The Spanish Data Protection Agency (AEPD) imposed a fine of €10,043,002 on Aena regarding infringements in the processing of personal data through facial recognition systems. The resolution concludes that the airport operator failed to adequately justify the necessity and proportionality of using biometric data for check-in and boarding processes, violating Article 35 of the General Data Protection Regulation (GDPR).

The regulatory body determined that Aena lacked a valid Data Protection Impact Assessment (DPIA) to support high-risk data processing. The system, initially implemented through pilot projects at Menorca, Adolfo Suárez Madrid-Barajas, and Josep Tarradellas Barcelona-El Prat airports, aimed to streamline passenger flow via biometric identification. However, the AEPD considered that less intrusive alternatives existed to achieve the same security and efficiency goals.

The investigation revealed that the system used a centralized storage architecture for facial patterns ("one-to-many" or 1:N identification), which exponentially increases privacy risks compared to local authentication systems or traditional visual verification. "The processing cannot comply with the principles of necessity and proportionality," reads the sanctioning resolution, referring to the technical scenario chosen by the operator.

Frequently asked questions
  • What penalty did Aena receive and why?

    Aena was fined €10,043,002 by the Spanish Data Protection Agency for processing biometric facial-recognition data without adequate justification of necessity and proportionality and lacking a valid DPIA as required under GDPR Article 35.

  • Will Aena accept the fine?

    No. Aena has announced it will challenge the AEPD's resolution in court, arguing procedural and substantive disagreements and claiming impact assessments were performed.

  • Which airports were involved in the biometric pilots?

    Pilot projects ran at Menorca, Adolfo Suárez Madrid-Barajas (Madrid) and Josep Tarradellas Barcelona-El Prat (Barcelona) airports.

  • Was there a data breach or leak?

    Aena states that no security breach or leakage of user data has occurred.

  • What did the AEPD order besides the fine?

    The AEPD ordered the continued suspension of biometric data processing until a Data Protection Impact Assessment that complies strictly with GDPR requirements is completed.

Aena's response: legal appeal and defense of the system

Aena reacted immediately to the resolution by announcing it will take the case to court. In a statement issued on November 25, the company expressed its disagreement with the measure. "Aena respectfully disagrees with the sanction imposed by the AEPD on both substantive and procedural grounds," the company stated, adding that it considers the fine "not in accordance with the principle of proportionality."

The airport operator argues that the sanction is based on a discrepancy regarding a formal obligation. According to its position, Impact Assessments were indeed carried out before the programs began, although the regulator deemed them insufficient. "Aena guarantees that no security breach has occurred," the company affirmed in its statement, "and therefore, there has been no leakage of user data."

The company also defended the voluntary nature of the system, asserting that users provided informed consent. "The biometric data of enrolled passengers has been given the treatment of conservation, blocking, and deletion set out in the GDPR," it highlighted. Finally, Aena expressed its intention to continue working to reactivate biometric boarding "as soon as possible," arguing that its goal is to improve the passenger experience by streamlining checks.

Suspension and data minimization

The biometrics program, which registered over 62,000 users during its various phases, was suspended by the operator itself in June 2024 following the issuance of more restrictive European opinions. In addition to the financial penalty, the agency ordered the continued suspension of biometric data processing until an impact assessment strictly complying with GDPR requirements is conducted.

The resolution emphasizes that the chosen technology involved storing a greater amount of personal data than required by manual checks. "With this new system Aena is processing and storing much more personal data than required by traditional human visual verification methods," the regulatory body concludes, pointing to a violation of the data minimization principle.