AEPD fines Yoti €950,000 — Automated DPIA becomes essential
On March 10, 2026, the AEPD fined Yoti €950,000 for unlawful biometric processing, invalid consent and excessive retention. A tooled, automated DPIA is now key to reducing that risk and evidencing GDPR compliance.
What happened
On March 10, 2026, the Agencia Española de Protección de Datos (AEPD) published a decision sanctioning Yoti Ltd, a UK digital identity and age‑verification provider, for €950,000. The infringements cover three areas: unlawful processing of biometric data (Article 9 GDPR), invalid consent (Article 7) and excessive retention (Article 5(1)(e)). The AEPD also ordered remediation within six months (procedures and evidence required). News source: Biometric Update. The company publicly confirmed the decision and the dismissal of its appeal on March 2, 2026: Yoti CEO statement and official response.
Beyond the amount, the signal to Luxembourg and EU leaders is clear: KYC/age/access use cases leveraging facial recognition or biometric templates require industrial‑grade privacy governance, notably a robust, verifiable, living DPIA able to document necessity, proportionality, technical safeguards and compliant retention periods.
The legal framework
- GDPR — Article 35 (DPIA): a DPIA is mandatory where processing is likely to result in a high risk, notably for biometrics, systematic monitoring, large-scale processing, etc. Official references: CNPD Luxembourg (DPIA guidance) and the EDPB criteria (WP248 rev.01).
- GDPR — Articles 5(1)(e), 7, 9: storage limitation (no longer than necessary), consent conditions, and the general prohibition on processing biometric data unless a derogation applies (notably explicit consent with reinforced safeguards).
- Luxembourg — CNPD: publication of a list of processing operations requiring a DPIA (Art. 35(4)), plus thematic guidance. For biometric and authentication processing, a DPIA is the norm.
In the Yoti case, the Spanish authority highlighted precisely these obligations and imposed a fine with compliance orders. For NIS 2 entities (banking, energy, health, digital services, etc.), these privacy‑by‑design requirements also reinforce cybersecurity risk management required by Article 21 of NIS 2.
The technical approach to deploy
Automated DPIA — This is not a simple Word document. A modern, tooled DPIA should:
- Auto‑map processing activities and data flows from existing sources (records, CMDB, IAM, application logs), detecting risk fields (biometrics, geolocation, persistent identifiers).
- Assess risk via dynamic questionnaires aligned with WP248/EDPB, scoring necessity, proportionality, scale, data subjects’ vulnerability, and transfers.
- Link technical measures to concrete controls (ISO/IEC 27001:2022 Annex A: A.8.10 Information deletion, A.8.12 Data leakage prevention, A.5.34 Privacy and protection of PII), plus NIST Privacy Framework (CT, AP) and CIS Controls (CIS 03 Data Protection, CIS 04 Access Control).
- Manage retention through enforceable policies (tags, durations, evidence metadata), deletion scripts/deletion tests and audit logs.
- Verify consent: integrate with your CMP/consent ledger to track granularity (biometrics ≠ cookies), proof of explicit consent, absence of pre‑ticked boxes, and effective revocation.
- Generate audit‑ready evidence: DPIA versioning, signatures, treated gaps, DPO decisions, prior consultation (Art. 36) when required, and links to technical test reports (security, bias, recognition model performance).
In practice, this tooling turns the DPIA into a living contract between Business, DPO and IT: it automatically tracks gaps, triggers actions (e.g., hardening the biometric API, reducing granularity, anonymization/pseudonymization) and continuously documents compliance.
How Luxgap delivers
- Our ISO 27001 governance: our Lead Implementer/Auditor consultants embed the DPIA in the ISMS, mapping each DPIA risk to ISO 27001 controls and verifiable measures (action plans, owners, deadlines). We use requirement → control → evidence matrices to streamline audits.
- Our outsourced DPO and CISO: use‑case scoping (biometrics, KYC/age, access), legal review (Art. 9, legal basis, necessity test), privacy‑by‑design trade‑offs (non‑biometric alternatives, anonymous tokens) and, if needed, preparation of a CNPD prior consultation (Art. 36) with a complete file. For dedicated support, see our DPO mandate.
- Our managed SOC (when biometrics are in production): logging and monitoring of API calls, alerts on drifts (abnormal retention, unplanned exports), correlation with DLP and IAM. Goal: early detection of processing deviations that would break the DPIA. Explore our managed SOC service.
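The "alerts on drifts" in the managed SOC bullet above come down to comparing what the production API actually does with what the DPIA declared. The following is an added example, not Luxgap's SOC content or any vendor's rule set: the DPIA declarations (declared recipients, an operation-to-role access matrix, a transient template TTL), the event field names and the JSON log lines are all constructed for the illustration. It runs three rules over the log: exports to an undeclared recipient, calls by a role the DPIA does not authorise for that operation, and templates still present past their declared lifetime at the end of the window.

```python
"""Detect processing that deviates from what the DPIA declared.

Added illustration (not Luxgap's SOC content or any vendor's rule set). The
DPIA declarations, event schema and log lines are constructed for the example;
the field names are assumptions, not a real product's format.
"""
import json
from datetime import datetime, timedelta

# What the DPIA declared for this use case (constructed).
DPIA = {
    # recipients to which data may legitimately be exported
    "declared_recipients": {"kyc-orchestrator.internal", "evidence-vault.internal"},
    # operation -> roles allowed to call it (the DPIA's access matrix)
    "access_matrix": {
        "verify_age": {"age-check-service"},
        "store_template": {"age-check-service"},
        "delete_template": {"age-check-service", "retention-job"},
        "export": {"dpo-tooling"},
    },
    # a template may exist only transiently while the age token is computed
    "template_ttl": timedelta(minutes=5),
}

# Constructed API audit log, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-03-12T10:00:00Z","op":"verify_age","role":"age-check-service","obj":"t-1"}
{"ts":"2026-03-12T10:00:01Z","op":"store_template","role":"age-check-service","obj":"t-1"}
{"ts":"2026-03-12T10:00:03Z","op":"delete_template","role":"retention-job","obj":"t-1"}
{"ts":"2026-03-12T10:10:00Z","op":"store_template","role":"age-check-service","obj":"t-2"}
{"ts":"2026-03-12T10:12:00Z","op":"export","role":"dpo-tooling","obj":"dpia-pack-7","dest":"evidence-vault.internal"}
{"ts":"2026-03-12T10:15:00Z","op":"export","role":"dpo-tooling","obj":"batch-42","dest":"analytics-partner.example"}
{"ts":"2026-03-12T10:20:00Z","op":"verify_age","role":"marketing-batch","obj":"t-9"}
{"ts":"2026-03-12T10:30:00Z","op":"verify_age","role":"age-check-service","obj":"t-3"}
"""


def parse_ts(s: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(log_text: str, dpia: dict) -> list:
    """Run the three drift rules over the log; return alerts in detection order."""
    alerts = []
    live_templates = {}  # obj -> time stored, not yet deleted
    last_ts = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        last_ts = ts
        allowed = dpia["access_matrix"].get(ev["op"], set())
        # Rule 1: caller role not in the DPIA access matrix for this operation.
        if ev["role"] not in allowed:
            alerts.append({"rule": "unauthorized_access", "ts": ev["ts"],
                           "op": ev["op"], "role": ev["role"]})
        # Rule 2: export to a recipient the DPIA never declared.
        if ev["op"] == "export" and ev.get("dest") not in dpia["declared_recipients"]:
            alerts.append({"rule": "unplanned_export", "ts": ev["ts"], "dest": ev.get("dest")})
        # Track template lifetimes for rule 3.
        if ev["op"] == "store_template":
            live_templates[ev["obj"]] = ts
        elif ev["op"] == "delete_template":
            live_templates.pop(ev["obj"], None)
    # Rule 3: a template still present past its declared TTL at the end of the window.
    if last_ts is not None:
        for obj, stored in sorted(live_templates.items()):
            age = last_ts - stored
            if age > dpia["template_ttl"]:
                alerts.append({"rule": "abnormal_retention", "obj": obj,
                               "age_s": int(age.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, DPIA):
        print(alert)
```

Each alert names the DPIA statement it contradicts (recipient list, access matrix or retention period), which is what lets the DPO treat it as a DPIA deviation rather than a generic security event; in a real pipeline the same rules would be fed from the IAM/CIAM and DLP sources named in the bullet.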
In concrete terms, we connect the DPIA platform to your sources (records, IAM/CIAM, data catalog), normalize flows, run the dynamic WP248 questionnaire, then publish a versioned DPIA with an action plan and an associated evidence pack (retention policy, consent, risk sheets, mapped ISO 27001 measures).
Real‑world case in Luxembourg or EU
A Luxembourg e‑commerce platform, in scope of NIS 2 as an “essential digital service”, wanted to introduce age verification for sensitive categories. In six weeks:
- Flow mapping (local video capture, on‑device vs. cloud age calculation, no template storage), and definition of a non‑biometric alternative to avoid reliance on facial recognition.
- Tooled DPIA: WP248 scoring, minimization (no template retention), legal basis (legitimate interest rejected → anonymous age‑token solution), strict CIAM access control.
- Retention policy: immediate image deletion, technical logs kept max 30 days, automated deletion evidence.
- Audit evidence: Article 35/5/9/7 pack signed by the DPO, test plan and support runbooks. Result: solution deployed with no persistent biometrics, documentation ready for CNPD and B2B clients.
First practical steps
- Identify high‑risk use cases (biometrics, geolocation, marketing profiling, monitoring) and consolidate a single processing inventory.
- Tool your DPIA: choose a platform that integrates with your records, IAM/CIAM and data catalog, with WP248/EDPB‑aligned templates and evidence generation.
- Lock retention: define durations per purpose, enable automated deletion, test it and log the proof.
- Rework consent: ensure no pre‑ticked boxes, traceability of explicit consent for any biometrics, and self‑service revocation.
- Prepare Art. 36 (if needed): if a high risk remains, assemble the CNPD prior consultation file with formalized compensating measures.
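The "Manage retention" and "Verify consent" bullets in the technical section, and the "Lock retention" and "Rework consent" steps just above, describe the same two mechanisms: per-purpose durations enforced by a deletion job that leaves proof behind, and a consent ledger that can say whether a given biometric operation was covered by explicit, granular, unrevoked consent. The following is an added example of both, not Luxgap's or any DPIA platform's code: record and ledger fields, purpose names and the sample data are constructed, and only the "immediate image deletion, logs kept at most 30 days" durations echo the case study in the article. Deletion evidence is hash-chained so a later audit can tell whether a line was altered or removed.

```python
"""Per-purpose retention with deletion evidence, plus consent-ledger checks.

Added illustration, not Luxgap's or any DPIA platform's code. Record and
ledger fields, purpose names and sample data are constructed; the image and
log durations follow the case study in the article.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention per purpose, in days (constructed policy). 0 = delete immediately.
RETENTION_DAYS = {"age_verification_image": 0, "technical_log": 30, "consent_receipt": 3 * 365}


@dataclass
class Record:
    record_id: str
    purpose: str
    created_at: datetime


@dataclass
class Consent:
    subject_id: str
    purpose: str                  # per purpose: "cookies" does not cover "biometrics"
    explicit: bool                # an affirmative act was recorded
    preticked: bool               # the UI default was already "yes"
    granted_at: datetime
    revoked_at: Optional[datetime] = None


def is_expired(rec: Record, now: datetime) -> bool:
    if rec.purpose not in RETENTION_DAYS:
        raise ValueError(f"no retention rule for purpose {rec.purpose!r}")
    return now >= rec.created_at + timedelta(days=RETENTION_DAYS[rec.purpose])


def enforce_retention(store: dict, now: datetime, prev_hash: str = "0" * 64) -> list:
    """Delete expired records in place; return hash-chained deletion evidence."""
    evidence = []
    for rec_id in sorted(store):
        rec = store[rec_id]
        if not is_expired(rec, now):
            continue
        entry = {"record_id": rec.record_id, "purpose": rec.purpose,
                 "rule_days": RETENTION_DAYS[rec.purpose],
                 "created_at": rec.created_at.isoformat(),
                 "deleted_at": now.isoformat(), "prev": prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        prev_hash = entry["hash"]
        del store[rec_id]
        evidence.append(entry)
    return evidence


def deletion_test(store: dict, now: datetime) -> bool:
    """Post-run check for the evidence pack: nothing past its duration may remain."""
    return not any(is_expired(r, now) for r in store.values())


def verify_chain(evidence: list, genesis: str = "0" * 64) -> bool:
    """Recompute the chain; False if any evidence line was altered or removed."""
    prev = genesis
    for e in evidence:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True


def consent_valid(ledger: list, subject_id: str, purpose: str, at: datetime):
    """(valid, reason) for processing `purpose` for `subject_id` at time `at`."""
    matches = [c for c in ledger if c.subject_id == subject_id and c.purpose == purpose]
    if not matches:
        return False, "no consent for this purpose"
    c = max(matches, key=lambda c: c.granted_at)
    if not c.explicit or c.preticked:
        return False, "not explicit"
    if c.granted_at > at:
        return False, "predates consent"
    if c.revoked_at is not None and c.revoked_at <= at:
        return False, "revoked"
    return True, "ok"


def run_demo() -> dict:
    """Constructed store and ledger exercised against the policy above."""
    now = datetime(2026, 3, 12, 12, 0, tzinfo=timezone.utc)
    ago = lambda **kw: now - timedelta(**kw)
    store = {r.record_id: r for r in [
        Record("img-0001", "age_verification_image", ago(minutes=5)),
        Record("log-0001", "technical_log", ago(days=40)),
        Record("log-0002", "technical_log", ago(days=10)),
        Record("rcpt-0001", "consent_receipt", ago(days=400)),
    ]}
    evidence = enforce_retention(store, now)
    ledger = [Consent("s1", "cookies", True, False, ago(days=20)),
              Consent("s2", "biometrics", True, False, ago(days=11)),
              Consent("s3", "biometrics", True, True, ago(days=11)),
              Consent("s4", "biometrics", True, False, ago(days=11), revoked_at=ago(days=2))]
    return {"deleted": [e["record_id"] for e in evidence], "remaining": sorted(store),
            "deletion_test": deletion_test(store, now), "chain_ok": verify_chain(evidence),
            "consent": {s: consent_valid(ledger, s, "biometrics", now) for s in ("s1", "s2", "s3", "s4")}}
```

The deletion test result and the chained evidence are the two artefacts a reviewer asks for when checking Article 5(1)(e); the consent check deliberately refuses a "cookies" consent for a "biometrics" purpose, which is the granularity point made in the article.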
Official sources
- Commented decision — fine against Yoti (10/03/2026): Biometric Update; confirmations by Yoti: CEO statement, Yoti blog.
- GDPR — DPIA (Art. 35): CNPD Luxembourg — DPIA; EDPB guidelines (WP248 rev.01): full text.
Need help to scope your biometric project and document the DPIA? Reach out via Luxgap or our contact form.