AEPD (Spain) - EXP202213792: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202213792 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00483-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...")
 
mNo edit summary
Line 87: Line 87:


=== Holding ===
=== Holding ===
The AEPD found that the controller violated Articles 5(1)(c), 8, 9, 13 and 35 GDPR.
The AEPD recommended sanction proceedings against the controller, finding likely violations of [[Article 5 GDPR#1c|Article 5(1)(c)]], [[Article 8 GDPR|8]], [[Article 9 GDPR|9]], [[Article 13 GDPR|13]] and [[Article 35 GDPR|35 GDPR]].


Article 35 GPDR requires that a data protection impact assessment take place prior to the processing of high-risk data, which biometric data is always considered to be pursuant to [[Article 35 GDPR#4|Article 35(4) GDPR]]. The AEPD noted that while the controller provided a data protection impact assessment dated 15 February 2023, the processing was initiated on 4 November 2022. The assessment thus took place months after the processing occurred, indicating that for over 3 months biometric data was being processed in violation of [[Article 35 GDPR|Article 35 GDPR]]. The AEPD thus determined that the controller violated [[Article 35 GDPR|Article 35 GDPR]].  
Article 35 GPDR requires that a data protection impact assessment take place prior to the processing of high-risk data, which biometric data is always considered to be pursuant to [[Article 35 GDPR#4|Article 35(4) GDPR]]. The AEPD noted that while the controller provided a data protection impact assessment dated 15 February 2023, the processing was initiated on 4 November 2022. The assessment thus took place months after the processing occurred, indicating that for over 3 months biometric data was being processed in violation of [[Article 35 GDPR|Article 35 GDPR]]. The AEPD thus determined that the controller violated [[Article 35 GDPR|Article 35 GDPR]].  


Second, the AEPD found that the controller also lacked a legal basis to process the biometric data as it had not triggered an exception under [[Article 9 GDPR#2|Article 9(2) GDPR]]. Prior to 15 February 2023, the controller indicated that the processing was required to fulfill a legal obligation, establishing a legal basis for processing under Articles 6(1)(c) and 9(2)(b) and (g) GDPR. In light of the AEPD’s opinion on 98/22, the controller changed its legal basis after 15 February 2023 to consent pursuant to Articles 6(1)(a) and 9(2)(a) GDPR. The controller did not dispute that the processing of data prior to 15 February 2023 lacked a legal basis.   
Second, the AEPD found that the controller also lacked a legal basis to process the biometric data as it had not triggered an exception under [[Article 9 GDPR#2|Article 9(2) GDPR]]. Prior to 15 February 2023, the controller indicated that the processing was required to fulfill a legal obligation, establishing a legal basis for processing under [[Article 6 GDPR#1c|Articles 6(1)(c)]] and [[Article 9 GDPR#2b|9(2)(b)]] and [[Article 9 GDPR#2g|9(2)(g) GDPR]]. In light of the AEPD’s opinion on 98/22, the controller changed its legal basis after 15 February 2023 to consent pursuant to [[Article 6 GDPR#1a|Articles 6(1)(a)]] and [[Article 9 GDPR#2a|9(2)(a) GDPR]]. The controller did not dispute that the processing of data prior to 15 February 2023 lacked a legal basis.   


Third, the AEPD found that the processing both prior to and after 15 February 2023 violated data minimisation principles. It noted that the classification as a special category of data requires special caution in addition to Article 5(1)(c)'s obligations. Pursuant to [[Article 35 GDPR#7|Article 35(7) GDPR]](b), controllers must also analyse the necessity, suitability and proportionality of processing prior to processing special categories of data. The AEPD emphasises this jurisprudence-based analysis, which it calls the triple judgment of proportionality. Whether other non-biometric options exist which serve the same purpose, it notes, it is not necessary to process special categories of data and doing so violates the GDPR. In this case, processing was neither necessary nor proportional because the security purposes could have been served by the previous ID-review system. The AEPD rejected the controller’s argument that that the biometric data system was more efficacious because it was more reliable, finding the claim unsupported. The AEPD also stated that the State Commission’s order to establish the fingerprinting system imposed an obligation was insufficient to justify a system as suitable, necessary or proportionate. To establish necessity, a system must be supported by tests that describe the problem and efficacy of the measures adopted. These shortcomings constituted a violation of Article 5(1)(c).  
Third, the AEPD found that the processing both prior to and after 15 February 2023 violated data minimisation principles. It noted that the classification as a special category of data requires special caution in addition to [[Article 5 GDPR#1c|Article 5(1)(c) GDPR']]<nowiki/>s obligations. Pursuant to [[Article 35 GDPR#7|Article 35(7) GDPR]](b), controllers must also analyse the necessity, suitability and proportionality of processing prior to processing special categories of data. The AEPD emphasises this jurisprudence-based analysis, which it calls the triple judgment of proportionality. Whether other non-biometric options exist which serve the same purpose, it notes, it is not necessary to process special categories of data and doing so violates the GDPR. In this case, processing was neither necessary nor proportional because the security purposes could have been served by the previous ID-review system. The AEPD rejected the controller’s argument that that the biometric data system was more efficacious because it was more reliable, finding the claim unsupported. The AEPD also stated that the State Commission’s order to establish the fingerprinting system imposed an obligation was insufficient to justify a system as suitable, necessary or proportionate. To establish necessity, a system must be supported by tests that describe the problem and efficacy of the measures adopted. These shortcomings constituted a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]].  


In addition, the controller was found to be in violation of [[Article 8 GDPR|Article 8 GDPR]] both prior to and after 15 February 2023 because it permitted minors to use biometric data to enter the cheering stands without establishing a minimum age.  
In addition, the controller was found to be in violation of [[Article 8 GDPR|Article 8 GDPR]] both prior to and after 15 February 2023 because it permitted minors to use biometric data to enter the cheering stands without establishing a minimum age.  


Finally, the AEPD held that controller failed to comply with informational obligations under [[Article 13 GDPR|Article 13 GDPR]] in its processing prior to 15 February 2023. The controller's informational documents indicated that it was necessary for data subjects to agree to biometric processing in order to gain entry into the cheering stands. Given that, as discussed previously, there was no legal basis for the processing of the data prior to 15 February 2023, the AEPD found that the inaccurate statement of legal obligation constituted a failure to adequately inform data subjects of the processing of their data and was thus a violation of [[Article 13 GDPR|Article 13 GDPR]].
Finally, the AEPD held that controller failed to comply with informational obligations under [[Article 13 GDPR|Article 13 GDPR]] in its processing prior to 15 February 2023. The controller's informational documents indicated that it was necessary for data subjects to agree to biometric processing in order to gain entry into the cheering stands. Given that, as discussed previously, there was no legal basis for the processing of the data prior to 15 February 2023, the AEPD found that the inaccurate statement of legal obligation constituted a failure to adequately inform data subjects of the processing of their data and was thus a violation of [[Article 13 GDPR|Article 13 GDPR]].
Given these violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of € 200,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.


== Comment ==
== Comment ==

Revision as of 11:57, 7 May 2024

AEPD - EXP202213792
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 8 GDPR
Article 9 GDPR
Article 13 GDPR
Article 35 GDPR
Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
Type: Complaint
Outcome: Upheld
Started: 04.11.2022
Decided: 09.04.2024
Published:
Fine: 120,000 EUR
Parties: Burgos Club de Fútbol, S.A.D.
National Case Number/Name: EXP202213792
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a football club €200,000 for lacking a legal basis to process fingerprint data and violating obligations of necessity and proportionality. The controller acknowledged its fault and paid a reduced fine of €120,000 in accordance with national law.

English Summary

Facts

On 4 November 2022, the Burgos Club de Fútbol, S.A.D. (the controller) implemented a biometric data collection system which required the approximately 700 members of the cheering stands to provide their fingerprints in order to gain entry. The biometric processing was imposed due to an agreement adopted by the State Commission against violence, racism, xenophobia and intolerance in sports, which obligated such a system. The system, which was distributed to football clubs by the Spanish Football League (La Liga), collected data subjects’ names, national identification card numbers, system identification numbers, and fingerprint patterns. It replaced the previous entry system, which allowed entry after verifying identification cards.

The controller published a communication concerning the system and its basis on the State Commission's agreement on its website on November 4, 2022. The system was first used during a game on 8 December 2022. This was mandatory in order to enter the cheering stands. The system did not set a minimum age, permitting the collection of biometric data from any minors whose parents or guardians consented.

On 4 and 7 November 2022, complaints were filed with the Spanish DPA (AEPD) arguing that the biometric control was excessive and failed to adequately inform data subjects.

On 15 February 2023, the controller ceased the mandatory collection of biometric data and instead gave data subjects the option of entering with their ID cards or with fingerprints. On 19 February 2023, the controller notified members of the change in policy and implemented the change at a football game. On the same day, the controller received a copy of Dictamen 98/22, initially circulated to La Liga, in which the AEPD declared that the State Commission's biometric processing obligations did not conform with the GDPR.

The controller identified itself as the controller for the biometric data obtained to access the cheering stands. It stated its purpose for processing was fulfilling the requirements established by the State Commission aiming towards violence prevention, and argued that this system was more efficacious and reliable than the use of ID cards. No copy was provided of the alleged protocol in case of security breaches. The controller expressed that there is no specific measure being applied, but that it instead plans for future measures given that currently no new biometric data is being captured.

Holding

The AEPD recommended sanction proceedings against the controller, finding likely violations of Article 5(1)(c), 8, 9, 13 and 35 GDPR.

Article 35 GPDR requires that a data protection impact assessment take place prior to the processing of high-risk data, which biometric data is always considered to be pursuant to Article 35(4) GDPR. The AEPD noted that while the controller provided a data protection impact assessment dated 15 February 2023, the processing was initiated on 4 November 2022. The assessment thus took place months after the processing occurred, indicating that for over 3 months biometric data was being processed in violation of Article 35 GDPR. The AEPD thus determined that the controller violated Article 35 GDPR.

Second, the AEPD found that the controller also lacked a legal basis to process the biometric data as it had not triggered an exception under Article 9(2) GDPR. Prior to 15 February 2023, the controller indicated that the processing was required to fulfill a legal obligation, establishing a legal basis for processing under Articles 6(1)(c) and 9(2)(b) and 9(2)(g) GDPR. In light of the AEPD’s opinion on 98/22, the controller changed its legal basis after 15 February 2023 to consent pursuant to Articles 6(1)(a) and 9(2)(a) GDPR. The controller did not dispute that the processing of data prior to 15 February 2023 lacked a legal basis.

Third, the AEPD found that the processing both prior to and after 15 February 2023 violated data minimisation principles. It noted that the classification as a special category of data requires special caution in addition to Article 5(1)(c) GDPR's obligations. Pursuant to Article 35(7) GDPR(b), controllers must also analyse the necessity, suitability and proportionality of processing prior to processing special categories of data. The AEPD emphasises this jurisprudence-based analysis, which it calls the triple judgment of proportionality. Whether other non-biometric options exist which serve the same purpose, it notes, it is not necessary to process special categories of data and doing so violates the GDPR. In this case, processing was neither necessary nor proportional because the security purposes could have been served by the previous ID-review system. The AEPD rejected the controller’s argument that that the biometric data system was more efficacious because it was more reliable, finding the claim unsupported. The AEPD also stated that the State Commission’s order to establish the fingerprinting system imposed an obligation was insufficient to justify a system as suitable, necessary or proportionate. To establish necessity, a system must be supported by tests that describe the problem and efficacy of the measures adopted. These shortcomings constituted a violation of Article 5(1)(c) GDPR.

In addition, the controller was found to be in violation of Article 8 GDPR both prior to and after 15 February 2023 because it permitted minors to use biometric data to enter the cheering stands without establishing a minimum age.

Finally, the AEPD held that controller failed to comply with informational obligations under Article 13 GDPR in its processing prior to 15 February 2023. The controller's informational documents indicated that it was necessary for data subjects to agree to biometric processing in order to gain entry into the cheering stands. Given that, as discussed previously, there was no legal basis for the processing of the data prior to 15 February 2023, the AEPD found that the inaccurate statement of legal obligation constituted a failure to adequately inform data subjects of the processing of their data and was thus a violation of Article 13 GDPR.

Given these violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of € 200,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/54









     File No.: EXP202213792

Sanctioning Procedure PS/00483/2023.

        RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                         VOLUNTEER


From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                       BACKGROUND


FIRST: On December 29, 2023, the Director of the Spanish Agency
of Data Protection agreed to initiate sanctioning proceedings against BURGOS CLUB
DE FÚTBOL, S.A.D. (hereinafter, the claimed party), through the Agreement that is

transcribes:

File No.: EXP202213792.
Sanctioning Procedure No.: PS/00483/2023.



          AGREEMENT TO START SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and in
based on the following:



FACTS................................................. .................................................. ....................2

   FIRST:................................................ .................................................. ...............2

   SECOND:................................................ .................................................. ..............3
   THIRD:................................................ .................................................. ...............4

   ROOM:................................................ .................................................. .................4

   FIFTH:................................................ .................................................. ..................4

     5.1. Intervening parties and documents that form part of the file..........4

     5.2. On the origin and current situation of the implementation of biometric systems
     in first and second division soccer stadiums................................................ .5

     5.3. Facts related to BURGOS CF................................................ ...........8

     5.4 Conclusions................................................ .................................................. 12

LEGAL FUNDAMENTALS................................................. ...................................13
   I Competition................................................ .................................................. ........13

   II Biometric data as special category personal data...................................13

     2.1. Definition and characteristics of biometric data...................................................13

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/54








      2.2. Biometric templates as special and high category personal data
      risk................................................. .................................................. .................fifteen

      23. BURGOS CF as responsible for data processing operations
      biometrics................................................. .................................................. ........17

   III. On the need to carry out a prior and appropriate impact evaluation to the

   treatment................................................. .................................................. ............18

      5.1. Obligation and legal requirements of the impact assessment (EIPD) in
      high-risk treatments................................................... ....................................18

      5.2. Breach of the duty to present a DPIA by BURGOS CF.
      .................................................. .................................................. .........................twenty

   IV Concurrence of an exception to article 9 of the RGPD, and legitimizing basis of the
   Article 6 of the GDPR................................................ .................................................. .twenty

      4.1. Regarding the need for an exception to the prohibition of
      processing of biometric data................................................ ............................twenty

      4.2. Necessity of the basis of legality of the treatment of article 6.1................................22

      4.3. Analysis of the concurrence of an exception and a basis of legality in the
      present assumption................................................ ................................................2. 3

   V Regarding the requirement that the treatment be necessary, appropriate and proportional...25

   VI About the consent of minors................................................ ....................31

   VII On the information duties of article 13 of the RGPD................................33

   VIII Classification of infractions and qualification for the purposes of prescription....36

      8.1. Violation of article 35 of the GDPR................................................ ...................36
      8.2. Violation of article 9 of the GDPR................................................ .....................36

      8.3. Violation of article 5.1.c of the RGPD................................................ .................37

      8.4. Violation of article 8 of the GDPR................................................ .....................37

      8.5. Violation of article 13 of the GDPR................................................ ...................38

   X Determination of sanctions............................................... ................................38

   XI Adoption of corrective measures................................................... ............................43
   XI. Provisional measures................................................ ............................................44

HE REMEMBERS:............................................... .................................................. ............46



                                                   FACTS


FIRST:
With dates of November 4 and 7, 2022, they are received at this Spanish Agency of
Data Protection complaint and claim against the implementation of systems

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/54








biometrics for access control to the entertainment stands of the stadium
BURGOS CLUB DE FÚTBOL, S.A.D. with NIF A09012428 (hereinafter, “the
club”/BURGOS CF).

 - Firstly, a complaint was received on November 4, 2022 stating the
     State Commission against violence, racism, xenophobia and intolerance in
     The sport adopted an agreement according to which access to the cheering stands
     of football stadiums was to be carried out through biometric control. In

     Consequently, some football teams are already adopting these forms of action.
     cess for its stands, such as BURGOS CF. The complaining party
     considers that the aforementioned treatment is excessive. In this sense, it indicates that
     They can carry out the same controls by requesting nominal payments and, if by chance
     security issues were necessary, by requesting the exhibition of the
     National identity document.

      The complainant does not attach any documentation to his writing.


 - Subsequently, a claim is received on November 7 of the same year.
     nifiesta that BURGOS CF is requesting, compulsorily, to access the
     Football field animation stand, the use of fingerprint. Literally
     states the following: “When you become a member of the cheering tier, in no way
     moment you sign anything about data protection and they do not tell you that it will be able to
     tender, for access to the field, biometric data. Until now the system
     The key to access the field is: first they ask for your DNI and MEMBER CARD to
     verify that you are the subscriber, and then you go through a turnstile in which you have to

     Enter your membership card and you are registered. Therefore, the justification of
     that it is for security is unjustified, since there is a less invasive means. Is
     discriminatory that only one stand is requiring this measure of
     access control to the field, since none of the subscribers in another stand will be
     imposed on you, nor on people who enter punctually with a ticket. If Ale-
     “They gain security, where security is in the rest of the field.”

      The claimant accompanies the official statement published on November 4,
      2002 on the burgoscf.es website about “Official statement | Access

      biometric in animation stands carried out by BURGOS CF” in which
      states the following:

          “The Burgos Football Club, in compliance with Law 19/2007, of July 11,
          lio, Royal Decree 203/2010, of February 26, and Book
          General of LaLiga, after an audit carried out by LaLiga, and after
          the agreement adopted by the State Commission against violence, racism,
          xenophobia and intolerance in sport, communicates that access to its
          animation stand will have to be done through biometric control.

          In this sense, all the LaLiga clubs, among which also
          Burgos CF is located, they have been warned that failure to comply
          This regulation will give rise to the action of the commission through the co-
          rresponding proposals for opening disciplinary proceedings in
          under current legislation. In this way, LaLiga has installed a pro-
          fingerprint detection program so that all subscribers of this
          area of the stadium go to the club offices to establish their fingerprint and thus act
          give in to the El Plantío Stadium with this method. (…) This movement is
          only a first step, since the Burgos entity has the objective and ad-

          wants the commitment to implement this biometric access mechanism
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/54








          for the entire stadium in an estimated period of two seasons. Actually yes-
          guiding the line of action of other reference clubs in Spanish football,
          The entity intends to develop facial identification processes, in favor of
          speed and accessibility, when these systems are more developed.”


None of the complainants provides evidence that suggests that
collected your biometric data.

SECOND:
In accordance with article 65.4 of Organic Law 3/2018, of December 5, of

Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD), on December 1, 2022, said transfer was made
claim to BURGOS CF so that it could proceed with its analysis and inform this
Agency within one month, of the actions carried out to adapt to the
requirements provided for in data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations

Public (hereinafter, LPACAP), was collected on December 2, 2022, as
It appears in the acknowledgment of receipt that is in the file. However, BURGOS CF
did not respond to this first transfer.

THIRD:

On January 2, 2023, the Director of the Spanish Protection Agency
of Data urged the Subdirectorate General of Data Inspection (SGID) to initiate the
prior investigative actions referred to in article 67 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD) to analyze the implications that
could have in terms of personal data protection the practical application of the
aforementioned biometric system in football stadiums, one of which was the
BURGOS CF.


ROOM:
On February 3, 2023, in accordance with article 65 of the LOPDGDD,
They were accepted for processing and acknowledged receipt of the complaint and claim.


FIFTH:
Following instructions from the agreement of the Director of the AEPD, the Subdirectorate
General Data Inspection initiated a file of previous actions of
investigation (AI/00444/2022) to clarify the facts contained in the

complaint of November 4 and in the complaint of November 7, 2022. All
this, by virtue of the functions assigned to the control authorities in the article
57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), and in accordance
with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD.


5.1. Intervening parties and documents that are part of the file.

To clarify the facts, it was necessary to make various requirements
information and documentation aimed at all those entities that participated in
the implementation of the biometric system in the first and second football stadiums

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/54








division at the state level, and specifically, in the Plantío stadium of BURGOS CF, such
as:

    - HIGHER SPORTS COUNCIL (hereinafter, CSD).
    - STATE COMMISSION AGAINST VIOLENCE, RACISM,
       XENOPHOBIA AND INTOLERANCE IN SPORTS (hereinafter,
       CEVRXID).
    - NATIONAL PROFESSIONAL FOOTBALL LEAGUE (hereinafter, LALIGA)

    - SOCIEDAD ESPAÑOLA DE FÚTBOL PROFESIONAL, S.A.U (hereinafter,
       SEFPSA)
    - BURGOS CF.

On September 22, 2023, a report is issued on previous actions of
investigation, according to which they are made aware and attached to the file
the following documents and actions carried out:

 - Those carried out before the start of the previous actions, with the complaint and

     claim and documents that have already been mentioned in the background
     first to fourth of this agreement.

 - Regarding BURGOS CF, 3 requirements are made that run as follows:
     luck:
           1. On 02-16-2023, BURGOS CF is requested for the first time,
               which is notified by electronic and postal means. BURGOS CF responds to
               same dated 03-16-23 (hereinafter, WrittenBurgos1).

           2. On 07-06-2023 the request to BURGOS CF is reiterated,
               to which he responds by writing of 07-27-23 (hereinafter,
               WrittenBurgos2).
           3. On 08-22-2023, BURGOS CF is required to provide certain
               additional documentation, and he responds in writing dated 04-09-
               2023 (hereinafter, WrittenBurgos3).

 - Regarding LALIGA, two information requirements are made. The first of
     02-17-23, is answered dated 03-10-23 (WrittenLaliga1). The second was

     carried out on 07-06-23, LALIGA requesting an extension of the deadline to be granted
     gave on 07-13-23. Finally, LALIGA presented allegations in response to the same
     mo dated 07-27-23 (WrittenLaliga2).

 - Regarding the CSD, a first request was formulated on 02-23-2023 and a second
     on 6-07-23. In response to them, the CSD presents three written documents with
     on 03-28-2023 (Written CSD1), 07-21-23 (Written CSD2), and 07-24-23 (Written
     toCSD3). And a second request on 07-06-2023, to which in response
     this one on 07-21-23.


 - Finally, on 08-22-2023 information is required from SEFPSA, reiterate-
     issued on 09-04-2023, which received a response on 09-15-2023 (WrittenSEFPSA1).


5.2. On the origin and current situation of the implementation of biometric systems in

first and second division football stadiums.

In accordance with the information collected, and before analyzing the particular case of the
BURGOS CF, a succinct reference must be made to the actions (chronologically
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/54








ordered) carried out by the inspector in order to elucidate what was the origin and what is
the current status of the implementation of biometric fingerprint or fingerprint systems
facial recognition that was carried out in a general way to be able to access the
football stadiums of LALIGA's first and second division clubs.

    - On September 23, 2015, the CSD authorized the new
        version of Book XII of the League Regulations (hereinafter, RGLALIGA), which
        is currently in force, whose article XII establishes the following in its

        sections 2, 3, and 4:

” 2. The sale of season or half-season access titles or documents,
regardless of its name, in the cheering stands with the
characteristics described in section 1, will require that the fan provide, together with
the data referred to in article 1 of this Regulation, that biometric data
determined, and the consent of the interested party must be obtained, informing
clearly of the specific purposes for the processing of the aforementioned data.
personal nature, in accordance with current regulations on protection

of personal data. At the time of acquiring the access title,
by the affiliated Club/SAD, the fan will be associated with the affiliation provided and the
biometric data.
       3. ACCESS TITLES for season or half-season stands
       animation will be personal and non-transferable, regardless of the policy
       that the Club/SAD has on these for the rest of the venue. To this end, the
       Club/SAD will establish, both in the document of acquisition of the access title
       so, as in the corresponding internal regulations that, in said areas, the

       Pectators will undergo all those identity verification controls
       current at all times, including those related to automatic systems.
       biometric data, as well as the display of the access title next to the
       document proving your identity.
       4. Only fans will be allowed access to the cheering stands.
       two who have obtained the title of access to said area and who, at the time
       at the entrance, submit to the reading of their biometric data. Access will be denied
       cess in the event that the person does not contribute, if required to do so, along with
       biometric data, a document proving your identity that matches

       the affiliation associated with the biometric data and the access title.”

- There is no evidence that LALIGA had adopted measures aimed at
demand compliance with the obligations provided for in the aforementioned article of the RGLALIGA
until CEVRXID urged him to do so. Specifically, it is proven that the
CEVRXID urged LALIGA on two occasions to promote the implementation
by the clubs of the biometric control measures indicated in Book XII of their
General Regulations, exclusively for the animation stands in first and
second division. In its agreements it also refers to the fact that its non-compliance

will give rise to “the corresponding proposals for opening files
sanctioners in the exercise of their surveillance and control function provided for in the Law.”

- The first agreement directed by CEVRXID to LALIGA was on March 15,
2022, and gave rise to the beginning of the implementation of these systems by various clubs,
warning them of the possibility of incurring sanctioning responsibility, the
that this agreement was communicated by LALIGA.

    - Once its first agreement was issued on March 15, 2022, the CEVRXID, in

        At its meeting on October 20, 2022, it agreed to consult the AEPD
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/54








       only a question related to compliance with protection regulations
       of data. Specifically, on the legitimizing cause and exception applicable to
       These biometric treatments referred to could be carried out under the protection of the
       articles 6.1.e and 9.2.g of the personal data protection regulations in
       consideration with the competence attributed to the CEVRXID by article 13.1
       of Law 19/2007, of July 11, against violence, racism, xenophobia and
       intolerance in sport. There was no consultation about the need and
       proportionality of the processing of biometric data or compliance with the

       rest of the principles and obligations provided for in the regulations for the protection of
       data.

    - On December 22, 2022, the AEPD legal office issued the
       Report 98/2022 in response to the previous consultation (joined by the inspector in
       the Reference Diligence mentioned above). The report is based on several
       previously reported background, and maintains that in the present case
       “there was no legal norm in the Spanish legal system that brought together the
       requirements of article 9.2.g) of the RGPD, so the treatment only

       could rely on the consent of those affected as long as it was
       guaranteed that he is free.”

    - After receiving the aforementioned report, the CEVRXID communicated on March 21,
       2023 to LALIGA that “in accordance with what was reported by the AEPD, access to the
       animation stands using biometric data will be carried out with the
       consent of the interested party" so that, "in the case of not having the
       consent of the interested party to access the animation stands

       through biometric data, it will be mandatory for clubs/SAD to have
       a procedure that allows the identification of all those who access
       outside of biometric control.”

    - Having received the previous statement, LALIGA adopted on March 23, 2023 the
       “Circular No. 19 of the 2022/2023 Season, which transferred the
       clubs as indicated by the aforementioned Commission, also informing of the report of
       that AEPD of December 22, 2022.” The Circular informs the clubs that
       “Access to the cheering stands through biometric data can

       maintained but provided that there is free consent of the interested party, prior
       information on the specific purposes for the processing of data
       personal character. If you do not have the consent of the
       interested, the CEVRXID reminds that the spectators in these stands do not
       will be exempt from undergoing all verification checks
       identity that are in force at all times and, to this end, it is
       It is mandatory that the Club or SAD has a procedure that allows
       identify them.”


Additionally, in the phase of previous actions, the
following information on the effective implementation of biometric systems to
access control to the stadiums of LALIGA members. In this regard, it
highlights the following:

    - LALIGA states that it is aware that 18 of its members have
       implemented a biometric system to control access to their
       stadiums, one of them being BURGOS CF. The moment when they would have
       launched differs from one to another, with the 2015-2016 season being

       oldest referred to and 2022-2023 the most recent. Furthermore, according to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/54








       the information provided by the League, in all cases but one the
       implementation of these access controls would have only occurred in the
       “entertainment stands”.

    - The League, through the SEFPSA entity, provides members who request it
       the different devices for operating the entrance turnstiles to the
       sports venues, including, where appropriate, biometric systems
       fingerprint recognition. Clubs are free to contract the system

       fingerprint from SEFPSA or any other, as long as they have
       a biometric system for the sale of season tickets and access control to its stands.
       animation.

    - According to the information provided, SEFPSA states that it has provided its
       biometric solution for 15 League members, the system being identical
       for everyone, and considers that he acts neither as responsible nor as manager
       of treatment in this context, since its work is limited to the supply of
       necessary hardware and software without accessing personal data. In this

       situation indicates that it has not carried out risk analysis or evaluations of
       impact regarding the treatments derived from the use of its supplies.

    - Upon receipt of League Circular 19 of March 23, 2023, the
       clubs that had biometric recognition systems implemented
       adopted measures aimed at suspending this procedure
       of access, either to maintain it as voluntary and complementary
       of others.


    - BURGOS CF installed the biometric fingerprint detection system in
       the animation stand, door 15, through three turnstiles, hiring the system
       developed by SEFPSAU, which seems to correspond to SEFPSA. Starting
       on February 15, 2023, before receiving LALIGA Circular 19, I would choose
       for maintaining the fingerprint as a voluntary access system, sending
       a statement to its partners that informed of this, as well as the possibility
       to request the deletion of your biometric data. This was applied from
       match against Albacete held on February 19, 2023, as stated in

       the Minutes provided in the WrittenBurgos1.

5.3. Facts related to BURGOS CF.

Regarding the particular case of BURGOS CF, to which this file refers
sanctioning, it is worth briefly pointing out the main aspects and documents

contributed by him so far during the phase of previous actions of
investigation:

    1. Response dated March 16, 2023 (WrittenBurgos1).

In response to the request made on February 16, 10 Annexes are attached, and
The following manifestations are carried out that must be highlighted:

 - BURGOS CF began to implement the biometric fingerprint system

     as a mandatory means of accessing the entertainment stands on November 4
     2022, following an audit carried out by LALIGA on July 27, 2022. In
     Proof of this is said to accompany the audit as Annex 1, but the aforementioned Annex
     does not correspond to the audit, but to the “System Technical Report
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/54








     El Plantío Stadium Access Control developed by SEFPSAU, with the logo of
     LALIGA, which appears undated and unsigned.

 - The CEVRXID agreement dated 03/15/22 is attached as Annex II,
     previously referenced.

 - Burgos has provided the Impact Assessment as Annex V of Document 1
     Relating to the Data Protection of the system, dated February 16, 2023

     (EIPD Report), signed by the entity DATAINFO CONSULTORÍA Y
     CONSULTING, S.L. (hereinafter, DATA CONSULTING). It is well observed that his
     realization was considerably later than the start of treatment (4 of
     November 2022). Its content and adaptation to what is required by the regulations of
     Data protection will be analyzed in detail in the fundamentals of
     right of this startup agreement.

 - Responding to several of the questions asked in the first request
     of information, BURGOS CF is identified as responsible for the treatment

     of biometric data for access to the El Plantío stadium, informing of the
     following regarding compliance with data protection regulations:
               -Source of the data: The interested party himself provides them.
               - Collection procedure: In person through fingerprint reader
               fingerprint.
               - Deletion period: Once the season ends.
               - Recipients: They are the 700 members of the entertainment tier, which is
               at door 15. No transfer is planned, except for possible

               compliance with legal obligations.
               -International transfers: No transfers are planned
               international except possible compliance with legal obligations.
               -The purpose of biometric processing, according to the EscritoBurgos1, was
               “meet the requirements established by La Liga and the Commission
               Permanent of the State Commission against violence, racism,
               xenophobia and intolerance in sport.”
               -Data conservation period: per season, waiting for
               that the AEPD decides whether it should proceed with its conservation or destruction.

               The partners are informed of this in Annex VII, and they were given the
               possibility of requesting deletion in the statement of Annex IV.
               -Those in charge of processing special category data: they do not exist.
               -Those in charge of processing other data: LALIGA, the Company
               Española de Fútbol Profesional S.A, and Ligatech S.L.

 - The BURGOS CF has identified the following relevant dates regarding the
     treatment: November 4, 2022 as the start date of collection
     biometric data; December 8, 2022 as the date of the first

     match in which the treatment was carried out to control access to the stands
     animation; February 15, 2023 as the end date of the
     treatment (mandatory) to control access to the stands
     animation; and on February 19, 2023 as the first match in which
     Only those who had access entered the stadium with a fingerprint
     voluntarily, the rest entering, about 60 with the card.

    In this regard, the 9 minutes are attached as Annex III of the EscritoBurgos1
    signed by the Security Director of BURGOS CF and the Coordinator of

    Security belonging to the Ministry of the Interior on the matches held in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/54








    the El Plantío Stadium during the years 2022 and 2023, where the
    need to carry out biometric controls of the animation stand. Some of
    These minutes state that the stadium did not have an identification system
    biometric for access, without prejudice to the fact that the collection has already been carried out
    of fans' footprint (e.g. minutes of the following dates: August 14, 16

    October, October 29, November 27, 2022). In others it is stated
    that this control has been used for access.

    The completion of the biometric system as a mandatory access system and its
    continuation as a volunteer is accredited by means of the communication addressed to their
    partners on February 16, 2023, as Annex IV of the EscritoBurgos1, in which
    informs that, in view of Report 98/2022 of the AEPD, the fingerprint system
    fingerprint would be maintained for use on a voluntary basis, providing the

    One-way partners to request deletion of recorded biometric data
    in the system. What is corroborated in the Minutes of the match played between Burgos
    and Albacete on February 19, 2023, which states the following: “The
    Security Director DELIVERS to the security coordinator a copy of a
    writing addressed to the League in which he requests allegations in relation to opinion 98/22 of the
    Spanish data protection agency dated January 20, 2023 declaring the
    non-conformity with current regulations regulating data protection, of which
    copy attached. Therefore, in this match the club has decided that only the

    partners who have voluntarily agreed to transfer said data, with the rest entering, some
    sixty, simply with meat.”

- Consequently, BURGOS CF has indicated that currently the treatment
    is suspended “pending the completion of this process before the
    AEPD to be able to implement it with the technical, legal, and security measures
    “adequate.” Specifically, it is specified in the EscritoBurgos2: “this treatment of
    data has not yet been implemented and is not currently operational

    since BURGOS CLUB DE FÚTBOL, S.A.D. is waiting for the
    completion of this process before the AEPD to be able to implement it with the measures
    appropriate technical, legal and security measures. Therefore, currently it is not
    collects no biometric data from the Controller, constituting the
    exposed measures planning for the future.” Additionally, Burgos
    states that “it is waiting for the decision of the Spanish Agency of
    Data Protection on whether to continue retaining said data or proceed
    to its destruction” and that “affected people have been given the option to

    suppress it.”

- The documents that prove the consent of the interested parties for the
    processing of your personal data, or document that proves that they have been
    provided the information provided for in article 13 of the GDPR, before collecting
    Your personal data (biometric and others whose contribution is mandatory), were
    required by the inspector on two occasions. However, BURGOS CF
    has only provided as Annexes VI and VII of the EscritoBurgos1 the two models

    which it says were provided to interested parties before and after February 15,
    2023.

             - Annex VI. Conditions of membership, access and permanence in
             the animation stands for the 22-23 season. Used before
             02/15/23. It is not a personal data consent model but
             a contractual document, which requires the provision of personal data
             biometric and non-biometric (nominative, ID, contact information...).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/54








             - Annex VII. Information about access to the cheering stands
             through biometric data (fingerprint). Model used after
             02/15/23. In which a specific consent is signed regarding
             processing of biometric data.

- To prove what security measures have been adopted regarding
    data protection, provide as Annex VIII the document prepared by the
    SEFPSAU entity, as the supplier of the hardware and software on which

    executes the processing of biometric data. This document provides information
    descriptive description of the operation of the biometric system installed in the stadium of the
    Burgos, from which the following main points are extracted:
                                               .
             -The personal data collected from each interested party in the process of
             registration (registration in the system) are name, surname, DNI number, a
             identifier generated by the system, and the biometric pattern of the fingerprint
             fingerprint.
             -The registration of the biometric fingerprint pattern is carried out in the

             microcomputer positions serving members. Access to the
             animation stand is carried out through a single door that has
             three turnstiles with the possibility of access by identification
             biometric. Each of these lathes has several methods of
             access (in addition to biometric reading): optical reading of access codes
             bars or QR, and wireless card reading with built-in chip.
             -The comparison process carried out is “identification
             biometric” (one to many). Thus, the readers installed on the turnstiles

             send the encrypted biometric pattern of the fingerprint of the interested party
             that is accessing the stadium to the Identification Management Server
             Biometric (SGI) located in the club facilities, and to which only the
             club has access. The comparison performed on this server returns the
             positive or negative identification result.
             -Biometric patterns are encrypted at all times with
             the keys of the device manufacturer. The latter proves that the
             Decryption keys are only kept by him and are not
             are available to their clients. Additionally, it certifies that

             Once the fingerprint image template has been extracted, the latter
             is suppressed.
             -In point 6 it refers only to security measures
             specific to the elements or technical equipment.

- Burgos has also provided (annex IX of the EscritoBurgos1) the content of the
    record of processing activities related to “Access control through
    biometric data (fingerprint) to Grada de Animación”.


    1. Response dated July 27, 2023 (WrittenBurgos2).

On July 6, 2023, the inspector formulates a new requirement in which
requests that the action plan of security measures mentioned be provided
but they are not provided in the EIPD or in any other document of the EscritoBurgos1, and the
documentation accrediting the technical detail of the measures described in the heading
“regarding the biometric vector”.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/54








Responding to the new requirement, BURGOS CF provides as Document 1 the
consent model that is signed at the time of fingerprint collection
(not consents signed by subscribers).

As Document 2, it provides the document from the system provider that explains the
security measures related to the biometric vectors obtained by the
system, to which 3 Annexes are attached, issued by various system providers
installed: NITGEN (sensor manufacturer), KIMALDI (guide for the integrator of

biometric solutions), and SETELSA SECURITY (fingerprint control system in
CONACWIN client position). From these only some of the
technical specifications and characteristics of the biometric system used, such as
which uses a biometric vector encrypted with AES algorithm proprietary to the manufacturer
NITGEN of an irreversible nature for its own employees, clients (including the
Club) and their suppliers (SEFPSAU). These documents do not constitute
no elaborate plan of security measures for the purposes provided for in the article
32 or 35.7.d) of the GDPR, aimed at addressing risks, including guarantees, security measures
security and mechanisms that guarantee the protection of personal data, and to

demonstrate compliance with this Regulation, taking into account the
rights and legitimate interests of the interested parties and other affected persons.

Various statements are also made regarding compliance with the
principles provided for in article 5 of the RGPD, the operation of the system through
of encrypted vectors that capture part of the fingerprint and generate a template, and the
protocol applied in case of security breaches, of which no copy is provided
some. And it is expressly said that currently no

measure, but rather it is a plan of future measures given that they are not being
capturing new biometric data.


    2. Response dated September 4, 2023 (WrittenBurgos3).

Finally, on August 22, the inspector requests and the BURGOS CF responds
the following, without accompanying any document:


- Present the risk analysis document: refer to the content in the
    DPIA provided in Document 1.
- Provide information about the places where the patterns are stored
    biometrics (club servers -SGI- or Tornos): they are stored only on the server
    of the club. It states, among other things, that “The normal thing is to collect 2 templates
    per finger and 2 fingers per subscriber. Enrollment is done through a reader
    desktop USB fingerprint scanner, which is interacted with and managed from the client application
    installed on the Club's equipment. − Once the enrollment process is completed, the
    "client application transmits the metadata to the Club Server (SGI) that stores it."

    (…).“The lathe (reader) does not store the biometric pattern, it only serves as an issuer,
    collects the subscriber's template through the fingerprint reader and transmits it in
    raw (vLan over Private IP with HTTPS encryption) to the club server (SGI)”.
- That the security measures applied for storage be indicated.
    A specific detail of measures is not found in the response, but rather a
    explanation of the authorization process. The club explains when it considers a
    user as “unauthorized”, the possibility of authorizing it manually in case
    of errors. Something important that is said is that being “unauthorized” does not imply
    delete your data.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/54








- Describe how their suppression occurs, stating that: "when a
    authorized employee of the club, decides to delete one or all biometric patterns,
    You can do it from the Conacwin system, eliminating them from the only place in the
    which are stored, the Club Server (SGI); This process is irreversible,
    Therefore, once eliminated, recovery is not possible.” Mention is made

    also to the different causes of withdrawal for which employees can be disavowed.
    someone, or data deletion.

5.4 Conclusions.


In view of the actions carried out, it is considered that initially
various evidences that justify the opening of sanctioning proceedings against the
BURGOS CF, for having implemented a biometric system based on the detection of
fingerprint to access the cheering stands of your stadium on November 4
of 2022 that did not comply with several requirements and principles required by the regulations of
data protection, both when it was required as the only system for purchasing
tickets and access to the stadium, as when he became a volunteer on February 15,
2023.


All this without prejudice to the fact that the previous actions carried out may lead to the
initiation of sanctioning procedures against other possible persons responsible for the
implementation of these biometric systems in first-class soccer stadiums and
second division, when the concurrence of other infractions of the
present regulations.

FIFTH: According to the report collected from the AXESOR tool, the entity

BURGOS CLUB DE FÚTBOL, S.A.D. is an SME that acts as a Company
Anonymous sports company associated with LALIGA, established in 2018, and with a volume
of business of €1,451,967 euros in 2021.


                           FOUNDATIONS OF LAW


                                    I Competition

In accordance with the powers provided by article 58.2 of the GDPR and as
established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
hereinafter, LOPDGDD), is competent to initiate and resolve this procedure
Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures."

           II Biometric data as special category personal data


2.1. Definition and characteristics of biometric data.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/54








Biometric data processing systems are based on collecting and processing
personal data relating to the physical, physiological or behavioral characteristics of
natural persons, which may include their neural characteristics,
through devices or sensors, creating biometric templates (also
called signatures or patterns) that make it possible to identify, track or

profiling of said people.


The GDPR defines art.4.14 biometric data as “personal data obtained through
based on a specific technical treatment, related to the physical characteristics,
physiological or behavioral characteristics of a natural person that (…) unique to said person,
such as facial images or fingerprint data.”



As already pointed out in Opinion 4/2007 of the working group of article 29 (ART. 29 of the
Directive 95/46 EC, as an EU body, of consultative and independent character),
on the concept of personal data (WP136), of 06/20/2007, biometric data

can be defined as:

   “… biological properties, physiological characteristics, personality traits or
   tics, which are, at the same time, attributable to a single person and measurable, even
   whether the models used in practice to technically measure them imply a certain
   degree of probability. Typical examples of biometric data are those that provide
   fingerprints, retinal patterns, facial structure, voices, but
   also the geometry of the hand, the venous structures and even certain ha-

   deep-seated ability or other behavioral characteristic (such as
   handwriting, heartbeats, a particular way of walking or talking, etc.). A
   particularity of biometric data is that they can be considered both
   content of information about a certain person (So-and-so has these bones-
   fingerprints) as an element to link information to a specific
   person (this object has been touched by someone who has these fingerprints and these
   fingerprints correspond to so-and-so; Therefore, So-and-So has touched this object).
   As such, they can serve as "identifiers." In effect, as it corresponds to a single

   each person, biometric data can be used to identify that person.
   This dual character also occurs in the case of DNA data, which provides
   tion information about the human body and allow unequivocal identification
   of one, and only one, person.”

Every biometric access control system to the stadium, in order to be used, must
first register the user's identity in the system by capturing a security
series of biometric parameters (in this case, the fingerprint of subscribers who purchase tickets)

access tickets for the entertainment stands of the BURGOS CF stadium). Of what
What we are trying to achieve is to carry out processing on those parameters to identify
tify the person each time they then re-enter and exit through the access point.

A biometric data contained in a system is stored in the form of a template or pa-
biometric tron, commonly called “vector”. A biometric template is a form
writing method of a human biometric characteristic, such as a face or fingerprint
fingerprint, so that it is interpretable by a machine efficiently and effectively

for a specific purpose or purposes. The biometric template is not aimed at
be interpreted by a person, like a photograph, but is oriented to be processed
ted in an automated process, that is, be efficiently and effectively interpretable by
a machine. This form of storage would allow an individual to be singled out and executed.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/54








cut actions automatically, profile or infer information about a subject such as
attitudes or patterns of behavior, etc.

This technology can be really intrusive and requires an ethical and legal debate
calm, since it can have very adverse effects on the fundamental values
them and human integrity. Look at just a few of its special features and think
Consider the significant impact that occurs when this data is compromised, in
comparison to when other types of personal data are processed:


- Biometric systems are closely linked to a person, given
that can use a certain unique property of an individual to identify them.
tion. Each individual has unique fingerprints that show characteristics
that can be measured to decide whether a fingerprint corresponds to
a recorded sample. Therefore, they are unique, permanent or definitive in time.
and the person cannot free himself from them, they can never be changed, not even with age,
so the damage created in case of compromise-loss or intrusion into the system is
irreparable in this case. Unlike a password, if lost, the data

of our fingerprint or face cannot be changed.
- Furthermore, because biometric data is specific to a person and per-
petuos, the user can use the same data in different systems.
- While traditional authentication methods such as passwords
require a 100% character-for-character match to allow the user to
rio accesses, for example, an account or application (deterministic methods), the methods
Biometrics are called “probabilistic” because they are based on the probability that
the user trying to access a certain device or application is the same

person than the registered user. We can measure the performance of a biomedical system
based on three main characteristics. These are: false rejection rate
(FRR), false acceptance rate (FAR) and equal error rate (ERR). The rate of
false rejections represents the probability of detection errors by a system.
biometric, which means that it cannot recognize a user whose characteristics
biometric cases are already in the database. In case of rejection, the person must see
rify your identity again. From a safety and security perspective, this
rate does not mean that it is necessarily a negative result. Each biometric method
co, be it face reading, fingerprint reading, palm print reading, iris reading, etc., has different va-

lores for different rates based on which a system rejects or accepts requests.
triads.


2.2. Biometric templates as special and high category personal data

risk.

According to the definition given by article 4.14 of the GDPR, biometric data
processed by these systems will become personal data as long as
when the purpose of the processing is the identification or authentication of a person,
in the sense provided for in article 4.1 of the GDPR, which defines personal data
as:

    "1. Personal data: any information about an identified natural person or

    identifiable ("the interested party"); Any identifiable natural person will be considered
    person whose identity can be determined, directly or indirectly, in
    particular by means of an identifier, such as a name, a telephone number,
    identification, location data, an online identifier or one or more

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/54








    elements of physical, physiological, genetic, psychological identity,
    economic, cultural or social of said person.”



In the present case there is no doubt that biometric data of
personal nature, since the purpose of the system implemented for the acquisition
of season titles and access to the animation stands by fingerprint is

identify the people who access the stands, is to determine the identity, direct or
indirectly, from the person. Every time the process assigns an identifier (the
biometric template obtained by collecting fingerprint samples from
interested parties) that allows to single out an individual and distinguish him from others, to
through “elements specific to physical, physiological, genetic, and psychological identity.”

It must be taken into account that the approval of the RGPD (after the regulation of the
Book XII of the RGLALIGA) has meant a paradigm shift in matters of

protection of personal data that aims to guarantee citizens control of
your personal data, establishing high protection standards and
adapted to the digital environment in which we live. According to the Principle of
Proactive Responsibility, inspiration for the new regulation, the new RGPD makes
emphasize that the person responsible must seriously evaluate the risks of the treatment
that you want to establish in the rights and freedoms of the interested parties (always
prior to starting any treatment, and continuously if you decide to do so),
opting for a risk analysis approach by design and by default, to

be able to identify them, determine the probability of materialization and its impact and foresee
measures and guarantees that eliminate or, at least, mitigate the risks detected,
preventing its materialization. Likewise, certain obligations must be met and
respect certain principles established by regulations.

Thus, whenever personal data of any type is processed,
whatever, the person responsible must comply with the principles and obligations provided for in the
data protection regulations for all types of personal data.


All of these duties are exponentially accentuated when it comes to data from
special category, whose treatment is considered high risk. Both
circumstances occur in biometric data aimed at uniquely identifying
to a person, as happens in the present case.

Thus, this paradigm shift has especially affected the data
biometrics, since on the one hand - unlike what happened under the regime

prior to the RGPD - these have come to be considered personal data of
special category in article 9, the processing of which is generally prohibited,
unless any of the exceptions provided for in article 9.2 of the RGPD apply.
Which does not exempt the fact that there must always also be a basis of legality provided for in the
article 6 thereof, among many other requirements and principles that must be met
whoever decides to opt for this type of treatment.

In accordance with article 9.1 of the GDPR, data processing is prohibited

biometrics when they are: “biometric data aimed at uniquely identifying
to a natural person.” Although recital 51 of the GDPR includes both
identification and authentication procedures: “since only
are included in the definition of biometric data when the fact of
be treated with specific technical means allowing the identification or

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/54








univocal authentication of a natural person. Such personal data should not be
treated, unless treatment is permitted in specific situations
contemplated in this Regulation.”

In this sense, it should be noted that the classification as special category data

necessarily implies the observance of special caution when determining
determine whether it is possible to carry out data processing of this nature. Among other
things, and in addition to there being an exception that allows overcoming the prohibition of the article
9.1 of the GDPR, that there is a basis for the legality of Article 6 of the GDPR and that
comply with the principles of the RGPD, the subject that intends to implement data systems
biometrics, in this case, BURGOS CF, must previously analyze the attendance
compliance with the mandatory criteria of necessity, suitability and proportionality of the treatment.
I lie.


That is, whoever intends to establish personal data processing of this nature
za must, first of all, ensure that what has been called in the
jurisprudence as “the triple judgment of proportionality”, considering in particular whether
the processing of biometric data is ideal, proportionality, and above all, necessary
Aryan. If there are other non-biometric systems that allow the same goal to be achieved,
ability to identify-verify the identity of people effectively, it will not be necessary
initiate biometric treatments, and, therefore, implementing this system will be considered

contrary to the GDPR. This judgment must be the starting point of your analysis, since only in
If these methods pass the aforementioned triple judgment, compliance with
other requirements or guarantees.

And, in addition to being special category personal data, the processing of
This type of biometric data is also considered “high risk”, which will require
to always carry out an impact evaluation (IAPD), in accordance with the provisions of the
article 35.1 of the RGPD, this DPIA must be prior to the start of the treatment, but

be carried out continuously. And it will not be enough to do it, but the same
must be considered valid, because it meets the requirements set forth in the aforementioned
article, in particular, that contains at least the information of art. 35.7 of the
GDPR.

The processing of biometric data is considered high risk in accordance with the provisions
in section 4 of article 35, which provides that “…The supervisory authority
establish and publish a list of the types of processing operations that

require a data protection impact assessment in accordance
with section 1…”, given that it is among the treatments included in the
document “Lists of types of data processing that require evaluation of
impact regarding data protection”, made public by the AEPD in development of the
provision contemplated in the fourth section of the aforementioned article 35.

There is no doubt about the high-risk nature of this data, given that the
biometric data meets the criteria corresponding to numbers 4, 5 and 10

of said document (those that involve the use of special categories of data;
the use of biometric data and those that involve the use of new technologies or
innovative use of established technologies). Therefore, the data processing
biometrics can never be started if a valid DPIA has not been prepared prior to the
treatment.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/54









23. BURGOS CF as responsible for data processing operations

biometrics.

Article 4.2 of the GDPR defines “processing of personal data” as:


  “any operation or set of operations carried out on personal data or
   set of personal data whether by automated procedures or not, such as
   the collection, registration, organization, structuring, conservation, adaptation or modification
   cation, extraction, consultation, use, communication by transmission, dissemination or
   any other form of access enablement, collation or interconnection, limitation, su-
   pressure or destruction;”

Biometric data can be processed and stored in different ways. Sometimes the

Biometric information captured from a person is stored and processed in raw form, which
that allows you to recognize the source from which it comes without special knowledge; by
For example, a photograph of a face, a photograph of a fingerprint, or a recording
voice. Other times, the raw biometric information captured is treated in a
that only certain characteristics or traits are extracted and saved as a bio-template.
metric, here called “vector”.

According to what was stated by the club itself, the biometric system implemented by

BURGOS CF works with biometric data obtained from a person (fingerprint-
tilar), from which an algorithm selects characteristics to create a template.
biometric call. Then, when the fan enters the stadium, they pass a check
access in which the system checks the identity of the person with the database
biometric. You can do it in a second, while comparing hundreds of millions of data.
cough.

That is, the biometric characteristics are subjected to technical treatment through

which a person is recognized through a chronological process that is contained in
all biometric data processing: data capture or registration with your system
next storage or processing and the comparison or matching phase,
the conservation of data, as well as its subsequent deletion, limitation...etc.

Therefore, the identification process necessarily includes carrying out several
processing operations (data collection or capture, registration, storage, processing)
cessation, comparison, authentication, conservation, deletion, limitation...etc) of

for which only BURGOS CF was responsible for the purposes provided for in article 4. 7
of the RGPD, which provides: “7) “responsible for the treatment” or “responsible”: the person
physical or legal entity, public authority, service or other body that, alone or together with others,
determine the purposes and means of the processing; whether the law of the Union or of the States
members determines the purposes and means of the processing, the data controller or
The specific criteria for their appointment may be established by the Law of the
Union or of the Member States.



In short, when BURGOS CF implemented a new fingerprint detection system
fingerprint for the identification-verification of the identity of natural persons (instead
of the usual method of identity verification by means of DNI, and purchase title
via QR reader, or chip on card) must have been aware that it was going to be res-


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/54








responsible for setting the purposes and means of various data processing operations of
special and high risk category.

From the evidence that exists so far in the file, and without prejudice to the
resulting in the instruction, it is initially deduced that the club implemented this system

when it already had an identification-authentication system for the identity of the
people who accessed the entertainment stands of their stadium, which was much less
trusive, with which the same purpose was obtained, so the biometric treatment does not
It should never have started under these conditions.

But in addition to starting this treatment without it being necessary and proportional, there are
evidence that the treatment was carried out in breach of many other obligations pre-
seen in the data protection regulations when we are faced with the presence of data

biometric personal data from which the alleged commission of 4 other possible
administrative violations. We will thus refer in the Fundamentals of Law III to
VII of this agreement to the lack of concurrence of an exception that would lift the prohibition.
tion of processing biometric data of article 9 of the RGPD, not to prepare or pass a
EIPD prior to treatment, but late and invalid, failing to comply with the duties of informing
tion related to article 13 of the GDPR, and not obtain the consent of the parties.
parents or legal guardians of minors under 14 years of age referred to in article 8 of the
GDPR.


In short, given the fingerprint system that was implemented by BURGOS CF at
as of November 4, 2022 of the evidence obtained so far and without
prejudice to what may be deduced in the investigation phase, it follows that the Club
did not act with the diligence required of a data controller
special category and high risk such as biometrics, committing up to 5 infractions
administrative provisions of the RGPD, in the terms set out below in the
Legal Fundamentals III to VII of this Initiation Agreement.




  III. On the need to carry out a prior and appropriate impact evaluation to the
                                       treatment.


5.1. Obligation and legal requirements of the impact evaluation (EIPD) in treatments
high-risk.


As stated above, before implementing a project
data processing based on this very intrusive technology, it is also necessary
previously audit its operation, not in isolation but within the framework of the
specific treatment in which it is going to be used (in this case, sale of subscriptions and access
to the entertainment stands of the BURGOS CF stadium).


The impact assessment on the protection of personal data, DPIA, appears
then as the tool required by the GDPR to ensure compliance with
this aspect of the treatment, as established in article 35 in its section - 1
of the GDPR,
   “When it is likely that a type of treatment, particularly if it uses new technologies,
   noologies, due to their nature, scope, context or purposes, entail a high risk for
   rights and freedoms of natural persons, the person responsible for the processing carried out


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/54








   Before treatment, an evaluation of the impact of the treatment operations will be carried out.
   ment in the protection of personal data…”


As already indicated, the processing of biometric data has been rated as highly
risk by the AEPD, by virtue of the provisions of article 35.4, so we must
based on the fact that the processing of biometric data initiated by BURGOS CF

After its statement of November 4, 2022, it should have been preceded by a
valid impact assessment, which included at least the sections provided for in
article 35.7 of the GDPR. This implies that it is not enough to carry out a DPIA, but rather
It will have to be overcome to comply with the RGPD.



This evaluation will be done prior to the start of treatment, but must
be understood as a continuous or periodic evaluation, in the sense established by the
Article 35.11 of the GDPR, which states: “If necessary, the controller will examine
whether the treatment complies with the impact assessment relating to the protection of

data, at least when there is a change in the risk represented by the operations
of treatment.”


A DPIA must meet the minimum requirements or content listed in the article.
35.7 of the GDPR, which provides:

     “The evaluation must include at least:
     a) a systematic description of the planned processing operations and the

     purposes of the processing, including, where applicable, the legitimate interest pursued by
     the person responsible for the treatment;
     b) an assessment of the necessity and proportionality of the processing operations
     treatment with respect to its purpose;
     c) an assessment of the risks to the rights and freedoms of the data subjects
     referred to in section 1, and
     d) the measures planned to address the risks, including guarantees, security measures
     security and mechanisms that guarantee the protection of personal data, and

     show compliance with this Regulation, taking into account the rights
     rights and legitimate interests of the interested parties and other affected persons.”


In short, overcoming a DPIA requires that the person responsible for a treatment
high risk document in writing that it passes the suitability assessment,
necessity and proportionality of the treatment, and that manages from the design the
specific risks of the treatment, with the practical application of measures aimed at
them in a way that guarantees an acceptable risk threshold throughout the
processing life cycle, as established in article 35 of the GDPR.

Furthermore, it requires prior consultation with the supervisory authority in the event that the
responsible has not taken measures to mitigate the risk in accordance with the
article 36 of the GDPR.




5.2. Breach of the duty to present a DPIA by BURGOS CF.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/54








In the present case, the club has provided (Annex V of the WrittenBurgos1) the
document “Impact Assessment Report Related to Data Protection”
(DPIA Report) dated February 15, 2023 by a third party (DATAINFO
CONSULTORÍA Y ASESORÍA, S.L.). But the start of treatment occurred on the 4th
November 2022, as recognized by BURGOS CF itself.



This DPIA is after the start of the biometric treatment, since starting the
treatment on November 4, 2022, the date of the DPIA is February 15,
2023, which shows that for more than three months a
processing of biometric data without complying with the obligation prescribed in the article
35 of the GDPR.


It is, therefore, recognized and accredited that BURGOS CF began the treatment on
November 4, 2022 without having previously carried out a DPIA, so
clearly violated the provisions of article 35.1 of the RGPD, which prevents carrying out
any high-risk processing - such as biometric data - without having carried out
previously a DPIA, which analyzes the purpose, the risks, the judgment of
proportionality of the treatment, and, where appropriate, the measures to be provided to protect the
personal information.





  IV Concurrence of an exception to article 9 of the RGPD, and legitimizing basis of the
                                  Article 6 of the GDPR.


4.1. Regarding the need for an exception to the prohibition of the treatment of
biometric data.


As already indicated, biometric data, cataloged as “category
special”, in article 9, both of the RGPD and the LOPDGDD, are data
personal data, the use of which may give rise to significant risks to the rights and
fundamental freedoms, and therefore, in principle its treatment is prohibited in the
article 9.1 of the RGPD, unless any of the exceptions provided for in the
paragraph 2 of the same article.

Another additional requirement of this type of treatment will therefore be that

Before starting the treatment, the person responsible must also check and
prove that one of the exceptions provided for in article 9.2 of the RGPD exists or
other specific legislation.


In this way, its treatment being prohibited in general, any
An exception to this prohibition must be subject to restrictive interpretation. So and
as can be deduced from recitals 51 and 52 of the GDPR, which show:



   ”Such personal data should not be processed, unless their processing is permitted.

   treatment in specific situations contemplated in this Regulation,
   taking into account that Member States may establish provisions
   specific provisions on data protection in order to adapt the application of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/54








   rules of this Regulation to comply with a legal obligation or to
   fulfillment of a mission carried out in the public interest or in the exercise of powers
   public conferred on the person responsible for the treatment. In addition to the requirements
   specific to that treatment, general principles and other
   rules of this Regulation, in particular as regards the conditions

   of legality of the treatment. Exceptions must be explicitly stated
   general prohibition on the processing of these special categories of data
   personal, among other things when the interested party gives explicit consent or
   in the case of specific needs, particularly when the treatment is
   carried out within the framework of legitimate activities by certain associations or
   foundations whose objective is to allow the exercise of fundamental freedoms.



   “Exceptions must also be authorized to the prohibition of treating categories
   special personal data when established by Union or European Union law.

   Member States and provided that appropriate guarantees are given, in order to protect
   personal data and other fundamental rights, when it is in the public interest, in
   particular the processing of personal data in the field of labor legislation, the
   legislation on social protection, including pensions and for security purposes,
   health supervision and alert, prevention or control of communicable diseases
   and other serious threats to health (...)”



Thus, the exceptions that could possibly allow the lifting of the
general prohibition on processing biometric data aimed at identifying-verifying identity

of natural persons, are those provided for in article 9.2. of the RGPD, with the following wording
literal, which must be interpreted restrictively, always in favor of protecting the
rights and freedoms of citizens in case of doubt:

   "2. Section 1 will not apply when one of the circumstances occurs
   following:

   a) the interested party gave explicit consent for the processing of said data

   personal data for one or more of the specified purposes, except when the Right to
   the Union or the Member States establishes that the prohibition referred to in
   section 1 cannot be lifted by the interested party;”
   b) the processing is necessary for the fulfillment of obligations and the exercise of
   specific rights of the controller or the interested party in the field
   of labor law and social security and protection, to the extent that it is
   authorized by Union or Member State law.
   c) the processing is necessary to protect vital interests of the interested party or another

   natural person, in the event that the interested party is not qualified, physical or
   legally, to give consent;
   d) the treatment is carried out, within the scope of its legitimate activities and with the
   due guarantees, by a foundation, an association or any other body without
   profit-making, whose purpose is political, philosophical, religious or union, provided that
   The processing refers exclusively to current or former members of such
   organizations or persons who maintain regular contact with them in relation
   for its purposes and provided that personal data is not communicated outside of them

   without the consent of the interested parties;
   e) the processing refers to personal data that the interested party has made
   manifestly public;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/54








   f) the treatment is necessary for the formulation, exercise or defense of
   claims or when the courts act in the exercise of their judicial function;
   g) the treatment is necessary for reasons of essential public interest, on the
   basis of Union or Member State law, which must be proportional
   to the objective pursued, to essentially respect the right to data protection and

   establish appropriate and specific measures to protect the interests and rights
   fundamentals of the interested party;
   h) the treatment is necessary for preventive or occupational medicine purposes, evaluation
   of the worker's work capacity, medical diagnosis, provision of assistance or
   health or social treatment, or management of healthcare systems and services
   health and social assistance, on the basis of Union or State law
   members or under a contract with a healthcare professional and without prejudice to the
   conditions and guarantees contemplated in section 3;

   i) the treatment is necessary for reasons of public interest in the field of health
   public, such as protection against serious cross-border health threats,
   or to guarantee high levels of quality and safety of care
   health and medicines or health products, on the basis of the Law
   of the Union or the Member States that establishes appropriate measures and
   specific to protect the rights and freedoms of the interested party, in particular the
   professional secret.
   j) the processing is necessary for archiving purposes in the public interest, purposes of

   scientific or historical research or statistical purposes, in accordance with the article
   89(1) on the basis of Union or Member State law,
   which must be proportional to the objective pursued, essentially respect the right
   to data protection and establish appropriate and specific measures to protect
   the interests and fundamental rights of the interested party.”

Therefore, in addition to previously verifying that the treatment exceeds the judgment of
proportionality, if the person responsible does not prove that their treatment is within some

of these exceptions, you will not even be able to start treatment without incurring a
violation of article 9 of the GDPR.

4.2. Need for a legal basis for the processing of article 6.1.


In addition to lifting the prohibition on its treatment, the person responsible must prove
also that its treatment can be carried out because one of the bases is present
legal legitimating of the treatment contained in article 6.1 of the RGPD, which are
general requirement for the processing of any personal data. This is the
concurrence of exception that hypothetically allows lifting the prohibition of treating
biometric data will not be sufficient, it does not replace the need for there to be
a basis of legality in the case of biometrics. The person responsible must be in
willingness to prove that both are present, in addition to the fact that the judgment of

proportionality mentioned above, and so on, with respect to the rest of the requirements
provided for in the regulations. That is why we speak of “cumulative requirements” and not
alternatives.

Thus, article 6 of the GDPR also starts from the fact that processing personal data
In general it is something exceptional, maintaining that:

   "1. Treatment will only be legal if at least one of the following is met

   conditions (commonly referred to as “legal basis”):


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/54








   a) the interested party gave his consent for the processing of his personal data
   for one or more specific purposes;
   b) the processing is necessary for the performance of a contract in which the
   interested party is part or for the application at his request of measures
   pre-contractual;

   c) the processing is necessary for compliance with an applicable legal obligation
   to the person responsible for the treatment;
   d) the processing is necessary to protect vital interests of the interested party or another
   Physical person;
   e) the processing is necessary for the fulfillment of a mission carried out in
   public interest or in the exercise of public powers conferred on the person responsible for the
   treatment;
   f) the processing is necessary for the satisfaction of legitimate interests pursued

   by the person responsible for the treatment or by a third party, provided that regarding said
   interests do not prevail over the interests or fundamental rights and freedoms of the
   interested party requiring the protection of personal data, in particular when the
   interested is a child.
   The provisions of letter f) of the first paragraph will not apply to the treatment
   carried out by public authorities in the exercise of their functions.

Therefore, in the event that there is no basis of legality, the violations

mentioned above, a violation of article 6 of the RGPD would be added.

4.3. Analysis of the concurrence of an exception and a basis of legality in the case
present.


With regard to the case at hand, the BURGOS CF refers to these
issues in what is called the analysis of “legitimation and legality”, of point 1.3
of the EIPD of February 15, 2023), where reference is made to both the exception
concurrent as the basis of legality that presumably legitimizes the biomedical treatment
trico for the purpose of controlling access to the entertainment stands of your stadium. In
In this sense, BURGOS clearly distinguishes two periods (before and after the

EIPD) in which there has been a change in criteria of the legitimizing basis and exception
which supported the possibility of processing biometric data.

It is stated that the legitimacy for the use of the system prior to December 15
February 2023 was based on compliance with a legal obligation and that the
lifting of the prohibition on processing data from special categories was supported
in sections b and g of article 9.2 of the RGPD, and in the legality basis of 6.1.c). TO
starting February 15, 2023 (after the CEVRXID agreement of that same date),

The EIPD states that the treatment is based on the consent of the interested parties,
in accordance with article RGPD: 9.2.a) and 6.1.a) of the RGPD), whose interested parties are the
people with access to the El Plantío Stadium Entertainment Stand.

Thus, with regard to the basis of legality of the treatment of article 6 of the
RGPD, the concurrence of a basis of legality of article 6.1.c) is alleged (compliance
legal obligation) before February 15, 2023, but after that date
From now on it is said to assume that the base is that of 6.1, without indicating exactly

what letter/cause they refer to. They admit that compliance with a legal obligation does not
can be the basis as indicated in Report 98/22 of the legal office of this
Agency, and they say change the concurrent exception. But they do not give any other alternative.
It goes with respect to the basis of legality, confusing exception with basis of legality.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/54








Although this omission to indicate the basis of legality that occurs in the treatment may
affect the validity of the DPIA, the truth is that to assess whether a violation occurs
of article 6 of the RGPD, the main thing is to check that there really is a legal basis
legal indication, even if the person responsible has not determined it correctly or included it in
the EIPD.

And in this case, it can be established that initially there is a legal basis that enables
the club to process personal data in general (not for biometrics,

since this means that an exception from article 9 must also apply). In
specifically, that referred to in article 6.1.b), which refers to that: “the treatment is
necessary for the execution of a contract to which the interested party is a party or for the
application of pre-contractual measures at his request.” Every time the
purchasing a ticket or season ticket constitutes the creation of a link
contractual between the purchaser and the club, which is governed by the conditions provided in the
front and back of the ticket/subscription and the document of conditions that the club
provided as Annex VI of its first written statement of allegations. Therefore, it does not fit
initially allege a violation of Article 6 of the GDPR.


Now, although there was a legal basis, this legitimized the club to treat
other non-biometric personal data, already usually required to access by
the previous access methods, but in no case did it legitimize starting a
biometric treatment if there is also no exception from article 9.2 that
would allow lifting the prohibition on processing biometric data.

The concurrence of the lack of exception that would allow biometric data to be processed before

The EIPD is clear and clear, as it is recognized by the Club itself. It is not a question
discussed.

- On the one hand, we have that the Club acknowledges having initiated a treatment of
    biometric data without obtaining express consent and for the specific purpose for which
    referred to in the exception of article 9.2.a), since the biometric system was
    mandatory, there was no option for an alternative access method, and the
    fan of this animation tier was obliged to provide his data
    biometrics to acquire the season ticket and access the stands. This is corroborated by the

    content of the model that was signed until February 15, 2023 (Annex VI),
    which is not even considered a model of consent on
    data protection, constituting a simple contractual document that indicates
    the conditions of membership, access and permanence that the acquirer must
    sign to be able to acquire the bonus. It is accredited and recognized in
    consequence that before the EIPD, the club was not collecting a
    consent for protection of biometric data that could fit into the
    exception of article 9.2.a).


- On the other hand, the club recognizes that the exceptions of 9.2.b) and 9.2.g)
    (compliance with legal obligation and essential public interest) do not justify the
    processing of these data, assuming the interpretation made by Report No.
    98/2022 of this Agency, as have also been done by CEVRXID and LALIGA. And in
    Based on this, they claim to have changed the exception to the express consent of the
    9.2.a) as of February 15, 2023.

This implies, without a doubt, that between November 4, 2022 and February 15
2023, BURGOS CF began processing biometric data without

An exception would arise that would lift the prohibition on processing these data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/54









Consequently, it is also possible to initiate sanctioning proceedings for violation
of article 9 of the RGPD, since there is recognition by the
reported and sufficient evidence that the biometric treatment was started without
no legal exception that justifies it will occur until February 15, 2023.



    V On the requirement that the treatment be necessary, suitable and proportional

One of the obligations that correspond to every data controller

personal is to ensure that the treatment respects the Principles provided for in the
Article 5 of the GDPR.

In the case of biometric data, because it is of a special category and high risk, it is possible
highlight the essential importance of respecting the principle of minimization of
treatment/data, provided for in article 5.1.c) which indicates:
    "1. The personal data will be:
    a) adequate, relevant and limited to what is necessary in relation to the purposes

    for those who are processed (“data minimization”)”.

Respect for this principle must be the starting point at the beginning of everything
treatment, the person responsible must first of all consider whether this treatment
It will be really necessary, suitable, and proportional before starting it. And if this
treatment is high risk - in the case of biometrics - must reflect this evaluation
prior of necessity and proportionality in a specific document called
personal data protection impact assessment (DPIA), in accordance with the

provided for in article 35.7.b) of the RGPD, which states that it must be carried out and
overcome “an assessment of the necessity and proportionality of the operations
of treatment with respect to its purpose.

This is confirmed by recital 39 of the GDPR, which underlines the importance of the
processing is necessary, indicating that “Personal data should only be processed if
“the purpose of the processing could not reasonably be achieved by other means.”


Along the same lines, the Working Group of article 29, in its Opinion 3/2012 on the
evolution of biometric technologies, indicates that “When analyzing the proportionality of
a proposed biometric system, it is necessary to previously consider whether the system is
necessary to respond to the identified need, that is, if it is essential to
satisfy that need, and not just the most appropriate or profitable one. A second factor that
should be taken into account is the probability that the system will be effective in responding
to the need in question in light of the specific characteristics of the technology
biometric to be used. A third aspect to consider is whether the loss of

The resulting intimacy is proportional to the expected benefits. If the benefit is
relatively minor, such as greater comfort or slight savings, then the
loss of privacy is not appropriate. The fourth aspect to evaluate the adequacy of
a biometric system is to consider whether a less invasive means of privacy
would achieve the desired end.”

Idea that is reiterated in section 72 of Guidelines 3/2019 on the treatment of
personal data through video devices, dated 01/29/2020, from the CEPD, which indicates:

“The use of biometric data and, in particular, facial recognition entails
high risks for the rights of the interested parties. It is essential that the use of
such technologies take place with due respect for the principles of legality,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/54








necessity, proportionality and data minimization as established by the GDPR.
Although the use of these technologies may be perceived as particularly
effective, those responsible for the treatment must first evaluate the impact on the
fundamental rights and freedoms and consider less intrusive means of achieving their
legitimate purpose of the processing. That is, the question would have to be answered as to whether this

biometric application is something that is really essential and necessary, or is it just
"convenient".

Therefore, processing personal data that is not suitable (adequate)
necessary and proportional is always prohibited, and constitutes in itself the commission of
an administrative violation of article 5.1.c) of the RGPD.

Since the processing of biometric data implies restricting rights and freedoms

of the interested parties, the obligation to process only “personal data that is
appropriate, relevant and limited to what is necessary in relation to the purposes for which
are processed” provided for by the principle of data minimization/processing of the article
5.1.c) of the RGPD, must be interpreted in accordance with the provisions of the reiterated
jurisprudence of our Constitutional Court regarding the need to verify
that any restrictive measure of fundamental rights (biometric treatment in this
case) overcomes what is called “the triple judgment of proportionality.”


This implies that, first of all, it is necessary to verify whether it meets the following three
requirements or conditions referred to by the Constitutional Court: "if such measure is
capable of achieving the proposed objective (suitability judgment); yes, furthermore, it is
necessary, in the sense that there is no other more moderate measure for the
achievement of such purpose with equal effectiveness (judgment of necessity); and finally, if
itself is weighted or balanced, since more benefits or advantages are derived from it for
the general interest that damages other goods or values in conflict (judgment of
proportionality in the strict sense).


In view of the antecedents in this file, the denounced club states that
party to have carried out a suitability evaluation in its DPIA of February 15, 2023.
ity, necessity and proportionality of biometric processing for the purpose of control
Access your stadium's entertainment stands using your fingerprint. Proceeds,
Therefore, analyze whether the intended treatment exceeds the so-called triple judgment of pro-
proportionality, which in accordance with the aforementioned doctrine of the Constitutional Court
analyze the following:


1. If the treatment is likely to achieve the proposed objective (judgment of
suitability).

    It is about determining whether the treatment is appropriate for the purpose it pursues. That
    treatment is the response to certain deficiencies, demands, demands
    as obligations or objective opportunities and can achieve the proposed objectives.
    positions with sufficient efficiency.


    Requested about the “Suitability Judgment” by the inspector, BURGOS CF refers to
    its response in this regard in the DPIA of February 15, 2023, which indicates what
    following: “With this measure the objective is achieved in a more effective way
    set to guarantee security at matches based on a mission carried out
    in the public interest, with legitimation based on express consent, since
    which is the most reliable method we currently have according to the power technique
    verify a person's identity. On the other hand, the installation of systems

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/54








    biometric recognition is the only way to comply with the
    requirements of the State Commission against Violence, Racism,
    Xenophobia and Intolerance, as well as the orders imposed by The League."

    Indeed, it has been found that BURGOS CF already had two other

    methods of acquiring tickets and access to the entertainment stands before the 4th
    November 2022, the details of which will be referred to in the judgment of necessity.

    With regard to the arguments put forward regarding suitability, the club
    It simply indicates that biometric control is more effective than the security system.
    previous access because it is the most reliable method, but it does not prove it. Rather to
    On the contrary, taking into account that the biometric system generates false rates
    acceptance, false rejections and equal errors, as indicated

    previously. These errors are added to those that can already occur when using
    QR code, barcode or chip card readers used in other security systems
    access. And it must be taken into account that what the judgment of suitability,
    necessity and proportionality must evaluate is the effectiveness of the system for the
    protection of the rights and freedoms of the interested parties who provide their
    biometric data, and not those that favor the organization.



    On the other hand, the fact that CEVRXID and LALIGA had ordered
    establishing this biometric system does not in itself mean that this system is
    ideal, nor necessary or proportional. That there is a mandate of a

    higher entity does not justify the person responsible for not evaluating whether this system is
    suitable, necessary, or proportionality prior to installing it in your stadium.

    Finally, it cannot be accepted that the processing of biometric data was

    ideal, necessary or proportional to begin basing the system on the
    express consent, given that the need for treatment is a matter
    prior and unrelated to what may constitute the exception of article 9 of the RGPD and the

    legitimizing legal basis of article 6 of the RGPD. So, even though I can
    constitute a cause to lift the exception of article 9, does not affect in any way the

    proportionality judgment. Especially when it comes to the judgment of necessity, since
    that, as the jurisprudence of our TC indicates, necessity cannot
    never depend on what the affected party decides.

1. If, furthermore, it is necessary, in the sense that there is no other more modern measure.

rada to achieve such purpose with equal effectiveness (judgment of necessity).

   The point is that it must be determined whether the goal pursued cannot be achieved
   another less harmful or invasive way, that is, if there is no alternative treatment,
   that is equally effective in achieving the intended purpose.

   Necessity should not be confused with utility of the system. The detection may
   fingerprint make it easier to avoid having to carry a card, which takes a few seconds.

   two less in its access, which is automatic and instantaneous and not excessively expensive.
   cough. Obviously, a fingerprint system can be useful, but it doesn't have to be
   be objectively necessary (the latter being what really must be present).
   tea). As established in opinion 3/2012 on the evolution of biomedical technologies,
   trics - of GT 29 -, it must be examined “if it is essential to satisfy that need, and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/54








   not just the most suitable or profitable one.” Options and alternatives must be analyzed
   before establishing a new system that represents an exaggerated limitation of the right
   choice of each user, when there may be less invasive means of privacy,
   and not opt for what is practical or agile and comfortable, when the rights of your rights are at stake.
   tulars.


   Thus, the person in charge who considers implementing data processing
   biometrics must be scrupulous in its work of exhaustively analyzing all the
   alternative options that are equally suitable and effective, but less intrusive
   available. Consequently, the study of
   the feasibility of other possible alternative options available that do not require the
   using special data, compare all options and document the
   conclusions. What has not been done for BURGOS CF. Despite stating that

   There are two other alternatives to the biometric access method available, it does not perform
   nor does it attach to its DPIA any analysis referring to the differences and impact of applying the
   biometric method compared to other alternative options from the point of view of the
   risks and impact produced on the rights and freedoms of the interested parties.

   The need assessment carried out by BURGOS CF in the EIPD is completely in-
   sufficient to justify the processing of biometric data. To assess the need
   ity of the treatment, the proposed measure must be supported by evidence that

   Describe the problem that is going to be addressed with the measures, how it will be addressed
   with the measure, and why existing or less intrusive measures cannot address
   give it sufficiently.

   Thus, according to what BURGOS CF has stated and is observed in Annex I
   of the EscritoBurgos1, there are other pre-existing alternatives that were already used
   previously to verify the identity of the fans who accessed the stands
   of animation: “Access to the animation stands is through a single

   door that has three turnstiles with the possibility of access by identification
   biometric. Each of these turnstiles has several access methods
   (in addition to biometric reading): optical reading of barcodes or QR, and
   wireless card reading with built-in chip.”

   According to the club, the pre-existing fingerprint modalities always appear
   as an “access” to which one can return, with respect to which there is no further record or
   log that the passage of the aforementioned entrance through the turnstiles through which those people

   they access.

   Thus, the subscription tickets for the animation stand, the form adopted by the
   access titles, contain personal data that the accused demanded for their
   issuance (name, DNI, etc.), power granted to the organizer of the event by the
   regulations for ticket sales and access to sports venues, and involves the creation
   of a legal relationship between the parties of a contractual nature. These are also
   same data contained in the subscription card in its various modalities

   (QR/chip card) which serve as a basis to implement the registration and use of the
   fingerprint.

   Then, this implies that in the entertainment stands of the El Plantío stadium there are 3
   possible access systems, two of them being non-biometric and prior to the
   implementation of the biometric system. In view of what was stated by himself
   BURGOS CF, these two systems stopped being used between November 4,
   2022 and February 15, 2023, during the period in which the system was implemented

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/54








   biometric as mandatory, being again available and operational from
   so.

    It is also stated that since February 15, 2023, the
   collect new biometric data and require biometric control in stadiums,
   This system being suspended until the AEPD determines what to do. But I know
   alludes to the fact that biometric control continues to be used to access the stands
   animation by those subscribers who opt for it voluntarily, AND also

   that the data is kept until the end of the season, although it is still
   They are being held at this time, awaiting determination of what to do.

   It is thus proven that the denounced Club had and has two
   identity verification methods that are clearly less intrusive
   for the rights of people who access the stadium, and identify the subscriber
   with the same effectiveness as biometric systems. Whenever you can access
   with the physical card or with the subscription on the mobile phone (NFC chip) or reading the QR code of
   the subscriber card, whose identity can be verified by simply showing

   of the DNI. System that was already operating before the implementation of the
   fingerprint reader.

   Consequently, if there are alternatives available so that at a given time
   all fans opt for non-biometric access, and a
   free, express and specific consent that allows you to choose between these others
   less intrusive methods and biometrics, this implies that data processing
   biometrics is not necessary for the purpose of controlling the identity of those who

   They access the animation stands. In no case is the judgment of
   necessity because biometric processing is not necessary.

   Asked about the judgment of necessity in the inspection, BURGOS CF does not offer reasons.
   zones that justify it. The EIPD only states the following: “In
   regarding the question raised regarding the need to incorporate a system
   of biometric recognition, we must argue that this measure contributes to
   Avoid violence in sports in two ways. On the one hand, we find
   mos with its deterrent effect as it functions as a preventive factor; Yes one

   person knows that the organization has its unique identification through
   fingerprint, you will be much more careful when carrying out actions that
   involve acts of violence, racism or intolerance inside or outside the stadium. By
   On the other hand, this type of identification can reliably help to determine
   identify the identity of people who are part of hypothetical violent acts that occur
   given in the context of football matches”

   However, the argument of helping to avoid violence in sport cannot be
   be accepted as valid enough to consider that these biometric systems are

   necessary for this reason. Since the current regulation regarding the sale of
   tickets and access to sports venues (RGLALIGA; Law 19/2007 against violence,
   racism, xenophobia and intolerance in sport, and its development regulations
   approved by RD 557/2011) it follows that there are other ways to prevent rape.
   lence in the stadiums and identify those responsible, who function properly
   For this end. Thus, among other means, this regulation allows establishing that the
   tickets are nominative, inside the stadiums there may be security systems
   video surveillance, which can be placed at the entrances and surroundings of the stadium, and each
   seat is assigned to the person who purchases the ticket. Through the methods

   traditional access through a nominative subscription with display of the DNI is
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/54








   can identify and register people who access the stands. It's not understood
   that the fingerprint is going to add a plus that allows identifying those who presume
   They could have committed acts of violence in the match in question. And not even m-
   unless it contributes to avoiding it.


   It is thus deduced that the fingerprint access system compared to the traditional
   The sale of registered tickets does not represent a clear and differentiated plus in security.
   ity of the stadiums, since with the already existing means it is possible to identify
   also to possible offenders and verify the facts that have occurred.

2. Finally, if it is weighted or balanced, because it is derived from it more
benefits or advantages for the general interest that harm other goods or values
in conflict (proportionality judgment in the strict sense).




    This is determined, among others, in “STC 66/1995, of May 8, F. 5; STC 55/1996,
    of March 28, FF. 7, 8 and 9; STC 270/1996, of December 16, F. 4.e; STC
    37/1998, of February 17, F. 8; STC 186/2000, of July 10, F. 6).”



    In this regard, the seriousness of the risk to the rights and freedoms of the
    treatment, and its interference in the fundamental right to Data Protection of
    personal character must be appropriate to the objective pursued and proportionate to the
    urgency and seriousness of this. We must weigh the benefit that the treatment
    From the point of view of Data Protection, society provides,

    maintaining a balance with the impact it represents on other rights
    fundamental. However, although it may partially cede, in no case will
    can assume the absolute denial of the right to Data Protection and empty
    of its essential content.



    There must be a logical link between the measure and the legitimate objective pursued.
    In order for the principle of proportionality to be respected, the advantages resulting from the
    measure should not be outweighed by the disadvantages that the measure causes
    regarding the exercise of fundamental rights. And one of the factors that play

    In proportionality it is the effectiveness of the measures of the existing measures, for
    above the proposal, if in the same context measures already existed for a
    similar or identical purpose, should be considered, if not, the evaluation of the
    proportionality has not been properly carried out.



    With respect to the Proportionality Judgment, BURGOS CF states in its DPIA
    only the following: “We must remember that the BURGOS CLUB DE FÚTBOL,
    S.A.D. has been informed that there are several people with precautionary measures,
    of the corresponding courts with jurisdiction in the matter, which have been

    prohibited from entering the stadium and a 500-meter restraining order. To avoid
    skip any other type of looser control, a control through data
    biometrics ends up being configured as an essential system that cannot be
    deceive, since the fingerprint is a piece of information inherent to each person, which
    cannot be modified or transferred. In this way, we determine that, in relation

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/54








    with the interference that this system entails in the rights of the interested party and
    making a weighing judgment between the interference of their right to
    privacy, this is conceived as minuscule compared to the assurance
    of the right to life and physical integrity of each person who pursues
    proposed control measure.”


    Again, the judgment made is not correct since it is not weighing the
    advantages and disadvantages of using this biometric system. But above all, and in
    relation to the proportionality requirement, because the alleged conflict between
    the right to life and physical integrity of people and the right to protection
    of personal data is not solved solely by means of a
    biometric access system, since there is another alternative method
    pre-existing information that allows the identification and verification of the identity of those people who

    They are prohibited from entering the stadium with the same effectiveness as a fingerprint.

    Taking into account that the computerized sales control and management system of
    tickets, as well as access to football stadiums provided by law, can
    achieve that the entries must be nominative, which is a type of access
    common and normalized, and there being another modality of the same less intrusive than
    the EIPD recognizes, it must prevail as it is preferable to the biometric system of
    fingerprint detection.


From all of the above, it is clearly deduced that fingerprint access system
fingerprint implanted by BURGOS CF in accordance with the provisions of the EIPD of February 15.
February 2023 does not pass this triple judgment of proportionality, for the specified purpose.
intended ca according to the club (“access control to the entertainment stands through the
fingerprint identification") and in the specific framework of the BUR stadium.
GOS CF.


In the present case, the intended purpose is to univocally identify the
people who accessed the stadium's entertainment stands using data
biometrics, and considering that there is an access modality that complied and complies
with the same purpose in a less intrusive way, it is considered that the treatment of
biometric data carried out by BURGOS CF is not necessary, nor proportional, therefore
that violates the provisions of the principle of data minimization contained in the article
5.1.c), which advocates that the data processed must be limited to what is necessary
to achieve those ends.



All this, to the extent that the club recognizes that the biometric system continues
operational on a voluntary basis, and that continues to retain the biometric data collected
above, since this will mean continuing to process biometric data, when this
It is not necessary, appropriate or proportional.

Therefore, the club is warned that the violation of article 5.1.c) is still
maintaining at present and will continue, as long as this
biometric treatment without being suitable, necessary, or proportional, being indifferent whether
This is voluntary or mandatory.



For completeness, it should be noted that the DPIA presented cannot be considered
valid, since it does not exceed the minimum requirements established in article 35.7 of the
GDPR. Not only in terms of not passing the evaluation of need and
proportionality, but also for not describing well the operations and purposes of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/54








treatment, not containing an adequate analysis of the risks of the treatment from the
point of view of the rights and freedoms of people, nor propose measures
adequate and sufficient as necessary to reduce the impact of threats
raised.


                      VI About the consent of minors

In addition to the requirements set out above, it must be taken into account that the
BURGOS CF in the Annex VI document is allowing minors under 18
years old access the stadium's entertainment stands as long as there is a

consent signed by parents or legal guardians, without establishing any limits
minimum age, and including in the signature footer of the document said possibility of
signature of the representative in case of being a minor) as acceptance of the
terms of use.

Thus, section 1 of this Annex VI provides that: “1.- Anyone who accesses the
Animation Stand must be at least eighteen (18 years old) old. If this
If this is not the case, signed consent from the parents or legal guardian will be required.”


Through this clause, the denounced club has been seeking consent
contractual that is required to make up for the minor's lack of capacity to
acquire the season ticket, for the purposes of the club-subscriber contractual relationship.

When it is possible for minors to go to the stadium (without any limitation
of age), and allow them to acquire the subscription as long as the document of the
Annex VI is signed by their parents or guardians, this will imply that they will be

obliged to provide their personal data.

In relation specifically to the processing of biometric data, as of 15
February 2023, the BURGOS CF considered that it was necessary to request the
consent to proceed with the processing of these personal data.

However, it does not accredit the club that is obtaining consent.
for the biometric treatment of minors, either (i) by parents or

guardians of minors under 14 years of age or (ii) by the
own minors over 14 years of age, regarding the treatment of
your personal biometric data from February 15, 2023, as this
possibility does not appear in the model in Annex VII.

It turns out that for minors there is no provision established in said document.
any provision of consent to process your personal data
biometrics.


In this regard, article 8 of the GDPR provides that,

       "1. Where Article 6(1)(a) applies in relation to the
       direct offer to children of information society services, the
       processing of a child's personal data will be considered lawful when
       is at least 16 years old. If the child is under 16 years of age, such treatment
       It will only be considered lawful if the consent was given or authorized by the owner.

       of parental authority or guardianship over the child, and only to the extent that it was given or
       authorized.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 34/54








       Member States may establish by law an age lower than such
       purposes, as long as this is not less than 13 years.
       2. The controller will make reasonable efforts to verify in
       such cases that the consent was given or authorized by the owner of the
       parental authority or guardianship over the child, taking into account technology

       available.
       3. Paragraph 1 shall not affect the general provisions of the Law
       contractual law of the Member States, such as rules relating to the validity,
       formation or effects of contracts in relation to a child.”

Likewise, it is necessary that the conditions provided for in article 7 of the
LOPDGDD, which on the “Consent of minors”, provides that,


       "1. The processing of personal data of a minor only
       may be based on your consent when you are over fourteen years of age.
       Exceptions are cases in which the law requires the attendance of the holders of
       parental authority or guardianship for the celebration of the legal act or business in
       the context of which consent for treatment is obtained.
       2. The processing of data of minors under fourteen years of age, based on the
       consent, it will only be lawful if it includes that of the holder of parental authority or guardian.
       “cloth, with the scope determined by the holders of parental authority or guardianship.”


In conclusion, at present there is sufficient evidence that there has been
There has been an alleged violation of Article 8 of the GDPR, since it appears that the
club is not obtaining the consent of minors for the treatment
of their biometric data, either by their parents or guardians or from them
directly, depending on the age of the minor.


            VII On the information duties of article 13 of the RGPD

One of the obligations of the person responsible for all personal data processing is
comply with the duties of information to interested parties that are provided for in the
Articles 12 to 14 of the GDPR.


In accordance with the provisions of article 12.1 of the RGPD, the starting point is a Principle of
“Transparency of information, communication and modalities of exercise of the
rights of the interested party”:

    "1. The person responsible for the treatment will take the appropriate measures to facilitate the
    interested party all information indicated in articles 13 and 14, as well as any
    communication under articles 15 to 22 and 34 relating to processing, in
    concise, transparent, intelligible and easily accessible form, with clear and

    simple, particularly any information directed specifically at a child. The
    Information will be provided in writing or by other means, including, if applicable,
    by electronic means. When requested by the interested party, the information may
    be provided verbally as long as the identity of the interested party is demonstrated by
    other media"

These information duties are specified in articles 13 and 14, being of
application to the present case, those provided for in article 13 of the RGPD on

“Information that must be provided when personal data is obtained from the
interested":

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 35/54








    1. When personal data relating to him or her are obtained from an interested party, the
    responsible for the treatment, at the time these are obtained,
    will provide all the information indicated below:
         a) the identity and contact details of the person responsible and, where applicable, their
         representative;
         b) the contact details of the data protection officer, if applicable;
         c) the purposes of the processing for which the personal data are intended and the basis
         legal treatment;

         d) when the processing is based on Article 6, paragraph 1, letter f), the
         legitimate interests of the controller or a third party;
         e) the recipients or categories of recipients of the personal data,
         in your case;
         f) where applicable, the intention of the controller to transfer personal data to a
         third country or international organization and the existence or absence of a
         adequacy decision of the Commission, or, in the case of transfers
         indicated in Articles 46 or 47 or Article 49, paragraph 1, paragraph
         second, reference to the adequate or appropriate guarantees and the means

         to obtain a copy of these or to the place where they have been made available.
         provision.

    2. In addition to the information mentioned in section 1, the person responsible for the
    treatment will provide the interested party, at the time the data is obtained
    personal, the following information necessary to guarantee a treatment of
    loyal and transparent data:


         a) the period during which the personal data will be kept or, when not
         where possible, the criteria used to determine this period;
         b) the existence of the right to request from the data controller the
         access to personal data relating to the interested party, and its rectification or
         deletion, or limitation of its processing, or to oppose the processing, as well as
         such as the right to data portability;
         c) when the processing is based on Article 6, paragraph 1, letter a), or the
         Article 9, paragraph 2, letter a), the existence of the right to withdraw the
         consent at any time, without affecting the legality of the

         treatment based on consent prior to its withdrawal;
         d) the right to file a claim with a supervisory authority;
         e) if the communication of personal data is a legal or contractual requirement,
         or a necessary requirement to sign a contract, and if the interested party is
         obliged to provide personal data and is informed of the possible
         consequences of not providing such data;
         f) the existence of automated decisions, including the preparation of
         profiles, referred to in article 22, paragraphs 1 and 4, and, at least in such
         cases, significant information about the logic applied, as well as the

         importance and anticipated consequences of such treatment for the
         interested.

    3. When the data controller plans the subsequent processing of data
    personal data for a purpose other than that for which they were collected, will provide
    to the interested party, prior to said further processing, information about that
    other purpose and any additional information relevant under paragraph 2.
    4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
    to the extent that the interested party already has the information.”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 36/54








As already anticipated, being required by the inspector in relation to justifying the
compliance with the duty to inform the interested party of the content provided for in the
mentioned article 13 of the RGPD, Burgos has provided two documents that have
used, both prior to February 15, 2023, and the one used
later (Annexes VI and VII).


Firstly, Annex VI of the WrittenBurgos1, which according to the BURGOS CF is the only
document that was signed by the interested parties when acquiring the subscription before 15
February 2023, is not a consent regarding the processing of personal data,
but a contractual document that contains the “Conditions of membership, access
and permanence in the animation stands. 2022/2023 season”, and what is necessary
sign to be able to acquire the subscription.


However, this document requires the collection of personal data for the
“achievement of the season ticket”. In section 3 it refers to the
obligation to provide personal data such as name, surname, ID, contact details
contact, and sign a data protection law consent, which is not
contributes. And section 8 contains the obligation to submit to access control
biometric prior to obtaining the subscription, collecting your data for this purpose
biometrics, indicating that any other access system will have a
exceptional.


It should be noted that the inspector requested BURGOS CF on a second occasion to
to provide the supposed data protection consent document that
interested parties had to sign before collecting the data referred to in the
section 3, but the club did not contribute it in the Written2Burgos (limiting itself to contributing
new Annex VII), nor in the Writing3. Therefore, we must consider that this
consent was not signed.


It follows that, until February 15, 2023, data was collected
biometric and other personal data (DNI, name, surname, etc.) without having
duly informed the purchasers of the payment of the information provided in the
Article 13 of the GDPR. Since the only document they signed was this
Annex VI, which only contained the following generic information regarding
personal data protection:

         […] 8.- Any person who accesses the "LA HINCHADA" Entertainment Stand

         DEL ARLANZON” must undergo biometric access control, to
         which, prior to obtaining the subscription for this area, must
         facilitate the capture of the fingerprint that is necessary. Any other system
         access that does not entail biometric recognition, will have a
         exceptional. The biometric data collected is for exclusive use
         of entry to the sporting event, and the subscriber may request a cancellation of
         said file canceling your subscription.
         […] 12.- For the purposes of the provisions of Organic Law 3/2018 of 5

         December protection of personal data and guarantee of rights
         digital, we inform you that the personal data that has been
         collected in this document, as well as those obtained by
         biometric means will be included in a data file of a nature
         staff owned by the Club. In this sense, the undersigned lends his
         express consent for the processing of your aforementioned personal data
         staff."


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 37/54








In short, before February 15, 2023, there is no doubt that BURGOS CF
was collecting personal data from these subscribers (700 people according to the
club), both biometric and other types, without informing the interested party of all the
aspects expressed in article 13, resorting to a generic formula. This
document does not comply with the information required by the GDPR, which has been expanded

considerably with respect to previous legislation.

For the period after February 15, 2023, BURGOS CF provides the
document “Information on access control to animation stands through
biometric data (fingerprint)” (Annex VII of the EscritoBurgos1). The document,
used as indicated by Burgos after February 15, 2023, if applicable
an express consent that informs the signatory about the treatment through the
biometric control. Thus, it states that by signing the document the

interested party consents to “the processing of biometric data relating to my fingerprint or
pattern thereof for the purpose described.” This contains most of the
information provided for in article 13, except that provided for in 13.2.c) referring to the
possibility of withdrawing the consent given. Well, despite the fact that the
possibility of requesting the right to delete the data collected, this is not
equivalent to revoking consent.

In short, from the documents in the file and without prejudice to those

that are provided during the instruction, at this time there is evidence
enough that BURGOS has been collecting personal data from the 700
subscription purchasers without adequately informing them of all the aspects required to
data protection purposes, so a violation of the
Article 13 of the GDPR.




    VIII Classification of infractions and qualification for the purposes of prescription.

As has been explained in Legal Fundamentals III to VII of this agreement,
It is considered that BURGOS CF may have committed the following infractions of the
current regulations regarding data protection:


8.1. Violation of article 35 of the GDPR

As set out in Legal Fundamentals V, in accordance with the

evidence that is available at the present time, and without prejudice to what
results from the instruction, it is considered that the facts presented could violate the
established in article 35 of the RGPD, which could involve the commission of a
administrative offense classified in article 83.4.a) of the RGPD which indicates that:

    “Infringements of the following provisions will be sanctioned, in accordance with
    paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
    In the case of a company, an amount equivalent to a maximum of 2% of the

    global annual total business volume of the previous financial year, opting
    for the largest amount:
    a) The obligations of the person responsible and the person in charge in accordance with the articles
    8, 11, 25 to 39, 42 and 43.”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 38/54








For the purposes of prescription, the LOPDGDD establishes in its article 73.t) that: “In
Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:


   t) The processing of personal data without having carried out the evaluation of the
   impact of processing operations on the protection of personal data in
   the cases in which it is enforceable.”


                        8.2. Violation of article 9 of the GDPR.


As set out in the Fundamentals of Law IV, in accordance with the
evidence that is available at the present time, and without prejudice to what
results from the instruction, it is considered that the facts presented could violate the
established in article 9 of the RGPD, which could involve the commission of a
administrative offense classified in article 83.5 of the RGPD, which provides the
following:

    “Infringements of the following provisions will be sanctioned, in accordance with the

   section 2, with administrative fines of a maximum of EUR 20 000 000 or, treatment
   of a company, of an amount equivalent to a maximum of 4% of the volume
   global annual total business of the previous financial year, opting for ma-
   i amount:
   “a) the basic principles for treatment, including the conditions for
   consent in accordance with articles 5, 6, 7 and 9.”

For the purposes of prescription, the LOPDGDD establishes in its article 72.e):


   “Based on what is established in article 83.5 of Regulation (EU) 2016/679,
   considered very serious and will prescribe violations that involve three years
   a substantial violation of the articles mentioned therein and, in particular, the
   following:
   “e) The processing of personal data of the categories referred to in the article.
   9 of Regulation (EU) 2016/679, without any of the circumstances occurring
   provided for in said precept and in article 9 of this organic law.”


8.3. Violation of article 5.1.c of the RGPD.

As set out in the Fundamentals of Law V in accordance with the
evidence that is available at the present time, and without prejudice to what

results from the instruction, it is considered that the facts presented could violate the
established in article 5.1.c) of the RGPD, which could involve the commission of a
administrative offense typified in article 83.5 of the RGPD, which provides
following:

    “Infractions of the following provisions will be sanctioned, in accordance with the
   section 2, with administrative fines of a maximum of EUR 20 000 000 or, treatment
   of a company, of an amount equivalent to a maximum of 4% of the volume

   global annual total business of the previous financial year, opting for ma-
   i amount:
   “a) the basic principles for treatment, including the conditions for
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 39/54








   consent in accordance with articles 5, 6, 7 and 9.”

For the purposes of prescription of infractions, the LOPDGDD establishes in its article
72: “Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve a

substantial violation of the articles mentioned therein and, in particular, the
following:

   a) The processing of personal data violating the principles and guarantees established
   “established in article 5 of Regulation (EU) 2016/679”.


                        8.4. Violation of article 8 of the GDPR.


As set out in Legal Fundamentals VII, in accordance with the
evidence that is available at the present time, and without prejudice to what
results from the instruction, it is considered that the facts presented could violate the
established in article 8 of the RGPD, which could involve the commission of a
administrative offense classified in article 83.4 of the RGPD, which provides as follows:
following:


    “Infringements of the following provisions will be sanctioned, in accordance with
    paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
    In the case of a company, an amount equivalent to a maximum of 2% of the
    global annual total business volume of the previous financial year, opting
    for the largest amount:
    a)- the obligations of the person responsible and in charge in accordance with articles 8, 11, 25
    at 39, 42, and 43”.


For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:

    “Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:
    a) The processing of personal data of a minor without obtaining their

consent, when he has the capacity to do so, or that of the holder of his parental authority
or guardianship, in accordance with article 8 of Regulation (EU) 2016/679.”


                       8.5. Violation of article 13 of the RGPD.

As stated in the Fundamentals of Law VI, in accordance with the
evidence that is available at the present time, and without prejudice to what

results from the instruction, it is considered that the facts presented could violate the
established in article 13 of the RGPD, which could involve the commission of a
administrative offense classified in article 83.5 of the RGPD, which provides
following:

   “Based on what is established in article 83.5 of Regulation (EU) 2016/679,
   considered very serious and will prescribe violations that involve three years


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 40/54








   a substantial violation of the articles mentioned therein and, in particular, the
   following:
   b) the rights of the interested parties under articles 12 to 22.”

For the purposes of the limitation period, article 74 “Infringements considered minor” of

The LOPDGDD indicates:

        “The remaining infractions of violations are considered minor and will expire after one year.”
   purely formal nature of the articles mentioned in sections 4 and 5 of the
   article 83 of Regulation (EU) 2016/679 and, in particular, the following:

        a) Failure to comply with the principle of transparency of information or
   right of information of the affected person for not providing all the information required by

   Articles 13 and 14 of Regulation (EU) 2016/679.


                           X Determination of sanctions


Article 58.2 of the GDPR provides the following: “Each supervisory authority will have
of all the following corrective powers indicated below:

     i) impose an administrative fine in accordance with Article 83, in addition to or instead of
     the measures mentioned in this section, according to the circumstances of
     each particular case;”

The determination of the sanctions that should be imposed in the present case requires ob-

serve the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively,
mind, they provide the following:

     "1. Each supervisory authority will ensure that the imposition of administrative fines
     pursuant to this article for violations of this Regulation.
     indicated in sections 4, 9 and 6 are effective in each individual case, pro-
     portioned and dissuasive.”


     "2. Administrative fines will be imposed, depending on the circumstances of
     each individual case, as an additional or substitute for the measures contemplated in
     Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
     administrative and its amount in each individual case will be duly taken into account.
     ta:

     a) the nature, severity and duration of the infringement, taking into account the
     nature, scope or purpose of the processing operation in question, as well as

     such as the number of interested parties affected and the level of damages that
     have suffered;

     a) intentionality or negligence in the infringement;

     b) any measure taken by the person responsible or in charge of the treatment
     to alleviate the damages and losses suffered by the interested parties;


     c) the degree of responsibility of the person responsible or in charge of the treatment.
     taking into account the technical or organizational measures that have been applied in
     under articles 25 and 32;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 41/54









     d) any previous infraction committed by the person responsible or in charge of the
     treatment;

     e) the degree of cooperation with the supervisory authority in order to enforce

     medium to the infringement and mitigate the possible adverse effects of the infringement;

     f) the categories of personal data affected by the infringement;

     g) the way in which the supervisory authority became aware of the infringement,
     in particular if the controller or processor notified the infringement and, in such case, in
     what measure;


     h) when the measures indicated in Article 58, paragraph 2, have been organized
     previously condemned against the person responsible or the person in charge in question in relation to
     tion with the same matter, compliance with said measures;

     i) adherence to codes of conduct under Article 40 or mechanisms
     of certification approved in accordance with Article 42, and

     j) any other aggravating or mitigating factor applicable to the circumstances

     of the case, such as the financial benefits obtained or the losses avoided, direct
     or indirectly, through infringement.”

Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions
and corrective measures”:

     "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
     (EU) 2016/679 will be applied taking into account the graduation criteria established

     acids in section 2 of the aforementioned article.

     2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
     may also be taken into account:

     a) The continuous nature of the infringement.
     b) The linking of the offender's activity with the performance of medical treatment.
     personal information.

     c) The benefits obtained as a consequence of the commission of the infraction.
     d) The possibility that the conduct of the affected person could have induced the
     sion of the violation.
     e) The existence of a merger by absorption process subsequent to the commission of the
     infringement, which cannot be attributed to the absorbing entity.
     f) The impact on the rights of minors.
     g) Have, when not mandatory, a data protection delegate.
     h) The submission by the person responsible or in charge, on a voluntary basis,

     to alternative conflict resolution mechanisms, in those cases in which
     that there are disputes between them and any interested party.

     3. It will be possible, complementary or alternatively, adoption, when appropriate,
     of the remaining corrective measures referred to in article 83.2 of the Rules.
     ment (EU) 2016/679.”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 42/54








For the assessment of the sanction that would be implemented in this initial agreement, for the
alleged violation of article 35 of the RGPD, the following circumstances are contemplated:
cias:

- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation.” Every time he treats
biometric data processing began on November 4, 2022 without the
EIPD until February 15, 2023, in such a way that for more than three months

carried out the treatment without identifying, evaluating and assessing the risks to the
rights and freedoms of natural persons, without, among other issues, establishing
bleed and implement, as a consequence of the above, the appropriate measures to
seek their protection, in response to the purpose sought by the RGPD. And it affected 700
subscribers who acquired the animation stand subscription title in the season
2022/2023. (83.2.a GDPR). For completeness, it should be noted that not having carried out
DPIA is substantially serious in this case, in which when carrying it out it has been
passed from a mandatory to a voluntary system, also changing the basis of legality and
applicable exception.


- A serious lack of diligence is included (art 83.2.b RGPD), given that any
treatment that entails a high risk requires the performance of a DPIA with
ter prior to the start of the treatment, especially if it can encompass categories
special personal data, such as biometrics in this case, or subjects who deserve
cen specific protection, such as children.

        In this sense, the Supreme Court has understood that there is imprudence

        A legal duty of care is always neglected, that is, when the offender does not
        behaves with the required diligence. And in the assessment of the degree
        of diligence, the professionalism or otherwise of the subject must be especially considered,
        and there is no doubt that, in the case now examined, when the activity of the
        recurring is constant and abundant handling of data of a
        personnel must insist on rigor and exquisite care to conform to the
        legal precautions in this regard. The STS of 06/05/1998 requires
        professionals in the sector "a duty to know especially the standards
        applicable", and in similar terms are pronounced, among others, the SSTS of

        03/2/1999 and 09/17/1999, due to their activity they are accustomed to the treatment of
        personal data must be especially diligent and careful when making
        operations with them and must always opt for the most favorable interpretation
        to safeguard the fundamental right to data protection (as of
        repeatedly maintains the National Court, among others in a ruling of
        11/26/2008).

- The impact on one of the special categories of data, biometric data,
whose need for protection is to that extent greater than that of other personal data,

in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of
05/22/2019, appeal 1405/2019, which represents an aggravating circumstance, in accordance with the article
83.2.g) of the RGPD “the categories of personal data affected by the
infringement".

- The impact on the rights of minors (76.f) of the LOPDGDD). Since of
According to the document provided as Annex VI, it is possible to process biometric data of
under 18 years old.


As a consequence, with the elements that are available, the sanction is quantified in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 43/54








50,000 euros, without prejudice to what results from the processing of the procedure.

For the assessment of the sanction that would be implemented in this initial agreement, for the
alleged violation of article 9 of the RGPD, the following circumstances are contemplated:
cias:

- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation”, given that it is an operation

periodic processing of personal data that affected since November 4th
November 2022 to February 15, 2023 to the 700 subscribers who acquired the title
subscription for the animation stand in the 2022/2023 season (83.2.a RGPD).

- A lack of diligence is included, given that it prepared the implementation of the system and
It did not foresee its impact, so this factor would operate as an aggravating factor. (art
83.2.b RGPD), in accordance with the doctrine of the Supreme Court previously referred to
ciada


- The impact on the rights of minors (76.f) of the LOPDGDD). Since of
According to the document provided as Annex VI, it is possible to process biometric data of
under 18 years old.

As a consequence, with the elements that are available, the sanction is quantified in
50,000 euros, without prejudice to what results from the processing of the procedure.

Regarding the violation of the principle of data minimization due to the presumption

This violation of article 5.1.c) of the RGPD, the following circumstances are contemplated:

- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation.” It was not considered correctly
specifically the specific purpose of the processing of personal data in relation to the
needs to be covered, which constitutes the nature of the infringement and which opened the scope
of affected to any subscriber of the accused, considering that the purpose of the treatment
processing is a basic activity of the person responsible for the treatment, which aggravates
tea. (83.2.a GDPR).


- A serious lack of diligence is included, given that it was available and thus stated
documented in the DPIA of February 15, 2023 that there were other means to process
less intrusive treatment and the use of the solution was left to the users' will, and not
foreseen its impact, so this factor would operate as an aggravating factor (art 83.2.b
GDPR).

- The impact on one of the special categories of data, biometric data,
whose need for protection is to that extent greater than that of other personal data,

in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of
05/22/2019, appeal 1405/2019, which represents an aggravating circumstance, in accordance with the article
83.2.g) of the RGPD “the categories of personal data affected by the
infringement".

- The impact on the rights of minors (76.f) of the LOPDGDD). Since of
According to the document provided as Annex VI, it is possible to process biometric data of
under 18 years old.


As a consequence, with the elements that are available, the sanction is quantified in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 44/54








50,000 euros, without prejudice to what results from the processing of the procedure.

Regarding the violation of the principle of data minimization due to the presumption
This violation of article 8 of the RGPD, the following circumstances are contemplated:

- “The nature, severity and duration of the infraction, taking into account the nature
nature, scope or purpose of the treatment operation”, whenever the treatment
Biometric data collection carried out as of February 15, 2023 provided for the provision of

tion of consent for the processing of biometric data without prior
sion to collect their consent. Which represents a loss of
control and disposition of your personal data. (83.2.a GDPR).

- A serious lack of diligence is included (art 83.2.b RGPD), given that any
processing that collects data from minors and that requires the provision of consent
feeling, must contain specific provisions for the provision of the same by
these directly or by their legal representatives, depending on the age of the
nor. Considering that negligence occurs in accordance with the doctrine of the Court

Supreme Court previously referenced.

- The impact on one of the special categories of data, biometric data,
whose need for protection is to that extent greater than that of other personal data,
in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of
05/22/2019, appeal 1405/2019, which represents an aggravating circumstance, in accordance with the article
83.2.g) of the RGPD “the categories of personal data affected by the
infringement".


As a consequence, with the elements that are available, the sanction is quantified in
25,000 euros, without prejudice to what results from the processing of the procedure.


With regard to the alleged violation of article 13 of the RGPD, the following are contemplated:
following circumstances:

- “The nature, severity and duration of the infraction, taking into account the nature

nature, scope or purpose of the treatment operation.” Every time the response
Saber of the treatment did not inform those affected under the terms of the RGPD since 4
November 2022, when the processing of biomedical data was launched.
nor from February 15, 2023, date of completion of the DPIA, nor
In none of the cases was said information adapted to minors, and
which affected 700 subscribers who acquired a subscription to the entertainment stand
in the 2022/2023 season. All of this means a lack of information, a loss of
provision and control over personal data (83.2.a RGPD).


- A serious lack of diligence is included (art 83.2.b RGPD), since it is necessary
that interested parties be informed prior to treatment, especially
when the information precedes the provision of consent.

       In this sense, the Supreme Court has understood that there is imprudence
       A legal duty of care is always neglected, that is, when the offender does not
       behaves with the required diligence. And in the assessment of the degree of diligence
       The professionalism or lack of professionalism of the subject must be especially considered, and it is not possible
       doubt that, in the case now examined, when the activity of the appellant

       is constant and abundant handling of personal data must be insisted upon.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 45/54








       employ rigor and exquisite care to comply with legal preventions when
       regard. The STS of 06/05/1998 requires professionals in the sector "a duty
       to know especially the applicable standards", and in similar terms it is
       pronounce, among others, the SSTS of 03/02/1999 and 09/17/1999, for their activity
       are accustomed to the processing of personal data must be especially careful.

       ligent and careful when carrying out operations with them and should always choose
       the most favorable interpretation to safeguard the fundamental right to
       data protection (as the National Court repeatedly maintains, in-
       three others in ruling of 11/26/2008).

- The impact on one of the special categories of data, biometric data,
whose need for protection is to that extent greater than that of other personal data,
in accordance with what was indicated by the Constitutional Court in ruling 76/2019, of

05/22/2019, appeal 1405/2019, which represents an aggravating circumstance, in accordance with the article
83.2.g) of the RGPD “the categories of personal data affected by the
infringement".

- The impact on the rights of minors (76.f) of the LOPDGDD). Since of
According to the document provided as Annex VI, it is possible to process biometric data of
under 18 years old.


As a consequence, with the elements that are available, the sanction is quantified in
25,000 euros, without prejudice to what results from the processing of the procedure.

                          XI Adoption of corrective measures.



If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this

act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the

this Regulation, where appropriate, in a certain manner and within a
specified period…”

The imposition of this measure is compatible with the sanction consisting of a fine

administrative, according to the provisions of art. 83.2 of the GDPR.

It is warned that failure to comply with the possible order to adopt measures imposed by
This body in the sanctioning resolution may be considered as a

administrative offense in accordance with the provisions of the RGPD, classified as
infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a
subsequent administrative sanctioning procedure.


                               XI. Provisional measures

Article 58.2 of the GDPR provides the following:


       “Each supervisory authority will have all of the following corrective powers:
       indicated below:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 46/54








       d) order the person responsible or in charge of the treatment that the operations of
       treatment comply with the provisions of this Regulation, when
       appropriate, in a certain manner and within a specified period;”
       f) impose a temporary or definitive limitation on the processing, including its
       prohibition; […]”
       i) impose an administrative fine in accordance with Article 83, in addition to or instead of
       of the measures mentioned in this section, depending on the circumstances
       of each particular case;”


The imposition of these measures are compatible with each other and with the consistent sanction
in administrative fine, according to the provisions of art. 83.2 of the GDPR.

There is no evidence that BURGOS CF has stopped using the biometric system to
access to the stadium based on the consent of the users, since it maintains it as
Voluntary method of access to the cheer stands at your stadium.

In particular, it is worth mentioning article 69 of the LPACAP, which determines:


   "1. During the carrying out of prior investigation actions or initiating a
   procedure for the exercise of sanctioning power, the Spanish Agency for
   Data Protection may agree to provisional measures with reasons.
   necessary and proportionate to safeguard the fundamental right to
   data protection and, in particular, those provided for in article 66.1 of the Regulation
   (EU) 2016/679, the precautionary blocking of data and the immediate obligation to attend
   the right requested.

   2. In cases where the Spanish Data Protection Agency considers that the
   continuation of the processing of personal data, its communication or
   international transfer will entail a serious impairment of the right to
   protection of personal data may order those responsible or in charge of
   the treatments, the blocking of the data and the cessation of its processing and, in the event of
   If these said mandates are not complied with, proceed to their immobilization.”

Article 56 of the LPACAP, insofar as it is applicable, indicates the measures
provisionally the following in sections 1 and 3:

    "1. Once the procedure has started, the administrative body competent to resolve,
    may adopt, ex officio or at the request of a party and in a motivated manner, the measures
    provisional measures that it deems appropriate to ensure the effectiveness of the resolution that
    could relapse, if there were sufficient elements of judgment for it, according to
    with the principles of proportionality, effectiveness and least onerousness. (…).
    3. In accordance with the provisions of the two previous sections, the
    following provisional measures, in the terms provided in Law 1/2000, of
    7/01, Civil Procedure:
    a) Temporary suspension of activities.

    b) Provision of guarantees.
    c) Withdrawal or intervention of productive assets or temporary suspension of
    services for reasons of health, hygiene or safety, the temporary closure of the
    establishment for these or other reasons provided for in the regulatory regulations
    applicable.
    d) Preventive seizure of assets, income and fungible things computable in
    metallic by application of certain prices.
    e) The deposit, retention or immobilization of movable property.
     f) The intervention and deposit of income obtained through an activity that is

    considered illegal and whose prohibition or cessation is sought.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 47/54








    g) Consignment or constitution of deposit of the amounts claimed.
     h) The withholding of income on account that must be paid by the Administrations
    Public.
      i) Those other measures that, for the protection of the rights of
    interested parties, expressly provide for the laws, or that are deemed necessary to

    ensure the effectiveness of the resolution.
    4. Provisional measures may not be adopted that may cause harm to
    difficult or impossible reparation to the interested parties or that involve violation of
    rights protected by law.
    5. Provisional measures may be lifted or modified during the
    processing of the procedure, ex officio or at the request of a party, by virtue of
    circumstances that occurred or that could not be taken into account in the
    time of its adoption. In any case, they will be extinguished when the

    administrative resolution that puts an end to the corresponding procedure.”


In the data processing analyzed, the high risk that
means for the rights and freedoms of a large number of those affected, such as
loss of control and disposition of your personal data or the use of the data
personnel that are not obviously necessary to access the stadium, which
It also includes minors. Along with this, there are indications and proven evidence

that recommend not continuing with the aforementioned treatment that involves categories
special personal data.

The continuation of the treatment, for which there is evidence that it has not passed the
triple judgment of proportionality and therefore the failure to exceed the DPIA of February 15
of 2023, which could lead to very serious and irreparable harm to the
rights of those users. Therefore, the temporary suspension of treatment is the
only measure that can be adopted to safeguard the Fundamental Right to

Data Protection, also proving to be the least harmful, onerous, proportional
and effective, as well as the most proportional and effective for the accused.

From these premises and in order to guarantee the rights and freedoms of those affected,
It is considered appropriate to impose a provisional measure that prevents as soon as possible the
continuation of the processing of personal data through the
fingerprint recognition for access to the El Plantío stadium
BURGOS CF, which must temporarily suspend its use.


This measure would not prevent the accused from continuing to control the entry correctly.
and legal with the other systems you are using, not even the fans would mind.
loss of service, since you can continue entering the stadium normally because
It is a “complementary” or “alternative” system to the fingerprint, as stated
continually the accused.

Consequently, in accordance with art 83.2 of the RGPD and article 76.3 of the

LOPDGDD transcribed above, it is possible to impose through this Agreement of Start of
sanctioning file the provisional measure of ordering, in accordance with the provisions
in art. 69 of the LOPDGDD and art. 56 of the LPACAP, the temporary suspension of all
processing of biometric personal data and especially those related to the
Fingerprint recognition for access to the El Plantío stadium. Every time the
provisional suspension of treatment is considered necessary, proportional, effective
to guarantee the rights and freedoms in contention of those affected and of less burdensomeness
for the accused.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 48/54









The provisional measure must be carried out from the notification of this agreement
initiation of the sanctioning procedure until its final resolution, in which it must be
confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the
LPACAP.


Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,

HE REMEMBERS:

FIRST: START SANCTIONING PROCEDURE against BURGOS CLUB DE

FOOTBALL, S.A.D. with NIF A09012428, for the following violations of the RGPD:

   - For the alleged violation of article 35, typified in article 83.4 of the RGPD
   - For the alleged violation of article 9 of the RGPD, typified in article 83.5.a)
    of the GDPR.
   - For the alleged violation of article 5.1.c, typified in article 83.5.a) of the
    GDPR.
   - For the alleged violation of article 8 of the RGPD, typified in article 83.4.a)

    of the GDPR.
   - For the alleged violation of article 13 of the RGPD, typified in article 83.5.b)
    of the GDPR.


SECOND: ORDER as a provisional measure the BURGOS FOOTBALL CLUB,
S.A.D. with NIF A09012428, in accordance with the provisions of article 69 of the

LOPDGDD and article 56 of the LPACAP, the temporary suspension of all treatment of
personal data related to fingerprint detection for access to the El stadium
Plantation. The provisional measure must be carried out within ten business days,
counted from the notification of this agreement to open the procedure, and
will remain until its final resolution, in which it must be confirmed, modified or
lifted, without prejudice to the provisions of art. 56.5 of the LPACAP. To this end, you must
justify before this Spanish Data Protection Agency the attention of this
request.


THIRD: APPOINT A.A.A. as instructor. and, as secretary, to B.B.B.,
indicating that they may be challenged, if applicable, in accordance with the provisions of the
Articles 23 and 24 of Law 40/2015, of 1/10, on the Legal Regime of the Public Sector
(LRJSP).

FOURTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the

documents obtained and generated by the General Subdirectorate of Inspection of
Data.

FIFTH: THAT for the purposes provided for in art. 64.2 b) of the LPCAPAP, the sanction that
could correspond would be for each of the infractions charged, without prejudice to
What results from the instruction would be:
- 50,000 euros, for the violation of article 35 of the RGPD.
- 50,000 euros, for the violation of article 9 of the RGPD.

- 50,000 euros, for the violation of article 5.1.c) of the RGPD.
- 25,000 euros, for violating article 8 of the RGPD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 49/54








- 25,000 euros, for the violation of article 13 of the RGPD.

SIXTH: NOTIFY this agreement to BURGOS CLUB DE FÚTBOL, S.A.D. with
NIF A09012428, granting a hearing period of ten business days so that
formulate the allegations and present the evidence you consider appropriate. In its

written allegations must provide your NIF and the file number that appears in the
heading of this document.

If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, you may recognize your

responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 160,000 euros, resolving the
procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which will mean

the reduction of 20% of its amount. With the application of this reduction, the sanction
would be established at 160,000 euros, and its payment will imply the termination of the
procedure, without prejudice to the imposition of the corresponding measures.

The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for the recognition of responsibility, provided that this recognition of
responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount

in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 120,000 euros.

In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.


In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above 160,000 euros or 120,000 euros, you must make it effective
by depositing it into the account number IBAN: ES00-0000-0000-0000-0000-0000 open to
name of the Spanish Data Protection Agency in the banking entity
CAIXABANK, S.A., indicating in the concept the reference number of the procedure
that appears in the heading of this document and the reason for reducing the amount
which is welcomed.


Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.

The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After this period, its expiration will occur and, in
consequently, the archive of actions; in accordance with the provisions of the
article 64 of the LOPDGDD.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 50/54









Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.




                                                                               935-30102023
Sea Spain Martí
Director of the Spanish Data Protection Agency


 >>

SECOND: On March 5, 2024, the claimed party has proceeded to pay
the sanction in the amount of 120,000 euros, making use of the two reductions
provided for in the initiation Agreement transcribed above, and has submitted a written document in the
same date on which you request a resolution to terminate the procedure,

recognizing their responsibility, and expressly desisting from any action or
administrative appeal against the sanction.



THIRD: In the aforementioned Initiation Agreement transcribed above, it was agreed: “OR-
DENIM as a provisional measure the BURGOS CLUB DE FÚTBOL, S.A.D. with NIF
A09012428, in accordance with the provisions of article 69 of the LOPDGDD and article 56

of the LPACAP, the temporary suspension of all processing of personal data relating
to fingerprint detection for access to the El Plantío stadium. The provisional measure
nal must be carried out within a period of ten business days, counted from the notification.
tion of this agreement to open the procedure, and will remain until its resolution
final, in which it must be confirmed, modified or lifted, without prejudice to the provisions

to in art. 56.5 of the LPACAP. To this end, you must justify before this Spanish Agency of
Data Protection attention to this requirement.”

The BURGOS CLUB DE FUTBOL, S.A.D has not yet proven to have executed
This provisional suspension measure has been lifted.


                           FOUNDATIONS OF LAW


                                            Yo
                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency

of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 51/54








regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."



                                            II
                             Termination of the procedure


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:

"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,

except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,

20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased

“regularly.”

                                            III
    Elevation of provisional measure to definitive. Adoption of corrective measures.


Article 58.2 of the GDPR provides the following:

       “Each supervisory authority will have all of the following corrective powers:
       indicated below:
       d) order the person responsible or in charge of the treatment that the operations of
       treatment comply with the provisions of this Regulation, when
       appropriate, in a certain manner and within a specified period;”
       f) impose a temporary or definitive limitation on the processing, including its

       prohibition; […]”
       i) impose an administrative fine in accordance with Article 83, in addition to or instead of
       of the measures mentioned in this section, depending on the circumstances
       of each particular case;”

Regarding the temporary or definitive limitation of the treatment, it is worth referring to the article
69 of the LPACAP, which determines:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 52/54








   "1. During the carrying out of prior investigation actions or initiating a
   procedure for the exercise of sanctioning power, the Spanish Agency for
   Data Protection may agree to provisional measures with reasons.
   necessary and proportionate to safeguard the fundamental right to
   data protection and, in particular, those provided for in article 66.1 of the Regulation

   (EU) 2016/679, the precautionary blocking of data and the immediate obligation to attend
   the right requested.
   2. In cases where the Spanish Data Protection Agency considers that the
   continuation of the processing of personal data, its communication or
   international transfer will entail a serious impairment of the right to
   protection of personal data may order those responsible or in charge of
   the treatments, the blocking of the data and the cessation of its processing and, in the event of
   If these said mandates are not complied with, proceed to their immobilization.”


Article 56 of the LPACAP states in its fifth section that:

    "5. The provisional measures may be lifted or modified during the
    processing of the procedure, ex officio or at the request of a party, by virtue of
    circumstances that occurred or that could not be taken into account in the
    time of its adoption. In any case, they will be extinguished when the
    administrative resolution that puts an end to the corresponding procedure.”


In the present procedure, there is no evidence that BURGOS CF had suspended the
data processing related to access to the stadium's entertainment stands through
fingerprint-which were maintained as a voluntary access system for members who
opt for the same -, the agreement to initiate this procedure ordered to agree
“the temporary suspension of all processing of biometric personal data and in
special of those referred to the fingerprint recognition system for access
to the El Plantío stadium”, since the provisional suspension of the treatment was

considered necessary, proportional, effective to guarantee the rights and freedoms in
list of those affected and less burdensome for the accused.

In accordance with the provisions of the agreement to initiate this procedure, the
provisional measure should have been adopted since the notification of the
initiation of the sanctioning procedure until its final resolution, in which it had to be
confirmed, modified or lifted, without prejudice to the provisions of art. 56.5 of the
LPACAP.


As of the date of this resolution, BURGOS CF has recognized its responsibility and
the payment, requesting the termination of the procedure, without reference to the state in
which is the processing of biometric data in the animation tier of its
stadium, so it is unknown if this system has been provisionally suspended,
as ordered in the agreement to initiate the sanctioning procedure, or have
definitively suspended.


Well, having said the above, BURGOS CF has recognized its responsibility,
the infractions that were charged in the
initial agreement, and it is also necessary to impose on the person responsible the adoption of the
appropriate corrective measures to adjust their actions to the protection regulations
of data, as already anticipated in the initial agreement.

It is estimated that the same risks undoubtedly persist today as
motivated the suspension or provisional limitation of the treatment in the initiation agreement,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 53/54








since the continuation of the treatment could lead to very serious damage and
irreparable for the rights and freedoms of users who access the stadium
using the implemented biometric system.

Given the circumstances, it is understood that the prohibition of treatment, as a measure

corrective action of those granted in article 58.2 of the RGPD to the Spanish Agency for
Data Protection is the only measure that can be adopted to safeguard
the Fundamental Right to Data Protection, also proving to be the least
harmful, onerous, proportional and effective, as well as the most proportional and effective for the
denounced.

From these premises and in order to guarantee the rights and freedoms of those affected,
It is considered appropriate to confirm the provisional suspension ordered in the agreement

initiation, and prohibit, as a corrective measure, the processing of personal data
through the fingerprint recognition system for access to the
El Plantío stadium of BURGOS CF, proceeding to cessation of treatment.

This measure would not prevent the accused from continuing to control the entry
appropriate and legal with the other systems you are using, nor do hobbyists care
would mean the loss of service, since you can continue entering the stadium with
normality since it is a system already implemented “complementary” or “alternative” to that of

fingerprint, as the defendant continually states.

In accordance with what has been stated, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of the sanctioning procedure processed with the

number PS/00483/2023 (EXP202213792), in accordance with the provisions of
article 85 of the LPACAP.

SECOND: Confirm the provisional measure imposed in the agreement to start the
present sanctioning file, and prohibit BURGOS CLUB DE FÚTBOL S.A.D,

as a corrective measure, any processing of personal data relating to the processing
fingerprint for access to the El Plantío stadium, proving within ten
business days before this Spanish Data Protection Agency that has proceeded to the
cessation of your treatment.

THIRD: NOTIFY this resolution to BURGOS CLUB DE FÚTBOL,

S.A.D.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 54/54













                                                                                                         1219-21112023

Sea Spain Martí
Director of the Spanish Data Protection Agency







































































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es