Safety and regulations go hand in hand.
Biometric technology in companies and its regulatory implications
In today's world, technological advances have made it possible to streamline certain processes in companies and offer effective solutions to real problems. One area in which considerable progress has been made is security, for example, through biometric recognition systems that can accurately identify individuals, which can be used as a measure to restrict access to certain facilities.
However, the use of such systems is considered high risk under the regulations, given the high sensitivity of biometric data as unique identifiers of individuals. This is accompanied by regulatory issues that must be observed in order to implement such systems, and failure to comply can lead to very heavy penalties.
The AEPD fines AENA €10,000,000 for using a facial recognition system to manage passenger boarding
The AEPD has fined AENA €10 million for serious breaches of data protection regulations in the use of facial recognition systems, a form of processing that involves biometric data, which is considered a special category under the GDPR.
Data deficiencies and processing
The Agency concludes that the Data Protection Impact Assessment (DPIA) carried out by AENA was deficient: it lacked signature and traceability, did not adequately describe the processing operations or their purposes, did not systematically analyze the necessity and proportionality of facial recognition, and did not correctly identify or assess the risks to users' rights.
In addition, the AEPD emphasizes that AENA continued to process biometric data despite receiving unfavorable reports in previous consultations, without correcting the deficiencies identified. It also highlights that AENA did not justify why the biometric system was necessary in the face of less intrusive alternatives and that centralized storage increased privacy risks without sufficient safeguards.
Violation of the GDPR and consequences
For these reasons, the AEPD considers that Article 35 of the GDPR ( obligation to carry out a valid DPIA before processing high-risk data) has been violated and imposes the sanction, together with the temporary suspension of biometric processing until AENA submits a DPIA in accordance with the regulations.
AENA has announced that it will appeal the decision, considering that the sanction does not respect the principle of proportionality.
