On June 22, 2023, the Danish data protection authority (Datatilsynet) announced that it had authorized Brøndby IF's use of facial recognition at stadiums for its matches, including those that take place in other stadiums, following Brøndby's request for extended use of its automatic facial recognition system. In particular, the Datatilsynet noted that with its renewed authorization, Brøndby will be able to use images from surveillance cameras to register individuals who violate the rules of order in their system for automatic facial recognition, so that such persons can be apprehended when they subsequently try to access the stadium again. In this regard, the Datatilsynet specified that Brøndby must ensure it observes the duty of disclosure when collecting personal data of individuals concerned and provide information that access control is being carried out, including the processing of biometric data using an automatic facial recognition system.

In this regard, the Datatilsynet had previously granted Brøndby, on May 24, 2019, authorization to process sensitive personal data, specifically biometric data for the purpose of identifying individuals, in accordance with Section 7(4) of the Danish data protection act, Act No. 502 of 23 May 2018, to establish an automatic facial recognition system as part of access control at the entrances to its stadium. Against this background, on November 30, 2022, Brøndby requested authorization from the Datatilsynet for the use of automatic facial recognition for matches at stadiums other than Brøndby Stadium.

Additionally, the Dataitlynet noted that the use of images from surveillance cameras may fall within the scope of the TV Surveillance Act, specifically, the rules of Sections 4c(4) and 4c(5), the former of which specifies a maximum retention period of 30 days for image and sound recordings, whereas the latter allows for an extension to the 30-day period. Accordingly, the Datatilsynet expressed the opinion that Brøndby's use of the facial recognition system to register and apprehend individuals may fall within the scope of Section 4c(5) and thus be subject to a storage period of longer than 30 days.

You can read the press release here and the Datatilsynet's response here, both only available in Danish.