AEPD vs AENA: €10.04M for a deficient DPIA in biometrics

On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant DPIA related to biometric boarding. Key signal: a DPIA must now be complete, evidence-based and traceable.

Summary — On 20 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non-compliant Data Protection Impact Assessment (DPIA) on biometric boarding. Key takeaway: an evidence-based, complete DPIA is now scrutinized in detail. BOE-A-2026-6543. (boe.es)

The case

AENA, Spain’s airport operator, deployed facial-recognition boarding systems. The Agencia Española de Protección de Datos (AEPD) imposed an administrative fine of €10,043,002 for violation of GDPR Article 35 (DPIA), officially published in Spain’s Official State Gazette (BOE) on 20 March 2026 (resolution dated 4 March 2026). The annexed table explicitly identifies the Article 35 infringement and the exact amount. BOE-A-2026-6543. (boe.es)

According to the BOE publication, the fine specifically targets DPIA non-compliance (Art. 35 GDPR) for large-scale biometric processing. While the full reasoning is not reproduced in the BOE, the legal basis and the amount are official and enforceable. (boe.es)

Legal reasoning

  • GDPR framework. Article 35 mandates a DPIA whenever processing is likely to result in a high risk to individuals’ rights and freedoms, with minimum content under paragraph 7 (systematic description, necessity and proportionality assessment, risk assessment, envisaged measures). If a high residual risk remains, Article 36 requires prior consultation with the supervisory authority before go-live. Official text: EUR-Lex — GDPR.
  • Biometrics specificity. Facial-recognition data are “biometric data” under Article 4(14). When they are processed “for the purpose of uniquely identifying a natural person”, which is exactly what 1:1 verification or 1:N identification at a boarding gate does, they fall under the “special categories” of Article 9. In such cases, a DPIA is almost always required, with heightened attention to the fact that a compromised biometric trait cannot be revoked or reissued, and to the risks of template inversion and malicious reuse. GDPR text: EUR-Lex — GDPR.
  • EU DPIA doctrine. The WP29 DPIA Guidelines (WP248 rev.01) — endorsed by the EDPB — set out triggering criteria (systematic monitoring, large scale, innovative tech, combination of criteria, etc.) and quality requirements (method, traceability, DPO involvement, stakeholder consultation). EDPB refs: “Endorsed WP29 Guidelines” and the thematic “DPIA” page. EDPB — Endorsed WP29 Guidelines; EDPB — DPIA.
  • EDPB 2026 milestone. On 10 March 2026, the EDPB adopted a “Template [2026] for Data Protection Impact Assessment (DPIA) — Explainer”: a standardized canvas structured around processing description, necessity/proportionality tests and risk analysis, with cross-references to relevant guidelines (incl. Art. 25 privacy by design). Official document: EDPB DPIA Template Explainer (10/03/2026).
  • Luxembourg position (CNPD). Under Article 35(4), the CNPD issued a list of processing operations that always require a DPIA, notably biometrics and systematic monitoring. Official resources: CNPD — Mandatory DPIA list and CNPD — DPIA obligations.

In short, the AENA fine illustrates convergence: 1) biometrics ⇒ DPIA is almost systematic; 2) the DPIA must demonstrate, with evidence, necessity/proportionality and risk reduction; 3) failing that, the authority may sanction solely under Article 35, regardless of other violations. (boe.es)

What this changes in practice

  1. “High-risk” processing = DPIA before go-live. This typically covers:
    • biometric authentication/access control (face, fingerprint, vein, voice);
    • smart video surveillance, systematic tracking of users or employees;
    • large-scale special-category data (health, inferences).

    See the CNPD list for mandatory cases. CNPD — DPIA list. A dedicated certified DPO mandate and structured GDPR governance help ensure compliance.

  2. Demand for “demonstration”, not mere “description”. A compliant DPIA must:
    • make purposes explicit, distinguishing ultimate from derivative purposes;
    • pass the necessity/proportionality test by analyzing less-intrusive alternatives;
    • present a specific risk analysis (e.g., template irreversibility, function creep, future linkages); and
    • map each risk to technical/organizational measures (Art. 32) with evidence of effectiveness. Using the 2026 EDPB template eases CNPD/CNIL/AEPD review. EDPB template 2026.

    For legal bases, records and roles, also refer to our GDPR page to align Article 35 with related obligations (Arts. 30, 32).

  3. If residual risk remains “high”, conduct prior consultation (Art. 36) before launch. Otherwise, authorities may order suspension, require changes and/or fine. Text: EUR-Lex — Art. 36. Complementary cybersecurity audits can provide the effectiveness evidence (testing, logs, audits) regulators expect.

Common pitfalls

  • “Paper” DPIA without effectiveness evidence. Listing measures (encryption, MFA, segmentation) is not enough: attach proof (designs, tests, audits, code reviews, access logs) and explain how each measure reduces a specific risk. The 2026 EDPB template includes dedicated fields for follow-up and final decision. EDPB 2026.
  • Superficial necessity/proportionality. For biometrics, regulators expect a well-documented alternatives assessment (QR codes, badges, mobile app, human control) with metrics (false-accept and false-reject rates, accessibility, security), costs/impacts and a justification of the choice. WP248 rev.01 stresses less-intrusive options. EDPB — Endorsed WP29 Guidelines.
  • Lack of granular purposes. A DPIA that lumps “better passenger experience + security + anti-fraud” without detailing operations, legal bases, retention and recipients per purpose is vulnerable. The AENA case shows regulators expect a systematic, segmented description. BOE — AENA.
  • Underestimating biometric-specific risks. Unlike a password, a compromised biometric cannot be revoked or reissued, and stored templates can be inverted to approximate the original face, so a breach cannot be “reset”. The DPIA must include tailored countermeasures (isolated template storage, anti-inversion protection of templates, presentation-attack detection (PAD/liveness), strong segregation, on-device processing and data minimization at the edge) with evidence of effectiveness and auditability. General refs: EDPB — DPIA.
  • Skipping prior consultation (Art. 36) when residual risk stays high. Authorities view this as aggravating. Build a formal project checkpoint: if residual high risk is found, freeze design, consult CNPD, then proceed. Text: EUR-Lex — Art. 36.

Official sources

  • AENA fine publication (amount, legal basis Art. 35 GDPR) — Boletín Oficial del Estado, Resolution of 4 March 2026, published 20 March 2026: BOE-A-2026-6543. (boe.es)
  • Regulation (EU) 2016/679 — Articles 35 (DPIA) and 36 (prior consultation): EUR-Lex.
  • CNPD (Luxembourg) — Mandatory DPIA list; “DPIA — obligations” page: Mandatory DPIA list; DPIA — obligations.
  • EDPB — Endorsed WP29 DPIA Guidelines (WP248 rev.01); “DPIA” topic page; new “Template [2026] for DPIA — Explainer (10/03/2026)”: Endorsed WP29 Guidelines; DPIA; PDF.

Note to executives/DPO/CISO: in Luxembourg, a DPIA is required “by default” for biometrics and systematic monitoring. When in doubt, mirror the 2026 EDPB template, map alternatives, hold a documented DPO review and, if residual risk remains high, consult the CNPD before deployment. The AENA case shows that lacking a robust DPIA is now very costly. For hands-on support, see our GDPR Luxembourg page or engage a certified DPO.

Luxgap regulatory expertise article.
