Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Bulgaria: CPDP issues opinion on the use of biometric data to control access to sports centers

On April 29, 2024, the Commission for Personal Data Protection (CPDP) published Opinion No. PNMD-01-24/2024 on the use of biometric data to control by technical means access to sports centers following a company request.

Background to the Opinion

The CPDP stated that, on February 28, 2024, it received a request from a company planning to use a biometric access control system with facial recognition in relevant sports centers. The company stated that access control is necessary due to the remuneration for the services provided and that it plans to implement all legal obligations and organizational and technical measures to protect personal data.

Opinion of the CPDP

The CPDP held that the company failed to carry out a Data Protection Impact Assessment (DPIA) prior to consulting the CPDP to determine the high residual risk after the implementation of technical and organizational measures. Furthermore, the CPDP determined that the use of facial recognition systems for the purpose of identification for access to sports facilities is an extremely intrusive processing of sensitive personal data, generally prohibited under Article 9 of the General Data Protection Regulation (GDPR) and allowed only under strict circumstances. The CPDP also held that the processing of biometric data through video surveillance, including facial recognition, for the purposes of access control to sports centers does not meet the requirements under Article 5(1) of the GDPR regarding the legality, necessity, and proportionality, as well as Articles 9(2) and 22(3) of the GDPR.

The CPDP stated that pass-through access should be implemented using other methods that do not require the processing of special categories of personal data, such as personalized magnetic cards with a photo.

You can read the Opinion, only available in Bulgarian, here.