Aena, Spain’s biggest airport operator, will go to court to fight the 10-million-euro fine imposed on it by the Spanish data protection agency (AEPD) over its biometric boarding system. Aena says the penalty is “disproportionate” and that there has been no security or data breach “at any time.”
The data protection agency says that Aena used facial recognition technologies, which are a high-risk way to process special category data, without carrying out a formal data protection impact assessment (DPIA) that meets the standards of necessity, suitability, and proportionality.
Aena said on Tuesday that there has been no leak of user data from the biometric boarding programs used at its airports in Spain. The company said that data security has “not been at risk at any time.”
The AEPD’s penalty is based on the claim that the DPIA didn’t meet formal standards, while Aena disagrees and says that users gave their informed consent.
According to Aena, the penalty is based on the claim that the company breached a statutory obligation by not properly carrying out a data protection impact assessment that met all regulatory standards.
Aena, on the other hand, says that the impact assessments were done before the biometric access programs were put into use, and it therefore “respectfully disagrees” with the AEPD’s conclusion that they didn’t meet the requirements.
The airport operator has said it will appeal the decision in court for this reason and because it thinks the decision is not in line with the principle of proportionality.
The future of the program and data security
Aena said in its statement that its biometric program has always protected consumers’ privacy and security. The corporation has made it clear that there has been no data breach affecting users of the various biometric programs used throughout Spain’s airport network, nor has there been a breach of any third-party data.
“The safety of this data has never been in danger,” said the airport operator.
Aena also reiterates that biometric data was only processed after obtaining passengers’ informed and voluntary consent, and that the existing rules say that this data must be kept, blocked, and deleted.
The airport operator said that it will keep working on making the process of getting passenger documents easier so that the biometric boarding program can resume “as soon as possible.”
Fine of 10 million euros
The AEPD has fined Aena 10,043,002 euros for not complying with Article 35 of the General Data Protection Regulation (GDPR) when it set up its facial recognition system at its airports.
The resolution that imposed the fine says that Aena did not carry out a valid data protection impact assessment before processing the data, and that it also did not explain why using biometric data for passenger identification was necessary and proportionate.
The system used special category biometric data, such as facial patterns, and other personal data to help speed up passenger travel and make it safer.
The AEPD found that the processing did not comply with the principles of necessity and proportionality because there were less intrusive ways to achieve the same goals. Also, there were problems with the security and risk management systems that were put in place.
The sanction includes a temporary halt to processing biometric data while Aena does a proper impact assessment. The official state gazette (BOE) will also publish the resolution because the fine is more than one million euros.







