Overview
- The Spanish data protection authority fined Aena €10,043,002 for its facial-recognition boarding program under GDPR Article 35.
- The resolution says Aena lacked a valid prior impact assessment, failed to prove necessity or proportionality given less intrusive options, and showed gaps in risk and security measures.
- The sanction includes a suspension of biometric data processing at Spanish airports until an adequate Data Protection Impact Assessment is completed.
- Aena will challenge the penalty in court, calling it disproportionate and asserting there was no data breach, that assessments were conducted, and that users gave informed consent.
- The decision will be published in Spain’s Official State Bulletin (BOE), and Aena says it aims to restart biometric boarding once requirements are met.