Having user data under control is one of the pending issues for a large part of companies, not only in Spain, but also globally. But it is crucial that the request for this data has to be regulated and previously communicated. However, there are times when things are not done properly and irregularities end up being committed. And one of the fashionable teams in the Second Division is in serious trouble.
One of the systems that is most commonly used to access a specific leisure area, such as gyms or sports centers, but also to sign in when you go to your workplace, is the fingerprint. This technology is very common to control user access and collect all their data, but the processing of this is very sensitive, so security measures must be established that comply with the General Data Protection Regulation (GDPR). .
In fact, the Spanish Data Protection Agency (AEPD) itself considers the practice of including biometric data as high risk, and one of the primary security measures is to keep people informed at all times that they are going to have to transfer their information. private. Next we are going to see one of the cases that should be avoided at all costs and that should serve as a lesson.
A fine of 200,000 euros for breaking the rules
The protagonist of this story is the Burgos Club de Fútbol team, which is currently competing in the Second Division. The entity has already been punished with a fine of 200,000 euros for violating the established rules for requesting biometric data from its partners. As a general rule, users should have been informed in advance that their data was going to be stored, but this was not the case.
However, the corporation has appealed the appeal based on two reductions that appear in the AEPD: recognizing the rights and voluntary payment. In this way, the penalty is reduced to 120,000 euros.
It all happened when two members denounced the club with the justification that asking for a fingerprint was excessive, when it was only enough to show their ID and membership card, and in addition they had not signed any document confirming that it was going to be carried out. that practice from now on.
The result was that the company failed to comply with several conditions of the AEPD regulations and up to five articles of the RGPD have been violated. Therefore, according to the legal statement, if a system was already applied to identify all users, it was not necessary to implement a mechanism as exhaustive as the fingerprint. And although the football club insisted that biometric data was implemented to prevent violence in sport, the AEPD had to reject its basis because there are other ways to remedy it.
However, the ruling is still up in the air and Burgos CF still has the opportunity to appeal and convince the National Court to withdraw the lawsuit.
