Aena to Appeal €10 Million Fine Imposed by AEPD for Facial Recognition Systems

Spanish airport operator Aena will appeal the €10 million fine imposed by the Spanish Data Protection Agency (AEPD) for its biometric boarding program, deeming it "disproportionate" and asserting that no security breach occurred "at any time."

The association argues that the Spanish airport operator deployed facial recognition systems—a high-risk data processing of special category data—without a Data Protection Impact Assessment (DPIA) meeting the required standards of necessity, suitability, and proportionality.

In a statement issued on Tuesday, Aena insists that there has been no data leakage from users of the various biometric boarding programs deployed across its network of airports in Spain, affirming that their custody "has not been at risk at any time."

The AEPD fine is based on the alleged non-compliance with formal requirements in the Data Protection Impact Assessment (DPIA), although Aena disagrees with this view and maintains that users gave their informed consent.

The sanction imposed on Aena is based, according to the company, on the alleged infringement of a formal obligation: failing to properly conduct a Data Protection Impact Assessment (DPIA) that met all regulatory requirements.

Aena, however, contends that the Impact Assessments were indeed conducted before the start of the biometric access programs, thus "respectfully disagreeing" with the AEPD's view that they did not adequately meet the requirements.

For this reason, and understanding that the decision does not align with the principle of proportionality, the airport company has confirmed it will appeal the decision in court.

In its statement, Aena reiterated that its biometric program has ensured user privacy and security at all times. The company emphasized that there has been no data leakage from users of the various biometric programs deployed across the network of airports in Spain or from any third party.

"The custody of these data has not been at risk at any time," assures the airport operator.

Additionally, Aena recalls that the processing of biometric data was carried out after obtaining the informed and voluntary consent of passengers, and that these data have been treated in accordance with the conservation, blocking, and deletion measures outlined in current regulations.

The airport operator concludes that it will continue working towards streamlining passenger documentation processes to restart the biometric boarding program "as soon as possible."

The Spanish Data Protection Agency (AEPD) has fined Aena €10,043,002 for allegedly breaching Article 35 of the General Data Protection Regulation (GDPR) in the implementation of its facial recognition system at airports.

The sanctioning procedure resolution states that Aena did not conduct a valid and prior Data Protection Impact Assessment (DPIA), nor did it justify the necessity and proportionality of using biometric data for passenger identification.

The system, designed to expedite passenger transit and enhance security, processed special category biometric data, such as facial patterns, along with other personal data.

The AEPD determined that the processing did not comply with the principles of necessity and proportionality, as there were less intrusive alternatives to achieve the same objectives. Additionally, deficiencies were identified in risk management and the security measures adopted.

The sanction includes the temporary suspension of biometric data processing until Aena conducts an adequate impact assessment. The resolution will also be published in the Official State Gazette (BOE), given that the fine exceeds one million euros.