Banner1.jpg

Datatilsynet (Denmark) - 2024-51-0012

From GDPRhub
Datatilsynet - 2024-51-0012
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(14) GDPR
Article 9(1) GDPR
Article 9(2)(g) GDPR
§ 7(4) DDPA
Type: Other
Outcome: n/a
Started: 05.04.2024
Decided: 18.12.2024
Published: 16.01.2025
Fine: n/a
Parties: F.C. Copenhagen
National Case Number/Name: 2024-51-0012
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: tjk

The DPA has granted F.C. Copenhagen’s application to use facial recognition technology at football matches under national law since the intended enforcement of suspensions is a substantial public interest. No permission was given for non-football events.

English Summary

Facts

The football club F.C. Copenhagen (the controller) applied for permission on 5 April 2024 to process sensitive biometric data using facial recognition for security purpose pursuant to § 7(4) Danish Data Protection Act (Databeskyttelsesloven – DDPA).

The system would match facial images taken by the controller’s video surveillance with photos of individuals on internal and police suspension lists to maintain order during events. The controller requested permission to use this technology for both home and away football matches, as well as for other events at the stadium, such as concerts.

F.C. Copenhagen argued that due to increasing incidents of poor behaviour by visitors, the use of facial recognition was necessary not only for football matches but also for other events. However, no suspensions had yet been issued for non-football events.

Holding

The DPA stated that facial recognition data qualifies as biometric personal data under Article 4(14) GDPR and its processing is generally prohibited under Article 9(1) GDPR. However, it can be processed if necessary for reasons of substantial public interest, as outlined in Article 9(2)(g) GDPR (processing is necessary for reasons of substantial public interest) in connection with the national implementation of that provision in § 7(4) DDPA.

The DPA granted permission for the controller to use automatic facial recognition at the club's matches in order to support the enforcement of the rules on club and general suspensions only in connection with football matches. The technology can be used for access control at the entrances to Parken Stadium, in the stadium and at mobile facilities in connection with the controller's home and away football matches, excluding (for now) international matches. The DPA stated, that it is currently processing the part of the application concerning international football matches.

However, the DPA concluded that the use of facial recognition for non-football events at Parken Stadium was not justified. The DPA assessed that using automatic facial recognition for non-football events is not necessary for reasons of substantial public interest and therefore disproportionate. The DPA stated that there has not yet been a basis for issuing a suspension in connection with such other events at Parken Stadium. The DPA held, that as § 7(4) DDPA has a narrow scope of application compelling reasons for considering processing necessary must be given. Therefore, the DPA concluded, that the use of automatic facial recognition - and thus the processing of biometric data - in connection with the organization of other events at Parken Stadium is not proportionate to the purpose of ensuring peace and order.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Skip main navigation

Search

New decision

F.C. Copenhagen granted permission to use automatic facial recognition

Date: 18-12-2024

Decision Private companies No criticism Response to inquiry Access control Images and video Television surveillance Processing security Sensitive information

The Danish Data Protection Authority has – following an application from F.C. Copenhagen – granted permission for the club to use facial recognition at F.C. Copenhagen football matches

Journal number: 2024-51-0012.

Summary

F.C. Copenhagen requested in its application on 5 April 2024 permission to process sensitive information pursuant to Section 7(4) of the Data Protection Act. The application included the processing of biometric data for the purpose of uniquely identifying a person using automatic facial recognition when holding any event in Parken and for F.C. Copenhagen's away matches at stadiums other than Parken Stadium.

Danish Data Protection Authority approves facial recognition for F.C. Copenhagen matches

After consideration of the case by the Data Council, the Danish Data Protection Authority has – after reviewing the case – granted permission for F.C. Copenhagen to use automatic facial recognition at the club's matches in order to support the enforcement of the rules on club quarantines and general quarantines in connection with football matches.

The technology can thus be used for access control at the entrances to Parken Stadium, at the stadium and at mobile facilities in connection with the holding of F.C. Copenhagen's football matches, including training matches, with the participation of teams from the Super League, 1st and 2nd divisions, as well as at football matches under UEFA auspices.

Impact assessment requirements

The permit states, among other things, that the processing must comply with the rules on the preparation of an impact assessment – including in particular the requirements for the content of an impact assessment. The impact assessment must be carried out before the processing begins.

Furthermore, for the sake of the record, the Danish Data Protection Authority has pointed out that the use of images from surveillance cameras may be covered by Section 4c, subsections 4 and 5 of the TV Surveillance Act.

The permission does not cover international football matches

The Danish Data Protection Authority is currently processing the part of the application that concerns the use of facial recognition in connection with international football matches. The Danish Data Protection Authority has asked F.C. Copenhagen a few supplementary questions on this and expects to make a decision on this part of the application as soon as possible.

For other events that are not football matches, the Danish Data Protection Authority has decided that the processing of biometric data – and thus the use of facial recognition technology – cannot, in the opinion of the Danish Data Protection Authority, be considered necessary for reasons of essential public interest.

Decision

The Danish Data Protection Authority hereby returns to the case in which the law firm Danders & More applied on 5 April 2024 for permission to process sensitive information pursuant to Section 7, subsection 1 of the Data Protection Act. 4, on behalf of F.C. Copenhagen P/S (hereinafter referred to as F.C. Copenhagen).

As a preliminary matter, the Danish Data Protection Authority should note that the Danish Data Protection Authority has today granted F.C. Copenhagen permission pursuant to Section 7(4) of the General Data Protection Regulation to process biometric data using automatic facial recognition at Parken Stadium in connection with F. C. Copenhagen's home matches and F. C. Copenhagen's away matches under certain specified conditions. It appears from the permission in question that it applies to football matches, including training matches, with the participation of teams from the Super League 1st and 2nd divisions, as well as football matches under UEFA auspices. The Danish Data Protection Authority has also sent a supplementary consultation to the law firm Danders & More with a view to finalizing F.C. Copenhagen's application for permission to process biometric data in connection with international football matches.

The Danish Data Protection Authority should note that in this partial decision the term “other events” is used to refer to events that are not covered by the Danish Data Protection Authority’s permit of today (as mentioned immediately above) and that are not international football matches.

1. Decision

After reviewing the case, the Danish Data Protection Authority has – after the case has been submitted to the Data Council – decided that F. C. Copenhagen is not granted permission to process biometric data using automatic facial recognition in connection with the holding of other events at Parken Stadium.

2. Presentation of the case

It appears from F.C. Copenhagen’s application that F.C. Copenhagen is requesting permission to process biometric data - with the purpose of uniquely identifying a natural person using automatic facial recognition - in connection with the holding of any event held at Parken Stadium, including, but not limited to, concerts, international football matches, F.C. Copenhagen’s football matches, other football matches and any other type of event or arrangement.

F.C. Copenhagen has also applied for permission to use automatic facial recognition in connection with F.C. Copenhagen's away matches at stadiums other than Parken Stadion.

F.C. Copenhagen intends to implement a facial recognition system that can perform automatic facial recognition by analyzing and comparing recordings from surveillance cameras with photos of unidentified and identified quarantined persons on 1) F.C. Copenhagen's internal quarantine list and 2) the police's general quarantine list, respectively. The facial recognition system is to be used with a view to increasing security at the stadium.

F.C. Copenhagen has also stated that F.C. Copenhagen is the data controller for the processing of personal data in connection with television surveillance at Parken Stadion at any event at the stadium, as well as for its internal quarantine list and the intended facial recognition system. Furthermore, F.C. Copenhagen has stated that third parties who may have access to the stadium do not, as a rule, use the surveillance for their own purposes and that these third parties are not responsible for the quarantine lists.

2.1. F.C. Copenhagen's comments regarding the necessity of processing biometric data using facial recognition technology at any event held at Parken Stadium

F.C. Copenhagen has stated in its application that no quarantines have yet been issued in connection with the holding of other events. The reason for this is that the focus has previously been on the allocation of quarantines for football matches. In line with the negative development in visitor behavior, F.C. Copenhagen has experienced an increased need to enforce the rules of order for other events in Parken, and thus not only in connection with football matches. With regard to the necessity and proportionality of using facial recognition at any event held at Parken Stadium, F.C. Copenhagen stated in its response to the consultation of 20 August 2024 that:

“According to the Parken Stadium rules of order, F.C. Copenhagen reserves the right to assign quarantine for any event at the stadium, regardless of whether it is

C. Copenhagen matches, national team matches, other public football-related events (exhibitions, open training, fan cups, etc.) or other events (concerts, etc.).

F.C. Copenhagen does not want people who have violated the rules of order or have otherwise committed criminal offences to have access to Parken Stadium at any time.

In order to enforce the rules of order, including the quarantines, it is necessary to use automatic facial recognition in connection with any event at Parken Stadium and not only at football matches, as F.C. Copenhagen has the same challenge with manually identifying for other events. As described above, the desire is that quarantine for any event has a preventive effect.

It is therefore assessed that the use of facial recognition is proportionate to the desired purpose of ensuring peace and order in the stadium at any event, which is sought to be achieved, among other things, by assigning and enforcing quarantines.”

3. Reasons for the Danish Data Protection Authority’s decision

The concept of biometric data is defined according to Article 4, no. 14 of the General Data Protection Regulation as personal data which, as a result of specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, enables or confirms the unique identification of that person, e.g. by means of a facial image or fingerprint information.

According to Article 9, paragraph 1 of the General Data Protection Regulation, there is a prohibition on the processing of sensitive data, including the processing of biometric data for the purpose of uniquely identifying a natural person.

According to paragraph 2 of the provision, the prohibition in paragraph 1 does not apply if one of the circumstances mentioned in letters a-j applies, including: if:

“g) Processing is necessary for reasons of substantial public interest on the basis of Union law or the national law of the Member States and is proportionate to the aim pursued, respects the essence of the right to data protection and ensures suitable and specific measures to protect the fundamental rights and interests of the data subject.”

Article 9(2)(g) of the General Data Protection Regulation cannot be applied directly, but requires that the provision is anchored in national law or in Union law in order for the starting point in Article 9(1) on the prohibition of processing sensitive data to be derogated from.

According to Section 7(4) of the Data Protection Act, sensitive data covered by the prohibition in Article 9(1) of the General Data Protection Regulation may be processed if the processing is necessary for reasons of substantial public interest, cf. Article 9(2)(g). If the processing is carried out by a private data controller, there is a requirement to obtain a permit for this from the Danish Data Protection Authority. The supervisory authority may lay down further terms for the processing.

The special comments on Section 7(4) of the Data Protection Act state the following[1]:

"In Section 4, it is proposed to continue the option in Section 7(7) of the Personal Data Act to process sensitive information with permission from the supervisory authority. Thus, according to the provision, information covered by Article 9(1) of the Data Protection Regulation may be processed if the processing of information is necessary for reasons of substantial public interest, cf. Article 9(2)(g) of the Data Protection Regulation.

[…]

The provision is in the nature of a collection provision and is assumed to have a narrow scope of application. It is a condition for processing under the provision that the Danish Data Protection Authority grants permission for this when the processing is carried out by a private data controller. It is thus left to the Danish Data Protection Authority to assess whether the processing of information in question can be permitted for reasons that can be said to be necessary for reasons of essential public interest.”

After reviewing the case, the Danish Data Protection Authority has assessed that the use of automatic facial recognition – and thus the processing of biometric data – when holding other events at Parken Stadium cannot be considered to be proportionate to the purpose of the processing, and that it is therefore not a processing that, in the Danish Data Protection Authority’s opinion, is necessary for reasons of essential public interest.

The Danish Data Protection Authority has therefore emphasized that the considerations that apply in relation to ensuring peace and order in connection with football matches are not, according to the information, present with regard to the holding of other events in Parken. In this connection, the Danish Data Protection Authority has placed particular emphasis on the fact that the considerations that F.C. Copenhagen has stated as justification for the use of automatic facial recognition are not – according to the information – seen to be based on specific problems with security at events other than the holding of football matches. Furthermore, the Danish Data Protection Authority has placed emphasis on the fact that, according to the information, there has not yet been a basis for issuing a quarantine in connection with the holding of other events at Parken Stadium.

Furthermore, the Danish Data Protection Authority has placed emphasis on the fact that the provision in Section 7(4) of the Data Protection Act has a narrow scope. Thus, there must be compelling reasons if the processing is to be considered necessary for reasons of essential public interest.

It is therefore the Danish Data Protection Authority's assessment that the use of automatic facial recognition - and thus the processing of biometric data - in connection with holding other events at Parken Stadium is not proportionate to the purpose of ensuring peace and order at the stadium during other events.  

[1]   Proposal for Act No. 502 of 23 May 2018, Bill No. 68, FT 2017/2018, special comments on Section 7, subsection 4.

Data Protection Authority

Carl Jacobsens Vej 35
2500 Valby
Tel. 33 19 32 00
dt@datatilsynet.dk

About us

About the Data Protection AuthorityPressHomepagePrivacy PolicyAccessibility Statement

Shortcuts

GDPR GuidanceCall usNewsletterThe National Whistleblower Scheme

Follow us

Data Protection Authority on LinkedIn

New decision

F.C. Copenhagen granted permission to use automatic facial recognition

Date: 18-12-2024

Decision Private companies No criticism Response to inquiry Access control Images and video Television surveillance Processing security Sensitive information

The Danish Data Protection Authority has – following an application from F.C. Copenhagen – granted permission for the club to use facial recognition at F.C. Copenhagen football matches

Journal number: 2024-51-0012.

Summary

F.C. Copenhagen requested in its application on 5 April 2024 permission to process sensitive information in accordance with Section 7(4) of the Data Protection Act. The application included processing of biometric data for the purpose of uniquely identifying a person using automatic facial recognition when holding any event in Parken and for F.C. Copenhagen's away matches at stadiums other than Parken Stadium.

The Danish Data Protection Authority approves facial recognition for F.C. Copenhagen matches

The Danish Data Protection Authority has – after reviewing the case in the Data Council – granted permission for F.C. Copenhagen to use automatic facial recognition at the club's matches in order to support the enforcement of the rules on club quarantines and general quarantines in connection with football matches.

The technology can thus be used for access control at the entrances to Parken Stadium, at the stadium and at mobile facilities in connection with the holding of F.C. Copenhagen's football matches, including training matches, with the participation of teams from the Super League, 1st and 2nd divisions, as well as at football matches under UEFA auspices.

Requirements for impact assessment

The permit states, among other things, that the processing must comply with the rules on the preparation of an impact assessment – including in particular the requirements for the content of an impact assessment. The impact assessment must be carried out before the processing begins.

Furthermore, for the sake of the record, the Danish Data Protection Authority has pointed out that the use of images from surveillance cameras may be covered by Section 4c, subsections 4 and 5 of the TV Surveillance Act.

The permission does not cover international football matches

The Danish Data Protection Authority is currently processing the part of the application that concerns the use of facial recognition in connection with international football matches. The Danish Data Protection Authority has asked F.C. Copenhagen a few supplementary questions on this and expects to make a decision on this part of the application as soon as possible.

For other events that are not football matches, the Danish Data Protection Authority has decided that the processing of biometric data – and thus the use of facial recognition technology – cannot, in the opinion of the Danish Data Protection Authority, be considered necessary for reasons of essential public interest.

Decision

The Danish Data Protection Authority hereby returns to the case in which the law firm Danders & More applied on 5 April 2024 for permission to process sensitive information pursuant to Section 7, subsection 1 of the Data Protection Act. 4, on behalf of F.C. Copenhagen P/S (hereinafter referred to as F.C. Copenhagen).

As a preliminary matter, the Danish Data Protection Authority should note that the Danish Data Protection Authority has today granted F.C. Copenhagen permission pursuant to Section 7(4) of the General Data Protection Regulation to process biometric data using automatic facial recognition at Parken Stadium in connection with F. C. Copenhagen's home matches and F. C. Copenhagen's away matches under certain specified conditions. It appears from the permission in question that it applies to football matches, including training matches, with the participation of teams from the Super League 1st and 2nd divisions, as well as football matches under UEFA auspices. The Danish Data Protection Authority has also sent a supplementary consultation to the law firm Danders & More with a view to finalizing F.C. Copenhagen's application for permission to process biometric data in connection with international football matches.

The Danish Data Protection Authority should note that in this partial decision the term “other events” is used to refer to events that are not covered by the Danish Data Protection Authority’s permit of today (as mentioned immediately above) and that are not international football matches.

1. Decision

After reviewing the case, the Danish Data Protection Authority has – after the case has been submitted to the Data Council – decided that F. C. Copenhagen is not granted permission to process biometric data using automatic facial recognition in connection with the holding of other events at Parken Stadium.

2. Presentation of the case

It appears from F.C. Copenhagen’s application that F.C. Copenhagen is requesting permission to process biometric data - with the purpose of uniquely identifying a natural person using automatic facial recognition - in connection with the holding of any event held at Parken Stadium, including, but not limited to, concerts, international football matches, F.C. Copenhagen’s football matches, other football matches and any other type of event or arrangement.

F.C. Copenhagen has also applied for permission to use automatic facial recognition in connection with F.C. Copenhagen's away matches at stadiums other than Parken Stadion.

F.C. Copenhagen intends to implement a facial recognition system that can perform automatic facial recognition by analyzing and comparing recordings from surveillance cameras with photos of unidentified and identified quarantined persons on 1) F.C. Copenhagen's internal quarantine list and 2) the police's general quarantine list, respectively. The facial recognition system is to be used with a view to increasing security at the stadium.

F.C. Copenhagen has also stated that F.C. Copenhagen is the data controller for the processing of personal data in connection with television surveillance at Parken Stadion at any event at the stadium, as well as for its internal quarantine list and the intended facial recognition system. Furthermore, F.C. Copenhagen has stated that third parties who may have access to the stadium do not, as a rule, use the surveillance for their own purposes and that these third parties are not responsible for the quarantine lists.

2.1. F.C. Copenhagen's comments regarding the necessity of processing biometric data using facial recognition technology at any event held at Parken Stadium

F.C. Copenhagen has stated in its application that no quarantines have yet been issued in connection with the holding of other events. The reason for this is that the focus has previously been on the allocation of quarantines for football matches. In line with the negative development in visitor behavior, F.C. Copenhagen has experienced an increased need to enforce the rules of order for other events in Parken, and thus not only in connection with football matches. With regard to the necessity and proportionality of using facial recognition at any event held at Parken Stadium, F.C. Copenhagen stated in its consultation response of 20 August 2024 that:

"According to the Parken Stadium rules of order, F.C. Copenhagen reserves the right to assign quarantine for any event at the stadium, regardless of whether it is

C. Copenhagen matches, national team matches, other public football-related events (exhibitions, open training, fan cups, etc.) or other events (concerts, etc.).

F.C. Copenhagen does not want persons who have violated the rules of order or have otherwise committed criminal offences to have access to Parken Stadium at any time.

In order to enforce the rules of order, including the quarantines, it is necessary to use automatic facial recognition in connection with any event at Parken Stadium and not only at football matches, as F.C. Copenhagen has the same challenge with manually identifying for other events. As described above, the desire is that quarantine for any event has a preventive effect.

It is therefore assessed that the use of facial recognition is proportionate to the desired purpose of ensuring peace and order in the stadium at any event, which is sought to be achieved, among other things, by assigning and enforcing quarantines.”

3. Reasons for the Danish Data Protection Authority’s decision

The concept of biometric data is defined according to Article 4, no. 14 of the General Data Protection Regulation as personal data which, as a result of specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, enables or confirms the unique identification of that person, e.g. by means of a facial image or fingerprint information.

According to Article 9, paragraph 1 of the General Data Protection Regulation, there is a prohibition on the processing of sensitive data, including the processing of biometric data for the purpose of uniquely identifying a natural person.

According to paragraph 2 of the provision, the prohibition in paragraph 1 does not apply if one of the circumstances mentioned in letters a-j applies, including: if:

“g) Processing is necessary for reasons of substantial public interest on the basis of Union law or the national law of the Member States and is proportionate to the aim pursued, respects the essence of the right to data protection and ensures suitable and specific measures to protect the fundamental rights and interests of the data subject.”

Article 9(2)(g) of the General Data Protection Regulation cannot be applied directly, but requires that the provision is anchored in national law or in Union law in order for the starting point in Article 9(1) on the prohibition of processing sensitive data to be derogated from.

According to Section 7(4) of the Data Protection Act, sensitive data covered by the prohibition in Article 9(1) of the General Data Protection Regulation may be processed if the processing is necessary for reasons of substantial public interest, cf. Article 9(2)(g). If the processing is carried out by a private data controller, there is a requirement to obtain a permit for this from the Danish Data Protection Authority. The supervisory authority may lay down further terms for the processing.

The special comments on Section 7(4) of the Data Protection Act state the following[1]:

"In Section 4, it is proposed to continue the option in Section 7(7) of the Personal Data Act for sensitive information to be processed with permission from the supervisory authority. Thus, according to the provision, information covered by Article 9(1) of the Data Protection Regulation may be processed if the processing of information is necessary for reasons of substantial public interest, cf. Article 9(2)(g) of the Data Protection Regulation.

[…]

The provision is in the nature of a collection provision and is assumed to have a narrow scope. It is a condition for processing under the provision that the Danish Data Protection Authority grants permission for this when the processing is carried out by a private data controller. It is thus left to the supervisory authority to assess whether the processing of information in question can be permitted for reasons that can be said to be necessary for reasons of essential public interest.”

After reviewing the case, the Danish Data Protection Authority has assessed that the use of automatic facial recognition – and thus the processing of biometric data – when holding other events at Parken Stadium cannot be considered to be proportionate to the purpose of the processing, and that it is therefore not a processing that, in the opinion of the Danish Data Protection Authority, is necessary for reasons of essential public interest.

The Danish Data Protection Authority has hereby emphasized that the considerations that apply in relation to ensuring peace and order in connection with football matches are not, according to the information, present with regard to holding other events at Parken. In this connection, the Danish Data Protection Authority has placed particular emphasis on the fact that the considerations that F.C. Copenhagen has stated as justification for the use of automatic facial recognition, that it is not – according to the information – seen to be based on specific problems with the security of events other than football matches. Furthermore, the Danish Data Protection Authority has emphasized that, according to the information, there has not yet been a basis for issuing a quarantine in connection with the holding of other events at Parken Stadium.

Furthermore, the Danish Data Protection Authority has emphasized that the provision in Section 7(4) of the Data Protection Act has a narrow scope of application. Thus, there must be compelling reasons if the processing is to be considered necessary for reasons of essential public interest.

It is therefore the Danish Data Protection Authority's assessment that the use of automatic facial recognition – and thus the processing of biometric data – in connection with the holding of other events at Parken Stadium is not proportionate to the purpose of ensuring peace and order at the stadium during other events.  

[1]   Bill no. 502 of 23 May 2018, Bill no. 68, FT 2017/2018, special comments on section 7, subsection 4.