Spain’s airport authority Aena has announced it will challenge in court the 10-million-euro penalty issued by Spain’s Data Protection Agency (AEPD) over its biometric boarding system, arguing the sanction is ‘disproportionate’ and insisting that no security incident or data leak has occurred ‘at any time’.
According to the AEPD, Aena rolled out facial-recognition technology – classified as high-risk due to its processing of special-category biometric data – without completing the required Data Protection Impact Assessment (DPIA), which must demonstrate necessity, suitability and proportionality.
In a statement on Tuesday, Aena reiterated that its various biometric boarding trials across airports in Spain have never compromised user information, asserting that data protection measures have ensured security was ‘not being at risk at any time’.
The regulator’s fine centres on an alleged failure to meet formal DPIA obligations, a conclusion Aena rejects, maintaining that travellers provided informed consent.
Aena says the sanction stems from what the agency views as a breach of procedure – specifically, not producing a DPIA that fulfilled all legal standards. The company, however, insists such assessments were completed before the biometric systems were introduced and therefore ‘respectfully disagrees’ with the AEPD’s conclusion that they were insufficient.
Because it believes the agency’s reasoning lacks proportionality, Aena has confirmed it will lodge a legal appeal.
The operator also emphasised that its biometric programme has consistently protected users’ privacy and data. It noted again that no data breach – whether involving passengers in the biometric trials or any third party – has ever been detected. ‘The security of this data has not been at risk at any time,’ the company stated.
Aena further stresses that biometric data was processed only after passengers provided informed and voluntary consent, and that all information was handled according to the legally mandated procedures for retention, blocking and deletion.
The operator adds that it intends to continue developing faster and more efficient passenger documentation processes so the biometric boarding initiative can resume ‘as soon as possible’.
The AEPD has imposed a fine of 10,043,002 euros for Aena’s alleged breach of article 35 of Spain’s GDPR framework concerning the rollout of facial-recognition systems in its airports.
In its resolution, the watchdog says Aena failed to perform a valid DPIA prior to processing biometric data and did not demonstrate that using such data was necessary or proportionate for identifying passengers.
The system – intended to speed up airport flows and enhance security – relied on sensitive biometric identifiers, including facial templates, alongside other personal information.
The AEPD found that the processing did not meet the requirements of necessity and proportionality, noting that less intrusive options were available to meet the same objectives. It also identified shortcomings in Aena’s risk-management approach and in the security measures applied.
The penalty includes an order halting all biometric data processing until Aena completes a fully compliant impact assessment. Because the fine exceeds one million euros, the resolution will also be published in the official state bulletin (BOE).
Subscribe to the Weekly Newsletter from Spain in English.
ℹ️ Comunicado de Aena ante la resolución sancionadora de la Agencia Española de Protección de Datos
— Aena (@aena) November 25, 2025
▫️ Aena garantiza que no se ha producido ninguna brecha de seguridad y que, por tanto, no ha habido filtración de datos de los usuarios de los distintos programas de biometría… pic.twitter.com/DClmAdlZSW
Click here to get your business activity or services listed on our DIRECTORY.