SPAIN Trends and Developments Contributed by: Agustín Puente Escobar and Natalia González Vera, Broseta Abogados
pursued – and so the processing of biometric data can never be based on consent. This de facto prohibition involves a modification of the rule provided for in Article 9.1 of Organic Law 3/2018, which adapts Spanish law to the GDPR. Article 9.1 establishes that “[f]or the purposes of Article 9(2)(a) of Regulation (EU) 2016/679, in order to avoid discriminatory situ - ations, the consent of the data subject alone will not be sufficient to lift the prohibition on the processing of data whose main purpose is to identify their ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin”, excluding health, biometric and genetic data from this prohibition. The AEPD has applied the content of the Guide in several resolutions. Thus, in May 2024, it fined a gym in which a mandatory biometric access control had been established EUR27,000. Like - wise, in December 2024, the AEPD sanctioned a public law corporation that established access control in the workplace by means of the digital fingerprint – albeit without a financial fine, as the exception of Article 83.7 of the GDPR applies in Spain. However, the main resolutions adopted have affected football clubs that had estab - lished biometric recognition systems based on the consent of the data subject for access to their stadiums. However, the scope of these resolutions is differ - ent. Thus, until December 2024, the AEPD sanc - tioned an alleged breach of Article 9(1) of the GDPR on the grounds that the principle of law - fulness and the prohibition of processing special categories of data had been violated. Likewise, in cases where the processing was based on consent, applying the reasoning contained in the Guide, the AEPD also sanctioned the violation of the principle of data minimisation – consider -
ing that the processing was not necessary, as it was possible to achieve the purpose pursued by it without the processing of biometric data. However, in the last of the published decisions (that of procedure PS/00482/2023), the AEPD only found that the principle of data minimisa - tion had been infringed and not Article 9(1) of the GDPR – considering that, once the first of the infringements has been declared, it is unneces - sary to assess whether the consent is valid. In summary, the AEPD appears to interpret that – unless there is an express authorisation for the processing of biometric data in a legal provision, which also establishes the guarantees that must be adopted – the processing will be deemed contrary to the GDPR. However, in its most recent resolutions, the AEPD has opted to consider only the violation of the principle of data minimisation, without assessing the validity of the consent provided (where appropriate) by data subjects – although it implicitly deems such consent to be contrary to the GDPR. EDPB criteria The processing of biometric data has also been subject to assessment by the EDPB, as it was by the Article 29 Working Party. Thus, it is worth referring to – among others – the Working Docu - ment on Biometrics adopted in August 2023 or to Opinion 3/2012 on Developments in Biometric Technologies of April 2012. Likewise, after the full application of the GDPR, reference should be made to Guidelines 3/2019 on processing of personal data through video devices (adopted in January 2020) and Guide - lines 05/2022 on the use of facial recognition technology in the area of law enforcement (adopted in April 2023), as well as – in particular – to the more recent Opinion 11/2024 on the use of facial recognition to streamline airport pas -
404 CHAMBERS.COM
Powered by FlippingBook