SPAIN Trends and Developments Contributed by: Agustín Puente Escobar and Natalia González Vera, Broseta Abogados
points (landmarks system) are now being supplemented by AI-based models, such as renewable biometric references (RBR), which may mitigate the aforementioned risks.

Based on these premises, several recent decisions have established highly restrictive criteria regarding biometric data processing – although the degree of restriction varies.

Given the brevity of this article, it will focus on the position adopted by the Spanish Data Protection Agency (Agencia Española de Protección de Datos, or AEPD) and the European Data Protection Board (EDPB), which have examined the issue in greater detail. However, other data protection authorities have also addressed this matter.

As a preliminary consideration, biometric data falls within the special categories of personal data outlined in Article 9(1) of the GDPR. Therefore, its lawful processing requires:

• the application of an exception to the general prohibition under Article 9(2) of the GDPR;
• the existence of a valid legal basis under Article 6(1) of the GDPR; and
• compliance with the remaining data protection principles set forth in Article 5(1) of the GDPR.

Evolution of AEPD criteria

Until the adoption of its “Guide to Attendance Monitoring Using Biometric Systems” (“the Guide”), the AEPD had been establishing in its different opinions and resolutions uniform criteria in relation to biometric data processing (essentially focused on facial recognition), based on the following elements.

• As the joint application of Articles 9(2) and 6(1) of the GDPR is necessary, the only possible legal bases for the processing would be – in general – that the processing was necessary for the performance of a mission in public interest or that the data subject has given their consent to the processing.
• For processing based on public interest, processing must be explicitly recognised in a legal provision that should also establish minimum safeguards, including specifying the type of biometric data to be processed.
• For consent to be lawful, it must meet the requirements set out in the GDPR (in particular, the condition that it be freely given), ensuring that data subjects have an alternative that does not involve biometric data processing.
• In all cases, processing must be proportionate to its intended purpose.

Applying these criteria, the AEPD:

• imposed a significant fine on a supermarket chain for attempting to use facial recognition on all its customers to prevent access by prohibited individuals;
• ruled that a bank’s facial recognition system for AML compliance violated the GDPR;
• determined that facial recognition for online university exams was permissible only if students could opt to take exams in person; and
• found that biometric access control for sports venues could not be based on sport violence prevention laws (which did not regulate it) and could only be implemented with freely given consent and an alternative method.

However, in November 2023, the AEPD modified these criteria with the adoption of the Guide, which states that it is adopted with the objective of “determining the criteria for the processing of