The president of the CNIL has issued a warning to the sport society which was assessing the use of a system of facial recognition in order to automatically identify people subjected to commercial prohibition into the stadium. But this project is not in compliance with the GDPR and the Data Protection Act. 

After some reports about the implementation by a sports society of a facial recognition disposal for spectators, the President of the CNIL has decided to carry out checks on the usage of this technology. 

This system, which was under experimentation, had the purpose of identificate people subjected to commercial ban into the stadium, detect lost objects, as well as to fight against terrorism. 

The analysis of the characteristics of the device has permitted established that it was based on the biometric data processing (physical or biological characteristics which permits to identify people (DNA, footprints, hand contour, etc.)). Anyway the recollection and the usage of these sensitive data are, with some exceptions, forbidden by the General Data Protection Regulation (GDPR) and by the Data Protection Act. 

The warning issued by the CNIL 

Without a special legislative disposals (for example a legislation) or a regulation (decree, Law-decree) it is illegal the implementation of this device by a sport association, also for the “anti-terrorism” purpose.

The president of the cNIL has warned the sport association with this current legal framework it can not be implemented in a licit way. 

If, despite this warning, the sport society will still implement facial recognition, it will be exposed to one or more corrective measures required by the GDPR and by the Data Protection Act, including a sanction. 

What is a commercial prohibition at the stadium?

The Article L. 332-1 of the Sport Code  states that sport organizator can refuse or cancel issuing subscription cards to these events or neglect the access to those one that have breached or contravene the general conditions and disposals or internal regulation of security in those events. 

The same article authorizes organizators of sports events to put on a “automated processing of personal data relative to breaches” in order to guarantee the security of those sports events. 

These commercial bans, in which the purpose is contribute to the security of sport events by preventing  specific people to have the access and that are decided by organizators of sport events, shall be divided from judicial or administrative bans which can not only be made by judicial authorities or prefects. 

Practically, the registration of a person in a ban processing into the stadium will permit the ticket office system to reject automatically to issue an single ticket. In addition security guards can reject the access to the stadium of the person subscribed in this process, even if he/she had a valid access ticket. 

How are these processes managed?

The general framework: GDPR.

Processing for commercial prohibition in stadium contribute to the security in the sports events by permitting organizator of those events to prevent the access to specific persons, due to criminal behaviours equal to natural contractual obligation breaches. 

This processing must be in compliance with the GDPR. 

Conditions for the implementation: the sports code.

In particular, the conditions for the implementation of this processing are specified into the disposals of the articles L. 332-1 and R. 332-14 and followings of the Sport Code, in particular according to:

• the aim of the processing;
• the categories of data that can be object of those data;
• as well as implementation legislation (in particular by posting or delivery of a document).

For this reason, even if the Article R. 332-15 of this Code requires that the photo associated with the membership card of a person is processed in the field of commercial ban administration, it does not permit the implementation of a biometric device based in particular on these photos. 

Finally, the article R. 332-18 of the Sport Code, requires that data subjects can not oppose to commercial bans of stadium.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA FRANCIA – CNIL