AEPD vs AENA: €10.04M for a deficient DPIA in biometrics
On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant DPIA related to biometric boarding. Key signal: a DPIA must now be complete, evidence-based and traceable.
Summary — On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant Data Protection Impact Assessment (DPIA) on biometric boarding. Key takeaway: an evidence-based, complete DPIA is now scrutinized in detail. BOE-A-2026-6543. (boe.es)
The case
AENA, Spain’s airport operator, deployed facial-recognition boarding systems. The Agencia Española de Protección de Datos (AEPD) imposed an administrative fine of €10,043,002 for violation of GDPR Article 35 (DPIA), officially published in Spain’s Official State Gazette (BOE) on 20 March 2026 (resolution dated 4 March 2026). The annexed table explicitly identifies the Article 35 infringement and the exact amount. BOE-A-2026-6543. (boe.es)
According to the BOE publication, the fine specifically targets DPIA non-compliance (Art. 35 GDPR) for large-scale biometric processing. While the full reasoning is not reproduced in the BOE, the legal basis and the amount are official and enforceable. (boe.es)
Legal reasoning
- GDPR framework. Article 35 mandates a DPIA whenever processing is likely to result in a high risk to individuals’ rights and freedoms, with minimum content under paragraph 7 (systematic description, necessity and proportionality assessment, risk assessment, envisaged measures). If a high residual risk remains, Article 36 requires prior consultation with the supervisory authority before go-live. Official text: EUR-Lex — GDPR.
- Biometrics specificity. Facial recognition involves “biometric data” under Article 4(14) and, in most cases, “special categories” under Article 9 when used for identification or authentication. In such cases, a DPIA is almost always required, with heightened attention to the irreversibility of templates and risks of malicious reuse. GDPR text: EUR-Lex — GDPR.
- EU DPIA doctrine. The WP29 DPIA Guidelines (WP248 rev.01) — endorsed by the EDPB — set out triggering criteria (systematic monitoring, large scale, innovative tech, combination of criteria, etc.) and quality requirements (method, traceability, DPO involvement, stakeholder consultation). EDPB refs: “Endorsed WP29 Guidelines” and the thematic “DPIA” page. EDPB — Endorsed WP29 Guidelines; EDPB — DPIA.
- EDPB 2026 milestone. On 10 March 2026, the EDPB adopted a “Template [2026] for Data Protection Impact Assessment (DPIA) — Explainer”: a standardized canvas structured around processing description, necessity/proportionality tests and risk analysis, with cross-references to relevant guidelines (incl. Art. 25 privacy by design). Official document: EDPB DPIA Template Explainer (10/03/2026).
- Luxembourg position (CNPD). Under Article 35(4), the CNPD issued a list of processing operations that always require a DPIA, notably biometrics and systematic monitoring. Official resources: CNPD — Mandatory DPIA list and CNPD — DPIA obligations.
In short, the AENA fine illustrates a convergence of three points: 1) biometrics ⇒ a DPIA is almost always required; 2) the DPIA must demonstrate, with evidence, necessity/proportionality and risk reduction; 3) failing that, the authority may sanction solely under Article 35, regardless of any other violation. (boe.es)
What this changes in practice
- “High-risk” processing = DPIA before go-live. This typically covers:
  - biometric authentication/access control (face, fingerprint, vein, voice);
  - smart video surveillance, systematic tracking of users or employees;
  - large-scale special-category data (health, inferences).
  See the CNPD list for mandatory cases. CNPD — DPIA list. A dedicated certified DPO mandate and structured GDPR governance help ensure compliance.
- Demand for “demonstration”, not mere “description”. A compliant DPIA must:
  - make purposes explicit, distinguishing ultimate from derivative purposes;
  - pass the necessity/proportionality test by analyzing less-intrusive alternatives;
  - present a specific risk analysis (e.g., template irreversibility, function creep, future linkages); and
  - map each risk to technical/organizational measures (Art. 32) with evidence of effectiveness. Using the 2026 EDPB template eases CNPD/CNIL/AEPD review. EDPB template 2026.
  For legal bases, records and roles, also refer to our GDPR page to align Article 35 with related obligations (Arts. 30, 32).
- If residual risk remains “high”, conduct prior consultation (Art. 36) before launch. Otherwise, authorities may order suspension, require changes and/or fine. Text: EUR-Lex — Art. 36. Complementary cybersecurity audits can provide the effectiveness evidence (testing, logs, audits) regulators expect.
Common pitfalls
- “Paper” DPIA without effectiveness evidence. Listing measures (encryption, MFA, segmentation) is not enough: attach proof (designs, tests, audits, code reviews, access logs) and explain how each measure reduces a specific risk. The 2026 EDPB template includes dedicated fields for follow-up and final decision. EDPB 2026.
- Superficial necessity/proportionality. For biometrics, regulators expect a well-documented alternatives assessment (QR codes, badges, mobile app, human control) with metrics (error rates, FPR/FNR, accessibility, security), costs/impacts and justification of the choice. WP248 rev.01 stresses less-intrusive options. EDPB — Endorsed WP29 Guidelines.
- Lack of granular purposes. A DPIA that lumps “better passenger experience + security + anti-fraud” together without detailing the operations, legal basis, retention period and recipients for each purpose is exposed to challenge. The AENA case shows regulators expect a systematic, segmented description. BOE — AENA.
- Underestimating biometric-specific risks. Templates are irreversible: unlike a password, a compromised template cannot be revoked and reissued, so a breach cannot be “reset”. The DPIA must include tailored countermeasures (isolated storage, anti-inversion safeguards, PAD/liveness detection, strong segregation, on-device/edge minimization) with evidence of effectiveness and auditability. General refs: EDPB — DPIA.
- Skipping prior consultation (Art. 36) when residual risk stays high. Authorities view this as aggravating. Build a formal project checkpoint: if residual high risk is found, freeze design, consult CNPD, then proceed. Text: EUR-Lex — Art. 36.
Official sources
- AENA fine publication (amount, legal basis Art. 35 GDPR) — Boletín Oficial del Estado, Resolution of 4 March 2026, published 20 March 2026: BOE-A-2026-6543. (boe.es)
- Regulation (EU) 2016/679 — Articles 35 (DPIA) and 36 (prior consultation): EUR-Lex.
- CNPD (Luxembourg) — Mandatory DPIA list; “DPIA — obligations” page: Mandatory DPIA list; DPIA — obligations.
- EDPB — Endorsed WP29 DPIA Guidelines (WP248 rev.01); “DPIA” topic page; new “Template [2026] for DPIA — Explainer (10/03/2026)”: Endorsed WP29 Guidelines; DPIA; PDF.
Note to executives/DPO/CISO: in Luxembourg, a DPIA is required “by default” for biometrics and systematic monitoring. When in doubt, mirror the 2026 EDPB template, map alternatives, hold a documented DPO review and, if residual risk remains high, consult the CNPD before deployment. The AENA case shows that lacking a robust DPIA is now very costly. For hands-on support, see our GDPR Luxembourg page or engage a certified DPO.
Luxgap regulatory expertise article.