to their stadiums. Ordinary ticket holders could either present their physical ticket and be given entry, or provide an electronic ticket and use a fingerprint scanner. For access to the “animation stands”, reserved for the biggest fans of the home team, patrons had to submit to biometric identification through either fingerprinting or facial recognition and provide consent to this processing at the point of entry, or be denied entry. The controller also offered the clubs an access system for implementing and complying with the updated access guidance.

On 4th November 2022, a fan filed a complaint against the controller with the AEPD.

Holding

The DPA firstly determined that LaLiga was the data controller, rejecting the controller's contention that each club should be considered a controller in its own right. In doing so, the DPA focused on the controller's provision of an access system that complied with its regulation, and the speed with which it was made available to clubs that requested it.

The DPA found that the controller infringed Article 35 by not conducting a DPIA prior to the commencement of the processing. The DPA stressed both the high-risk nature of the processing in question, i.e. biometric processing, as well as the large scale.

The DPA imposed a fine of €1,000,000 for the infringement of Article 35(1). The DPA also ordered the suspension of the biometric processing until a DPIA had been appropriately carried out, assessing the necessity and proportionality of the processing.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.