Latest considerations on the use of biometric data of the Spanish Data Protection Authority

In order to understand this approach, certain considerations must be analyzed, since the fingerprint is a biometric data, resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person. 

Biometrics is mainly used for two functions: identification, which makes it possible to locate a person within a group by cross-referencing with a database, and biometrical authentication, which makes it possible to confirm a person's identity.  

Biometric data are not always treated as special categories of personal data, but only constitute a special category of data if they are subject to specific technical processing aimed at uniquely identifying a natural person. 

For the processing of such data, reference must be made to Article 9 of the GDPR, which prohibits the processing of special categories of personal data, unless there is a legitimate basis. 

The use of biometrics makes it necessary to examine whether it is proportionate to use biometric data for stadium access. For example, should we request data on fans who have a history of involvement in fights? 

In this regard, reference should be made to Report 368/2006, on the proportionality of the processing of the fingerprint of school students. 

The AEPD understands that "it is disproportionate and therefore contrary to the provisions of Article 4.1 of the Organic Law 15/1999, the use of the fingerprint as a means to control access to students to the school and such purpose can be achieved, no doubt, in a less intrusive way in relation to the rights of students".

The AEPD opposes the plan proposed by the State Commission against Violence, Racism, Xenophobia and Intolerance, which sought to establish measures for soccer clubs to install biometric systems for the control of access to the stands that would allow the univocal identification of fans accessing the stands. 

The Commission confirmed that this plan would be based on the competence legally attributed by article 13. 1 of Law 19/2007, of July 11, 2007, against violence, racism, xenophobia and intolerance in sport, which authorizes it to implement additional security measures for sporting events considered to be high risk.

Within the framework of this law, systems for verifying the identity of persons seeking access to sports venues are promoted. The Anti-Violence Commission argued that processing personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

However, the AEPD has declared that this use of biometric systems to univocally identify people who access to the stands violates data protection regulations. The AEPD alleges that facial recognition systems are highly intrusive identification systems for the fundamental rights and freedoms of citizens. 

An access control, with no other alternative than biometrics that is mandatory for the user, is not allowed. Furthermore, the AEPD alleges that the law does not include the possibility that these systems may involve the processing of biometric data, nor does it establish adequate guarantees to safeguard the fundamental right to protection of personal data. Therefore, there is no legal rule enabling the processing of personal data.

A biometric authentication system could be used to control access only if fans are free to choose if they want to use this system. This implies that, in order for consent to be free, an alternative should be offered for people who do not want to submit to fingerprinting because of their personal circumstances, such as identification through the ID card to access the stands.

In this regard, there are several drawbacks. Firstly, the proportionality principle of Article 5.1.c of the GDPR, which implies that personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed", must be taken into account. 

Thus, the next question must be solved: Is it proportionate to process data on fans who have previously been involved in fights? In this sense, it could be understood that fingerprint identification is too invasive and does not comply with the principle of proportionality. 

Moreover, it is necessary to designate a person responsible for identification of fans at the stadium, so it would be necessary to specify whether this task would fall to the soccer club itself or to the authorities. 

The AEPD rules that the use of identification controls by clubs for access to stadiums constitutes a very intrusive treatment in the lives of citizens and, therefore, the use of this control must be voluntary on the part of the fans, based on free and explicit consent. However, consent cannot be freely obtained, since no valid alternative is presented and the acceptance of biometric controls is a requirement for access to the stadium. 

Therefore, instead of using consent as a legal basis, a legitimate interest of the data controller could be invoked, and the need to maintain security in the stadium could be weighed against the fundamental rights and freedoms of the fans. 

In this case, the controller must demonstrate that its interest objectively outweighs the right of the data subjects not to be enrolled in a biometric system. For security reasons, it may be required to accurately verify the persons who have access to the premises and therefore, it is not necessary to obtain their consent. 

In addition, the fingerprint system is not effective for some groups, since certain personal circumstances of the individuals concerned may prevent its use and the system may be widely considered discriminatory. For example, people who lack fingerprints due to a dermatological disease or a finger injury would be discriminated against when accessing the premises. 

Therefore, before using biometric data as a measure to control access, it is necessary to assess whether there is a less intrusive but effective method to control access, such as the use of a personal ID card with a photo of the person concerned, which is not transferable to another person.