Biometric Identification at Sports Venues: The Position of the Czech Data Protection Authority (ÚOOÚ)
1. The general framework
Any processing of personal data must comply with the principles in Article 5 GDPR, above all the principle of lawfulness. The controller must therefore have at least one legal basis under Article 6(1) GDPR — typically the controller's legitimate interests, a legal obligation, or the performance of a contract.
For camera footage recorded and used in the ordinary way, a basis under Article 6 is enough. The position changes fundamentally where cameras are used to capture biometric characteristics: there, the controller must additionally rely on one of the derogations in Article 9(2) GDPR from the general prohibition on processing such data.
2. Ordinary camera footage
Camera footage recorded and processed in the ordinary way — that is, without extracting biometric characteristics — is not a special category of personal data. The usual legal basis is the legitimate interests of the controller or a third party under Article 6(1)(f) GDPR. In substance this is simply the visual identification of a person in connection with specific conduct, for example capturing the perpetrator of an offence, regardless of nationality, religion, ethnic origin, health, or biometric features.
This does not rule out later processing of the latent personal data contained in the part of a recording that shows a particular incident or suspect. Biometric and other data may, for instance, be extracted by the Czech Police using specialist tools once the footage has been handed over, in the course of an investigation. In that scenario the Police act as a new and independent controller, and the original controller has merely supplied a plain camera recording.
3. Biometric identification: a different legal category
Where biometric characteristics are processed alongside footage or a live feed in order to identify people, the situation is entirely different. This is a serious interference with the privacy of everyone being monitored, and it amounts to processing of a special category of personal data, which Article 9(1) GDPR prohibits as a matter of principle.
The reason for that caution is that biometric data are bound up with a specific individual in a way that cannot later be changed or revoked. If they are misused or compromised, the risk to the data subject is permanent: the data may be used to identify the person again without their knowledge, or to build a more detailed profile against their interests — including emotional, psychological, and health dimensions. Unauthorised access, whether through a controller's negligence or an external attack, may also open the door to other systems that rely on the same biometric identifiers.
4. The Article 9(2)(g) derogation requires a law
The relevant exception here is processing in the substantial public interest under Article 9(2)(g) GDPR — the basis that could, in principle, be considered for identifying individuals at football grounds on security grounds.
That derogation is not, however, self-executing. It applies only where the processing rests on Union or Member State law that is proportionate to the aim pursued, respects the essence of the right to data protection, and provides suitable and specific safeguards for the rights and interests of data subjects. A precondition for relying on it is therefore the adoption of appropriate legislation meeting those criteria — and the ÚOOÚ has stated this consistently on every relevant occasion.
5. The added layer: the AI Act
Of all the possible combinations of purpose and technology, real-time remote biometric identification by means of artificial intelligence concentrates an exceptionally high level of risk. By way of comparison, the AI Act prohibits this kind of processing even for law-enforcement purposes, allowing only narrow exceptions where Member State law so provides and under very strict conditions.
In the Czech Republic the matter is now governed by Section 39a et seq. of Act No. 110/2019 Coll., on the processing of personal data, which introduces the concept of an "isolated system" with a fixed territorial scope. Under this regime such processing:
- may be carried out only by the Czech Police, not by a private operator;
- is confined to international airports (in practice, principally Václav Havel Airport Prague, with scope to extend to other international airports);
- requires prior written authorisation from the presiding judge of a regional court panel;
- may run for a maximum of 12 months, renewable for further periods each not exceeding 12 months; and
- must be reported to the Data Protection Authority within 72 hours of going live.
6. The role of the Authority
The ÚOOÚ is willing to offer controllers prior consultation under Article 36 GDPR in connection with specific planned deployments, as well as consultation during the legislative process under Article 57(1)(c) GDPR. It remains, however, primarily a supervisory body. Drafting and adopting any new legislation is a matter for the Government and Parliament, not for the Authority.
Conclusion
For a football stadium, the legal position is clear. The operator is not the Czech Police, and a stadium is plainly not an international airport, so neither of the two conditions under which Czech law currently permits real-time biometric identification is met. The legislature deliberately drew that permission very narrowly, and sports venues fall outside it. Deploying AI facial recognition to bar known offenders from a ground would therefore be unlawful under the law as it stands, for two cumulative reasons: there is no specific statute satisfying Article 9(2)(g) GDPR, and there is no national activation of the Article 5 AI Act exception covering this purpose and these actors.
A lawful route nonetheless remains open. Operators may use conventional camera systems for visual monitoring and to secure evidence, and may then pass the footage to the Police, who — acting outside the GDPR regime, under Act No. 273/2008 Coll. and Title III of Act No. 110/2019 Coll. — can carry out further processing, including biometric analysis, within their own powers. Any genuine step change, such as a dedicated statute on safety at sports venues that would allow biometric identification, would have to be enacted by the Government and Parliament. The ÚOOÚ can advise and consult on such a measure, but it cannot create it.
Article provided by INPLP member: Jan Bárta (barta.legal, Czech Republic)
