The Spanish Data Protection Agency (“AEPD”) has imposed a penalty of €200,000 on Burgos Club de Fútbol, S.A.D. (Burgos Football Club) for using a biometric data system to control access to seating at the Club’s stadium, a measure promoted under the Regulations of the Spanish Football League (“LALIGA”) and supported by the Spanish Commission to Combat Violence, Racism, Xenophobia and Intolerance in Sport (“CERXID”).

The Club began using biometric fingerprint recognition as a compulsory system for gaining access to a specific section of its stadium on 4 November 2022. Later, on 16 February 2023, it carried out a Data Protection Impact Assessment of the system and, as a consequence of the results of this assessment, announced that the biometric fingerprint recognition system would no longer be mandatory in order to gain access, though it would remain as a voluntary option.

The processing of biometric data, given their special, high-risk nature, is prohibited at a general level unless one of the legal exceptions applies, there is a legitimate basis for processing, and the data minimisation principle is complied with.

Firstly, according to the AEPD, it has not been demonstrated that, before February 2023, processing was covered by a valid legal exception, since the Club itself acknowledges that the exception that it originally claimed (compliance with a legal obligation) did not justify the introduction of biometric data processing. It was for this reason that the legitimate legal basis for processing was changed in February 2023 from that of compliance with a legal obligation to that of the express consent of the data subject.

In addition, the data controller is under an obligation to carry out an impact assessment that must justify the appropriateness, necessity and proportionality of the biometric control system with regard to the rights and freedoms of data subjects. The Club did not carry out this assessment until three months after it had implemented its biometric system. Furthermore, even following the completion of this assessment, the AEPD found that the Club had not been able to demonstrate that the processing of these biometric data was necessary, appropriate and proportionate for the purpose of controlling access to the seating in its stadium. According to the AEPD, the Club had introduced this system when it already had an identification or identity authentication system that was much less intrusive and served the same purpose.

Other critical issues for which the football club was penalised were the processing of the biometric data of people younger than 14 years of age without obtaining proper consent from their parents or guardians, and the failure to provide the proper information to their season ticket holders regarding the gathering of data. Both of these represent a breach of the Regulations.

In this regard, it is important to mention that the Spanish Supreme Court recently annulled a fine imposed by the AEPD on LALIGA (Judgement 1263/2024 of 15 July 2024). The Court argued that, especially in cases in which there is no precedent and the company has made an interpretation that may or may not be mistaken, the AEPD must first issue an order requiring correction of the behaviour in question and establish guidelines before imposing a penalty for a breach of rules that have not been previously defined. This ruling underlines the importance of clarity and communication when applying the rules governing data protection.

In conclusion, both the case of Burgos Football Club and that of LALIGA underline the need for organisations that use biometric data processing systems to carry out, review and update their Data Protection Impact Assessments following publication of the AEPD Guide. It is also essential that the AEPD provide clear guidelines and, where necessary, that it issue orders requiring correction prior to imposing penalties, thus ensuring the correct interpretation of and compliance with the regulations governing data protection.