Certified Information Privacy Professional – Europe (CIPP/E) — Question 280

SCENARIO -

Please use the following to answer the next question:

It has been a tough season for the Spanish Handball League, with acts of violence and racism having increased exponentially during their last few matches.

In order to address this situation, the Spanish Minister of Sports, in conjunction with the National Handball League Association, issued an Administrative Order (the "Act") obliging all the professional clubs to install a fingerprint-reading system for accessing some areas of the sports halls, primarily the ones directly behind the goalkeepers. The rest of the areas would retain the current access system, which allows any spectators access as long as they hold valid tickets.

The Act named a selected hardware and software provider, New Digital Finger, Ltd., for creation of the new fingerprint system. Additionally, it stipulated that any of the professional clubs that failed to install this system within a two-year period would face fines under the Act.

The Murla HB Club was the first to install the new system, renting the New Digital Finger hardware and software. Immediately afterwards, the Murla HB Club automatically renewed current supporters’ subscriptions, while introducing a new contractual clause requiring supporters to access specific areas of the hall through the new fingerprint reading system installed at the gates.

After the first match hosted by the Murla HB Club, a local supporter submitted a complaint to the club and to the Spanish Data Protection Authority (the AEPD), claiming that the new access system violates EU data protection laws. Having been notified by the AEPD of the upcoming investigation regarding this complaint, the Murla HB Club immediately carried out a Data Protection Impact Assessment (DPIA), the conclusions of which stated that the new access system did not pose any high risks to data subjects' privacy rights.

What is the proper legal base for processing fingerprints at the Murla HB Club gates?

Answer options

• A. The consent provided by the spectators.
• B. The Act, imposing security measures on the spectators.
• C. The contract between the Club and the affected spectators.
• D. The legitimate interest of preventing violent acts from the spectators.

Correct answer: A

Explanation

The correct answer is A, as the processing of fingerprints requires explicit consent from the spectators under EU data protection laws. While the Act mandates security measures, it does not replace the need for consent. Options C and D also do not meet the legal requirements for processing biometric data, as they do not involve the necessary explicit consent.