Burgos Club de Fútbol, S.A.D. – €120,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Burgos Club de Fútbol had to pay a fine for requiring fans to give their fingerprints to enter the stadium. This was seen as too much and not properly explained to the fans. The ruling shows that sports organizations need to be careful about how they collect personal data.
What happened
Burgos Club de Fútbol required fans to provide fingerprints for entry to cheering stands.
Who was affected
Approximately 700 fans who wanted to enter the cheering stands were affected.
What the authority found
The Spanish data protection authority ruled that the club did not properly inform fans about the biometric data collection.
Why this matters
This case highlights the importance of transparency in data collection, especially in sports. Other clubs should ensure they clearly communicate how they handle personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 4 November 2022, the Burgos Club de Fútbol, S.A.D. (the controller) implemented a biometric data collection system which required the approximately 700 members of the 'cheering stands' to provide their fingerprints in order to gain entry. The biometric processing was required by an agreement adopted by the State Commission against violence, racism, xenophobia and intolerance in sports (State Commission). The fingerprint system, which was distributed to football clubs by the Spanish Football League (La Liga), collected data subjects’ names, national identification card numbers, system identification numbers, and fingerprint patterns. It replaced the previous entry system, which allowed entry after verifying identification cards. The controller published a communication concerning the system and its basis on the State Commission's agreement on its website on November 4, 2022. The system was first used during a match on 8 December 2022. This was mandatory in order to enter the cheering stands. The system did not set a minimum age, permitting the collection of biometric data from any minors whose parents or guardians consented. On 4 and 7 November 2022, complaints were filed with the Spanish DPA (AEPD) arguing that the biometric control was excessive and failed to adequately inform data subjects as to processing. On 15 February 2023, the controller ceased the mandatory collection of biometric data and instead gave data subjects the option of entering with their ID cards or with fingerprints. On 19 February 2023, the controller notified members of the change in policy and implemented the change at a football game. On the same day, the controller received a copy of [https://www.aepd.es/documento/2022-0098.pdf Dictamen 98/22], initially circulated to La Liga, in which the AEPD declared that the State Commission's biometric processing obligations did not conform with the GDPR. The controller identified itself as the controller for the biometric data at issue. It stat
Related Enforcement Actions (0)
No other enforcement actions found for Burgos Club de Fútbol, S.A.D. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
9 April 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
GDPRhub ID
gdprhub-7855About this data
Cite as: Cookie Fines. Burgos Club de Fútbol, S.A.D. - Spain (2024). Retrieved from cookiefines.eu
Last updated: