Spanish airport operator AENA has been ordered to suspend all biometric processing at its airports, which include Malaga and Alicante.
The move comes after the country’s data protection authority issued one of the largest fines in its history earlier this month – details of which only emerged on Tuesday.
Aena was sanctioned more than €10 million for rolling out facial-recognition systems at eight airports without carrying out the mandatory Data Protection Impact Assessment (DPIA) required under the EU’s GDPR.
The penalty is comparable to the one imposed on Google in 2022.
The scanners were used to collect data at security, boarding gates and luggage drop off, and were designed to speed up the boarding process.
The machines in question are not related to the biometric scanners currently in force for the EU’s Entry/Exit System (EES).
Aena, which is 51% state-owned, has already confirmed it will challenge the ruling in court.
The company says it ‘respectfully disagrees’ with both the substance and procedure of the decision and argues the penalty breaches the principle of proportionality.
It maintains that all regulatory obligations were met and stresses that no security incident or data breach occurred.
The Spanish Data Protection Agency (AEPD), led by Lorenzo Cotino, reached the opposite conclusion.
A 90-plus-page resolution, seen by El Confidencial, states that Aena engaged in high-risk biometric processing without the prior assessments and safeguards required before such systems can be deployed.
The resolution cites the airports of Madrid-Barajas, Barcelona-El Prat, Alicante, Gran Canaria, Tenerife North, Palma de Mallorca, Menorca, and Ibiza.
According to the official document, the order entails ‘the temporary suspension of all biometric data processing, and especially data related to the facial recognition identification system used to control passenger access to certain areas of airports managed by Aena.’
Facial recognition used at checkpoints, boarding gates and bag-drop stations
The system allowed passengers to enter security zones, board flights and check in luggage using face recognition instead of manual document checks.
The AEPD notes that Aena itself acknowledged as early as January 23, 2020 that the projects involved high-risk processing, which under GDPR meant a DPIA was legally mandatory.
The agency adds that Aena consulted the AEPD twice during the pilot phase but failed to correct the shortcomings identified.
Is the EU’s Entry/Exit System affected?
The AEPD’s ruling concerns domestic airport processing systems operated by Aena, especially those used for boarding and security within airports.
The EES is an EU-level border control system with its own legal basis and regulatory framework. Its deployment is mandated and regulated at the supranational level, and not a discretionary system operated solely by Aena.
There is no public declaration by AEPD that it intends to block or suspend the EES, therefore, its phased rollout should continue.
Processed and stored more data than traditional checks
The AEPD concluded that Aena’s system collected and retained far more personal information than manual verification.
This included biometric data plus the full information contained in identity documents and boarding passes, exceeding what is normally required for human inspection.
Aena, for its part, insists passengers participated voluntarily and gave informed consent to the processing, which the company says was designed to speed up airport procedures.
System suspended until Aena completes a lawful DPIA
Alongside the fine, the AEPD has confirmed that the temporary suspension of all biometric processing that remains in force.
Facial-recognition identification cannot resume until Aena completes a DPIA that complies with Article 35 of the GDPR.
The ruling emphasises that conventional document-checking continues unaffected.
Because the penalty exceeds €1 million, the resolution will be published in the BOE, and the administrative appeal period, which Aena has already announced it will use, is now open.
The document also notes that Aena halted the project in June 2024, blocking and deleting the data stored by the system, as communicated to the regulator.
