Spanish watchdog fines LaLiga €1M for biometric data misuse

The Spanish Data Protection Agency (AEPD) has imposed a one-million-euro sanction on LaLiga for the improper use of biometric recognition systems in access to the stands of football stadiums. The violation is classified as serious under the General Data Protection Regulation (GDPR).

Furthermore, “to safeguard the fundamental right of season ticket holders to the animation stands,” the AEPD orders LaLiga to “temporarily or definitively limit the processing” with the biometric recognition system for access to the animation stands of the clubs and Public Limited Sports Companies (SAD) affiliated with LaLiga, as long as it does not carry out and pass a valid data protection impact assessment of the processing.

Animation stands are louder than normal ones. They are designated areas in football stadiums where the most passionate fans gather and are known for loud chants, coordinated cheering, and visual displays. These areas can also be more prone to chaos and incidents. In response, LaLiga implemented biometric recognition for fan identification, a measure now deemed illegal.

Mandatory mismanagement of personal data?

LaLiga obliged the clubs to use biometric data recognition in animation stands, according to data lawyer Jorge García Herrero. He highlights that “this system was implemented without guaranteeing the rights and freedoms of season ticket holders.”

Moreover, the AEPD claims that normal identification of fans through tickets and national identification documents would have been sufficient. LaLiga claimed that its use of biometric systems was backed by the Superior Council of Sports and the State Commission Against Violence, Racism, Xenophobia, and Intolerance in Sport. However, the AEPD argued that this support did not exempt LaLiga from its responsibility to properly handle personal data.

Risk to the rights and freedoms of fans

According to the AEPD, LaLiga should have carried out a data assessment. Such an assessment must have examined “the necessity, suitability, and proportionality of the processing.”

Furthermore, it should have considered “the risks to the rights and freedoms of the data subjects, and the technical and organizational measures of all kinds that are appropriate and adequate guarantees for the processing, or even if carried out, it would need to include the consultation provision established in Article 36 of the GDPR.”

“To this effect, it must inform its Associates (Clubs and SAD) of the definitive suspension of biometric data processing insofar as a Data Protection Impact Assessment (DPIA) that addresses the specific access regime to the animation stands with biometric data is not executed and passed, with the mandatory content established in the regulations governing it,” the data watchdog adds.

The case dates back to several complaints filed with the Agency in 2022 and 2023, when alerts were raised about the use of access control mechanisms to football stadiums based on biometric data.

In related news, this is not the only court case where LaLiga has taken centre stage. Armed with a judicial ruling from December 2024, LaLiga has instructed internet service providers (ISPs) to implement dynamic blocks on IP addresses linked to unauthorised streams. However, Cloudflare argues that collateral damage is a reality, with many of its clients experiencing outages during peak match times.

Marc Cervera is a freelance journalist based in Barcelona, Spain, with over four years of experience contributing to leading Spanish and international media outlets. He holds a double degree in Journalism and Political Science from Universitat Abat Oliba and an MA in Political Science from the University of Essex. Marc has lived in the US, UK, Spain, and the Netherlands, and his work primarily explores economics, innovation, and politics.