Spain’s data watchdog has ordered airport management firm Aena to suspend its biometric-based passenger boarding system and pay a 10 million euro (US$11.5 million) fine. The world’s largest airport operator in terms of passengers is appealing the judgment, arguing that the penalty is disproportionate and that its system is safe from data leaks.
In a decision published earlier in November, the Spanish Data Protection Agency (AEPD) says that Aena violated GDPR by providing an incomplete and insufficiently detailed Data Protection Impact Assessment (DPIA). The regulator also highlighted privacy and security risks related to the biometric boarding system, which relies on centralized storage.
Aena issued a response, disagreeing with the watchdog’s evaluation of the impact assessment. The state-owned company, which manages 6 airports and 2 heliports in Spain, also notes that it has had no security breaches.
“Aena guarantees that there has been no security breach and, therefore, no data leak from users of the various biometric boarding systems deployed at airports in its Spanish network, nor from any third party,” the company says. “The data subjects voluntarily gave their informed consent to the processing necessary to enjoy biometric access.”
The system was first piloted at three airports across Spain, including Menorca Airport, the Josep Tarradellas Barcelona-El Prat Airport and the Adolfo Suárez Madrid–Barajas Airport. The pilots kicked off in 2019 with the help of partners such as Atos, Idemia, and air carriers Vueling and Air Europa, registering over 62,000 users.
The deployment, however, was met with criticism from the Barcelona-based non-profit organization Fundación Éticas, which filed a complaint with the data authorities alongside an anonymous individual. Aena suspended the biometrics program in June 2024.
AEPD has ruled that the airport operator failed to assess the proportionality of using biometrics and to demonstrate that biometric data was necessary to achieve efficiency and security compared to less intrusive alternatives such as QR codes, digital boarding passes and document scans.
Aena relied on centralized storage of biometric templates used for 1:N passenger identification. The regulator argued that this arrangement not only puts datasets at risk of leaks and unauthorized access, but also leads to passengers losing more control over their data.
“The Committee considers that a result similar to streamlining passenger flow at airports can be achieved in a less intrusive manner, and that the negative impact on the fundamental rights and freedoms of data subjects resulting from a data security breach in a centralized biometric database appears to outweigh the anticipated benefit of the processing,” AEPD explains.
The airport operator also failed to provide passengers with sufficiently clear and complete information on biometric processing, data retention and deletion periods, risks and consent withdrawal. The investigation showed a lack of clarity in how long biometric data was kept, according to the watchdog.
Although the program is voluntary, the consent mechanism was not properly documented and passengers may not have received enough detail to provide informed consent, the decision notes.
Aena responded that the treatment of biometric data of enrolled passengers is in line with the GDPR and the local Organic Law on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
“Aena, together with the airlines that participated in the program, implemented biometric boarding to provide passengers with a better airport experience by streamlining the check-in process,” the company says. “The airport authority will continue working in this direction to restart the program as soon as possible.”






