Burgos Club de Fútbol, S.A.D. – €120,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 4 November 2022, the Burgos Club de Fútbol, S.A.D. (the controller) implemented a biometric data collection system which required the approximately 700 members of the 'cheering stands' to provide their fingerprints in order to gain entry. The biometric processing was required by an agreement adopted by the State Commission against violence, racism, xenophobia and intolerance in sports (State Commission). The fingerprint system, which was distributed to football clubs by the Spanish Football League (La Liga), collected data subjects’ names, national identification card numbers, system identification numbers, and fingerprint patterns. It replaced the previous entry system, which allowed entry after verifying identification cards. The controller published a communication concerning the system and its basis on the State Commission's agreement on its website on November 4, 2022. The system was first used during a match on 8 December 2022. This was mandatory in order to enter the cheering stands. The system did not set a minimum age, permitting the collection of biometric data from any minors whose parents or guardians consented. On 4 and 7 November 2022, complaints were filed with the Spanish DPA (AEPD) arguing that the biometric control was excessive and failed to adequately inform data subjects as to processing. On 15 February 2023, the controller ceased the mandatory collection of biometric data and instead gave data subjects the option of entering with their ID cards or with fingerprints. On 19 February 2023, the controller notified members of the change in policy and implemented the change at a football game. On the same day, the controller received a copy of [https://www.aepd.es/documento/2022-0098.pdf Dictamen 98/22], initially circulated to La Liga, in which the AEPD declared that the State Commission's biometric processing obligations did not conform with the GDPR. The controller identified itself as the controller for the biometric data at issue. It stat
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 4 November 2022, the Burgos Club de Fútbol, S.A.D. (the controller) implemented a biometric data collection system which required the approximately 700 members of the 'cheering stands' to provide their fingerprints in order to gain entry. The biometric processing was required by an agreement adopted by the State Commission against violence, racism, xenophobia and intolerance in sports (State Commission). The fingerprint system, which was distributed to football clubs by the Spanish Football League (La Liga), collected data subjects’ names, national identification card numbers, system identification numbers, and fingerprint patterns. It replaced the previous entry system, which allowed entry after verifying identification cards. The controller published a communication concerning the system and its basis on the State Commission's agreement on its website on November 4, 2022. The system was first used during a match on 8 December 2022. This was mandatory in order to enter the cheering stands. The system did not set a minimum age, permitting the collection of biometric data from any minors whose parents or guardians consented. On 4 and 7 November 2022, complaints were filed with the Spanish DPA (AEPD) arguing that the biometric control was excessive and failed to adequately inform data subjects as to processing. On 15 February 2023, the controller ceased the mandatory collection of biometric data and instead gave data subjects the option of entering with their ID cards or with fingerprints. On 19 February 2023, the controller notified members of the change in policy and implemented the change at a football game. On the same day, the controller received a copy of [https://www.aepd.es/documento/2022-0098.pdf Dictamen 98/22], initially circulated to La Liga, in which the AEPD declared that the State Commission's biometric processing obligations did not conform with the GDPR. The controller identified itself as the controller for the biometric data at issue. It stat
Related Enforcement Actions (0)
No other enforcement actions found for Burgos Club de Fútbol, S.A.D. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
9 April 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
GDPRhub ID
gdprhub-7855About this data
Cite as: Cookie Fines. Burgos Club de Fútbol, S.A.D. - Spain (2024). Retrieved from cookiefines.eu
Last updated: