On July 27, 2021, the Spanish Data Protection Authority (the “AEPD”) imposed a €2,520,000 fine on Spanish supermarket chain Mercadona, S.A. for unlawful use of a facial recognition system.

Following its investigation, the AEPD found that Mercadona was using a facial recognition system in 48 of its shops for several months across Spain to detect individuals with criminal convictions or restraining orders (particularly, individuals who had received a restraining order after assaulting an employee of a store or that had been convicted for a store-based incident). The facial recognition system and related processing of biometric data also captured facial images of all customers entering Mercadona’s supermarkets, including children and Mercadona’s employees.

The AEPD found that none of the legal grounds available under Article 9 of the EU General Data Protection Regulation (which sets forth the legal grounds available for the processing of sensitive data, including biometric data) could be used by Mercadona for the processing of biometric data through its facial recognition system – hence, the AEPD declared the processing unlawful. In addition, the AEPD found that the processing did not meet the principles of necessity, proportionality and data minimization, transparency and privacy by design. Moreover, the AEPD found that the data protection impact assessment conducted by Mercadona was insufficient and incomplete as it did not account for the risks posed to Mercadona employees by the data processing.

The AEPD originally decided to impose a €3,150,000 fine, but subsequently reduced it due to voluntary payment.

Read the decision, only available in Spanish.