SPAIN Trends and Developments Contributed by: Agustín Puente Escobar and Natalia González Vera, Broseta Abogados
possession of the interested party but, rather, in the possession of the controller. Opinion 11/2024 considers that, in the first two scenarios and provided that measures are adopted to strengthen the security of the pro - cessing and the rights of the data subjects, the processing could be in accordance with Articles 5(1)(f), 25 and 32 of the GDPR. As regards the principle of data minimisation, Opinion 11/2024 indicates that the processing would be necessary if “the controller can dem - onstrate that there are no less intrusive alter- native solutions that could achieve the same objective as effectively” – for example, if it can be demonstrated that the processing “speeds up the verification process compared to the cur - rent situation, which includes a human checking whether the name on the boarding pass match - es the passenger’s identity document”. Therefore, the system based on consent would be lawful if: • the identification of the data subjects was already being carried out and was necessary or legally required; • the recognition system is complemented by an element (the facial template or decryption key) in the possession of the data subject; and • it has been demonstrated that the system allows the access process to be streamlined with regard to procedures based on identifi - cation by staff. Executive conclusions There is a clear discrepancy between the criteria of the EDPB and the AEPD, given that – whereas the latter seems to limit the processing almost
to the point of prohibition – the former admits it under certain safeguards. The main discrepancy is in the assessment of the need for processing, which – in the case of the AEPD – is applied to the ultimate purpose (access), without taking into account other ele - ments such as agility of access, which the EDPB does consider. And this affects the admissibility of consent as a legal basis for processing. On the other hand, there is no doubt that the controller will have to carry out a thorough analy - sis of the conditions of the processing in order to minimise the risks to the rights and freedoms of individuals, while also reinforcing the security of the processing. However, it is important to bear in mind that both the criteria of the AEPD and the EDPB are based on a vision based on facial recognition systems that are now outdated (based on landmarks) and do not consider the existence of systems that mitigate the risks of immutability, reversibil - ity and interoperability of biometric templates, such as those based on AI (eg, those based on RBR). For this reason, it seems logical that these criteria need to be updated in the short term, in order to adapt to technological developments in this area. In addition, it will be essential to promote research into privacy protection techniques (eg, revocable biometrics or advanced anonymiza - tion) to minimise the security risks associated with the storage and processing of biometric personal data.
406 CHAMBERS.COM
Powered by FlippingBook