Spain’s airport operator AENA has been fined €1.8 million by the Spanish Data Protection Authority (AEPD) for failing to conduct adequate data protection impact assessments before implementing facial recognition technology across multiple airports. The AEPD announced the sanction in November 2025, finding that AENA’s biometric passenger identification program violated Article 35 of the General Data Protection Regulation despite the company conducting prior consultations with the authority.
The enforcement action stems from a complaint filed on March 22, 2023, by privacy advocacy organization Fundación Éticas Data Society and an individual passenger. According to the AEPD resolution, AENA implemented facial recognition systems for passenger access control and boarding processes at airports including Barcelona El Prat, Madrid, and Menorca between 2019 and 2024. The technology captured passenger facial images through self-enrollment kiosks, comparing biometric templates against identification documents and boarding passes to verify identity at security checkpoints and boarding gates.
AENA’s program advanced through multiple phases. Three pilot projects ran from 2019 through June 2022, followed by operational deployment beginning October 4, 2023, across eight Spanish airports. According to the AEPD findings, the company ceased all biometric data processing in June 2024 after regulatory intervention. Throughout implementation, AENA maintained that participation remained voluntary, with traditional manual identity verification available as an alternative method.
The data protection authority determined that AENA’s evaluations failed to meet GDPR standards for high-risk processing. According to the resolution, the company’s impact assessments lacked critical elements required under Article 35.7 of the regulation, including systematic description of processing operations, necessity and proportionality assessments, risk evaluation, and safeguard measures. The AEPD specifically criticized AENA’s reliance on the authority’s own GESTIONA tool as the sole methodology, finding this approach insufficient for comprehensive risk analysis.
AENA had submitted two formal prior consultation requests to the AEPD during pilot project implementation. The first consultation, initiated January 23, 2020, addressed pilot programs at Menorca and Madrid airports. A second consultation followed in November 2020. Both submissions acknowledged the biometric processing constituted high-risk treatment of special category data. Despite this engagement, the AEPD concluded that subsequent impact assessments failed to address identified deficiencies.
The authority’s investigation revealed multiple assessment inadequacies. According to the resolution, AENA’s June 2021 impact assessment for the Barcelona pilot project failed to demonstrate necessity for facial recognition technology over less intrusive alternatives. The AEPD had specifically suggested contactless national identity document systems as potential alternatives. AENA dismissed this option, arguing that while functionally equivalent for identification, such systems would not achieve passenger flow optimization goals central to the project rationale.
Documentation gaps further undermined AENA’s compliance position. The company presented different versions of impact assessments throughout the investigation. An initial version dated June 23, 2021, covered the Barcelona pilot. AENA subsequently produced an October 6, 2022, assessment claiming to adapt the earlier analysis to AEPD methodological standards. For the operational phase beginning October 2023, the company claimed completion of a September 2023 assessment, though the AEPD found this evaluation built upon the earlier deficient framework rather than addressing fundamental concerns.
The resolution highlights specific technical and procedural deficiencies. AENA’s assessments failed to identify which identified risks lacked adequate safeguards, according to the AEPD findings. The evaluations did not contain structured review procedures including revision frequency, change detection criteria, or assigned responsibilities. Documentation presented during investigation proceedings differed from materials actually employed during treatment operations, creating questions about assessment authenticity and timing.
AENA contested multiple aspects of the AEPD’s conclusions. The company argued that each pilot project and operational phase constituted independent treatments with distinct temporal, organizational, technical, and operational characteristics. AENA maintained it invested significant time and resources developing risk analysis methodology and conducting ongoing documentation evolution in accordance with accountability principles. The company emphasized that biometric processing relied on explicit passenger consent under Article 9.2.a of the GDPR, with no security breaches or data leaks occurring throughout program operation.
The airport operator further argued that impact assessment requirements evolved substantially between 2019 and 2024. According to AENA’s defense submissions, the company’s methodologies reflected available standards and knowledge at implementation time rather than criteria consolidated subsequently. AENA asserted its evaluations should be judged against contemporaneous expectations rather than retrospective standards.
The AEPD rejected these arguments. According to the resolution, all biometric treatments served identical purposes regardless of implementation timing. The authority determined that procedural elements followed homogeneous patterns across all deployments. The AEPD emphasized that AENA knew from initial consultations that processing must satisfy proportionality standards, with impact assessments serving as the mechanism to demonstrate such justification.
The resolution addressed AENA’s reliance on consent as legal basis. While acknowledging that Article 9.2.a consent provided lawful grounds for special category data processing, the AEPD clarified that valid legal basis does not exempt controllers from impact assessment obligations. High-risk processing requires comprehensive evaluation regardless of the legitimizing mechanism, according to the authority’s analysis.
Financial penalties comprised two €900,000 fines. The first addresses lack of valid processing foundation under Article 6.1 GDPR. The second penalizes inadequate information provision under Article 14 GDPR. The AEPD applied aggravating factors including the nature of biometric data processing, substantial affected population, and AENA’s status as a major Spanish infrastructure operator. The authority noted AENA’s cooperation during investigation and absence of prior infractions as mitigating considerations.
Beyond monetary sanctions, the AEPD imposed operational restrictions. AENA must maintain suspension of all biometric data processing, particularly facial recognition systems for passenger access control, until completing a compliant impact assessment meeting Article 35 GDPR standards. The resolution acknowledges AENA’s June 2024 processing cessation while mandating continued suspension pending proper evaluation completion. According to the decision, this measure proves necessary, proportional, and effective for protecting affected individuals’ rights and freedoms.
AENA indicated plans to appeal the decision in court. The company argues the imposed sanction lacks proportionality, claiming the AEPD failed to adequately weigh circumstances under Article 83.2 GDPR. AENA emphasized the voluntary nature of passenger participation, coexistence with traditional verification methods, absence of illicit profit motive, and progressive implementation limiting potential impact. The company asserted it demonstrated no negligent behavior, pointing to its consultation efforts and resource investment in assessment development.
The enforcement action demonstrates escalating scrutiny of biometric systems in commercial aviation. European Data Protection Board guidance published in May 2024 emphasized maximum individual control over biometric data, data minimization practices, and robust security measures for airport facial recognition programs. That guidance questioned the necessity of biometric processing for passenger flow optimization, suggesting alternative streamlining methods should be explored.
Recent European enforcement demonstrates consistent regulatory skepticism toward biometric deployments. France’s data protection authority ruled in July 2025 that AI-powered age estimation cameras in tobacco shops violated GDPR requirements, finding enhanced surveillance systems neither necessary nor proportionate despite industry marketing. Ryanair faced GDPR complaints in December 2024 over mandatory biometric verification for flight bookings, with privacy advocates challenging the airline’s facial recognition requirements and government ID submissions as excessive data collection.
The Spanish ruling carries broader implications for marketing technology and advertising platforms increasingly deploying biometric capabilities. Data protection authorities have signaled they will prioritize individual rights over technological convenience in commercial applications, requiring organizations to demonstrate clear necessity rather than mere efficiency benefits. Systems that duplicate existing processes while adding privacy risks face potential regulatory rejection.
Impact assessment obligations extend beyond biometric processing. The German court ruling in March 2025 finding Google Tag Manager requires consent before activation established that even common marketing technologies face heightened scrutiny when processing personal data without clear legal justification. Organizations implementing any high-risk data processing must conduct thorough impact assessments addressing necessity, proportionality, and safeguards.
The enforcement demonstrates that consultation with data protection authorities does not substitute for comprehensive impact assessments. According to the AEPD resolution, AENA’s multiple consultation requests actually highlighted the company’s awareness of processing risks and assessment requirements. Regulatory engagement creates obligations rather than providing compliance shields when subsequent implementations fail to address identified concerns.
For advertising technology providers, the decision underscores evaluation requirements before deploying customer identification systems. According to GDPR Article 35.1, controllers must conduct impact assessments when processing is likely to result in high risk to individual rights and freedoms. Biometric data processing, systematic monitoring, and large-scale special category data processing all trigger mandatory assessment requirements. Organizations cannot rely on generic templates or authority tools alone but must develop comprehensive analyses specific to their processing operations.
The €1.8 million fine represents significant financial exposure relative to AENA’s public infrastructure mission. Spain’s data protection authority has demonstrated willingness to impose substantial penalties for assessment failures. The Spanish authority previously fined data broker Informa D&B €1.8 million in January 2025 for processing business owner personal data without valid legal basis, ordering deletion of records covering 1.6 million individuals.
Technical implementation details emerged during the investigation. AENA’s system comprised self-enrollment kiosks where passengers voluntarily registered by capturing facial images and linking them to identity documents and boarding passes. Processing operations included image capture, biometric template extraction, encrypted storage, comparison operations at security and boarding checkpoints, and eventual data deletion. The company maintained that all biometric data remained stored in encrypted format with passengers retaining deletion rights throughout the process.
The AEPD rejected AENA’s argument that different pilot projects and operational phases constituted separate treatments. According to the resolution, identical processing purposes, homogeneous identification procedures, and unified strategic planning demonstrated continuous treatment rather than independent operations. This interpretation prevents organizations from fragmenting high-risk processing across multiple deployments to avoid comprehensive assessment obligations.
AENA’s planned court appeal will test proportionality standards for impact assessment violations. The company argues that its extensive consultation efforts, resource investments, and absence of data breaches demonstrate good faith compliance attempts rather than negligent behavior warranting substantial fines. The judicial proceedings may establish precedent for how authorities should weigh organizational diligence against outcome-based compliance measurements.
The operational suspension requirement presents immediate business consequences. AENA cannot resume facial recognition processing until completing satisfactory impact assessments meeting all Article 35 requirements. According to the resolution, this includes systematic processing descriptions, necessity demonstrations, proportionality justifications, comprehensive risk evaluations, and detailed safeguard measures. The company must also establish structured review procedures with specified revision frequencies and responsibilities.
For marketing professionals relying on biometric technologies for customer identification, authentication, or personalization, the Spanish enforcement establishes several operational imperatives. Organizations must conduct impact assessments before implementing biometric processing, regardless of consent-based legal foundations. Assessments must demonstrate that biometric methods provide substantive benefits over less intrusive alternatives rather than mere efficiency gains. Consultations with supervisory authorities create heightened obligations rather than compliance safe harbors. Fragmenting deployments across pilot programs and operational phases does not avoid comprehensive evaluation requirements.
The decision arrives amid broader European regulatory pressure on biometric processing. Privacy advocacy organizations have filed criminal charges against facial recognition companies after civil penalties proved insufficient to halt unlawful processing. Multiple European authorities have issued substantial fines for biometric violations, with Greek authorities imposing €20 million penalties and French authorities ordering €100,000 daily penalties for non-compliance.
AENA’s experience demonstrates that organizations implementing biometric systems face substantial regulatory risk even when maintaining traditional alternatives and obtaining explicit consent. The AEPD’s emphasis on assessment quality over consultation quantity signals that procedural compliance cannot substitute for substantive demonstration of necessity and proportionality. Technology providers and system operators must develop comprehensive risk analyses addressing specific processing operations rather than relying on generic frameworks or authority tools.
The €1.8 million sanction and operational suspension establish that impact assessment failures carry significant consequences. Organizations cannot assume that good faith efforts, regulatory consultations, or consent mechanisms provide adequate protection from enforcement when fundamental evaluation requirements remain unmet. Spanish data protection authority oversight of biometric deployments will likely intensify following this precedent, with other European authorities monitoring similar systems across transportation infrastructure, commercial facilities, and customer-facing applications.
Timeline
- 2019-2022: AENA implements three facial recognition pilot projects at Barcelona, Madrid, and Menorca airports
- January 23, 2020: AENA submits first prior consultation request to AEPD regarding Menorca and Madrid pilots
- November 3, 2020: AENA submits second prior consultation to AEPD
- June 23, 2021: AEPD issues guidance on facial recognition in airports, emphasizing user control over biometric data
- June 2021: AENA completes data protection impact assessment for Barcelona pilot project
- June 2022: Pilot projects conclude operations
- October 4, 2023: AEPD approves operational phase deployment across eight Spanish airports
- October 6, 2023: AENA responds to AEPD information request with updated assessment documentation
- March 22, 2023: Fundación Éticas Data Society and individual passenger file complaint with AEPD
- May 26, 2024: European Data Protection Board publishes opinion prioritizing user control over biometric data in airport contexts
- June 2024: AENA suspends all biometric data processing operations
- July 11, 2025: French CNIL rejects AI age estimation cameras for privacy violations
- September 21, 2025: Spanish AEPD fines Informa D&B €1.8 million for data processing violations
- November 2025: AEPD announces €1.8 million fine against AENA for inadequate impact assessments
- December 25, 2024: Ryanair faces GDPR complaint over mandatory facial recognition for flight bookings
Summary
Who: Spain’s airport operator AENA S.M.E., S.A., the Spanish Data Protection Authority (AEPD), Fundación Éticas Data Society privacy advocacy organization, and affected airline passengers participating in biometric identification programs.
What: The AEPD imposed €1.8 million in fines against AENA for failing to conduct adequate data protection impact assessments before implementing facial recognition technology for passenger identification at Spanish airports. The authority found that AENA’s evaluations lacked required elements including systematic processing descriptions, necessity demonstrations, proportionality assessments, comprehensive risk evaluations, and adequate safeguard measures. The resolution also mandates continued suspension of all biometric processing until AENA completes compliant impact assessments meeting Article 35 GDPR standards.
When: The enforcement action was announced in November 2025, addressing biometric processing operations conducted between 2019 and June 2024. AENA implemented three pilot projects from 2019 through June 2022, followed by operational deployment beginning October 4, 2023, across eight airports. The company suspended all biometric processing in June 2024 following regulatory intervention. The original complaint was filed March 22, 2023.
Where: The violations occurred across multiple Spanish airports including Barcelona El Prat, Madrid, and Menorca during pilot phases, expanding to eight airports during the operational phase. The enforcement applies to all AENA-operated facilities where facial recognition systems were deployed for passenger access control and boarding processes. The decision affects airport infrastructure throughout Spain’s commercial aviation network.
Why: According to the AEPD resolution, AENA’s impact assessments failed to demonstrate that facial recognition technology was necessary and proportionate for stated purposes of improving passenger flow and security. The authority found that AENA dismissed less intrusive alternatives without adequate justification, relied excessively on generic assessment tools rather than comprehensive analysis, and failed to address specific risks identified during prior consultations. Despite conducting multiple regulatory consultations, AENA did not incorporate feedback into subsequent evaluations, maintaining deficient assessment frameworks throughout implementation. The enforcement aims to ensure organizations conduct thorough risk analyses before deploying high-risk biometric processing, protecting individual privacy rights and establishing accountability for data protection compliance.
