Spain’s Data Watchdog Fines Airport Over Biometric System

Regulator Cites GDPR Breaches and ‘Centralised Storage’ Risks; Aena Appeals, Insisting System is Safe

Spain’s data protection agency (AEPD) has hit the state-owned airport operator Aena with a EUR 10 million (approximately USD 11.5 million) fine and an order to suspend its biometric-based passenger boarding system.

The AEPD’s decision, published earlier in November, states that Aena violated the European Union’s General Data Protection Regulation (GDPR) by failing to provide a sufficiently detailed Data Protection Impact Assessment (DPIA) and by creating excessive privacy and security risks through its centralised data storage model.

Aena, the world’s largest airport operator by passenger volume, is appealing the ruling, arguing that the penalty is “disproportionate” and maintaining that its system is robust against data leaks.

Risk of Centralised Biometrics

The biometric boarding system, which began pilots in 2019 at three airports including Menorca and Madrid–Barajas, had registered over 62,000 users. It relied on centralised storage of biometric templates for 1:N passenger identification.

The regulator argued that this arrangement significantly increases the risk of large-scale leaks and unauthorised access, causing passengers to lose control over their highly sensitive data.

The AEPD ruled that Aena failed to adequately assess the proportionality of using biometrics and could not demonstrate that this intrusive method was necessary for efficiency and security, especially when less intrusive alternatives exist.

“The Committee considers that a result similar to streamlining passenger flow at airports can be achieved in a less intrusive manner, and that the negative impact on the fundamental rights and freedoms of data subjects resulting from a data security breach in a centralised biometric database appears to outweigh the anticipated benefit of the processing,” the AEPD explained.

The investigation, prompted by a complaint from the Barcelona-based non-profit Fundación Éticas and an anonymous individual, highlighted several transparency failures.

The AEPD found that Aena failed to provide passengers with clear information on:

The processing of biometric data.

Data retention and deletion periods.

Associated risks and procedures for consent withdrawal.

While the program was voluntary, the regulator stated that the consent mechanism was not properly documented, meaning passengers may not have received enough detail to provide informed consent as required by law.

Aena suspended the biometrics program in June 2024 following the complaint.

In its response, Aena strongly disagreed with the watchdog’s evaluation of the DPIA and the security risks.

“Aena guarantees that there has been no security breach and, therefore, no data leak from users of the various biometric boarding systems deployed at airports in its Spanish network, nor from any third party,” the state-owned company stated, adding that passengers “voluntarily gave their informed consent.”

The company maintains that the system, developed with partners including Atos and Idemia, was implemented to enhance the passenger experience by streamlining the check-in process.

Aena confirmed it “will continue working in this direction to restart the program as soon as possible,” suggesting a revised system compliant with AEPD requirements may be in development.
