Data Protection imposes a fine of 10 million euros on Aena for its biometric systems



The Spanish Data Protection Agency (AEPD) has imposed a fine of more than 10 million euros on Aena for deploying facial recognition systems without first carrying out a valid impact assessment that, among other issues, examines the necessity, appropriateness and proportionality of the measure. The airport manager has announced that it will appeal the sanction in court and that it considers the resolution not to be in accordance with the principle of proportionality.

In total, the fine amounts to 10,043,002 euros for a violation of article 35 of the General Data Protection Regulation (GDPR). In a resolution to which Efe has had access, the agency also confirms the temporary suspension of all processing of biometric data. In particular, it adds, this covers the processing related to facial recognition identification used to control passenger access to certain areas of the airports managed by Aena, until the operator carries out a data protection impact assessment in the terms set out in the GDPR.

The sanction is based on the alleged violation of a formal obligation: the AEPD considers that Aena did not properly fulfill its obligation to prepare, before the start of the programs in which biometric access was enabled for passengers who requested it, a data protection impact assessment that complied with the requirements established by the regulations. Having prepared such assessments before the start of the programs, Aena respectfully disagrees with the AEPD's view that the assessments carried out did not adequately comply with the applicable regulatory requirements.

Aena has stressed that it guarantees that no security breach has occurred and that, therefore, there has been no leak of data belonging to the users of the different biometric boarding programs deployed at the airports in its network in Spain, or to any third party. Custody of this data “has not been at risk at any time,” Aena has insisted, adding that the data owners voluntarily gave their informed consent to the processing necessary to enjoy biometric access.

The biometric data of enrolled passengers has been retained, blocked and deleted as provided for in the General Data Protection Regulation (GDPR) and the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), Aena has detailed. The airport manager has explained that it launched biometric boarding, together with the airlines that participated in the program, in order to give passengers a better experience at airports by streamlining document checks. Aena has said that “it will continue working along these lines, to restart the program as soon as possible.”
