LaLiga fined €1M for using biometric data for stadium access

The Agencia Española de Protección de Datos (AEPD) has imposed a fine of €1 million on LaLiga for using biometric data for access to soccer stadiums.
A handful of Spanish soccer fans filed complaints against LaLiga in November 2022 and March 2023 when the Spanish top soccer division mandated that soccer stadiums had to implement biometric identification for fans to enter sections of the football arena.
The complainants argued that the use of facial recognition and fingerprint scanning was disproportionate and that alternative methods could be used to identify soccer fans, such as ID verification.
The Spanish data protection authority (DPA) launched an investigation into the matter. The AEPD has concluded that biometric data collection has no solid legal basis. The National Professional Football League (LNFP) argued that soccer fans voluntarily agreed to the collection of their biometric data, and that other alternatives were available for fans who refused biometric registration.
However, according to the AEPD, biometric data is considered sensitive data. Therefore, consent isn’t sufficient to collect and use facial recognition or fingerprint scanning. In addition, the use of biometric data doesn’t meet the proportionality requirements, because alternative security measures exist.
Furthermore, the Spanish DPA found that LaLiga was the data controller, contrary to what the soccer league itself claimed. LaLiga argued that each soccer club should be considered a data controller. However, the Spanish privacy regulator pointed to the obligation imposed by LaLiga and the access system it offered clubs.
Lastly, the AEPD pointed out that LaLiga should have carried out a Data Protection Impact Assessment (DPIA) before implementing a system of biometric identification. A DPIA identifies possible security and privacy risks in processing data so countermeasures can be taken to reduce the impact of these risks.
Because of the extent of the data processing and the sensitive nature of biometric data, the AEPD decided to impose a fine of €1 million.
Additionally, the Spanish DPA ordered LaLiga to stop the processing of biometric data until a DPIA has been conducted, in which the soccer league has to assess the necessity and proportionality of the processing. In the meantime, the LNFP and soccer clubs have to find alternative ways to manage stadium security and ensure compliance with data protection regulations.
LaLiga has indicated it will appeal the fine.