FC Barcelona faces €500,000 GDPR fine over biometric data processing violations
Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), has imposed a €500,000 fine on Fútbol Club Barcelona (FCB) for failing to conduct a legally compliant Data Protection Impact Assessment (DPIA) before processing biometric data. The biometric processing involved facial recognition and voice recordings collected during a 2023 digital census update campaign targeting approximately 143,000 club members. The AEPD found that the DPIA submitted by FCB did not meet the necessary GDPR standards: in particular, it lacked a clear description of biometric data, a genuine assessment of less intrusive alternatives, and an appropriate evaluation of risks.
The digital census required members to complete multiple steps including scanning identity documents, taking a facial selfie with liveness detection, and optionally recording a voice profile. The biometric data was processed using software from Veridas Digital Authentication Solutions S.L., with encrypted biometric vectors stored temporarily on servers within the European Economic Area. The AEPD received complaints from members who argued that the biometric process was mandatory without explicit consent, which led to a formal investigation and suspension of the biometric verification process by the club.
The AEPD’s resolution highlighted several shortcomings in FCB’s DPIA. The assessment failed to explicitly identify facial biometric data, did not properly evaluate whether biometric verification was the least privacy-invasive method, and underestimated the risks associated with processing sensitive biometric identifiers. Despite FCB’s arguments citing prior regulatory guidance and mitigating factors such as voluntary suspension and cooperation, the authority emphasized that the obligation to conduct a thorough DPIA existed independently of guidance and must be completed before processing begins.
This case underscores the importance for organizations using biometric or high-risk technologies of preparing detailed, substantive DPIAs that honestly assess risks and alternatives. It also reflects a broader trend in Spain’s data protection enforcement, where authorities are scrutinizing DPIA quality closely. For data protection and marketing professionals, the Barcelona ruling offers a clear example of the regulatory expectations for biometric data processing under the GDPR and signals that formal compliance is insufficient without a robust analytical process.