Club Atlético Osasuna – €200,000 Fine (Spain, 2025)

A data subject lodged a complaint against the Spanish football club “Club Atlético Osasuna” with the Spanish DPA (Agencia Española de Protección de Datos – AEPD) on 22 November 2022. The football club, here the controller, had implemented a facial recognition system at one of the stadium entrances on the 10 April 2022. By the 22 April 2022, the system had been added to several entrances. Fans were given the option to register for the system online to which they had to provide a selfie, a scan of their ID-card and agreement to the terms and conditions. Traditional entry with physical or digital tickets was still possible at other entrances. The controller detailed that the purpose of the system was primarily limited to convenience. Therefore, security and identity verification purposes were not listed as the aim of the system. The controller had carried out a data protection impact assessment and concluded that based on the legal basis of consent, the processing did not endanger data protection rights. The DPIA had shown that the data was only processed for the intended purpose. The data subject alleged that the large-scale processing of biometric data lacked proportionality, that the controller did not provide sufficient safeguards and that consent alone was not enough to legitimise this processing. Consent under Article 6(1)(a) GDPR The AEPD confirmed that the opt-in design of the system proved that the use of the facial-recognition system was in fact voluntary. Fans were not confronted with any negatives if they refused to use the system or if they withdrew their consent. The sign-up system required multiple opt-ins in order to sign up, so the AEPD concluded that consent was informed and freely given. Further, people wanting to sign up were informed on data usage and storage by the controller. Necessity of processing sensitive Article 9 GDPR data However, the nature of the biometric data processed under Article 9 GDPR required further assessment. The AEP