Data Protection and Privacy 2025

SPAIN Trends and Developments Contributed by: Agustín Puente Escobar and Natalia González Vera, Broseta Abogados

sengers’ flow (compatibility with Articles 5(1)(e) and (f), 25 and 32 of the GDPR).

Regarding the legal base for the processing, paragraph 77 of Guidelines 3/2019 provides that “[t]he use of video surveillance including biometric recognition functionality installed by private entities for their own purposes (eg, marketing, statistical, or even security) will, in most cases, require explicit consent from all data subjects (Article 9(2)(a))”, including – as an example – the case where, “[t]o improve its service, a private company replaces passenger identification checkpoints within an airport (luggage drop-off, boarding) with video surveillance systems that use facial recognition techniques to verify the identity of the passengers that have chosen to consent to such a procedure”.

In this case, the above-mentioned Guidelines explain that the processing would be lawful, provided that “passengers – who will have previously given their explicit and informed consent – enlist themselves at, for example, an automatic terminal in order to create and register their facial template associated with their boarding pass and identity” and that the checkpoints with facial recognition are “clearly separated”, so that “[o]nly the passengers, who will have previously given their consent and proceeded with their enrolment, will use the gantry equipped with the biometric system”.

Subsequently, Opinion 11/2024 analyses this issue – albeit with a different approach to that of Guidelines 3/2019, given that:

• it does not refer to systems established by entities operating at the airport but, rather, to the flow of passengers at airport controls in which the identification of the data subject is mandatory; and

• it analyses its compatibility with Articles 5(1)(e) and (f), 25 and 32 of the GDPR and not the legal basis for the processing – although it contains some assessments in this regard in paragraph 15, indicating that:
  (a) individuals would need to be able to easily withdraw such consent at any time and without any detriment;
  (b) individuals should be able to freely choose whether or not to use these services and without any detriment, incentives, additional costs or additional advantages in return;
  (c) individuals who did not explicitly consent to facial recognition for the purpose intended would not have their faces scanned by cameras; and
  (d) the principles of processing enshrined in Article 5 of the GDPR with regard to necessity and proportionality still apply, even when individuals have provided their explicit consent to the use of their biometric data.

Opinion 11/2024 analyses various scenarios related to the specific processing of biometric data, including:

• when the biometric template is only in the possession of the data subject themselves (for example, by means of a QR in an app or other device on their mobile terminal that is shown to the reader together with their face or fingerprint) so that the process would be authentication (1:1);

• when the template is stored encrypted on the controller’s servers, located in the same space where the identification is carried out, with the decryption key in the possession of the data subjects; and

• when the circumstances of the previous case are met but the decryption key is not in the
