Facial recognition on the football pitch

In order to prevent troublesome “fans” from attending games after having been banned, F.C. København (Copenhagen) has obtained the permission from the Danish Data Protection Authority to use automatic facial recognition for any game on its home pitch at Parken Stadion or in other stadiums.

This is not the first time that such a permission has been granted by the Danish Data Protection Authority to a football club. In 2019, the rival football club Brøndby IF requested and obtained a similar permission for their home pitch at Brøndby Stadium, as the club struggled with spectators displaying an unsafe or destructive behavior. This permission got expanded in 2023, so Brøndby IF also could make use of automatic facial recognition in other football stadiums than their own.

Given that facial recognition involves processing of biometric data, this technology falls under the prohibition in Article 9 (1) of the General Data Protection Regulation. Only important public interests can allow the use of such technology, which the Data Protection Authority has to assess on demand of the applicant – that is, if the use of technology isn’t intended to serve a public institution.

Thus, F.C. København applied for such a permission in April 2024, which the Data Protection Authority ultimately granted after assessment of the public interests at stake. These involve the smooth running of football events involving F. C. København and the safety of these events. The football club claimed that it had issues putting its ban sanctions into force, resulting in the erronate grant of stadium access to spectators who had been banned at previous games from entering the said stadiums or assisting the club’s games. By implementing automatic facial recognition in their security system, F. C. København argued that the banned spectators could be recognized already at the entrance security control, making it easier to refuse them access.

The Danish Data Protection Agency confirmed the public interest at stake and granted the permission, on specific grounds. First of all, the use of facial recognition shall happen only at football events of the Superliga, the 1. and 2. division as well as of UEFA. Second, bans should happen only on factual grounds and in proportional relation to the violation of the Stadium’s or Superliga’s rules. Furthermore, the personal data processed in connection with the use of the facial recognition system, shall either not be stocked or stocked only for the game in question, whereafter it shall be deleted immediately. The use of facial recognition at the entrance security controls shall be clearly communicated and shall comply with the duty of disclosure when collecting personal data. Last but not least, personal data in the facial recognition system must be encrypted during transfer and storage, surveillance cameras must operate on a separate VLAN without internet exposure, and F. C. Copenhagen must enforce strict access controls, including employee authorization, logging, and multi-factor authentication.

Facial recognition is an infringement of personal rights that should not be placed in private hands lightly. The apparent weighing of interests should therefore have been in favour of protecting the personal rights of the vast majority of peaceful spectators.

Article provided by INPLP member: Claas Thöle (advores. Advokater & Rechtsanwälte, Denmark)

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)