AEPD vs AENA: €10,043,002 for a deficient DPIA (Art. 35 GDPR)
On 4 March 2026, the AEPD fined AENA €10,043,002 for a non‑compliant DPIA on biometric boarding. Key takeaway: a “pro forma” DPIA is tantamount to no DPIA.
Summary — On 4 March 2026, the AEPD published in the BOE a €10,043,002 fine against AENA for a non‑compliant DPIA on biometric boarding. Key lesson: a “pro forma” DPIA equals a missing DPIA. Sources: BOE-A-2026-6543, AEPD – PS-00431-2024.
The case
Airport operator AENA, S.M.E., S.A. was sanctioned for breaching Article 35 GDPR (DPIA) in biometric boarding projects. The exact amount — €10,043,002 — appears in the BOE resolution of 20 March 2026, which lists AEPD fines above €1m and identifies the Article 35 GDPR violation. See the Annex naming AENA. Official sources: BOE-A-2026-6543; detailed decision AEPD – PS-00431-2024 (PDF).
The decision (Expediente EXP202304532, “PS-00431-2024”) found the DPIA deficient: incomplete analysis of necessity/proportionality, failure to meet Article 35(7) minimum content, insufficient assessment of risks specific to biometric templates, and inadequate security measures (Art. 32). See “Hechos probados” and “Fundamentos de Derecho,” especially Chapter IV and point “1.- Incumplimiento de las obligaciones contenidas en el art. 35.7 del RGPD.”
AENA publicly stated it would challenge the decision, arguing that DPIAs had been carried out before the pilots. At this stage that statement does not undermine the authority's legal findings. Release: AENA.
Legal reasoning
- Legal basis and scope — A DPIA is mandatory "where a type of processing is likely to result in a high risk" (Art. 35(1)), and in any case for the processing operations placed on a supervisory authority's Art. 35(4) list. The minimum content (Art. 35(7)) covers: a systematic description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks.
- EDPB guidance — The WP29 DPIA Guidelines (WP248 rev.01), endorsed by the EDPB, set out nine "high risk" criteria (systematic monitoring, large-scale processing of biometric data, innovative technology, etc.) and require an argued, traceable analysis rather than a checklist. Sources: EDPB – Endorsed WP29 Guidelines; EDPB – DPIA topic.
- AEPD’s application — In PS-00431-2024, the authority found AENA’s DPIA failed to sufficiently demonstrate: 1) necessity and proportionality of biometrics for the stated purposes (passenger flow/experience, security) despite potential less intrusive alternatives; 2) specific risks of biometric templates (sensitivity, irreversibility); 3) adequacy of security measures (Art. 32) vs. residual risk; 4) compliance with Art. 35(7) GDPR content requirements.
- Relevance for Luxembourg (CNPD) — The CNPD has published its own Article 35(4) list: biometric identification combined with other EDPB criteria (large scale, monitoring of publicly accessible areas, new technology) typically triggers a DPIA and, if the residual risk remains high, prior consultation of the authority (Art. 36). Sources: CNPD mandatory DPIA list; CNPD – DPIA & prior consultation.
What this changes in practice
- Sloppy DPIA = no DPIA. Box‑ticking is not enough: necessity/proportionality and comparison with less intrusive alternatives must be documented, reasoned, and kept up to date. A structured DPO mandate helps embed this rigor.
- Biometric projects (boarding, access control, time/attendance, fraud prevention, in‑branch KYC): multiple EDPB criteria apply; a DPIA is almost always required from scoping, with written evidence of the reasoning. For the local framework, see GDPR in Luxembourg and CNPD compliance.
- High residual risk: if the DPIA concludes this, prior consultation with the authority is mandatory before go‑live (Art. 36). The CNPD provides a dedicated channel and dossier: CNPD – DPIA.
Immediate applications in Luxembourg
- Airports/transport: biometric boarding, airside staff access, paperless passenger journeys; DPIA mandatory, proportionate design, effective rights (true opt‑in, non‑friction alternative path).
- Banking/insurance: biometric onboarding (face recognition vs OTP + assisted document checks), in‑branch fraud detection; DPIA, assessment of false positives/errors and minimisation.
- Retail/real estate: VIP lounges or parking access via biometrics; justify necessity vs badges or QR codes.
- Public sector/health: patient/visitor flow with biometrics in semi‑public spaces; stringent DPIA and reinforced measures (Art. 9 + 32). For AI or smart sensors, consider AI compliance in Luxembourg to align with governance requirements.
Common pitfalls
- Confusing “consent” with “necessity/proportionality”. Even with consent, controllers must show no less intrusive option would achieve the purpose. See PS-00431-2024.
- Overly descriptive, under‑evaluative DPIA: copying vendor specs without quantifying risks, attack scenarios or a risk/measure matrix breaches Art. 35(7). See WP248 rev.01.
- Forgetting the “two‑key” effect: biometrics + another criterion. The CNPD list often combines them, almost automatically triggering a DPIA: CNPD list.
- Non-equivalent alternative path: an alternative that exists on paper but is discouraging in practice (extra friction, longer waits) weighs against proportionality, because the biometric route is then not a genuine choice.
- Pilots without prior DPIA or updates: the DPIA must precede processing and be revised upon change; otherwise, expect orders or fines. Reference: BOE – 4 March 2026.
Key takeaway
For any biometric, AI or smart-sensor project in Luxembourg, start from a necessity/proportionality matrix and a complete, traceable, up-to-date DPIA aligned with WP248 and the CNPD list, and consult the CNPD if a high residual risk remains. In 2026, a DPIA must be a robust, auditable demonstration; otherwise eight-figure fines may follow.
Luxgap regulatory expertise article.