In recent years, many large clubs have tried to modernize their relationship with members through digital tools. FC Barcelona took a further step by promoting a system that allowed it to verify the identity of its members using biometric data, such as voice or facial image, within its census update process. The initiative sought to strengthen identification and reduce possible impersonations. However, this project has ended up generating a regulatory conflict that has resulted in a fine of 500,000 euros imposed by the Spanish Data Protection Agency (AEPD).
The file. The AEPD does not generically question the use of biometric tools, but rather a prerequisite that the regulator considers essential. According to El ConfidencialFC Barcelona did not carry out an impact assessment on data protection in accordance with what is established article 35 of the General Data Protection Regulation (GDPR). This type of analysis must be carried out before implementing treatments that may pose a high risk to the rights and freedoms of the affected people.
Partner Digital Profile. In this process, the system processed certain biometric traits with the objective of authenticating each person within the club’s digital ecosystem. The documentation analyzed by the AEPD indicates that the mechanism allowed “biometric vectors to be generated from the member’s image and their voice for authentication.” These vectors were used as a reference to validate the identity of the member in different procedures linked to the club.
Campaign organized in several phases. The verification phase began on March 21, 2023 using digital identification tools. In this way, partners could complete the update process both remotely and in person. The system also included an alternative route for those who did not want to use biometrics, who could continue to identify themselves through traditional mechanisms.
The scale factor. One of the elements that the regulator took into account was the number of people affected by the system. The FC Barcelona census has around 143,000 members, which places the project in a particularly sensitive dimension from the point of view of data protection. This volume, in the opinion of the AEPD, raised the level of potential risk for the rights and freedoms of those affected.
Prior evaluation process. The GDPR requires a data protection impact assessment to be carried out when processing may pose a high risk to people’s rights and freedoms. During the investigation, the aforementioned media reports, FC Barcelona presented reports on the biometric systems used in the project. The AEPD concluded that these documents could not be considered a complete impact assessment in the terms required by article 35 of the Regulation.
Avoiding a violation. Article 9 of the GDPR regulates, among other aspects, the processing of biometric data when it is used to uniquely identify a person, within the so-called special categories of data. According to the resolution, the AEPD finally decided to archive this possible infringement as the necessary elements to apply that provision were not proven.
The answer. FC Barcelona has decided to appeal the sanction imposed by the AEPD and defends its actions in the process of updating the census. Barça’s legal services also highlight that the sanction initially proposed was much greater than the one finally set by the regulator. In the club’s words, a penalty of almost 6 million euros was proposed, but they managed to reduce it to 500,000 euros.
Images | Fikri Rasyid
In Xataka | OpenAI promised them very happy as the army’s new AI. Until thousands of users started uninstalling ChatGPT
GIPHY App Key not set. Please check settings