The Spanish Data Protection Agency (AEPD) has recently imposed a fine of €1 million on La Liga for alleged non-compliance with the European Union’s General Data Protection Regulation (GDPR). The sanction relates to the implementation of biometric identification systems used for controlling access to fan zones in stadiums. La Liga introduced these systems as part of broader initiatives to enhance security and prevent violence within sports venues. However, the regulator’s investigation revealed that the deployment of these systems did not meet the stringent requirements imposed by the GDPR, triggering the fine.
La Liga has appealed the decision, arguing that the measures were introduced under the guidance of higher sporting authorities and that responsibility for the data processing might reside with individual clubs.
Breach of GDPR Provisions by La Liga
The primary breach cited in the AEPD’s ruling was the failure to conduct a Data Protection Impact Assessment (DPIA), as required by Article 35 of the GDPR. The DPIA is a critical tool designed to assess the risks associated with processing sensitive personal data—including biometric data—and to ensure that adequate safeguards are implemented before such processing takes place. In this case, the AEPD determined that La Liga did not perform the necessary DPIA for its biometric systems, thereby falling short of the compliance standard set out under the regulation. It is important to note that biometric data is classified as a special category of personal data under Article 9 of the GDPR, meaning that its processing is subject to even more rigorous legal and technical safeguards.
Implications for Data Governance in Sports
The sanction imposed on La Liga serves as a critical reminder for organizations operating in the sports and entertainment sectors to adopt robust data governance frameworks. As technology advances, institutions increasingly rely on innovative tools such as biometric systems to bolster security and improve operational efficiency. However, such advancements must be implemented within a strict regulatory framework that prioritizes data protection and respects individuals’ privacy rights. The case exemplifies the need for sports organizations to ensure that any processing of sensitive data is preceded by comprehensive impact assessments and accompanied by clear measures addressing risks, proportionality, and necessity. Moreover, the decision highlights the role of supervisory authorities in enforcing compliance and ensuring that all stakeholders, including clubs and governing bodies, maintain transparency and accountability in their data processing practices.
Conclusion
The recent fine against La Liga reinforces the imperative of strict adherence to GDPR requirements when processing sensitive data. By failing to carry out a proper Data Protection Impact Assessment—a violation of Article 35—and not establishing sufficient legal grounds for processing biometric data, La Liga has found itself under regulatory scrutiny. The AEPD’s decision is firmly rooted in the legal framework designed to protect the fundamental rights of individuals, particularly in contexts where personal data is inherently sensitive. While La Liga continues its legal challenge, this case offers valuable insights for other organizations in the sports industry and beyond, emphasizing that technological innovation must always be balanced with a commitment to data protection and privacy. The fine, therefore, stands as a significant enforcement action that underscores the need for meticulous data governance strategies in the era of digital transformation.
The Ministry of Electronics and Information Technology (MeitY) has released the Draft DPDP Rules, 2025 for Public Consultation!
News of the Week
- Infosys Settles U.S. Cyber Incident Lawsuits for $17.5 Million

Indian IT giant Infosys announced a $17.5 million settlement for class action lawsuits against its U.S. unit, Infosys McCamish Systems, following a 2023 cyber incident. The breach impacted up to 6.5 million individuals, leading to unauthorized data access. The settlement resolves all pending allegations related to the cybersecurity event, which had disrupted key applications and systems.
- New York Sues Allstate’s National General Over Data Breach

New York Attorney General Letitia James sued Allstate’s National General unit for failing to report data breaches in 2020 and 2021 that exposed over 165,000 New Yorkers’ driver’s license numbers. The lawsuit alleges violations of the SHIELD Act and consumer protection laws, seeking $5,000 per violation. Allstate defended its response, citing prompt security measures.
- Amazon’s Alexa+ Update Raises Privacy Concerns Over Voice Recording

Amazon’s Alexa+ update will require users to allow voice recordings to be stored in the cloud, or they will lose access to key features like Voice ID. Starting March 28, all Alexa commands will be sent to Amazon’s servers, even for users who opted out. While Amazon claims recordings will be encrypted and deleted after processing, past controversies, including a $25 million fine for storing children’s recordings, raise concerns.
- UK’s Secret iCloud Backdoor Order Faces Legal Challenge

Liberty and Privacy International have filed complaints against the UK government’s secret order requiring Apple to weaken iCloud encryption. Issued under the Investigatory Powers Act, the order could impact non-UK users. Apple has already challenged the order, with a hearing set for March 14. The civil rights groups, joined by Gus Hosein and Ben Wizner, demand a public hearing, warning of global privacy risks.
- Tata Technologies Data Leaked Following Ransomware Attack

Ransomware group Hunters International has leaked data allegedly stolen from Tata Technologies, a month after the company confirmed a cyberattack. The leak includes personal employee details, purchase orders, and confidential contracts, totalling 1.4TB. Tata had earlier reported a ransomware attack but claimed client services were unaffected.