Biometric and facial recognition systems became widespread as a means of access control for workplaces and other facilities, among other uses, because they simplified this kind of management for users, who no longer needed to carry a separate element or token, such as a card or ID card, to verify their identity.
For some time now, however, the supervisory authorities, and the AEPD in particular, have established criteria that call the legality of this type of system into question under data protection regulations, on the grounds that the processing activity would not pass the proportionality tests.
AEPD sanction against La Liga
Was your facial recognition for access control compliant?
The AEPD sanctions La Liga with a fine of €1,000,000 for the implementation of facial recognition systems in stadiums to control fans' access to matches.
The AEPD has recently sanctioned La Liga for defects in compliance with personal data protection regulations in the implementation of facial recognition systems to control fans' access to soccer stadiums, and in particular for having required soccer clubs to implement such systems through its General Regulations. According to the AEPD, the sanction arises because the systems implemented had not been subjected to the mandatory risk management process, and more specifically to the Impact Assessments that Article 35 GDPR requires for the processing carried out by this type of system, so the security measures implemented were not in accordance with the risks that the processing operations posed to rights and freedoms.
In addition, the AEPD assesses other aspects of the processing and its legitimacy. It concludes that, even if these processing operations were based on the consent of the data subject, that consent would not be considered free, since the consequence of withholding it would be denial of access to the stadium.
As for the proportionality of the processing, the supervisory authority considers that it would not be proportional in terms of necessity, since there are other less restrictive alternatives capable of fulfilling the objectives of these systems, such as requesting ID cards and nominal subscriptions.
La Liga, for its part, alleges in its defense that the implementation of such systems had been authorized by the State Commission against Violence, Racism, Xenophobia and Intolerance in Sport (CEVRXID) and that the procedure had the endorsement of the Superior Council of Sports (CSD). In the eyes of the AEPD, this does not exempt La Liga from its responsibility as promoter of the implementation of these systems without the adoption of adequate safeguards. By virtue of all the above, the AEPD concludes by sanctioning La Liga with a fine of €1,000,000 for breach of Article 35 GDPR, in addition to requiring the temporary or definitive suspension of these personal data processing operations until they comply with data protection regulations and the Impact Assessment regarding the rights and freedoms of the data subjects is carried out.