La Liga – €1,000,000 Fine (Spain, 2024)

In March 2023, LaLiga (data controller) issued a regulation to football clubs in Spain requiring the implementation of changes to how clubs allowed access to their stadiums. For ordinary ticket holders, patrons could either present their physical ticket and be given entry, or, provide an electronic ticket and use a fingerprint scanner. For access to the “animation stands”, reserved for the biggest fans of the home team, patrons had to subject to biometric identification through either fingerprinting or facial recognition, and provide consent to this processing at the point of entry, or be denied entry. The controller also offered to the clubs a system of access for implementing and complying with the updated access guidance. On 4th November 2022, a fan filed a complaint against the controller with the AEPD. The DPA firstly determined that LaLiga was the data controller, rejecting the contention by the controller that each club should be considered controllers in their own respect. In doing so, the DPA focused on the provision by the controller of the access system which complied with their regulation, and the speed with which it was made available to clubs who requested it. The DPA found that the controller infringed Article 35 by not conducting a DPIA prior to the commencement of the processing. The DPA stressed both the high-risk nature of the processing in question, i.e. biometric processing, as well as the large scale. The DPA imposed a fine of €1,000,000 for the infringement of Article 35(1). The also ordered the suspension of the biometric processing until a DPIA had been appropriately carried out, assessing the necessity and proportionality of the processing.