
Data Protection Agency fines Spain airport authority €10 million for its biometric systems

Aena guarantees that there has been no security breach and that, therefore, there has been no leakage of data from users of the various biometric boarding programmes deployed at airports in the Spanish network, nor from any third party | Photo: Majorca Daily Bulletin reporter

Palma

The Spanish Data Protection Agency (AEPD) has imposed a fine of more than €10 million on Spanish airport authority Aena for deploying facial recognition systems without first carrying out a valid impact assessment that, among other issues, examines the necessity, suitability and proportionality of the measure. In total, the fine amounts to €10,043,002 for a breach of Article 35 of the General Data Protection Regulation (GDPR).

In a resolution accessed by EFE, the agency also confirms the temporary suspension of all biometric data processing. In particular, the text adds, this applies to the facial recognition identification system used to control passenger access to certain areas of airports managed by Aena, until this operator carries out a data protection impact assessment (DPIA) in accordance with the terms of the GDPR.

According to the aforementioned article, when a type of processing, in particular if it uses new technologies (...), is likely to result in a high risk to the rights and freedoms of natural persons, the controller - in this case Aena - shall, prior to the processing, carry out an assessment of the impact of the operations on the protection of personal data.

This assessment must contain, at a minimum, a systematic description of the envisaged processing operations and their purposes, including, where applicable, the legitimate interest pursued by the controller. In addition to a description of the necessity and proportionality of the measure, the assessment must include the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

This decision by the agency, reported by El Confidencial and confirmed by EFE, is subject to appeal; Aena has already announced that it will appeal the sanction in court. In a statement released on Tuesday, the Spanish airport operator stated that it believes the decision is not in line with the principle of proportionality. The sanction is based on the alleged breach of a formal obligation, as the AEPD considers that Aena did not duly comply with its formal obligation to carry out a data protection impact assessment that met the requirements established by the regulations, prior to the start of the programmes in which biometric access was enabled for passengers who requested it.

Having carried out such assessments prior to the start of the programmes, Aena ‘respectfully disagrees’ with the AEPD’s view that the assessments carried out did not adequately comply with the applicable regulatory requirements. Aena guarantees that there has been no security breach and that, therefore, there has been no leakage of data from users of the various biometric boarding programmes deployed at airports in the Spanish network, nor from any third party.

It added that the data subjects ‘voluntarily gave their informed consent to the processing necessary to enjoy biometric access’. Aena explained that it launched biometric boarding, together with the airlines participating in the programme, in order to provide passengers with a better experience at airports by speeding up the documentation process.

The airport operator ‘will continue to work along these lines to restart the programme as soon as possible’. The high amount of the fine is similar to others previously imposed by the AEPD. In 2022, it announced a €10 million fine for Google LLC for violating Articles 6 and 17 of the GDPR, which regulate the right to be forgotten.

The AEPD declared the existence of two ‘very serious’ infringements for transferring data to third parties without authorisation and obstructing citizens’ right to erasure. The previous year, in 2021, the AEPD imposed several penalties on Vodafone Spain totalling more than €8 million for breaching several articles of Spanish law; at the time, it was the highest fine ever imposed by this body.

Most of the complaints against Vodafone Spain alleged marketing and commercial prospecting activities through telephone calls and the sending of commercial communications by electronic means, including emails and SMS messages, which the agency considered to be illegal. These communications had not been requested or expressly authorised by the people who received them. In January 2025, the National Court reduced the fine from €8 million to €4.5 million.
