Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Bulgaria: CPDP issues opinion on football clubs' obligations regarding the use of video surveillance systems

On April 15, 2024, the Commission for Personal Data Protection (CPDP) published Opinion No. PNMD-01-30/2024 on football clubs' obligations regarding the use of video surveillance systems, following a request from an individual.

Background to the Opinion

The CPDP explained that on March 8, 2024, it received a request from an individual stating that football clubs have a legal obligation under Bulgarian legislation to carry out video surveillance of sports events taking place, entailing the potential processing of data of hundreds of thousands of individuals.

The individual also outlined that football clubs have a legitimate interest in protecting their facilities, and asked the CPDP to weigh in on the data protection requirements for football clubs.

Opinion of the CPDP

The CPDP arrived at the following conclusions, among other things:

  • organizers of sporting events, in particular football clubs, carry out monitoring of significant or unlimited number of affected data subjects, which is qualified as regular and systematic large-scale monitoring;
  • given such monitoring of data subjects, organizers are obliged to appoint a data protection officer (DPO) under Article 37(1)(b) of the General Data Protection Regulation (GDPR), and carry out a Data Protection Impact Assessment (DPIA) pursuant to Article 35(3) of the GDPR;
  • relationships between football clubs and security companies are qualified as controller-processor relationships, regulated under Article 28 of the GDPR, but joint or separate controllership is not excluded;
  • security companies must appoint a DPO if they meet the conditions under the GDPR; and
  • when a security company carries out video surveillance, following the provisions of the Law on the Protection of Public Order at Sports Events, it should have access to the data during at least a three-month period and disclose the data only to entities combating crime, protecting public order and national security.

You can read the Opinion, only available in Bulgarian, here.