HomeIco

Home

 InternalIco

Internal

 GlobalIco

Global

 ContattoIco

Contatto
it

Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.
Temi AEPD sides with football fans and hinders the use of facial recognition technology in stadiums

AEPD sides with football fans and hinders the use of facial recognition technology in stadiums

PrintMailRate-it

published on 24 January 2024 | reading time approx. 4 minutes


The Spanish Data Protection Authority (the ‘Authority’ or ‘AEPD’, for its acronym in Spanish) has issued a warning about the possible unlawfulness of using facial recognition systems to control access to stadiums. The implementation of this technology is hard to justify when there are alternative measures that are less intrusive to fundamental rights. Last year, the AEPD already limited the use of similar technology (fingerprint recognition) to control access to football stadiums, workplaces and other facilities.  


Earlier this month, the AEPD issued a warning addressed to the Spanish Professional Football League —hereinafter, the ‘League’—, in light of a tender that was published to contract a facial recognition system to control access to football stadiums. The League had published this tender in the context of recent verbal aggressions by fans on football players, and growing concerns about how to ensure security in sports stadiums.

To understand why the Authority has warned the League, it must be explained that facial recognition technologies use biometric data (as they use facial images). Biometric data relate to unique characteristics of individuals, which allow to identify or confirm their identity. 

The inherent uniqueness of biometric data heightens the need for special protection, thus, their processing is prohibited under Article 9 of the General Data Protection Regulation (hereinafter, ‘GDPR’) unless certain legal requirements are met. 

In essence, in its warning the AEPD reminds the League of these considerations, outlines the legal requirements that it must comply with before using facial recognition (mandatory data protection impact assessment, and legitimate legal reasons to lift prohibition and to process biometric data), and goes on to analyse these requirements. 

In line with its conclusions in past reports on access controls, the AEPD severely hinders the use of biometric systems in its analysis. The Authority questions whether such a measure would pass the mandatory impact assessment, as it can not be understood as ‘necessary’ while there are less intrusive alternatives, such as confirming identity by asking for the national identity document. 

The fact that the less intrusive alternatives can result in being more costly or slower is not a valid argument to reject them. The Authority is clear, fundamental data protection rights of football fans come first, and this argument would only prove that the biometric system is more convenient for the League, and not more necessary for improving security. 

Last, on a personal note, even if the biometric system were to pass the impact assessment (which seems difficult given the considerations of the Authority), the only legitimate reason of Article 9 of the GDPR that could be recalled in this context to lift the prohibition of processing biometric data is explicit consent. The current Spanish legislation does not contain specific provisions that allow for other reasons to be applied, such as substantial public interest. 

And even collecting this explicit consent could be difficult if the only alternative provided by the League were the inability to attend the match. Consent, to be valid, must be freely given. It is questionable whether consent is freely given if the objection to it entails a negative consequence such as not being able to attend any professional football league match. 

On the other hand, if the League were to provide a real, valid and less intrusive alternative to the use of biometric systems, the consent to this system by fans would be freely given and valid, but the system itself would not pass the impact assessment, as it would no longer be considered necessary. 

It will be interesting to see which steps will be taken by the League, and if considerations about the balance between data protection rights and security in sports will be followed.  

DATA PROTECTION BITES
Read all releases »

author

Contact Person Picture

Julieta Staschewski

+34 91 5359 977

Invia richiesta

Contact Person Picture

Jorge Cabet

Abogado, Data Protection Department Spain

Senior Associate

+34 91 5359 977

Invia richiesta

RÖDL & PARTNER SPAIN
​​Discover more about our offices in Spain. Read more »
Skip Ribbon Commands
Skip to main content
Deutschland Weltweit Search Menu