September 28, 2021

Volume XI, Number 271

Advertisement

September 27, 2021

Subscribe to Latest Legal News and Analysis

Spanish DPA Fines Supermarket Chain 2,520,000 EUR for Unlawful Use of Facial Recognition System

On July 27, 2021, the Spanish Data Protection Authority (the “AEPD”) imposed a €2,520,000 fine on Spanish supermarket chain Mercadona, S.A. for unlawful use of a facial recognition system.

Following its investigation, the AEPD found that Mercadona was using a facial recognition system in 48 of its shops for several months across Spain to detect individuals with criminal convictions or restraining orders (particularly, individuals who had received a restraining order after assaulting an employee of a store or that had been convicted for a store-based incident). The facial recognition system and related processing of biometric data also captured facial images of all customers entering Mercadona’s supermarkets, including children and Mercadona’s employees.

The AEPD found that none of the legal grounds available under Article 9 of the EU General Data Protection Regulation (which sets forth the legal grounds available for the processing of sensitive data, including biometric data) could be used by Mercadona for the processing of biometric data through its facial recognition system – hence, the AEPD declared the processing unlawful. In addition, the AEPD found that the processing did not meet the principles of necessity, proportionality and data minimization, transparency and privacy by design. Moreover, the AEPD found that the data protection impact assessment conducted by Mercadona was insufficient and incomplete as it did not account for the risks posed to Mercadona employees by the data processing.

The AEPD originally decided to impose a €3,150,000 fine, but subsequently reduced it due to voluntary payment.

Read the decision, only available in Spanish.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 211
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement