AEPD (Spain) - 0098/2022

From GDPRhub
Revision as of 11:27, 31 January 2023 by Kk (talk | contribs) (shortened the Holding, deleted unclarities and repetitions, shortened soem sentences)
AEPD - 0098/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(e) GDPR
Article 9(2)(g) GDPR
Act Against Violence, Racism, Xenophobia and Intolerance in Sport
Type: Advisory Opinion
Outcome: n/a
Started:
Decided:
Published: 20.01.2023
Fine: n/a
Parties: Comisión Estatal contra la Violencia, el Racismo, la Xenofobia y la Intolerancia
National Case Number/Name: 0098/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

In a prior consultation, the Spanish DPA held that the State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport could not rely on Article 9(2)(g) GDPR in order to process biometric data of football fans entering stadiums.

English Summary

Facts

The State Commission Against Violence, Racism, Xenophobia and Intolerance in Sport (the Commission) wanted to install biometric identification systems at the entrances to sport stadiums in order to univocally identify football fans. In this regard, Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport gives the Commission the power to implement additional security measures for high risk competitions and events.

The Commission asked the Spanish DPA for a prior consultation (presumably under Article 36 GDPR) regarding the compliance of the envisaged processing with the GDPR. According to the Commission, the legal basis was Article 6(1)(e) GDPR, as processing was necessary for the performance of a task carried out in the public interest, such interest being the safety and integrity of persons attending football stadiums, as well as prevention of fundamental rights violations in the form of hate crimes and discrimination. Additionally, the Commission relied on Article 9(2)(g) GDPR, which refers to processing of sensitive data that is necessary for reasons of a substantial public interest.

The Commission indicated that it would issue a resolution defining the adequate and specific measures that clubs should undertake in order to protect the interests and fundamental rights of data subjects. The Commission also stated that it would carry out a proportionality assessment and a DPIA under Article 35 GDPR, in order to guarantee the adherence to the principles of Article 5 GDPR.

Holding

First, the Spanish DPA stated that the installation of biometric identification systems would constitute processing of special categories of data within the meaning of Article 9 GDPR. The DPA recalled the definition of ‘biometric data’ as meaning 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data' (Article 4(14) GDPR).

Second, the DPA emphasised the need to distinguish between biometric identification and biometric authentication, as defined by the Article 29 Working Party in Opinion 3/2012 on developments in biometric technologies. According to this Opinion, biometric identification means the identification of an individual by comparing biometric data acquired at the time of the identification to a number of biometric templates stored in a database, whereas biometric authentification means the verification of an individual by comparing the biometric data acquired at the time of the verification to a single biometric template stored in a device. The DPA relied in its assessment on the EDPB's Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement which uphold that both techniques constitute processing of special categories of data. The DPA manifested its concern for the proliferation of biometric identification systems, which are considered to be particularly intrusive for the rights and freedoms of data subjects.

Third, with regards to the envisaged legal basis, the DPA noted that Article 9(2)(g) GDPR makes reference to a substantial public interest, as opposed to the (standard) public interest contained in other provisions. Hence, according to the DPA, the interpretation of public interest must be more restrictive. The DPA referred to the Spanish Constitutional Court, which ruled that any limitations of the right to data protection must be set out in law and exist prior to any processing. Further, a legitimate aim pursued by the public interest cannot be laid down by general, indeterminate, or vague concepts and the limitation must be proportionate to the aim pursued. With reference to this, the DPA concluded that such a law did not exist in the Spanish acquis. The law referred to by the Commission (Article 13(1) of the Act Against Violence, Racism, Xenophobia and Intolerance in Sport) did not identify a justified substantial public interest or contain specific rules, nor did it provide for suitable and specific measures to safeguard the fundamental rights and interests of data subjects. While the provision referred to identity verification systems, it did not mention the specific possibility of using biometric systems.

Therefore, the DPA concluded that the envisaged processing, as schemed by the the Commission, could not rely on the legal basis of Article 9(2)(g) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Legal cabinet



                                                                 N/REF: 0098/2022




       The consultation asks if the adoption of an agreement of the State Commission

against Violence, Racism, Xenophobia and Intolerance, in the field of
their powers, establishing measures for the compliance of the clubs
consisting of the installation of biometric systems to control all
the accesses to the stands of animation that allows the unequivocal identification of
fans who access said stands, it would be legally viable

in accordance with the regulatory data protection regulations.

       Said possibility would be protected, according to the consultation, in the competition
legally attributed by article 13.1 of Law 19/2007, of July 11,
against violence, racism, xenophobia and intolerance in sport, which
the power to decide the implementation of additional security measures

for the set of competitions or highly rated sporting events
risk, or for venues that have been subject to closure sanctions with
according to the second and third titles of this Law, including in particular that of
b) Promote systems for verifying the identity of persons who process
access to sports venues.


       Therefore, in the opinion of the consultant, the treatment of the data
personal data of fans, including their biometric data, would be carried out in
application of article 6.1.e) of Regulation (EU) 2016/679 General of
Data Protection (RGPD), that is, that the processing of the data would be
necessary “for the fulfillment of a mission carried out in the public interest or

in the exercise of public powers conferred on the data controller”.
In this case, the mission carried out by the Clubs/SAD in the public interest would be the
to guarantee the safety and integrity of the people who come to the
football stadiums, as well as prevent and avoid violations of rights
of people, such as hate crimes and discrimination, to
through the measures listed above.


       Likewise, when referring to the requested measure to the treatment of categories
special data, the exception regulated in article 9.2.g) of the
GDPR, that is, that the processing of biometric data "is necessary for
reasons of essential public interest, on the basis of Union law

or of the Member States, which must be proportional to the objective pursued,
essentially respect the right to data protection and establish
appropriate and specific measures to protect the interests and rights
fundamentals of the interested party." In this regard, the agreement that in your case
adopts the CEVRXID, it would also establish the appropriate measures and
that the Clubs/SAD must adopt to protect the interests and

c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                        1 Legal Office

fundamental rights of the interested parties regarding the implementation of the
additional measure required, as required by article 9.2.g) of the GDPR,
previously referred to.


       It is also indicated that given that the additional measure would require the
treatment of special categories of data, the agreement adopted by the
CEVRXID in relation to the obligation to adopt the requested measure will require
also that, before implanting it, the following is carried out:


             - A trial of proportionality, where it is analyzed from the point
       From a data protection point of view, both the suitability of the measure and the
       need for treatment and its proportionality in the sense
       strict.
             - An Impact Assessment on Data Protection that
       meets the requirements of article 35 of the GDPR.

             In short, the measure would guarantee that the treatment of
       personal identification data (including biometrics) that perform
       Clubs/SAD is carried out with due respect for the principles
       legality, loyalty and transparency, purpose limitation, minimization
       of data, accuracy, conservation, security, as well as

       proactive responsibility, as established in article 5 of the GDPR.


       In this way, according to the consultant, the measure would guarantee that the
processing of personally identifiable data (including biometric data)
carried out by the Clubs/SAD is carried out duly respecting the

principles of legality, loyalty and transparency, limitation of purpose,
data minimization, accuracy, conservation, security, as well as
proactive responsibility, as established in article 5 of the GDPR.



                                           Yo

       Regulation (EU) 2016/679, of the European Parliament and of the Council of
April 27, 2016 regarding the protection of natural persons in what
regarding the processing of personal data and the free circulation of these
data and which repeals Directive 95/46/EC (General Regulation of

data protection, GDPR) defines in its article 4.14 the biometric data
as “personal data obtained from a specific technical treatment,
relating to the physical, physiological or behavioral characteristics of a
natural person that allow or confirm the unique identification of said
person, such as facial images or dactyloscopic data.


       Article 9 of said standard regulates the treatment of categories
special data types, including biometric data,
establishing a general prohibition of its treatment in the following
terms:
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                        2 Legal Office


       “The processing of personal data that reveals the
ethnic or racial origin, political opinions, religious convictions or
philosophical, or union affiliation, and the treatment of genetic data, data
biometrics aimed at uniquely identifying a natural person,

data relating to health or data relating to sexual life or orientation
sex of a physical person.”

       In relation to the processing of biometric data, in our
Report 36/2020, analyzing article 9.1 in relation to Recital 51
of the GDPR, as well as the Protocol of amendment to the Convention for the Protection

of Individuals regarding the processing of personal data, approved
by the Committee of Ministers at its 128th session in Elsinore on the 18th of
May 2018 (108+ Agreement) we pointed out that

             In order to clarify the interpretative doubts that arise
       regarding the consideration of biometric data as categories

       special data can resort to the distinction between identification
       biometrics and biometric verification/authentication that established the
       Article 29 Group in its Opinion 3/2012 on the evolution of the
       biometric technologies:
              Biometric identification: the identification of an individual by a
       biometric system is normally the process of comparing your data

       biometrics (acquired at the time of identification) with a series
       of biometric templates stored in a database (i.e.,
       a one-to-many mapping process).
             Biometric verification/authentication: Verification of a
       individual by a biometric system is normally the process of
       comparison between your biometric data (acquired at the time of

       verification) with a single biometric template stored in a
       device (i.e., a one-to-one mapping process
       to-one).

             This same differentiation is included in the White Paper on the
       artificial intelligence from the European Commission:


             “Regarding facial recognition, by “identification”
       it is understood that the facial image template of a person is
       compares with many other templates stored in a database
       to find out if your image is stored on it. The
       "authentication" (or "verification"), for its part, usually refers to

       searching for correspondences between two specific templates.
       Allows the comparison of two biometric templates that, in principle,
       they are supposed to belong to the same person; so, the two templates are
       are compared to determine if the person in the two images is the
       same. This procedure is used, for example, in the doors of

c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                       3 Legal Office

       automated border control used in border controls
       of the airports.

             Considering the aforementioned distinction, it can be interpreted that, if
       In accordance with article 4 of the GDPR, the concept of biometric data

       would include both assumptions, both the identification and the
       verification/authentication. However, and in general, the
       biometric data will only be considered as a category
       of data in the cases in which they are submitted to treatment
       technique aimed at biometric identification (one-to-many) and not in the
       biometric verification/authentication case (one-to-one).


             However, this Agency considers that it is a question
       complex, subject to interpretation, with respect to which it is not possible to
       draw general conclusions, having to attend to the specific case
       according to the data processed, the techniques used for its treatment and
       the consequent interference in the right to data protection,

       should, as long as the Committee does not rule on the matter
       European Data Protection Agency or the courts,
       In case of doubt, the most favorable interpretation for the
       protection of the rights of those affected.”

       Consequently, in said report this Agency already highlighted the

difficulty of separating the concepts of identification and authentication, which
requires to be aware of the specific case and the particular techniques used in
relation to the purpose pursued by the treatment, as well as the need
to grant maximum protection to the rights of those affected against the use
of techniques that can be more invasive to your privacy and generate more
risks to their rights and freedoms.


       However, said criterion was subject to what could be
established by the European Data Protection Committee or, where appropriate, by
the courts. And, in this sense, the Guidelines 5/2022 of the Committee
European Data Protection (Guidelines 05/2022 on the use of facial
recognition technology in the area of law enforcement) pending in this

time of final adoption after completion of the consultation process
public, they clearly depart from said differentiation between
authentication/verification and identification for the purpose of determining treatment
of biometric data as a special category in section 12, concluding
that both cases imply the treatment of special categories of
data:


             While both functions – authentication and identification – are
       distinct, they both relate to the processing of biometric data related to an
       identified or identifiable natural person and therefore constitute a
       processing of personal data, and more specifically a processing of
       special categories of personal data.
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                       4 Legal Office



       Consequently, if said criterion is maintained at the time the
proceeds to its final adoption, it will be necessary to review our criteria

to adapt it to that maintained by the European Committee for Data Protection,
understanding that the processing of biometric data, both in the cases of
authentication/verification as identification implies a treatment of
special categories of data, subject to the regime of general prohibition and
exceptions of article 9 of the GDPR.


       In any case, in the present case there is no doubt that the consultation was
refers to biometric data processing aimed at uniquely identifying
to a natural person and, therefore, which implies the treatment of categories
personal data specials.



                                           II

       The query refers to a case of biometric data processing
with the purpose of verifying to identify, unequivocally, the fans who

access the animation stands, implying, as indicated in the
previous section, a treatment of special categories of data subject to the
general rule of prohibition of the same (art. 9.1. GDPR).

       However, article 9.2 of the GDPR regulates exceptions to said
general prohibition, invoking in the consultation, specifically, the collection

in its letter g):

             g) the treatment is necessary for reasons of personal interest
       essential public, on the basis of Union or State law
       members, which must be proportional to the objective pursued, respect in

       the essential right to data protection and establish measures
       adequate and specific to protect the interests and rights
       fundamentals of the interested party;

       It is appropriate, therefore, to analyze whether in the present case the
budgets established in article 9.2.g) to lift the prohibition of

processing of biometric data, also taking into account the
jurisprudence of the Constitutional Court, the European Court of Rights
Rights and the Constitutional Court regarding the limitations of the right
fundamental to the protection of personal data.


       This Agency has had the opportunity to pronounce, on various occasions,
with respect to the requirements established by article 9.2.g) of the GDPR for
be able to cover the processing of biometric data, particularly with respect to
those based on facial recognition, given the proliferation of proposals
received in relation to them from different spheres, which shows
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                        5 Legal Office

manifest the growing interest in using these systems and the constant
concern of this control authority, as they are systems of
very intrusive to the fundamental rights and freedoms of
natural persons. Concern that is shared by the rest of

control authorities for years, as evidenced by the
Biometrics Working Paper, adopted on August 1, 2003 by the
Group of 29, or the subsequent Opinion 3/2012 on the evolution of the
biometric technologies, adopted on April 27, 2012, and which has led to
that the Community legislator himself include these data among the categories

special data in the GDPR. Thus, being prohibited
treatment in general, any exception to said prohibition will have
to be subject to restrictive interpretation.

       In this regard, it should be noted, in addition to the aforementioned report 36/2020,
referred to the use of facial recognition techniques in carrying out

online assessment tests, report 31/2019 on the incorporation of
facial recognition systems in video surveillance services under the
of article 42 of the Private Security Law or Report 97/2020 regarding the
Draft Order of the Minister of Economic Affairs and Transformation
Digital on non-presential identification methods for the issuance of

qualified electronic certificates. In all these cases it was concluded that
there was a legal standard in the Spanish legal system that met the
requirements of article 9.2.g) of the GDPR, so that the treatment only
could rely on the consent of those affected as long as it remained
guaranteed that it is free.


       Analyzing the requirements of article 9.2.g) in our Report 36/2020
we pointed out the following:

                                             V


             The next question that arises in the consultation is whether the
       processing of biometric data by recognition systems
       facial expression in online evaluation processes could rely on the
       existence of an essential public interest in accordance with article 9.2.g) of the
       GDPR:


             g) the processing is necessary for reasons of public interest
       essential, on the basis of Union or Member States law
       members, which must be proportional to the objective pursued, respect in
       the essential right to data protection and establish measures
       adequate and specific to protect the interests and rights

       fundamentals of the interested party.


             As we indicated previously, the data processing
       personnel necessary for the provision of the public service of
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                       6 Legal Office

       Higher education is legitimized, in general, in the existence of
       a public interest under the provisions of article 6.1.e) of the
       GDPR. However, in the case of special categories of data, the
       case contemplated in letter g) of article 9.2. does not refer only to

       the existence of a public interest, as it does in many other of
       its precepts the RGPD, but it is the only precept of the RGPD that
       requires that it be "essential", an adjective that comes to qualify
       said public interest, taking into account the importance and necessity of
       greater protection of the data processed.


             Said precept finds its precedent in article 8.4 of the
       Directive 95/46/EC of the European Parliament and of the Council of 24
       October 1995, regarding the protection of natural persons in terms of
       that respects the processing of personal data and the free movement of
       these data: “4. As long as they have adequate guarantees, the

       Member States may, for reasons of important public interest,
       establish other exceptions, in addition to those provided for in section 2,
       either through their national legislation, or by decision of the authority
       of control". However, its reading results in greater rigor in a new
       regulation by the GDPR, since the adjective "important" is replaced by

       "essential" and it is not allowed that the exception can be established by the
       control authorities.

             In relation to what should be understood by public interest
       essential, the Jurisprudence of the
       European Court of Human Rights, which under Article 8

       of the European Convention on Human Rights, has been considering that
       the processing of personal data constitutes a lawful interference in the
       right to respect for private life and can only be carried out if
       performed in accordance with the law, serves a legitimate purpose, respects the
       essence of fundamental rights and freedoms and it is necessary and

       provided in a democratic society to achieve an end
       legitimate ( D.L. against Bulgaria, nº 7472/14, May 19, 2016,
       Dragojević v. Croatia, no. 68955/11, January 15, 2015, Peck
       v. United Kingdom, No. 44647/98, January 28, 2003, Leander v.
       Sweden, no. 9248/81, March 26, 1987, among others). As he points out
       In the last sentence cited, "the concept of necessity implies that the

       interference responds to a pressing social need and, in particular,
       that is proportionate to the legitimate aim that it pursues”.

             Likewise, the doctrine of the Court must be taken into account
       Constitutional regarding the restrictions to the fundamental right to

       data protection, which is summarized in judgment 292/2000, dated 30
       November, in which after configuring the fundamental right to
       protection of personal data as an autonomous right and
       independent power that consists of a power of disposition and control
       on personal data that empowers the person to decide which
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                       7 Legal Office

      of these data to provide to a third party, be it the State or an individual, or
      which this third party can collect, and which also allows the individual
      know who owns that personal data and for what, being able to
      oppose that possession or use, analyzes its limits, pointing out

      in the following:

             More specifically, in the Judgments mentioned regarding the
      data protection, this Court has declared that the right to
      Data protection is not unlimited, and although the Constitution does not

      expressly impose specific limits, nor refer to the Powers
      Public for its determination as it has done with other rights
      fundamental, there is no doubt that they will find them in the
      remaining fundamental rights and legal rights
      constitutionally protected, as required by the principle of unity
      of the Constitution (SSTC 11/1981, of April 8, F. 7; 196/1987, of April 11,

      December [RTC 1987, 196], F. 6; and regarding art. 18, JTS
      110/1984, F. 5). These limits may either be direct restrictions of the
      fundamental right itself, which has been alluded to before, or
      may be restrictions on the way, time or place of exercise of the
      fundamental right. In the first case, regulating those limits is a

      form of development of the fundamental right. In the second, the limits
      that are fixed are to the concrete form in which it is possible to exert the beam of
      faculties that make up the content of the fundamental right in
      matter, constituting a way of regulating its exercise, which
      The ordinary legislator can do in accordance with the provisions of art. 53.1
      EC. The first observation that must be made, which is not obvious, is

      less capital, is that the Constitution has wanted the Law, and only the
      Law, can set the limits to a fundamental right. Rights
      Fundamentals can, of course, yield to goods, and even
      constitutionally relevant interests, provided that the cut that
      undergo is necessary to achieve the intended legitimate purpose,

      provided to achieve it and, in any case, be respectful of the
      essential content of the restricted fundamental right (SSTC 57/1994,
      of February 28 [RTC 1994, 57], F. 6; 18/1999, of February 22 [RTC
      1999, 18], F. 2).

             Precisely, if the Law is the only one authorized by the Constitution

      to set limits to fundamental rights and, in the case
      present, to the fundamental right to data protection, and those
      limits cannot be different from those constitutionally established, which
      for the case are none other than those derived from the coexistence of this
      fundamental right with other legal rights and goods of rank

      constitutional, the legal empowerment that allows a Public Power
      collect, store, process, use and, where appropriate, transfer personal data,
      it is only justified if it responds to the protection of other rights
      constitutionally protected assets or assets. So if
      those operations with the personal data of a person are not
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                      8 Legal Office

       carried out with strict observance of the norms that regulate it,
       violates the right to data protection, since limits are imposed
       constitutionally illegitimate, either to its content or to the exercise of the
       bundle of faculties that compose it. How will that violate it too?
       Limitative law if it regulates the limits in such a way that they make the

       fundamental right affected or ineffective the guarantee that the Constitution
       grants you And so it will be when the Law, which should regulate the limits to
       fundamental rights with scrupulous respect for their content
       essential, is limited to empowering another Public Power to establish in each
       the restrictions that may be imposed on the rights
       fundamentals, whose unique determination and application will be at risk

       of the decisions adopted by that Public Power, who may decide, in
       what interests us now, about obtaining, storing,
       treatment, use and transfer of personal data in the cases that it deems
       convenient and brandishing, even, interests or assets that are not
       protected with constitutional rank […]”. (Legal Basis 11)




             “On the one hand, because although this Court has declared that the
       The Constitution does not prevent the State from protecting legal rights or assets to
       cost of the sacrifice of others equally recognized and, therefore, that the
       legislator may impose limitations on the content of rights

       fundamentals or their exercise, we have also specified that, in such
       assumptions, these limitations must be justified in the protection
       of other rights or constitutional goods (SSTC 104/2000, of 13 December
       April [ RTC 2000, 104] , F. 8 and those cited there) and, in addition, they must be
       proportionate to the purpose pursued with them (SSTC 11/1981, F. 5, and
       196/1987, F. 6). Well, otherwise they would incur in arbitrariness

       proscribed by art. 9.3 EC.
             On the other hand, even having a constitutional foundation and
       being proportionate the limitations of the fundamental right
       established by Law ( STC 178/1985 [ RTC 1985, 178] ), these
       may violate the Constitution if they suffer from a lack of certainty and
       predictability in the very limits they impose and their way of

       application. Conclusion that is corroborated by the Court's jurisprudence
       European Commission on Human Rights that has been cited in F. 8 and that here
       must be reproduced. And it should also be noted that not only
       would harm the principle of legal certainty (art. 9.3 CE), conceived
       as certainty about the applicable law and expectation
       reasonably founded of the person on what should be the performance

       of power applying the Law (STC 104/2000, F. 7, for all), but
       that at the same time said Law would be harming the essential content
       of the fundamental right thus restricted, given that the way in which it is
       have set their limits make it unrecognizable and make it impossible, in the
       practice, its exercise (SSTC 11/1981, F. 15; 142/1993, of April 22
       [ RTC 1993, 142] , F. 4, and 341/1993, of November 18 [ RTC 1993,
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                       9 Legal Office

       341], F. 7). So that the lack of precision of the Law in the
       material assumptions of the limitation of a fundamental right is
       likely to generate an indeterminacy about the cases to which
       apply such a restriction. And when this result occurs, beyond all

       reasonable interpretation, the Law no longer fulfills its function of guaranteeing the
       own fundamental right that it restricts, since it allows instead
       simply operate the will of who has to apply it, undermining
       thus both the effectiveness of the fundamental right and the legal certainty
       […]”. (FJ 15).


             “More specifically, in relation to the fundamental right to
       privacy we have highlighted not only the need for your
       possible limitations are based on a legal provision that has
       constitutional justification and that they be proportionate (SSTC 110/1984,
       F. 3, and 254/1993, F. 7) but the Law that restricts this right must

       accurately express each and every material budget
       of the limiting measure. Otherwise, it is wrong to understand that the
       judicial resolution or the administrative act that applies it are founded
       in the Law, since what it has done, making abandonment of its
       functions, is to empower other Public Powers so that they are

       who set the limits to the fundamental right (SSTC 37/1989, of 15
       of February [RTC 1989, 37], and 49/1999, of April 5 [RTC 1999, 49]).
             Similarly, regarding the right to data protection
       personal, it can be estimated that the constitutional legitimacy of the
       restriction of this right cannot be based, by itself, on the
       activity of the Public Administration. Nor is it enough that the Law

       empowers it to specify its limits in each case, limiting itself to
       indicate that you must make such precision when there is any right or
       well constitutionally protected. It is the legislator who must
       determine when that good or right that justifies the
       restriction of the right to the protection of personal data and in what

       circumstances can be limited and, furthermore, it is he who must do it
       by means of precise rules that make the interested party foreseeable
       imposition of such limitation and its consequences. Well, in another case
       legislator would have transferred to the Administration the performance of a
       function that only corresponds to him in terms of fundamental rights in
       By virtue of the legal reservation of art. 53.1 CE, that is, establish

       clearly the limit and its regulation. […] (FJ 16)”.


             Likewise, our Constitutional Court has already had the opportunity
       to rule specifically on article 9.2.g) of the GDPR,

       as a consequence of the challenge of article 58 bis of the Law
       Organic 5/1985, of June 19, of the General Electoral Regime,
       introduced by the third final provision of Organic Law 3/2018, of
       December 5, Protection of Personal Data and guarantee of the
       digital rights, regarding the legitimacy of data collection
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                      10 Legal Office

      personal information relating to the political opinions of the persons who carry
      carried out by political parties in the framework of their electoral activities,
      precept that was declared unconstitutional by Judgment no.
      76/2019 of May 22.


             Said sentence analyzes, firstly, the legal regime to which
      that is subject to the treatment of the special categories
      of data in the GDPR:

             In accordance with paragraph 1 of art. 9 GDPR, the
      processing of personal data that reveal political opinions,

      in the same way as the processing of personal data that reveals
      ethnic or racial origin, religious or philosophical convictions or
      trade union membership and processing of genetic data, biometric data
      aimed at uniquely identifying a natural person, data
      relating to health or data relating to sexual life or orientation
      sex of a natural person. However, section 2 of the same

      precept authorizes the processing of all such data when concurs
      any of the ten circumstances provided therein [letters a) to j)]. Some of
      These circumstances have a limited scope of application (labor,
      social, associative, health, judicial, etc.) or respond to a purpose
      determined, therefore, in themselves, delimit the treatments
      that authorize as an exception to the general rule. Besides, the

      enabling efficacy of several of the assumptions provided therein is
      conditioned to the fact that the Law of the Union or that of the States
      members expressly foresee and regulate them in their scope of
      competences: this is the case of the circumstances included in letters
      a), b), g), h), i) and j).
             Processing of special categories of personal data

      is one of the areas in which the Regulation expressly
      General of Data Protection has recognized the Member States
      "room for manoeuvre" when it comes to "specifying its rules", as
      qualifies its recital 10. This margin of legislative configuration
      extends both to the determination of the enabling causes for
      the processing of specially protected personal data -is

      that is, to the identification of the purposes of essential public interest and the
      assessment of the proportionality of the treatment to the end
      persecuted, essentially respecting the right to protection of
      data - such as the establishment of "adequate measures and
      to protect the interests and fundamental rights
      of the interested party" [art. 9.2 g) GDPR]. The Regulation contains, for

      Therefore, a concrete obligation of the Member States of
      establish such guarantees, in the event that they enable to treat
      specially protected personal data.

             In relation to the first of the requirements demanded by article
      9.2.g), the invocation of an essential public interest and the necessary
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                      11 Legal Office

       specification thereof, the High Court recalls what was stated in its
       judgment 292/2000 in which it was rejected that the identification of the
       legitimate purposes of the restriction could be done through concepts
       generic or vague formulas, considering that the restriction of the right

       fundamental to the protection of personal data cannot be based,
       by itself, in the generic invocation of an indeterminate "interest
       public" :

             In the aforementioned STC 292/2000 (RTC 2000, 292), in which

       Legislative interference in the right to
       protection of personal data, we reject that the identification of the
       legitimate purposes of the restriction could be done through concepts
       generic or vague formulas:
             "16. [...] In the same way, regarding the right to the protection of
       personal data, it can be estimated that the constitutional legitimacy of the

       restriction of this right cannot be based, by itself, on the
       activity of the Public Administration. Nor is it enough that the Law
       empowers it to specify its limits in each case, limiting itself to
       indicate that you must make such precision when there is any right or
       well constitutionally protected. It is the legislator who must

       determine when that good or right that justifies the
       restriction of the right to the protection of personal data and in what
       circumstances can be limited and, furthermore, it is he who must do it
       by means of precise rules that make the interested party foreseeable
       imposition of such limitation and its consequences. Well, in another case
       legislator would have transferred to the Administration the performance of a

       function that only corresponds to him in terms of fundamental rights in
       By virtue of the legal reservation of art. 53.1 CE, that is, establish
       clearly the limit and its regulation.
             17. In the present case, employment by the LOPD (RCL 2018, 1629)
       in his art. 24.1 of the expression "control and verification functions", opens

       a space of uncertainty so wide that it causes a double and
       perverse consequence. On the one hand, by enabling the LOPD to the
       Administration to restrict fundamental rights invoking
       such an expression is renouncing to set the limits itself,
       empowering the Administration to do so. And in such a way that
       As the Ombudsman points out, it allows redirecting the same

       practically all administrative activity, since all activity
       administration that involves establishing a legal relationship with a
       administered, which will be the case in practically all cases in which
       the Administration needs someone's personal data, it will entail
       Ordinarily the authority of the Administration to verify and control that this

       administered has acted in accordance with the administrative legal regime of
       the legal relationship established with the Administration. which, in view of
       reason for restriction of the right to be informed of art. 5 LOPD, leave
       in the most absolute uncertainty to the citizen about in which cases
       this circumstance will occur (if not in all) and add to the inefficiency
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                      12 Legal Office

      any jurisdictional guardianship mechanism that must prosecute
      Such an assumption of restriction of fundamental rights without another
      complementary criterion that comes to the aid of its control of the
      administrative action in this matter.

             The same reproaches also deserve the use in art. 24.2
      LOPD of the expression "public interest" as the basis of the
      imposition of limits to the fundamental rights of art. 18.1 and 4 CE,
      because it contains an even greater degree of uncertainty. just notice
      that all administrative activity, ultimately, pursues the

      safeguarding of general interests, the achievement of which constitutes the
      purpose to which the Administration must objectively serve with
      according to art. 103.1 CE."
             This argument is fully transferable to the present
      prosecution. Similarly, therefore, we must conclude that the
      constitutional legitimacy of the restriction of the fundamental right to

      personal data protection cannot be based, by itself, on the
      generic invocation of an indeterminate "public interest". well in another
      case, the legislator would have transferred the political parties -whom the
      challenged provision empowers to collect personal data relating to
      to the political opinions of people in the framework of their activities

      elections - the performance of a function that is the sole responsibility of him in
      matter of fundamental rights by virtue of the reservation of the Law of the
      art. 53.1 CE, that is, clearly establish its limits and its regulation.
             Nor can it be accepted, as equally imprecise, the purpose
      adduced by the lawyer of the State, which refers to the functioning of the
      democratic system, since it also contains a high degree of

      uncertainty and may involve circular reasoning. On the one hand,
      political parties are by themselves "necessary channels for the
      functioning of the democratic system" (for all, STC 48/2003, of
      March 12 (RTC 2003, 48), FJ 5); and, on the other hand, all
      functioning of the democratic system pursues, ultimately, the

      safeguarding of constitutional aims, values and assets, but this does not
      reaches to identify the reason why the right should be restricted
      fundamental affected.
             Finally, it should be specified that it is not necessary to be able to
      suspect, with greater or lesser grounds, that the restriction pursues
      an unconstitutional purpose, or that the data collected and

      processed will be harmful to the private sphere and the exercise of rights.
      rights of individuals. It is enough to note that, by not
      to be able to identify with sufficient precision the purpose of the treatment
      of data, the constitutional character cannot be prosecuted
      legitimate use of that purpose, nor, where appropriate, the proportionality of the

      measure provided in accordance with the principles of suitability, necessity and
      proportionality in the strict sense.



c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                      13 Legal Office

             On the other hand, regarding the guarantees that the
      legislator, the aforementioned judgment no. 76/2019 of May 22, after
      remember that "In view of the potential intrusive effects on the
      affected fundamental right resulting from data processing
      personal data, the jurisprudence of this Court requires the legislator to,

      In addition to meeting the aforementioned requirements, you also
      establish adequate guarantees of a technical, organizational and
      procedural, that prevent risks of different probability and
      severity and mitigate its effects, because only in this way can the
      respect for the essential content of the fundamental right itself”, analyzes
      What is the norm that must contain the aforementioned guarantees:


             "Therefore, the resolution of this challenge requires that
      clarify a doubt raised regarding the scope of our
      doctrine on adequate guarantees, which consists of determining whether
      adequate guarantees against the use of information technology must
      be contained in the law that authorizes and regulates that use or may

      can also be found in other normative sources.
             The question can only have a constitutional answer. The
      provision of adequate guarantees cannot be deferred to a moment
      after the legal regulation of the processing of personal data of
      in question Appropriate safeguards should be built into the
      own legal regulation of the treatment, either directly or through

      express and perfectly delimited reference to external sources that
      have the appropriate regulatory status. Only that understanding is
      compatible with the double requirement arising from art. 53.1 EC (RCL
      1978, 2836) for the legislator of fundamental rights: the reservation
      of law for the regulation of the exercise of fundamental rights
      recognized in the second chapter of the first title of the Constitution

      and respect for the essential content of said fundamental rights.
             According to reiterated constitutional doctrine, the reserve of law is not
      limited to requiring that a law enable the restrictive measure of rights
      fundamental, but it is also necessary, according to both
      requirements called -sometimes- normative predetermination and
      -others- regarding the quality of the law as well as respect for the essential content of the

      law, that in this regulation the legislator, who is obliged to
      primary way to weigh the rights or interests in conflict,
      predetermine the assumptions, conditions and guarantees in which
      the adoption of restrictive measures of rights is appropriate
      fundamental. That mandate of predetermination regarding
      essential elements, also ultimately linked to the judgment of

      proportionality of the limitation of the fundamental right, cannot
      be deferred to a subsequent legal or regulatory development, nor
      it can be left in the hands of the individuals themselves” (FJ 8).

             Therefore, the processing of biometric data to the
      under article 9.2.g) requires that it be provided for in a standard
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                     14 Legal Office

      of European or national law, having in the latter case
      said norm, according to the aforementioned constitutional doctrine and the provisions
      in article 9.2 of the LOPDGDD, rank of law. Said law shall,
      also specify the essential public interest that justifies the

      restriction of the right to the protection of personal data and in
      what circumstances can be limited, establishing the rules
      that make the imposition of such a law foreseeable to the interested party
      limitation and its consequences, without it being sufficient, to these
      effects, the generic invocation of a public interest. and said law

      must also establish the appropriate type of guarantees
      technical, organizational and procedural, that prevent risks
      of different probability and severity and mitigate their effects.

             In addition, said law must in all cases respect the principle
      of proportionality, as recalled in the Judgment of the Court

      Constitutional 14/2003, of January 28:

             In other words, pursuant to a settled doctrine of
      this Court, the constitutionality of any restrictive measure of
      fundamental rights is determined by the strict observance

      of the principle of proportionality. For the purposes that matter here enough
      remember that, in order to check whether a restrictive measure of a
      fundamental right overcomes the proportionality judgment, it is necessary
      verify if it meets the following three requirements or conditions: if the
      measure is capable of achieving the proposed objective (judgment of
      suitability); if, moreover, it is necessary, in the sense that there is no other

      more moderate measure for the achievement of such purpose with the same
      effectiveness (judgment of necessity); and, finally, if it is weighted or
      balanced, because it derives from it more benefits or advantages for the
      general interest than damages to other goods or values in conflict
      (judgment of proportionality in the strict sense; SSTC 66/1995, of 8

      May [RTC 1995, 66], F. 5; 55/1996, of March 28 [RTC 1996, 55]
      , FF. 7, 8 and 9; 270/1996, of December 16 [RTC 1996, 270], F. 4.e;
      37/1998, of February 17 [RTC 1998, 37], F. 8; 186/2000, of 10
      July [ RTC 2000, 186] , F. 6).”



             The conclusions reached in the aforementioned case are transferable to the
present, since the treatment of the special categories of data
seeks to rely on the power of the Commission to promote systems of
verification of the identity of the people who try to access the premises
sports, under the terms provided in article 13.1. of Law 19/2007, of

July 11.

      Said precept is developed by article 15.3 of the Royal Decree
203/2010, of February 26, which approves the Regulation of

c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                      15 Legal Office

prevention of violence, racism, xenophobia and intolerance in the
sport:

             3. In the cases contemplated in article 13.1 of the Law

       19/2007, of July 11, verification and monitoring of identity
       of those who purchase tickets or control the distribution of
       localities will be carried out by implementing ticket sales systems
       nominative and developing procedures that allow to supervise the
       distribution of assigned locations and to know the identity of the

       holders of access titles to sports facilities.
             The treatment of the data obtained in accordance with these
       procedures will be limited to providing information on who
       access or attempt to access sports venues, with the purpose of
       to ensure compliance with existing prohibitions and, where appropriate,
       case, purge the responsibilities that may arise.

             The organizers will cancel the data of the people who
       they would have accessed the sporting event when it concludes,
       keeping exclusively the data necessary to identify
       who may have engaged in conduct prohibited by law
       19/2007, of July 11, which may only be transferred to the authorities or

       competent bodies in matters of public safety.


       As can be seen, article 13.1 of Law 19/2007, of 11 December
July refers to identity verification systems, but does not
considers the possibility that said systems may involve treatments

of biometric data, nor does it establish the pertinent and adequate guarantees for
the protection of the fundamental right to the protection of personal data.
This possibility is not provided for in article 15.3 of the Royal Decree either.
203/2010, of February 26, although it should be noted that said standard
would lack, as has been explained, the appropriate legal status for

proceed to the regulation of the treatment of special categories of data
personal.


       Therefore, claiming in the processing of personal data
included in the special categories of data referred to in the article

9.1. of the RGPD, since it is about biometric data directed to the
identification of natural persons, it is a prerequisite that some
of the circumstances contemplated in section 2 that lifts the prohibition
of treatment of said data, established in general in its
section 1, requiring article 9.2. of the LOPDGDD that "Treatments of

data referred to in letters g), h) and i) of article 9.2 of Regulation (EU)
2016/679 founded on Spanish law must be covered by a
standard with the force of law, which may establish additional requirements relating to
your security and confidentiality. not existing, as indicated, norm
that enables said treatment under article 9.2.g) of the GDPR, since
c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                      16 Legal Office

that article 13.1. does not meet the legal requirements and
jurisprudentially, as has been analyzed in the present

report.

      And without said gap being able to be filled by means of an agreement of the
CEVRXID, as it does not have the appropriate regulatory range. In this sense, as already

As indicated, the jurisprudence of the Constitutional Court is clear regarding
of the norm that must contain the adequate guarantees that cannot be
be deferred to a time after the legal regulation of data processing
personal in question. Adequate safeguards must be incorporated
to the legal regulation of the treatment itself, either directly or by referral

expressly and perfectly delimited to external sources that have the rank
adequate normative (Ruling 76/2019 of May 22, FJ 8)


      Consequently, it must be concluded that the adoption of an agreement

of the State Commission against Violence, Racism, Xenophobia and
Intolerance, within the scope of its powers, establishing measures
for the compliance of the clubs consisting of the installation of
biometric systems for the control of all access to the stands of

animation that allows the unequivocal identification of the fans who
access said stands, is not in accordance with the regulations governing
Data Protection.





























c. Jorge Juan 6 www.aepd.es
28001 Madrid
                                     17