AEPD (Spain) - PS/00120/2021
AEPD (Spain) - PS/00120/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR; Article 6 GDPR; Article 9 GDPR; Article 25(1) GDPR; Article 57(1) GDPR; Article 83(4)(a) GDPR; Article 83(5)(a) GDPR; Article 83(5)(b) GDPR; Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 23.07.2021 |
Published: | 26.07.2021 |
Fine: | 2520000 EUR |
Parties: | ASOCIACION DE CONSUMIDORES Y USUARIOS EN ACCION-FACUA Mercadona, S.A. |
National Case Number/Name: | PS/00120/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined Mercadona, a supermarket chain, €2,500,000 for using a video surveillance system that processed biometric data to identify people convicted of robbery or other crimes related to Mercadona and subject to entry bans in force.
English Summary
Facts
The Spanish DPA (AEPD) launched an investigation into Mercadona, a supermarket chain, after learning via the media that it was using a video surveillance system to prevent people convicted of robbery or other crimes related to Mercadona, and subject to entry bans in force, from accessing its premises.
Two complaints were subsequently lodged in this regard, by a consumers' association and by an association for computer enabled crimes and problems.
Mercadona used this system from 1/06/2020 until 6/05/2021, after the AEPD issued an interim measure ordering the controller to stop the processing.
[in progress]
Holding
The DPA
[in progress]
Comment
This case deals with the same facts as the court judgment AP Barcelona - Auto 72/2021, where the court also found a violation of the GDPR and ordered Mercadona to stop the processing.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00120/2021

RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On May 5, 2021, the director agreed to start the sanctioning procedure against MERCADONA, S.A. (hereinafter the claimed party). After the initiation agreement was notified and the allegations presented were analyzed, the resolution proposal was issued on June 29, 2021, and is transcribed below:

<< Procedure number: PS/00120/2021

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following:

BACKGROUND

FIRST: On July 6, 2020, the Director of the Spanish Agency of Data Protection (hereinafter, AEPD) agreed to initiate investigative actions in view of the news published in the media about the implementation that Mercadona, S.A. (hereinafter, Mercadona or the claimed party) would be carrying out in its establishments of a system for detecting persons with final sentences and restraining orders in force against Mercadona or against any of its workers.

Subsequently, two claims were registered with the AEPD in relation to the same facts:
- On July 15, 2020, registration number 025103/2020, from the ASSOCIATION OF CONSUMERS AND USERS IN ACCION-FACUA (NIF G91344986).
- On July 27, 2020, registration number 026511/2020, from APEDANICA (NIF G80593254).
SECOND: In view of the facts denounced in the claim and the documents provided by the claimant / of the facts and documents of which this Agency has learned, the Subdirectorate General of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second section, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).

As a result of the investigative actions carried out, it is found that the party responsible for the treatment is the claimed party. Likewise, the following points are found:

INVESTIGATED ENTITIES

During these proceedings, investigations have been carried out on the following entities:

Mercadona, S.A., with NIF A46103834 and domiciled in Paseo de la Castellana No. 259 C, 28046 Madrid.

The defendant had a turnover in 2019 of more than 25,000 million euros and more than 94,000 employees, as recorded in the last audit report issued by the entity, and therefore constitutes a large company.

RESULT OF THE INVESTIGATIVE ACTIONS

The writing of these results is based on the information provided by Mercadona (entry registration numbers 026455/2020, 026457/2020, 026459/2020, 026460/2020, 026461/2020, 026462/2020, 026463/2020, 026464/2020, and 027549/2020) and on the following documents incorporated into the present file through the corresponding diligence:
- Reference number 1: Official Gazette of the Mercantile Registry (hereinafter BORME) of *** DATE.1, (…).
- Reference number 2: BORME of *** DATE.2, (…).
- Reference number 3: consultation made on November 5, 2020 of the entity *** COMPANY.1 in the Axesor business information service.
- Reference number 4: report of the legal office of the AEPD of reference number 010308/2019.
- Reference number 5: guidelines on automated individual decisions and profiling for the purposes of Regulation 2016/679, from the Article 29 Working Group on the protection of personal data.
- Reference number 6: extract from Law 5/2014, of April 4, on Private Security.
- Reference number 7: extract from Organic Law 10/1995, of November 23, of the Penal Code.
- Reference number 8: extract from the Royal Decree of July 24, 1889 by which the Civil Code is published.
- Reference number 9: extract from the Spanish Constitution.
- Reference number 10: report of the legal office of the AEPD of reference number 36/2020.
- Reference number 11: opinion of the ICO (Information Commissioner's Office) entitled “The use of live facial recognition technology by law enforcement in public places”, published on October 31, 2019.
- Reference number 12: privacy policy published on Mercadona's internet site, whose latest update, as stated in the document, took place on October 5, 2020.

It is noted that where this report refers to statements, descriptions, or explanations made by Mercadona "in writing", this expression refers to the entry letter registered on July 25, 2020 with the number 026455/2020.

In order to achieve the greatest possible clarity of exposition, the results of the investigation are organized in the following sections:
1. Context and deployment
2. Interveners, recipients, and international data transfers
3. Contribution of the image to the judicial procedure and inclusion in the Early Detection System (hereinafter SDA)
4. SDA activation, detection, and alert
5. Reception and validation of the alert, and communication to the Forces and State Security Bodies (hereinafter FCSE)
6. Terms of conservation of personal data
7. System architecture, impact assessment, and security measures
8. Purpose, legality, and proportionality
9. Compliance with the duty of information

1. Context and deployment

Mercadona, as defined in its own writing, is a “global company that dedicates, among other activities of its corporate purpose, to the exploitation of a chain of food supermarkets”. Thus, according to the data it provides, it has “1,636 stores and approximately 95,000 workers in Spanish territory”. It also adds that, “at a generic level, it could be determined than a [sic] the approximate number of people who access one each day MERCADONA store is *** NUM. 1”.

It also states that “each year, the Company has approximately *** NUM. 2 judicial processes that can end in more than *** NUM. 3 judicial decisions in his favor in which the defendant is firmly condemned with restraining orders on the MERCADONA facilities”. In this regard, it cites that the following people are the object of a complaint and therefore “susceptible request an order prohibiting access to a Company store”:
- “They are repeat offenders in the crime of robbery or theft against MERCADONA.
- They have stolen a large number of products that can be sold
- Have been reported and convicted of crimes related to MERCADONA facilities, goods or workers
- They threaten or attack their own workers or security guards that provide service in MERCADONA stores
- They commit illegal acts on MERCADONA's clients”.

In line with the foregoing, it states that “the implementation of a system early detection using facial recognition technology in their stores […] motivated by the risk derived from the commission of criminal acts, with its corresponding risk for MERCADONA customers and employees due to the large number of crimes that are committed in its more than 1,600 centers distributed throughout the Spanish geography, against their employees or goods”.
Mercadona explains that “a facial recognition process consists of compare a doubted biometric sample, obtained through one or more images of a person, in front of a database of biometric samples already undoubtedly associated with the identity of a person, which have been previously registered through one or more photographs”. To do this, it adds, “The doubted biometric samples are transformed into patterns. Subsequently, through facial recognition, the biometric samples are compared to the undoubted template previously saved, through algorithmic calculations that are evaluated based on matching thresholds previously established”.

Mercadona describes that the procedure consists of the following phases (document number 1 of document 026457/2020 lists, in addition to these phases, the actions that each of them includes):
- Contribution of the image to the judicial procedure.
- Inclusion of the image in the SDA.
- Activation of the SDA.
- Detection phase.
- Alert phase.
- Reception and validation of the alert.
- Communication with FCSE.

The condensed information on the treatment can be consulted in the extract of the record of treatment activities provided by Mercadona as part of document number 29 of brief 026463/2020, which includes the data processing activities related to the SDA. The following information from it is given in advance; its details are expanded in the following sections:
- Data processing: management of the early detection system
- Category of processed data: identification data; picture; biometric profile.
- Category of interested parties: subjects who access the centers of Mercadona; subjects with firm condemnation.
- Origin of the data:
  o Undoubted image: through the image provided in a final judgment in which Mercadona is a party.
  o Real-time image: data capture through cameras with a facial recognition system in the centers in which this system is active.
- Legitimation:
  o Public interest
  o Sensitive data: treatment necessary for the formulation, exercise, or defense of claims
- Recipients: FCSE; Courts and tribunals

Regarding the deployment of the system, Mercadona states “that on July 1, 2020 the Early Detection System pilot project began in *** NUMBER 4 stores”. It adds, however, that “the system solely and exclusively is active in *** NUMBER 5 stores of *** LOCATION.1, that is, in the stores that are currently affected by a final judicial decision, in the that a restraining order be decreed as a measure, having provided MERCADONA the corresponding images in the procedure and establishing the possibility by the Court, to make it effective, the use of technological means.”

In relation to future deployment, Mercadona explains that the purpose of the system is to protect the safety of customers and employees, “so the criteria to be followed in the deployment will obey will be evaluated [sic] according to the most vulnerable areas, where there may be a greater risk to MERCADONA clients or workers, according to the number of ongoing legal proceedings”.

Regarding the number of interested parties to include in the SDA, it states that “within those *** NUM. 3 restraining orders on MERCADONA facilities the maximum number could be estimated of interested parties included annually [sic] in the System”. However, it clarifies that “These numbers are an approximation and may be increased or decreased by function of the own knowledge of the technology on the part of the courts or by requests that could be made directly by the FCS”.

2. Interveners, recipients and international data transfers

In its letter, Mercadona lists the following participants in the project:
- The Mercadona Security Department.
Specifically, the following profiles are mentioned:
  o (…)

Mercadona reports that Mercadona personnel have signed a specific confidentiality commitment related to this project (in addition to the commitments signed by any Mercadona employee). Thus, it provides, as document number 8 of brief 026464/2020, an example copy of this confidentiality commitment.
  o (…)
  o The provision of the service implies the realization by *** COMPANY.2 of the treatment of registration, conservation and deletion of personal data, insofar as it is necessary for its execution.
  o Mercadona guarantees and declares that it has a sufficient legitimate basis for the treatment of the data of the interested parties object of this Agreement, in accordance with the provisions of the data protection regulations.
  o In general, subcontracting with third parties of the services that imply the access and / or treatment, partial or total, of personal data, unless *** COMPANY.2 has prior, express authorization in writing from Mercadona.
  o Mercadona's personal data will be processed by *** COMPANY.2 only to carry out the provision of the service. If *** COMPANY.2 considers it necessary to carry out data processing with a different purpose, it must previously request the written authorization of Mercadona. In the absence of such authorization, *** COMPANY.2 will not be able to carry out said treatment.
  o The categories of interested parties whose data will be processed by *** COMPANY.2 by virtue of this agreement are: Mercadona customers, people with a restraining order or analogous judicial measure regarding the facilities of Mercadona, people captured by the facial recognition system.
  o *** COMPANY.2 will only process identifying data (name, surname and image) and the personal data associated with the biometric pattern under this Agreement.
  o *** COMPANY.2 undertakes to guarantee, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of the treatment, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the application of appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, if applicable, includes, among others: pseudonymisation and encryption of personal data; the ability to guarantee the permanent confidentiality, integrity, availability and resilience of the systems; the ability to restore availability and access to personal data quickly in the event of a physical or technical incident; a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment.
  o *** COMPANY.2 undertakes to notify Mercadona, without undue delay and within a maximum period of 72 hours, of violations of the security of the personal data of which it has knowledge, giving support in the notification to the AEPD or other competent Control Authority and, where appropriate, to the interested parties, of the security violations that occur, as well as to provide support, where necessary, in conducting privacy impact evaluations and in prior consultation with the AEPD or another competent Control Authority, where appropriate.
  o *** COMPANY.2 undertakes to keep, in writing, a record of all the categories of processing activities carried out on behalf of Mercadona.
  o *** COMPANY.2 undertakes to make available to Mercadona all the information necessary to demonstrate compliance with the obligations established in this Agreement and to allow and contribute to the realization of audits, including inspections, by Mercadona or a third party authorized by Mercadona.
  o The seventh stipulation of the agreement details the obligations of secrecy and confidentiality (as well as the establishment of measures for their protection) to which both parties are subject, even after the contractual relationship ends, in relation to the information and personal data to which they have access.
  o (…)
  o *** COMPANY.2 guarantees that, in relation to the execution of the Agreement, no processing of personal data will take place outside the European Union or in a country that does not have an adequate level of protection.

The previous agreement also contains an annex dedicated to security measures in relation to: (…)

- *** COMPANY.3, as a provider of private security and maintenance of facial recognition systems. It refers to the profile of Responsible for Production, exclusive to Mercadona as stated, who is in charge of directing and coordinating the technicians exclusive to the service in Mercadona.

Attached as document number 10 of writing 026459/2020 is the Agreement of confidentiality and treatment of Personal Data on behalf of third parties signed on December 29, 2011 between Mercadona and *** COMPANY.4. According to the BORME publication (reference number 1), *** COMPANY.4 was absorbed (…) by *** COMPANY.6. Subsequently, on *** DATE.2, the BORME published (reference number 2) the entry of *** COMPANY.5 as sole partner in *** COMPANY.6. Likewise, the relationship between *** COMPANY.5 and *** COMPANY.3, coinciding in corporate body and domicile, is recorded (reference number 3).

The object of the agreement is to regulate the treatment to be given to all the confidential information and personal data to which access is had in the context of the services provided. Given the date of signature, the document refers to the personal data protection regulations formed by Organic Law 15/1999 and its development regulations.
The following contents are highlighted:
  o (…)
  o The person in charge of treatment is obliged to: (…)
    “Adopt all the technical and organizational measures required by the data protection regulations that are necessary to guarantee the security and confidentiality of personal data, avoiding the unauthorized alteration, loss, treatment, access or assignment.”
    “Once the provision of services is completed, personal data must be destroyed or returned to the issuing party (at the latter's choice), the same as any support or document containing any personal data object of treatment.”
    “All the personal data provided is confidential, and under no circumstances may they be disclosed.”
    “The Treatment Manager must communicate and enforce their employees the obligations established in this Agreement and, specifically, those related to the duty of secrecy and security measures.”

On the other hand, in relation to the recipients of the information, Mercadona clarifies in its writing that the only data communications provided for are those derived from the disclosure of breaches of orders of removal from the FCSE, and from the courts and tribunals competent in the procedures. Likewise, document number 29 of writing 026463/2020, which includes the definition of the treatment activity related to the management of the SDA, indicates that these assignments would be made within the framework of a "legal obligation" of the person in charge.

Finally, Mercadona points out that, within the framework of this project, no international transfers of personal data are carried out.

3. Contribution of the image to the judicial procedure and inclusion in the SDA

In relation to the "undoubted" images against which the comparison is made, Mercadona points out that “it has taken into account that, without sharp, reliable images that meet certain technical requirements explained later, it would not be possible to carry out the intended activity”.
It indicates that, “for this reason, prior to the implementation of the System, carried out numerous tests (…) verifying that the system works correctly”. It adds that, “all this, tending to avoid errors in the systems biometric that, where appropriate, could lead to serious consequences for the person and, in particular, the erroneous refusal to authorized persons and the erroneous acceptance of unauthorized persons that could lead to serious problems at many different levels, as the Agency in its Report 010308/2019” (reference number 4).

On this point, Mercadona attaches a document (document number 3 of the writing 026457/2020) that details “the technical requirements for the images of the system”. From this document, written in English and entitled “Face Enrollment Best Practices”, the following content is underlined:
- (…)

Regarding the source from which these images would be obtained, Mercadona firstly states that “regarding the final convictions that are the result of criminal proceedings in which MERCADONA is part of the procedure, the images are obtained from the video surveillance cameras that it has in its facilities and that were provided in the procedure as evidence, being validly obtained and admitted by the Court or Tribunal competent”.

Specifically, Mercadona indicates that when there is a complaint for facts that are related to Mercadona's facilities, assets or workers, the lawyers responsible for the stores request via email to the CAS the images of the facts and of the author or authors. Then, "(…)". Mercadona notes that the people in charge of locating and extracting the images “They have the classification of "Manager" for viewing images, a position that requires specific training in security and video surveillance, as well as specific training on the operation of this system”. Next, it states that the images “(…)”.
Mercadona indicates at this point that it has a registry, which it calls "DAM images request", which consists of "a proper internal work list and exclusive to the CAS with the following fields:
- Zone: number of the shopping area to which the center belongs
- Center: store number.
- Denomination: name of the center.
- Population: municipality where it is located.
- Province: in which it is located.
- Date request images: date on which the lawyer requests the images to CAS.
- Observations: annotations to be recorded.
- Delivered: to FCSE, Court or blank if it has not been done.
- Trial date.
- Sentence: prohibition of access, restraining order or blank if not has been dictated.
- Settlement of sentence: upon receipt, it is filled in with a yes, in case Otherwise, pending is indicated.
- Start date: in the settlement of the sentence appears from which day the condemned person cannot enter.
- End date: end date of the sentence of prohibition of access or Restraining order.
- *** FILE. 1: unique identifier that matches that of the Court procedure.
- Identification date: day and time in which 100% has been identified at the person condemned not to be able to enter that store.
- Identification store: center where the company has been 100% identified person.
- CAS Managers: names of the Viewing Managers present in the confirmation of identification of that person."

As it explains, at this moment the request is registered in the list and the different fields are completed as appropriate throughout the different phases. Mercadona attached (document number 2 of document 026457/2020) the document “DAM images request”.

It adds that “in the event that the judicial resolution determines the order of distance, the images contributed to the procedure would become undoubted biometric sample and, consequently, would be transformed into template”.
Regarding the territorial scope, it states that “it will be defined by the Final judicial decision, which may be limited to one store, several or the territory determined by the relevant Court”.

Secondly, “in relation to those convictions in which MERCADONA is not a party to the procedure (in case of restraining orders for crimes committed against MERCADONA employees - alleged violence against gender, for example-) and the Courts and Tribunals directly request the collaboration with MERCADONA, in relation to the scope of the removal to the workplace of the victim, to enforce the orders of removal, it will be the Courts and Tribunals themselves who will communicate, through the timely judicial resolution, to MERCADONA the need for its collaboration to guarantee said effectiveness, as well as the terms of said measure, in relation to aspects such as the duration of the same and stores on which it would be applicable”. As it states, “in these cases, these images will have been provided in the procedure from which the judicial resolution brings cause and justification for its use will be determined by the requirement of use of technological means for the specific restraining order”. And it adds that in these cases it would need that “the Courts and Tribunals directly, or through the FCSE, provide you with valid images, which meet the requirements set forth that the facial recognition system you need to establish a previous undoubted sample”.

It also sets out the case in which “the requirement comes directly from FCSE or *** ORGANISM. 1, based on an investigation found carrying out or issues related to *** SUBJECT.1”.
In this regard, it states that “in order to use the analyzed system, it must be provided, likewise, of the guarantees set forth (specifically, where applicable, the established by the regulations on data protection), namely, order court based on Law, photograph on which the biometric pattern, temporal delimitation of the measure and stores on which it would be applicable”.

Regarding the inclusion of the images in the SDA, Mercadona points out that, “Once MERCADONA has a firm judicial resolution that determine the imposition of a restraining order or similar judicial measure with respect to one or more MERCADONA stores, the lawyer responsible for the file, send an email to the CAS” in which the number of the judgment, the centers it affects, and the period of validity are indicated, together with the “Pdf document. with settlement of sentence / precautionary measure”.

Thus, Mercadona details that “the image is incorporated into the system with the territorial limitation of the area or stores determined in the court resolution, indicating the limitation temporary term or expiration of the restraining order, which comes determined in the judicial resolution”.

According to Mercadona, this process involves completing the information corresponding to the "DAM images request" registry. After that, the Security Department, in order to make a new registration in the system, uses a "Tab" with the following information:
- Number of judicial procedure.
- Description, including telephones of the FCSE to call and of the surveillance service if it is available at the center, start date and end date of detection, and a brief description of the judicial measure. Document number 4 of document 026457/2020 contains the list of telephones associated with the different Mercadona centers.
- Group: (…).
In the event that the judicial resolution is an acquittal or the precautionary measure is denied, Mercadona points out that “the lawyer responsible for the case would send a e-mail to the CAS, for the elimination of the blocked images”. This would cause the deletion of the images and the update of the list “Petition DAM images”.

4. SDA activation, detection and alert

As described by Mercadona, (…). To follow up on the dates of completion of the judicial measure, it uses the application "*** APPLICATION.1". (…). It adds that access to the system requires an individual username and password that are provided by the IT Department.

Once the system is activated, “through the facial recognition cameras, the images captured will be checked in real time with the Undoubted image (s) that have been included. This process of check lasts tenths of a second (0.3 seconds today) between that an image is captured and verification is performed against the image indubited included in the System”.

In relation to the cameras installed in each center, the following information contained in the letter is underlined:
- (…)
- Mercadona “has proceeded and will proceed to comply with the duty of information (…) in those centers in which the installation of such cameras, even if they are not activated to meet the expectation of privacy of customers and employees”.

In relation to the capture of the image by the camera, Mercadona provides the following documents:
- Document number 5 of brief 026457/2020, (…), qualified as confidential. This document, written by “*** COMPANY.2” in English and titled “*** TITLE.1”, presents the results obtained after analyzing the potential gender and skin color bias in the facial recognition system “*** APPLICATION.2” of *** COMPANY.2. The document concludes that the system is not biased based on these attributes.
- Document number 6 of brief 026459/2020, “description of the system used by *** APPLICATION.2, in the extraction of the biometric pattern and its comparison in relation to the anonymization process used”. The document, drawn up in English by *** COMPANY.2, is titled “*** TITLE.2”. Some of the characteristics of the system described in the document are:
  o (…)
- Document number 7 of document 026459/2020, “*** DOCUMENT.1”. The document, written in English by *** COMPANY.2, is titled "*** TITLE.3" and includes an explanation of the facial recognition process, which follows these phases: detection, feature extraction, adjustment, and recognition. It defines the result as the distance between the analyzed pattern and the enrolled comparison pattern. It adds that the probability of a greater distance between different subjects increases if the quality of the images is improved.

Likewise, Mercadona describes in its brief (pages 24-33) the evaluation that it has carried out in order to assess the effectiveness of the detection system. As it explains, the tests have been carried out with a detection threshold of X,XX, since that would be the one recommended by the manufacturer *** COMPANY.2 to optimize the relationship between detections and false positives. Thus, it states that "a person detected with score X, XX means that it has a similarity in at least one YY% to the system reference image."

It also adds that the tests have been carried out using the solution "*** APPLICATION.2 version 2.2 of the manufacturer *** COMPANY.2" on different types of cameras, configurations, reference images (…) and scenarios (…), which have allowed it to select the combination that offers the best results. As stated in the brief, in the tests carried out there would have been no false positives.
In addition, it points out in relation to the process of detecting a person wearing a mask that:

“The provider of the IT solution has developed an improvement with in order to identify people with a face semi-hidden by these masks, as as can be seen in the images provided throughout the writing. In this sense, it is important to point out that the facial recognition based identification by collecting information from the periocular area of the face (…). The system loses information since part of this area is hidden, for which has optimized the reading of the visible part without lowering the threshold (treshold [sic]) of identification.”

Having made these clarifications regarding the effectiveness tests of the system, it describes the process of generating the alert:

“Once the Early Detection System is activated in the store / s object of the final judgment and in the event that any of the chambers of facial recognition installed in stores detect the access of a person whose image is included in the system *** APPLICATION. 2, it would generate an alert that would initiate the process of confirmation and notification to the FCSE.

This alert that detects the match in the cameras of the store is sent by email to a specific address prepared for this purpose […] Only the following have access to this email account profiles:
- The Project Manager.
- CAS Coordinator.
- Managers, shift managers at CAS.
- Image viewing managers.
[…]
If someone else needed to access this account, they would have to expressly request the person in charge of the Project, the need for this new access.

This alarm mail indicating the coincidence of the images in a specific store, it is generated by each of the stores' equipment”

Mercadona provides in its letter (page 21) an example of the mail sent. As it indicates, the following information is sent in the mail:
- "Qualification: (…)
- Name: (…)
- Group: (…)
- Center: (…)
- Camera: (…)
- Date and time of detection.
- Coincidence: (…)
- Description: (…)
- Reference image: (…)
- Detection image: (…)

5. Reception and validation of the alert, and communication to the FCSE

As Mercadona describes, the process involves “a double factor of verification of the positives to avoid the risks derived from exclusively automated processing”. Thus, it emphasizes that “once the alert is received, it will be verified by the viewing managers of the Customer Service Center Security present at that time, being confirmed (only in the case that all the viewing managers confirm that it is the same person) or not confirmed (if any of them has doubts at the time of confirming that it is the same person). In the event that it is not confirmed, the image will be destroyed, the technical reasons for the alarm will be studied, and the process will be finished”. As it points out, “the viewing managers of the CAS have sufficient experience and training to carry out this verification”.

Mercadona points out in its brief that “this verification by those responsible in the Security Department is fully mandatory in the process". Thus, it understands that “due to the subsequent verification process, in no case would there be processing through an automated decision”. To make this statement, it relies on the “Guide of the Article 29 Working Group on automated decisions published on October 3, 2017” (reference number 5).

After confirming the alarm, as described by Mercadona, a viewing manager will take care of: (…) Once this process is closed, the image that is the object of detection will be extracted, to avoid unnecessary processing of it beyond its contribution to the competent authorities. "

6. Retention periods for personal data

Mercadona states in its brief that "(...)" Next, Mercadona differentiates between two assumptions.
First, it describes the behavior of the system during the detection phase in relation to people whose image does not match any of the images stored in the system: "All the necessary technical and organizational measures have been adopted in order to minimize any potential data processing and limit it to mere residual technical storage (strictly necessary for the proper functioning of the system)." “The facial recognition system will detect (automatically and during a non-appreciable period) and will individually analyze the images that it receives from each center. (…)

Regarding the case of detection of a positive (coincidence with an image from the database), Mercadona expresses the following: (…)

All of the above is listed, in summary, in the privacy impact assessment (document 30 of brief 026463/2020). Thus, this states that: "The data will be kept: (…)

Finally, it is stated that, as observed in the record of processing activities (extract attached as document number 29 of brief 026463/2020), SDA management and video surveillance are independent processing activities. In the case of the processing of personal data for the video surveillance activity, the recorded retention period is thirty days.

7. System architecture, impact assessment, and security measures

Document number 29 of brief 026463/2020 includes the risk analysis related to the management of the SDA. This gives this processing activity a medium inherent risk and a low residual risk after the implementation of mitigating measures. Among other issues, the analysis indicates that the activity involves: "(...)". This leads it to determine the need to carry out a “PIA”.

Document number 30 of brief 026463/2020 corresponds to the project's privacy impact assessment. This includes the evaluation of the risk inherent to the processing through the analysis of *** NUM.6 threats. The result obtained is that the level of risk is "tolerable".
The content related to the following threats: (…)

Likewise, it is noted in the impact assessment that “it has proceeded to examine the Project, once operational, to verify that the risks detected have been successfully addressed and that no other new". The privacy impact assessment also includes the following content in the fifth section, dedicated to the conclusions: "(...)"

On the other hand, Mercadona describes in its brief (pp. 35-49) the architecture of the SDA and the security measures implemented. As stated, the elements that make up the architecture are:

- Store equipment. (…)
- Store cameras. (…)
- CAS teams. (…)
- System *** APPLICATION.2 version 2.2.0 of *** COMPANY.2. (…)
- About the stores:
  - (…)
- About the CAS:
  - (…) from Mercadona's Security Division or have an authorization from it.
- About the facial recognition program: (…)
- On Mercadona's own systems on which the SDA relies:
  - (…)

7. Purpose, legality and proportionality

Mercadona points out that “it can be concluded that the purpose of installing the Early Detection System is to comply with the judicial decisions in which the defendant has been sentenced with a restraining order, as a result of events related to MERCADONA's facilities, goods or workers, in certain special circumstances and provided that a final court decision so establishes".

With regard to the basis of legitimation, Mercadona states that "the data processing carried out by MERCADONA in order to preserve the safety of people and property, as well as its facilities, finds its place in the public interest.
" Thus, Mercadona also cites the following content of AEPD Report 010308/2019 (reference number 4): "In the present case, we have already cited how article 22 of the LOPDGDD regulates processing for video surveillance purposes, whose legitimacy lies, as indicated by the Council of State in its Opinion and as included in the Law in its Statement of Motives, in the existence of a public-interest purpose that falls within article 6.1.e) of the General Regulation, since its purpose is "preserving the safety of people and property, as well as their facilities".

To this end, Mercadona states that “the processing carried out to preserve the safety of people and property, as well as their facilities (the one mentioned by the AEPD in the aforementioned Report as an example of processing protected by the public interest), is the main purpose of the data processing carried out by MERCADONA”.

On the other hand, Mercadona brings up that “article 8 of Organic Law 3/2018 […] includes the following: “The processing of personal data may only be considered founded on the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person in charge, in the terms provided in article 6.1 e) of Regulation (EU) 2016/679, when it derives from a competence attributed by a norm with the force of law”. Based on the above, it is in the interest of this party to mention that the norm with the force of law that enables MERCADONA to adopt mechanisms that detect and mitigate the commission of fraudulent conduct, with regard to the processing carried out to preserve the safety of people and property, as well as their facilities, is Law 5/2014, of April 4, on Private Security (as per, for example, article 4 on the purposes of the rule or article 8 on its guiding principles). "

Included in the file, as reference number 6, is an extract from the aforementioned Law 5/2014, which contains the wording of articles 4 and 8.
On the other hand, Mercadona states that “there is no doubt that the data processing carried out by a facial recognition system would fall within the category of special data”. On this, it states that “it will only use the System in the event that it is part of a judicial procedure in which a final resolution determines the use of facial recognition to enforce restraining orders. Therefore my client considers that the analyzed processing has a place in article 9.2.f), by virtue of which sensitive data could be processed when "the processing is necessary for the formulation, exercise or defense of claims”.

In relation to the above, it adds the following: "(...)". This argument is defended by the Courts and Tribunals, when they position themselves in favor of the option defended by MERCADONA, authorizing that said sentence be monitored through electronic means, for the purposes of facial recognition, by virtue of the provisions of article 48.4 of the CP. "

An extract from Organic Law 10/1995, of November 23, of the Penal Code, which contains the wording of article 48, has been incorporated into the file (reference number 7).

In line with the above, it also adds that: “It is worth mentioning article 1 of the CC, which establishes the following:

"1. The sources of the Spanish legal system are the law, custom and the general principles of law.
2. Provisions that contradict another of higher rank will be invalid.
(…)
6. The jurisprudence will complement the legal system with the doctrine repeatedly established by the Supreme Court when interpreting and applying the law, custom and general principles of law.
7. The Judges and Courts have the inexcusable duty to resolve in any case the matters they hear, adhering to the established system of sources."
Therefore, it could be concluded that, since the Judges and Courts have the inexcusable duty to resolve in any case the matters they hear, adhering to the established system of sources, the fact that a judge has considered it appropriate to use a facial recognition system to ensure compliance with restraining orders in the facilities of MERCADONA would have enough weight to legitimize the processing.

Moreover, it is worth mentioning Article 24 of the EC, which is raised to the category of fundamental right and which regulates the right of defense, within which is included the right to effective judicial protection, according to which all people have the right of access to jurisdiction, that is, they must have the possibility of going to the jurisdictional bodies and formulating before them petitions for protection. Likewise, the right to effective judicial protection also includes the right for the courts to rule on the claim made and thus issue a resolution on the merits of the matter, reasoned and founded in Law.

In addition, the Constitutional Court has understood that within the right to effective judicial protection is found, as a necessary manifestation, the right of the defendants to have the sentences that the ordinary courts have issued for the protection of their legitimate rights and interests enforced. This right to compulsory execution is thus linked with the jurisdictional power that the EC recognizes to the courts in its article 117. […]

And, furthermore, all legal subjects (of a public or private nature) have the obligation to comply with final judicial decisions and must collaborate with the courts and tribunals in the execution of the resolution, as provided in Article 118 of the EC.
In any case, the beneficiary of a judicial resolution has an authentic subjective right, which has the character of a fundamental right, as it connects directly with the right to effective judicial protection of article 24.1 of the EC, and is qualifiable as a subjective public right, since it is demanded with respect to the jurisdictional bodies of the State. "

An extract from the Royal Decree of July 24, 1889 publishing the Civil Code, containing the wording of articles 1 and 3, has been incorporated into the file (reference number 8). Likewise, an extract from the Spanish Constitution that includes articles 24, 117 and 118 has also been included (reference number 9).

Regarding the legality of the processing, Mercadona concludes that “it complies with the provisions of the AEPD in its Reports 36/2020 and 010308/2019, based on the fact that “the existence of a public interest does not legitimize any type of personal data processing, but must, in the first place, abide by the conditions that the legislator may have established, as provided for in article 6 of the GDPR, in its sections 2 and 3 […]. And in case any of the personal data included in the special categories of data referred to in article 9.1 GDPR are going to be subject to processing, that any of the circumstances contemplated in its section 2 concur that lift the prohibition on the processing of said data, established in general terms in its section 1”, insofar as the processing would be legitimized by article 6.1.e) GDPR, based on the public interest derived from the need to preserve the safety of customers, staff and facilities, and by Article 9.2.f), in order to respond to the processes in which it is a party and in which the use of said technology has been determined as a measure to recognize the subjects who are the object of a restraining order. "

Report 36/2020, issued by the legal office of the AEPD, has been incorporated into the file (reference number 10).
On the other hand, Mercadona states that the purpose of the system involves the processing of data related to convictions and criminal offenses. It explains, however, that this type of data was already processed prior to the implementation of the system, since it is a common practice in the sector to identify those people who may pose a risk, in order to ensure the safety of workers and customers. Consequently, it states that “the system studied in this brief comes to carry out this same processing, not constituting a different activity in relation to the processing of personal data related to penal sanctions or convictions”.

To support the legitimacy of the processing of this type of data, Mercadona states in its brief (referencing article 10 of the GDPR and of the LOPDGDD) that “it deals with data related to convictions and infractions under the supervision of public authorities, since the processing carried out by MERCADONA is fully legitimized, because it is only carried out with the support of the Administration of Justice or the FCSE. […] the processing will be carried out only on those judicial decisions in which MERCADONA is a party, so a database of criminal convictions would not be generated, the use of biometric data being a specialization within the existing and necessary processing, as MERCADONA is part of the procedure or has been required by the Courts and Tribunals themselves”.

In relation to the suitability, necessity and proportionality of the implementation of the system, Mercadona states that:

- “the fulfillment of a restraining order in a store can only be effectively guaranteed through electronic means, since MERCADONA has 1,636 stores and approximately 95,000 workers in Spanish territory and each year the Company has approximately *** NUM.2 judicial processes that can end in more than *** NUM.3 judicial decisions in its favor in which the defendant is firmly condemned with restraining orders on the MERCADONA facilities”.
- “A large part of these judicial decisions are against people who act within organized gangs or are particularly dangerous for bosses and workers, with regard to whom it is unfeasible to comply with judicial decisions and to enforce sentences without the use of technological mechanisms, since the convicted go to the MERCADONA stores with a very different physical appearance (disguises, wigs, etc.), which makes it difficult for security to visually recognize those people who have an access prohibition, even more so taking into account that approximately *** NUM.1 people enter a MERCADONA store per day”.
- “although the end pursued could be achieved by other means (through security guards who control access to stores, for example), these do not guarantee the reliability of technological solutions based on biometrics, which allow the goal pursued by MERCADONA to be achieved with greater guarantees and reliability and, therefore, greater legal certainty”.
- “the requirement that the data processing be "strictly" necessary is likewise justified insofar as the measure of immediate intervention is necessary in cases of flagrante delicto, such as the breach of a penalty that precisely tries to prevent recidivism and, above all, to protect the safety of MERCADONA's clients and workers”.
On this point Mercadona adds that "this argument is reinforced by the British Data Protection Authority, the Information Commissioner’s Office, in the document “The use of live facial recognition technology by law enforcement in public places 31” [sic] of October 2019, stating that “the purpose for which the facial recognition system is deployed is of great importance, since there is a considerable difference between the use of facial recognition to mitigate certain serious or violent crimes and widespread deployments of facial recognition technology to identify known thieves”.”

The document entitled "The use of live facial recognition technology by law enforcement in public places” published by the ICO (Information Commissioner's Office)

- "the processing in question only generates benefits and advantages for the general interest, as well as for the clients and employees of MERCADONA, and for the Courts and Tribunals themselves, since it is the only effective way to give effect to the measures decreed by them; and for the FCSE, since the System guarantees a collaboration with them, facilitating the performance of their duties”.

It concludes that the system “meets the proportionality requirements and is strictly necessary to fulfill the intended purpose, since there are no means less intrusive for user privacy that allow the pursued objective to be achieved, as it is technically impossible to effectively control the entry of convicted persons with a prohibition of access to the facilities without the use of a technological mechanism". Thus, it states that “opting for an alternative mechanism would imply, without a doubt, an alteration of the purpose of the processing pursued”.
In this way, it adds that “due to MERCADONA's interest in the implementation of the facial recognition system, since March 2019, in the judicial proceedings in which it has been a party, it has requested from the Administration of Justice the establishment of measures against the persons reported in relation to access to MERCADONA establishments in a certain territorial area, according to the facts denounced, for a specified period of time, making the control of said measure effective through electronic means for the purposes of facial recognition", obtaining as a result that “each and every one of the Courts to which it has made the request has considered the facial recognition system an adequate means to ensure compliance with restraining orders (…) by virtue of the provisions of article 48.4 of the Penal Code”.

8. Compliance with the duty of information

In its brief, Mercadona lists the following mechanisms used to comply with the duty of information:

- Informational posters about the facial recognition system placed visibly at the entrances to each of the stores.

Attached, as document number 18 of brief 026461/2020 and document 18 of brief 026463/2020, is a copy of the signage that has been installed in “the accesses to the sales room” in which the SDA has been implemented. The poster includes, under the title "EARLY DETECTION AREA", information on the data controller, the operation of the system, the recipient of the information (FCSE), the legal basis of the processing, and the possibility of exercising data protection rights and of filing a claim with the AEPD. In addition, various ways are provided to consult additional information on the processing (shop interior, telephone, website).
In this regard, it also states that “the informational badges have a size sufficient for any user to be able to read their content, and they are located in a sufficiently visible place, at the entrance of the store, taking into account that the duty of information must be prior to the processing of the data, in order for this party to strictly respect the principle of transparency and the duty of information itself."

- The Privacy Policy of the Mercadona website

Attached, as document number 19 of brief 026461/2020, is a copy of Mercadona's privacy policy published on the internet, whose last update, as stated in the document itself, occurred on July 1, 2020.

The section on categories of processed data includes “biometric data (in those stores in Spain where [sic] the early detection system)”.

In the section corresponding to the purposes, it cites: “carry out the precise actions to protect the vital interests of customers when necessary, or compliance with court decisions and the measures agreed in them."

In the section dedicated to retention periods, it states the following: “In relation to the protection of the vital interest of people and the execution of the judgments or resolutions that entail restraining orders on the work centers and/or people, the data will be processed and kept for the time essential to comply with the judicial measures [sic] of those people sentenced to said restraining order (in those stores in Spain where the early detection system is implemented). However, the data collected as accessory to fulfilling said purpose will remain on the server only during the checking process (this check takes tenths of a second). Once this check is performed, they will be definitively destroyed (in those stores in Spain where the early detection system is implemented).
" Regarding legitimation, the privacy policy states that “in the case of processing of sensitive data, they will be processed for reasons of public interest with the consequent considerations provided by the data protection regulations, and the processing must be proportional to the objective pursued, which is to enforce the law, respecting the remaining principles of the data protection regulations and establishing the appropriate and specific measures to protect the interests and rights of the interested parties, on the basis of the Law of the Union or of the Member States (in those stores in Spain where the early detection system is implemented)."

Likewise, the section entitled "Other data that we process at Mercadona" contains the following paragraphs:

"In the same way we inform you that, in order to improve customer and employee security, MERCADONA, based on the public interest, can process your image or your biometric facial profile to identify subjects with a restraining order (or analogous judicial measure) in force against MERCADONA or against any of its workers (in those stores in Spain where the early detection system is implemented).

This image will only be used for this purpose and will remain on the central server only during the verification process (this verification lasts tenths of a second). Once this check is done, it will be definitively destroyed (in those stores in Spain where the early detection system is implemented).

These images will only be processed internally by MERCADONA, being communicated exclusively to the Security Forces and Bodies to protect the safety of MERCADONA clients and workers and compliance with the judicially decreed measures (in those stores in Spain where the early detection system is implemented)”.

The privacy policy published on Mercadona's website whose latest update, as stated in it, took place on October 5, 2020.

- The customer service phone.
Attached, as document number 20 of brief 026461/2020, is a copy of the telephone script used in connection with the SDA, describing the operation of the system.

- Information forms made available in the stores to be handed over to interested parties on request.

Attached, as document number 21 of brief 026461/2020, is a copy of the form, which describes the operation of the system, sets out the legal basis of the processing, informs of the possibility of exercising personal data protection rights and of filing claims with the AEPD, and refers to the privacy policy for the purpose of obtaining more information.

Likewise, Mercadona attaches (document number 28 of brief 026464/2020) a copy of the email that, according to what it states, the "Security Manager" addresses to the "Store Managers". This email reports on the documents to be printed and provided to customers and workers requesting more information about the SDA.

- Mercadona's communication plan.

Attached, as document number 22 of brief 026462/2020, is an extract from the document "Early Detection Communication Plan", whose date of creation, as stated therein, is June 1, 2020.

In addition to the foregoing, Mercadona states in its brief that, prior to the launch of the pilot project, it addressed a press release (copy attached as document number 23 of brief 026462/2020) to news agencies of the affected cities in order for it to be published in the media and thus make the project known to residents of these areas. Likewise, it indicates that on July 3, 2020, it sent these same agencies "some FAQs about the project" (it provides a copy as document number 24 of brief 026462/2020). Among other issues, this list of questions and answers states that "in stores two systems coexist, independent of each other. On the one hand, conventional video surveillance, and on the other, early detection”.
This point is also reflected in the record of processing activities (extract attached as document number 29 of brief 026463/2020), in which the management of the SDA and video surveillance are listed as separate processing activities.

Likewise, Mercadona indicates that it has informed its workers about the processing carried out by the SDA through various actions. Thus, it provides, as document number 25 of brief 026462/2020, the text that, according to what it states, would be available through the “employee portal”. This text includes information about the data controller, the purpose, the legal basis, and the possibility of exercising personal data protection rights as well as of filing a claim before the AEPD. Document number 26 of brief 026462/2020 corresponds to the information addressed to the "Inter-Center Committee". In this document, dated June 30, 2020, the start-up of the system in various stores on July 1, 2020 is reported. Finally, it states that the Communication Department would have produced a video “so that its workers understood the Project perfectly”. It provides (document number 27 of brief 026463/2020) the script of the video.

To conclude, Mercadona mentions that “since the System has been installed, MERCADONA has only received one request to exercise rights, which has been dealt with accordingly." And then it states that “This fact allows us to conclude that the interested parties consider that the information that MERCADONA provides them through the aforementioned channels strictly complies with the provisions of the data protection regulations and that the purpose pursued by MERCADONA with the Project is proportional and adequate."

On May 28, 2020, the AEPD published a press release entitled: “The AEPD analyzes in a report the use of facial recognition systems by private security companies”.
This communication has also been incorporated into this file through the corresponding diligence.

THIRD: On May 5, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the respondent, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 5.1.c) of the GDPR, Article 6 of the GDPR, Article 9 of the GDPR, Article 12 of the GDPR, Article 35 of the GDPR, Article 13 of the GDPR and Article 25 of the GDPR, typified in Article 83.5 of the GDPR, together with the precautionary measure consisting of the suspension of all processing of personal data related to facial recognition in its establishments.

FOURTH: Once the initiation agreement was notified, the respondent requested a copy of the file and an extension of the term to present allegations, which was granted in the legally established terms.

Subsequently, the respondent submitted, in due time and form, a brief of allegations in which it states, in summary, the following regarding substantive aspects:

1. That its legitimacy resides in the public interest (art. 6.1.e) of the GDPR) to ensure compliance with court decisions.
2. That the GDPR allows the use of biometric data provided that the appropriate security measures are adopted, focusing not so much on the legitimation, which it takes for granted, but on the idea that what is important are the security measures. It adds that, with adequate security measures, the processing can be carried out, even if it concerns special categories of personal data.
3. It alleges and affirms that the processing now analyzed is the only measure capable of solving this problem and indicates that it is necessary, suitable, effective and proportional.
4. It alleges and affirms that the rights of other subjects who enter the supermarket are not affected, since there is no data processing because it takes place in 0.3 seconds.
Thus, it considers that only the identifiable biometric data of those convicted by final judicial decision would be processed, it being impossible for it to identify those people who are not in the database of undoubted data.
5. The processing now analyzed has been previously validated by various court rulings.
6. The AEPD has not carried out a detailed analysis of the system implemented, and has included innumerable references to “guides, articles and guidelines” that are not binding. Consequently, there is a violation of the principles of typicity and legality, violating the principle of the prohibition of arbitrariness of the public powers (art. 9.3 of the C.E.).
7. It has informed in a diligent, sufficient and adequate manner of the putting into operation of the System and its implications, as well as of the means to exercise the rights recognized to those affected.
8. The system implemented now analyzed took into consideration, from the design stage, the potential impact on people's privacy.

Regarding non-substantive or formal aspects, it makes the following allegations:

A. Lack of knowledge of the two complaints (Facua and Apedanica), which is contrary to the usual practice of the AEPD.
B. The pattern of a person does not constitute personal data, so no legal basis is needed for its processing.
C. The system implemented does not collect information additional to the condition of convicted person included in its database.
D. The proposal for a Regulation on artificial intelligence (COM (2021) 206. Annexes 1 to 9), published on 04/21/2021, considers that the system would be possible and in accordance with the measures proposed in said proposal.
E. It alleges the inexistence of a subjective element of guilt.
F. MERCADONA's main activity is not linked to the processing of data but to the management of a supermarket chain.
G. It alleges that both the AEPD and MERCADONA have been adapting the System and adjusting it to the requirements of the Agency.
Therefore, MERCADONA requests that the sanctioning file be closed.

FIFTH: There is no record of any request for evidence by the respondent, so the previous investigation actions are considered incorporated, as well as the documents provided by the respondent and the inspection by this AEPD. Nor has the "expert opinion on facial recognition" announced in the Second Otrosí of the brief of allegations been provided.

PROVEN FACTS

FIRST: The processing of personal data implemented on 06/01/2020 and continued until 05/06/2021 by MERCADONA in forty establishments of the company, related to facial recognition of those people who access its shopping centers, constitutes processing of special category data of those regulated in art. 9 of the GDPR and art. 9 of the LOPDGDD.

SECOND: In the processing of biometric personal data now analyzed (special category data), the concurrence of the circumstances set out in article 9.2 of the GDPR is not accredited, so that, according to the provisions of art. 9.1 of the GDPR, the processing is prohibited. The inadmissibility of applying the exceptions of art. 9.2.f), g) and h) of the GDPR to lift the general prohibition indicated in article 9.1 of said rule is accredited.

THIRD: In addition, without prejudice to what is stated in the First and Second Proven Facts, in the processing of biometric personal data now analyzed (special category data) there is no legitimate basis as indicated in art. 6 of the GDPR, nor legal regulations that allow it as provided in art. 8 of the LOPDGDD.

FOURTH: In the processing of biometric personal data now analyzed (special category data), without prejudice to what is stated in the First and Second Proven Facts, the provision of the information required in art. 13, in relation to the general obligation imposed by art. 12 of the GDPR and, in particular, the provisions of 12.1 regarding “children”, is not accredited. Nor is compliance with the requirements established in art. 7 of the LOPDGDD regarding minors accredited.
FIFTH: In the processing of biometric personal data now analyzed, without prejudice to what is stated in the First and Second Proven Facts, there is no evidence of compliance with the minimization principle set forth in art. 5.1.c), since the recognition system implemented by MERCADONA could, quite plausibly, process data of various kinds beyond those strictly necessary, such as those classified as special category in art. 9.1 of the GDPR and art. 9 of the LOPDGDD.
SIXTH: In the processing of biometric personal data now analyzed, without prejudice to what is stated in the First and Second Proven Facts, it is not accredited that safeguards were established from the design stage in order to guarantee the freedoms and rights of all those affected, as indicated in art. 25.1 of the GDPR.
SEVENTH: In the processing of biometric personal data now analyzed, without prejudice to what is stated in the First and Second Proven Facts, there has been no correct risk analysis or mandatory impact assessment, since neither one contemplates all the subjects affected (FD V), as is the case of workers and minors.
EIGHTH: This being, therefore, a prohibited processing, said prohibition cannot be bypassed by applying proactive security measures, since the prohibition of the processing makes them irrelevant.
NINTH: In accordance with the provisions of the First, Second and Eighth Proven Facts, the precautionary measure imposed in the initiation agreement.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the GDPR recognizes to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this procedure.
II
In relation to the brief of allegations to the initiation agreement presented by the company, the following must be noted, in short:
Regarding the substantive allegations included in the FOURTH antecedent and numbered from 1 to 8, it should be noted that all of them have already been rebutted, and their inadmissibility reasoned, through a detailed analysis resulting from the exhaustive preliminary investigation carried out by this Agency, in the Foundations of Law (FD) of the agreement initiating the present sanctioning procedure and in those indicated in the present Motion for a Resolution. However, they are now answered succinctly, without prejudice to further elaboration in subsequent Foundations of Law.
In answering the allegations presented by MERCADONA, the following is noted:
Regarding legitimation:
In its allegations in the present procedure, Mercadona does not adduce any exception among those contemplated in art. 9.2 of the GDPR that legitimizes the processing of the biometric data of the convicted person; it limits itself to asserting the legitimacy of the processing under the pretext that "the data protection of the subjects is not injured at any moment". The foregoing confirms what is indicated in the Initiation Agreement: Mercadona does not hold legitimacy to carry out the processing of personal data consisting of facial recognition.
Likewise, the allegations made by Mercadona corroborate the initial indication noted by this Agency, namely that the company was pre-constituting the exception of art. 9.2 of the GDPR in order to be able to process the biometric data regulated in art. 9 of the GDPR. Once it obtained the judicial resolution that generically allows the implementation of the security measure, the supermarket chain unilaterally interprets the scope of the judicial decision and uses it to justify that it holds legitimacy in the sense of art.
9.2.f) of the GDPR not only for the convicted persons, but also for the rest of the citizens affected by the system when they access supermarkets, whom the company includes under the name of "not convicted".
The initiation agreement already stressed the lack of legitimacy to carry out the processing consisting of facial recognition: it was pointed out that where none of the exceptions indicated in article 9.2 of the GDPR concurs, there is no legitimacy to process the biometric data of anyone, regardless of the grounds of lawfulness indicated in art. 6 of the GDPR, since art. 9.1 prohibits it. We did, however, understand that there was legitimacy regarding the processing of the convicted person's biometric data because, in the case examined and raised by Mercadona, it had the corresponding security measure adopted in a judicial resolution.
The AEPD respects judicial resolutions and cannot oppose what is stated in them. However, Mercadona's extensive and unilateral interpretation of the terms set out in the judicial resolution is contrary to the principles of necessity, proportionality and minimization indicated by the GDPR (arts. 5.1.c), 25, 35.7.a) and recitals 4, 156 and 170, among others).
At this point we must bring up the Order of the Provincial Court of Barcelona of 02/11/2021, Appeal No. 840/2020, and Resolution No. 72/2021. The aforementioned Order examines the adoption of the security measure consisting of the facial recognition requested by Mercadona for the convicted persons.
It concludes that the provisions of article 48 of the Penal Code have to be complemented with the consent of the convicted person so that such processing of personal data by facial recognition can be carried out with sufficient legitimacy:
"Although article 48 of the Penal Code establishes that 'the deprivation of the right to reside in certain places or to go to them prevents the sentenced person from residing in or going to the place where the crime was committed' and that 'the judge or court may agree that the control of these measures is carried out through those electronic means that allow it', this would occur while ensuring the fundamental rights of the convicted person, that is, as long as he has given his consent. We must remember that convicted persons enjoy all the fundamental rights recognized in the Constitution, with the exception of those that are expressly limited by the content of the conviction, the sense of the punishment and penitentiary law".
In addition, the Order considers that the processing is not protecting the public interest but rather the private or particular interests of the company.
Necessity of the measure:
It should also be noted that the company focuses on the utility of the measure because it is effective, confusing "utility" with the objective "necessity" of the measure. The measure implemented may be effective, but it is in no way necessary.
From the foregoing, and from the following legal foundations, the entire legal support invoked by MERCADONA to carry out the data processing that it seeks fails, as that processing is prohibited as indicated in art. 9.1 of the GDPR and there is no exception that lifts the ban.
Regarding the rest of the allegations presented by MERCADONA (outlined from A to G), the following should be noted:
Regarding non-substantive or formal aspects, it makes the following allegations:
A) << Lack of knowledge of the two complaints (Facua and Apedanica), which is contrary to the usual practice of the AEPD.
>> In this regard, the AEPD proceeded to initiate preliminary investigations in order to verify the alleged infringements of the GDPR as indicated in Title VIII of the LOPDGDD; a series of complaints later reached the AEPD, motivated by general procedural aspects and not individual complaints from specific affected persons. It must be added that, following the Initiation Agreement, the respondent has had at its disposal the entirety of the documentation in the administrative file.
In view of the company's claims, it should be remembered that the transfer of a complaint is an optional and non-mandatory step, derived from the filing of a complaint. The transfer is a step outside the sanctioning procedure. Furthermore, the respondent does not specify in what way its right of defense has been impaired, which impairment must be material and not formal.
B) << The pattern of a person does not constitute personal data, so no legal basis is needed for its processing >>.
The genesis of the biometric pattern starts from the collection of physical characteristics of the subject (a photograph, which by itself is personal data as it is subsequently processed and, consequently, identifiable) in such a way that it characterizes him unequivocally, so that, by the very definition of personal data, as the person is identifiable, both the photograph and the biometric pattern constitute personal data and their processing is subject to the GDPR.
That Mercadona takes the image of any person who enters its establishments, captures it, obtains a pattern from it, compares it with that of the convicted person and deletes it is a processing of personal data (facial recognition). The pattern thus obtained from the personal image constitutes, in itself, personal data. No two patterns are the same (Doc 6 of the letter of nre: 026459/2020).
For the sake of completeness, and in view of the allegations made by the company, we must remember that the image of a person is personal data, and this is continually reiterated by the AEPD; the image of a person's face, from which the biometric pattern is extracted, fully identifies that person without further action. Within the framework of data processing consisting of facial recognition, the fact that the company does not have the names of the people whose biometric data it processes, as it does have that of the convicted person, does not mean that the data are not personal data. Nor does the fact that it has not previously stored the image of a person other than the convicted person, in order to check it against a database by means of a pattern, mean that we are not dealing with a processing of personal data.
C) << The implemented system does not collect information additional to the status of convicted person included in its database. >>
In this regard, it should be noted that the information on the convicted person collected from the undisputed database that MERCADONA holds and processes is contrasted with additional information from third parties in order to "match" the biometric characteristics of both and, later, based on algorithms and quality criteria, the identity by matching is accepted or rejected. In both cases, additional information is always collected based on personal characteristics and data that enriches the system and that lacks a legal basis for its processing.
D) << The proposal for a Regulation on artificial intelligence (COM (2021) 206. Annexes 1 to 9) published on 04/21/2021, considers that the system would be possible and in accordance with the measures proposed in said proposal >>.
In the Initiation Agreement, mention was already made of the aspects that are now alleged with regard to the aforementioned draft regulation on artificial intelligence.
In this sense, Article 5 of the Regulation invoked states:
"The following artificial intelligence practices are prohibited:
(…)
(a) the use of 'real-time' remote biometric identification systems in publicly accessible spaces for law enforcement purposes, unless and insofar as such use is strictly necessary for one of the following objectives:
(i) the specific search for possible victims of crimes, including missing children;
(ii) the prevention of a specific, substantial and imminent threat to the life or the physical safety of natural persons or of a terrorist attack;
(iii) the detection, location, identification or prosecution of a perpetrator or suspect of a criminal offense referred to in article 2, paragraph 2, of Council Framework Decision 2002/584/JHA and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of three years, as determined by the legislation of said Member State."
In the present case, there is no evidence that exceptions (i) to (iii) have been met. Furthermore, in addition to the fact that the aforementioned regulation is still in the legislative process, data protection regulations always require a detailed analysis of the specific case in question in order to verify whether there is legitimacy for a specific processing of personal data, such an analysis always being far removed from automatism.
E) << Alleges the absence of a subjective element of guilt. >>
Although it is not possible to impute an offense in the absence of the volitional element of liability (strict liability), in the present case the company responsible was aware of the activity that it was going to start, hiring specialized entities for its implementation.
The fact of having performed a poor risk analysis, not only omitting all the affected subjects but also failing to assess as a risk the prohibition of the processing contemplated in article 9.1 of the GDPR, already configures the volitional element of culpability.
Had the risk of the planned processing been assessed, the outcome would have been that we are faced with a prohibited and, consequently, unacceptable processing, which, as the case may be, would have led to the application of the provisions of article 36 of the GDPR (prior consultation), which at no time has been taken into account and which would have led to a pronouncement by this AEPD on the processing of personal data now analyzed.
Furthermore, to the unacceptable deficiency committed in preparing the risk analysis prior to the processing must be added the equally deficient subsequent impact assessment, which did not involve all affected subjects; this also constitutes a serious deficiency, as it does not determine the serious consequences for the rights and freedoms of the data subjects. All the citizens who access a Mercadona shopping center with facial recognition installed are treated as convicted persons.
The above configures the presence of the volitional element of guilt required by art. 28 of Law 40/2015, of 1/10, of RJSP.
F) << The main activity of MERCADONA is not linked to data processing but to the management of a supermarket chain >>.
Although MERCADONA's main activity is the management of supermarkets, it is also true that such management implies, as a daily, parallel and continuous activity, the processing of personal data of both its online and in-person customers and of its workers, the latter numbering more than one hundred thousand.
G. << It alleges that both the AEPD and MERCADONA have been adopting the System and adjusting it to the requirements of the Agency >>.
This claim should be rejected, since at no time has this AEPD taken any position on the establishment of the processing now analyzed and, as already mentioned, Mercadona has not used the regulatory mechanism established for this purpose in the GDPR (art. 36 GDPR).
H. << Alleges disproportionality in the amount of the sanction >>.
In this regard, the reasons for the amount of the penalty are given in the initiation agreement. It should be noted that the GDPR itself, in art. 83.1, states that:
"1. Every supervisory authority will ensure that the imposition of administrative fines in accordance with this article for infringements of this Regulation indicated in sections 4, 5 and 6 are effective in each individual case, proportionate and dissuasive".
In the present case, the effective, proportionate and dissuasive character is guaranteed. The amount of the administrative fine is set at levels much lower than the maximum allowed (in each case, 10 or 20 million euros, or 2% or 4% of the total global annual turnover for the previous financial year, opting for the higher amount).
Consequently, the allegations must be rejected in their entirety.
III
In order to systematize reading and comprehension from the beginning of the present Resolution Proposal, the doctrine of this AEPD regarding the processing now under analysis is set out below; reference will be made to it, among others, throughout the Proposed Resolution.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), defines biometric data in its article 4.14 as "personal data obtained from a specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person, that allow or confirm the unique identification of said person, such as facial images or fingerprint data".
Article 9 of said regulation governs the processing of special categories of data, including biometric data, establishing a general prohibition of their processing in the following terms:
"The processing of personal data that reveals ethnic or racial origin, political opinions, religious or philosophical convictions, or trade union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data regarding a natural person's sex life or sexual orientation is prohibited."
In relation to the processing of facial recognition data, in our Report 36/2020, analyzing article 9.1 in relation to Recital 51 of the GDPR, as well as the Protocol of amendment to the Convention for the Protection of Individuals regarding the processing of personal data, approved by the Committee of Ministers at its 128th session in Elsinore on May 18 of 2018 (Convention 108+), we indicated that:
"In order to clarify the interpretative doubts that arise regarding the consideration of biometric data as special categories of data, recourse may be had to the distinction between biometric identification and biometric verification/authentication established by the Article 29 Group in its Opinion 3/2012 on the evolution of biometric technologies:
Biometric identification: the identification of an individual by a biometric system is normally the process of comparing their biometric data (acquired at the time of identification) with a series of biometric templates stored in a database (that is, a one-to-many match search process).
Biometric verification/authentication: the verification of an individual by a biometric system is normally the process of comparing their biometric data (acquired at the time of verification) with a single biometric template stored on a device (that is, a one-to-one match search process).
This same differentiation is included in the White Paper on artificial intelligence of the European Commission:
"As regards facial recognition, 'identification' means that the template of a person's facial image is compared with many other templates stored in a database to find out whether their image is stored in it. 'Authentication' (or 'verification'), for its part, usually refers to the search for matches between two specific templates.
It allows the comparison of two biometric templates that are, in principle, assumed to belong to the same person; thus, the two templates are compared to determine whether the person in the two images is the same. This procedure is used, for example, at the automated border control gates used in border controls at airports".
Taking into account the aforementioned distinction, it can be interpreted that, according to Article 4 of the GDPR, the concept of biometric data would include both cases, both identification and verification/authentication. However, and as a general rule, biometric data will only be considered a special category of data in cases in which they are subjected to technical processing aimed at biometric identification (one-to-many) and not in the case of biometric verification/authentication (one-to-one)."
In the present case, biometric data is processed for the purposes of identification, that is, to single out an individual among several, making it a processing of special categories of data subject to the general rule prohibiting it (art. 9.1 GDPR).
However, article 9.2 of the GDPR regulates exceptions to this general prohibition by stating that:
"Section 1 shall not apply when one of the following circumstances occurs:
a) the data subject gave their explicit consent to the processing of said personal data for one or more of the specified purposes, except when Union or Member State law establishes that the prohibition mentioned in paragraph 1 cannot be lifted by the data subject.
(…)
f) the processing is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function;
g) the processing is necessary for reasons of an essential public interest, on the basis of Union or Member State law, which must be proportional to the objective pursued, respect in essence the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the data subject;"
(…)
In relation to section g), it should be highlighted that the processing must be necessary for reasons of public interest, which must be essential, on the basis of Member State law, which must be proportional to the objective pursued, respect in essence the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the data subject.
Therefore, we will proceed to analyze whether, in the present case, the requirements established in article 9.2 to lift the prohibition on processing biometric data are met.
This Agency has had the opportunity to pronounce, on various occasions, on the requirements necessary to lift the prohibition established in art. 9.1 of the GDPR, especially regarding the requirements established by article 9.2.g) of the GDPR, in order to cover the processing of personal data based on facial recognition, given the proliferation of proposals received in relation to it from different spheres, which shows the growing interest in using these systems and the constant concern of this supervisory authority, as they are identification systems that are very intrusive for the fundamental rights and freedoms of natural persons.
This concern has been shared by the rest of the supervisory authorities for years, as shown by the Working Document on Biometrics, adopted on 1 August 2003 by the Group of 29, or the subsequent Opinion 3/2012 on the evolution of biometric technologies, adopted on April 27, 2012, and it has led the Community legislator itself to include these data among the special categories of data in the GDPR. In this way, their processing being prohibited in general, any exception to said prohibition must be subject to restrictive interpretation.
In this regard, it is worth noting, in addition to the aforementioned Report 36/2020, referring to the use of facial recognition techniques in conducting online evaluation tests, which is discussed later, Report 31/2019 on the incorporation of facial recognition systems in video surveillance services under article 42 of the Private Security Law, or Report 97/2020 relating to the Draft Order of the Minister of Economic Affairs and Digital Transformation on non-face-to-face identification methods for the issuance of qualified electronic certificates. In all these cases, it was concluded that there was no legal norm in the Spanish legal system that meets the requirements of article 9.2.g) of the GDPR, so the processing could only be based on the consent of those affected, provided that it is guaranteed to be free.
Analyzing and developing the requirements of article 9.2.g), in our Report 36/2020 we indicated (FD V) the following:
<< The next question that arises in the consultation is whether the processing of biometric data by facial recognition systems in online evaluation processes could be based on the existence of an essential public interest according to article 9.2.g) of the GDPR:
g) the processing is necessary for reasons of an essential public interest, on the basis of Union or Member State law, which must be proportional to the objective pursued, respect in essence the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the data subject.
As we pointed out previously, the processing of personal data necessary for the provision of the public service of higher education is legitimated, in general, by the existence of a public interest under the provisions of article 6.1.e) of the GDPR. However, when it comes to special categories of data, the case contemplated in letter g) of article 9.2 does not refer only to the existence of a public interest, as the GDPR does in many other of its precepts; it is the only precept of the GDPR that requires that interest to be "essential", an adjective that qualifies said public interest, taking into account the importance of the data processed and their need for greater protection.
This precept finds its precedent in article 8.4 of Directive 95/46/EC of the European Parliament and of the Council, of October 24, 1995, regarding the protection of natural persons with regard to the processing of personal data and the free movement of these data: “4.
Provided that adequate guarantees are in place, Member States may, for reasons of important public interest, establish other exceptions, in addition to those provided for in section 2, either by means of their national legislation or by decision of the supervisory authority”. However, reading it shows greater rigor in the new regulation under the GDPR, since the adjective "important" is replaced by "essential" and the exception is not allowed to be established by the supervisory authorities.
In relation to what should be understood by essential public interest, account must also be taken of the case law of the European Court of Human Rights, which, under article 8 of the European Convention on Human Rights, has been considering that the processing of personal data constitutes a lawful interference with the right to respect for private life and can only be carried out if it is done in accordance with the law, serves a legitimate purpose, respects the essence of fundamental rights and freedoms and is necessary and proportionate in a democratic society to achieve a legitimate end (D.L. v. Bulgaria, No. 7472/14, May 19, 2016; Dragojević v. Croatia, No. 68955/11, January 15, 2015; Peck v. United Kingdom, No. 44647/98, January 28, 2003; Leander v. Sweden, No. 9248/81, March 26, 1987, among others). As the last judgment cited points out, "the concept of necessity implies that the interference responds to a pressing social need and, in particular, that it is proportionate to the legitimate purpose that it pursues".
Likewise, account must be taken of the doctrine of the Constitutional Court regarding restrictions on the fundamental right to data protection, which it synthesized in its judgment 292/2000, of November 30. In that judgment, after configuring the fundamental right to the protection of personal data as an autonomous and independent right that consists of a power of disposition and control over personal data, which empowers the person to decide which of these data to provide to a third party, be it the State or an individual, or which data that third party may collect, and which also allows the individual to know who holds this personal data and for what purpose, being able to oppose that possession or use, it analyzes its limits, noting the following:
“More specifically, in the aforementioned judgments regarding the protection of data, this Court has declared that the right to data protection is not unlimited, and although the Constitution does not expressly impose specific limits on it nor refer to the Public Powers for their determination, as it has done with other fundamental rights, there is no doubt that its limits must be found in the remaining fundamental rights and constitutionally protected legal assets, as required by the principle of unity of the Constitution (SSTC 11/1981, of April 8, F. 7; 196/1987, of December 11 [RTC 1987, 196], F. 6; and regarding art. 18, STC 110/1984, F. 5). Those limits may either be direct restrictions of the fundamental right itself, to which reference has been made before, or they may be restrictions on the manner, time or place of exercise of the fundamental right. In the first case, regulating those limits is a form of development of the fundamental right.
In the second, the limits that are set apply to the specific way in which the bundle of powers that make up the content of the fundamental right in question may be exercised, constituting a way of regulating its exercise, which can be done by the ordinary legislator in accordance with the provisions of art. 53.1 CE. The first point that must be established, which is no less fundamental, is that the Constitution has wanted the Law, and only the Law, to be able to set the limits to a fundamental right. Fundamental rights can, of course, yield before constitutionally relevant assets, and even interests, provided that the curtailment they experience is necessary to achieve the legitimate purpose envisaged, is proportionate to achieving it and, in any case, respects the essential content of the restricted fundamental right (SSTC 57/1994, of February 28 [RTC 1994, 57], F. 6; 18/1999, of February 22 [RTC 1999, 18], F. 2).
Precisely, if the Law is the only instrument authorized by the Constitution to set the limits to fundamental rights and, in the present case, to the fundamental right to data protection, and those limits cannot be different from those constitutionally provided, which in this case are none other than those derived from the coexistence of this fundamental right with other rights and legal assets of constitutional rank, the legal empowerment that allows a Public Power to collect, store, process, use and, where appropriate, transfer personal data is only justified if it responds to the protection of other fundamental rights or constitutionally protected assets. Therefore, if those operations with the personal data of a person are not carried out with strict observance of the rules that regulate them, the right to data protection is violated, since constitutionally illegitimate limits are imposed on it, either on its content or on the exercise of the bundle of powers that compose it.
As that limiting Law will also violate it if it regulates the limits in such a way that they render the affected fundamental right impracticable or the guarantee that the Constitution grants it ineffective. And so it will be when the Law, which must regulate the limits to fundamental rights with scrupulous respect for their essential content, limits itself to empowering another Public Power to set, in each case, the restrictions that can be imposed on fundamental rights, whose specific determination and application will be at the discretion of the decisions adopted by that Public Power, which will be able to decide, in what interests us now, on the obtaining, storage, processing, use and transfer of personal data in the cases that it deems appropriate, even invoking interests or assets that are not protected with constitutional rank […] ”. (Legal Basis 11)
“On the one hand, because although this Court has declared that the Constitution does not prevent the State from protecting legal rights or assets at the cost of sacrificing others equally recognized and, therefore, that the legislator may impose limitations on the content of fundamental rights or on their exercise, we have also specified that, in such cases, these limitations must be justified by the protection of other constitutional rights or assets (SSTC 104/2000, of April 13 [RTC 2000, 104], F. 8 and those cited there) and, in addition, they must be proportionate to the end pursued with them (SSTC 11/1981, F. 5, and 196/1987, F. 6). Otherwise they would incur the arbitrariness banned by art. 9.3 CE.
On the other hand, even where the limitations of the fundamental right established by a Law have a constitutional foundation and are proportionate (STC 178/1985 [RTC 1985, 178]), they can violate the Constitution if they suffer from a lack of certainty and predictability in the very limits they impose and in their mode of application.
This conclusion is corroborated in the jurisprudence of the European Court of Human Rights that has been cited in F. 8 and that must be considered reproduced here. And it should also be noted that it would not only harm the principle of legal certainty (art. 9.3 CE), conceived as certainty about the applicable law and the reasonably well-founded expectation of the person as to what the action of the power applying the Law should be (STC 104/2000, F. 7, among others), but at the same time said Law would be damaging the essential content of the fundamental right thus restricted, given that the way its limits have been set makes it unrecognizable and makes it impossible, in practice, to exercise it (SSTC 11/1981, F. 15; 142/1993, of 22 April [RTC 1993, 142], F. 4, and 341/1993, of November 18 [RTC 1993, 341], F. 7). So the lack of precision of the Law regarding the material presuppositions of the limitation of a fundamental right is likely to generate an indeterminacy about the cases to which such restriction applies. And when this result is produced, beyond all reasonable interpretation, the Law no longer fulfills its function of guaranteeing the fundamental right that it restricts, for it lets the will of whoever is to apply it operate in its place, thus undermining both the effectiveness of the fundamental right and legal certainty […]". (FJ 15). “More specifically, in relation to the fundamental right to privacy we have highlighted not only the need for its possible limitations to be based on a legal provision that has constitutional justification and to be proportionate (SSTC 110/1984, F. 3, and 254/1993, F. 7) but also that the Law that restricts this right must precisely express each and every one of the material presuppositions of the limiting measure.
If it does not, it can hardly be understood that the judicial resolution or the administrative act that applies it is founded on the Law, since what the Law has done, abandoning its functions, is to empower other Public Powers so that they are the ones that set the limits to the fundamental right (SSTC 37/1989, of February 15 [RTC 1989, 37], and 49/1999, of April 5 [RTC 1999, 49]). Similarly, with regard to the right to protection of personal data, it can be considered that the constitutional legitimacy of the restriction of this right cannot be based, by itself, on the activity of the Public Administration. Nor is it enough that the Law empowers it to specify in each case its limits, limiting itself to indicating that it must make such specification when any constitutionally protected right or good concurs. It is the legislator who must determine when that good or right is present that justifies the restriction of the right to the protection of personal data and under what circumstances it can be limited and, furthermore, it is he who must do so by means of precise rules that make the imposition of such limitation and its consequences foreseeable to the interested party. For otherwise the legislator would have transferred to the Administration the performance of a function that he alone is responsible for in matters of fundamental rights by virtue of the reservation of Law of art. 53.1 CE, that is, to clearly establish the limit and its regulation. […] (FJ 16) ”.
Likewise, our Constitutional Court has already had the opportunity to pronounce specifically on article 9.2.g) of the RGPD, as a consequence of the challenge of article 58 bis of Organic Law 5/1985, of June 19, of the General Electoral Regime, introduced by the third final provision of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, regarding the legitimation of the collection of personal data related to the political opinions of people carried out by political parties in the framework of their electoral activities, a precept that was declared unconstitutional by Judgment no. 76/2019 of 22 May. Said judgment analyzes, first of all, the legal regime to which the treatment of special categories of data is subject in the GDPR: In accordance with section 1 of art. 9 GDPR, the treatment of personal data that reveals political opinions is prohibited, in the same way as is the processing of personal data that reveal the ethnic or racial origin, the religious or philosophical convictions or union membership and the treatment of genetic data, biometric data aimed at uniquely identifying a natural person, data related to health or data related to the sexual life or the sexual orientation of a natural person. However, section 2 of the same precept authorizes the treatment of all these data when any of the ten circumstances provided there [letters a) to j)] is present. Some of those circumstances have a limited scope of application (labor, social, associative, health, judicial, etc.) or respond to a specific purpose, so that, in themselves, they delimit the specific treatments that they authorize as an exception to the general rule. Furthermore, the enabling efficacy of several of the assumptions there provided for is conditional on the law of the Union or the law of the members the circumstances set out in letters a), b), g), h), i) and j).
The treatment of special categories of personal data is one of the areas in which the General Regulation for the Protection of Data has recognized that Member States have "room for maneuver" when it comes to "specify its rules", as its recital 10 puts it. This margin of legislative configuration extends both to the determination of the causes enabling the processing of specially protected personal data -that is, to the identification of the purposes of essential public interest and the appreciation of the proportionality of the treatment to the end pursued, respecting in essence the right to data protection- and to the establishment of "adequate and specific measures to protect the interests and fundamental rights of the interested party" [art. 9.2 g) RGPD]. The Regulation contains, therefore, a specific obligation of the Member States to establish such guarantees, in the event that they authorize the processing of specially protected personal data. In relation to the first of the requirements demanded by article 9.2.g), the invocation of an essential public interest and the necessary specification of the same, the High Court recalls what was stated in its judgment 292/2000, in which it was rejected that the identification of the legitimate purposes of the restriction could be done through generic concepts or vague formulas, considering that the restriction of the fundamental right to the protection of personal data cannot be based, by itself, on the generic invocation of an indeterminate "public interest": In the aforementioned STC 292/2000 (RTC 2000, 292), which also examined a legislative interference in the right to the protection of personal data, we reject that the identification of the legitimate purposes of the restriction could be done using generic concepts or vague formulas: "16. [...]
Similarly, regarding the right to personal data protection, it can be considered that the constitutional legitimacy of the restriction of this right cannot be based, by itself, on the activity of the Public Administration. Nor is it enough that the Law empowers it to specify in each case its limits, limiting itself to indicating that it must make such specification when any constitutionally protected right or good concurs. It is the legislator who must determine when that good or right is present that justifies the restriction of the right to the protection of personal data and under what circumstances it can be limited and, furthermore, it is he who must do so by means of precise rules that make the imposition of such limitation and its consequences foreseeable to the interested party. For otherwise the legislator would have transferred to the Administration the performance of a function that he alone is responsible for in matters of fundamental rights by virtue of the reservation of Law of art. 53.1 CE, that is, to clearly establish the limit and its regulation. 17. In the present case, the use by the LOPD (RCL 2018, 1629) in its art. 24.1 of the expression "control and verification functions" opens a space of uncertainty so wide that it provokes a twofold and perverse consequence. On the one hand, since the LOPD, by enabling the Administration to restrict rights by invoking such an expression, is renouncing fixing the limits itself, empowering the Administration to do so.
And in a way such that, as indicated by the Ombudsman, it allows practically all administrative activity to be brought under that expression, since all administrative activity that involves entering into a legal relationship with an administrator, which will be the case practically in all cases in which the Administration needs personal data of someone, will ordinarily entail the authority of the Administration to verify and control that the company has acted in accordance with the administrative legal of the legal relationship established with the Administration. This, in view of the reason for restricting the right to be informed of art. 5 LOPD, leaves the citizen in the most absolute uncertainty about in which cases that circumstance will concur (if not in all) and renders ineffective any jurisdictional protection mechanism that should judge such a case of restriction of fundamental rights without another complementary criterion that comes to the aid of its control of administrative action in this matter. The same reproaches are deserved, likewise, by the use in art. 24.2 LOPD of the expression "public interest" as the basis for the imposition of limits on the fundamental rights of art. 18.1 and 4 CE, since it contains a degree of even greater uncertainty. It is enough to note that all administrative activity, ultimately, pursues the safeguarding of general interests, whose achievement constitutes the purpose that the Administration serves pursuant to art. 103.1 CE." This argument is fully transferable to the present case. Similarly, therefore, we must conclude that the constitutional legitimacy of the restriction of the fundamental right to the protection of personal data cannot be based, by itself, on the generic invocation of an indeterminate "public interest".
Well, in another case the legislator would have transferred the parties politicians - whom the contested provision enables to collect data personal information regarding the political opinions of people within the framework of their electoral activities- the performance of a function that only corresponds to him in matter of fundamental rights by virtue of the reservation of Law of art. 53.1 CE, that is, clearly establish its limits and its regulation. Neither can the purpose adduced by the State attorney, which refers to the functioning of the democratic system, as it also contains a high degree of uncertainty and can represent a circular reasoning. On the one hand, political parties are themselves "channels necessary for the functioning of the democratic system "(for all, STC 48/2003, of March 12 (RTC 2003, 48), FJ 5); and, on the other hand, all the The functioning of the democratic system ultimately pursues the safeguarding of constitutional purposes, values and goods, but this is not enough to identify the reason why the fundamental right should be restricted affected. Finally, it should be specified that it is not necessary to suspect, with greater or lesser basis, that the restriction pursues a purpose unconstitutional, or that the data that is collected and processed will be harmful for the private sphere and the exercise of the rights of individuals. It is it is enough to verify that, since it cannot be identified with sufficient precision the purpose of the data processing, neither can the character constitutionally legitimate of that purpose, nor, where appropriate, the proportionality of the planned measure in accordance with the principles of suitability, necessity and proportionality in the strict sense. On the other hand, regarding the guarantees that the legislator must adopt, the aforementioned judgment no. 
76/2019 of May 22, after recalling that “In view of the potential intrusive effects on the fundamental right affected that result from the processing of personal data, the jurisprudence of this Court requires that the legislator, in addition to meeting the aforementioned requirements, also establish adequate guarantees of a technical, organizational and procedural nature, which prevent risks of varying probability and severity and mitigate their effects, because only in this way can respect for the essential content of the fundamental right itself be ensured”, analyzes what is the norm that must contain the aforementioned guarantees: “Therefore, the resolution of this challenge requires that we clarify a doubt raised regarding the scope of our doctrine on adequate guarantees, which consists of determining whether the adequate guarantees against the use of information technology must be contained in the law that authorizes and regulates this use or may also be found in other normative sources. The question can only have a constitutional answer. The provision of adequate guarantees cannot be deferred to a time after the legal regulation of the processing of personal data in question. The adequate guarantees must be incorporated into the legal regulation of the treatment itself, either directly or by express and perfectly delimited reference to external sources that have the appropriate regulatory rank. Only that understanding is compatible with the double requirement that arises from art. 53.1 CE (RCL 1978, 2836) for the legislator of fundamental rights: the reservation of law for the regulation of the exercise of fundamental rights recognized in the second chapter of the first title of the Constitution and the respect for the essential content of these fundamental rights.
According to reiterated constitutional doctrine, the reservation of law is not limited to requiring that a law enables the restrictive measure of fundamental rights, but rather It is also necessary, in accordance both with requirements sometimes called normative and -other- predetermination of the quality of the law as well as respect for essential content of the law, that in that regulation the legislator, who comes primarily obliged to weigh the competing rights or interests, predetermine the assumptions, conditions and guarantees in which the adoption of restrictive measures of fundamental rights. That mandate of predetermination with respect to essential elements, also linked in last term to the judgment of proportionality of the limitation of the right fundamental, it cannot be deferred to further legal development or regulations, nor can it be left in the hands of individuals themselves " (FJ 8). Consequently, the processing of biometric data under article 9.2.g) requires that it be provided for in a standard of European or national law, In the latter case, it must have said norm, according to the constitutional doctrine cited and the provisions of article 9.2 of the LOPDGDD, rank of law. Said law must also specify the essential public interest that justifies the restriction of the right to the protection of personal data and in what circumstances can be limited, establishing the precise rules that make the interested party foreseeable imposition of such limitation and its consequences, without being sufficient, to these effects, the generic invocation of a public interest. And said law shall establish, in addition, the appropriate technical, organizational and procedural, preventing risks of varying probability and severity and mitigate its effects. 
In addition, said law must respect in all cases the principle of proportionality, as recalled in the Judgment of the Constitutional Court 14/2003, of 28 January: “In other words, in accordance with a reiterated doctrine of this Court, the constitutionality of any restrictive measure of fundamental rights is determined by the strict observance of the principle of proportionality. For the purposes that matter here, it is enough to remember that, to check whether a restrictive measure of a fundamental right passes the judgment of proportionality, it is necessary to verify whether it meets the following three requirements or conditions: whether the measure is likely to achieve the objective proposed (suitability judgment); whether, in addition, it is necessary, in the sense that there is no other more moderate measure to achieve this purpose with equal efficacy (judgment of necessity); and, finally, whether it is weighted or balanced, because more benefits or advantages for the general interest derive from it than damages to other goods or values in conflict (judgment of proportionality in the strict sense; SSTC 66/1995, of May 8 [RTC 1995, 66], F. 5; 55/1996, of March 28 [RTC 1996, 55], FF. 7, 8 and 9; 270/1996, December 16 [RTC 1996, 270], F. 4.e; 37/1998, of February 17 [RTC 1998, 37], F. 8; 186/2000, of July 10 [RTC 2000, 186], F. 6)." From the transcribed regulation, which is the transposition of community regulations, it can easily be inferred that it does not meet the requirements established in article 9.2.g), since the legislator has not provided for the use of biometric data as a proportional measure for the identification of natural persons, establishing the specific and adequate guarantees that derive from the greater risks involved in the processing of said data.
Therefore, since the project intends to process personal data included in the special categories of data referred to in article 9.1 of the RGPD, given that these are biometric data directed to the identification of natural persons, it is a prerequisite that one of the circumstances contemplated in its section 2 applies that lifts the prohibition of treatment of said data, established in general in its section 1, with article 9.2 of the LOPDGDD requiring that "Data processing referred to in letters g), h) and i) of article 9.2 of the Regulation (EU) 2016/679 based on Spanish law must be covered by a regulation with the force of law, which may establish additional requirements related to your security and confidentiality." and there being, as indicated, no legal norm that enables said treatment under article 9.2.g) of the RGPD. Therefore, said prohibition may only be lifted in those cases where the affected person gives his express consent, under the protection of letter a) of article 9.2 of the RGPD, and all other requirements must be met for granting a valid consent that are included in the definition of article 4.11 of the RGPD: “any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern him”. Although the absence of a cause that lifts the prohibition of the treatment of special categories of data determines, by itself, the prohibition of the treatment carried out by Mercadona, it should also be noted that there is no legal basis that would legitimize it, where appropriate, under article 6.1 GDPR on the basis of the public interest.
The concept of public interest, or that of general interest, which is more frequently used by our constitutional text, it is a legal concept indeterminate with a double function: to give legitimizing coverage to the performance of the Administration and, on the other hand, constitutes one of the ways of limiting administrative powers. In this way, the public interest that, as it points out Parejo Alfonso, has a clear directive role in regulatory development (parliamentary or not) of the constitutional order, acts as a delimiting criterion of the actions of the public powers, so it must, first of all, be identified by the legislator, in order to identify the area in which the develop the actions of the Administration, subject to the principle of legality and which corresponds to serve the general interests objectively (article 103.CE) and, in any case, under the control of the courts, since as you recall the Judgment of the Constitutional Court of June 11, 1984, “There is no ignore that the power attributed by the Constitution to the State to define the general interest, open and indeterminate concept called to be applied to respective subjects, it can be controlled, against possible abuses and posteriori, by this Court… ”. In the first place, it must be assumed that the existence of a public interest, not legitimizes any type of personal data processing, but must be, in the first place, to the conditions that the legislator, as provided for in article 6 of the RGPD, in its sections 2 and 3, and article 8 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD) that regulates the data processing based on a legal obligation and on a mission carried out in the public interest or exercises of public interests in its article 8, in the following terms: "1. 
The processing of personal data can only be considered based on the compliance with a legal obligation enforceable by the person responsible, in the terms provided for in article 6.1.c) of Regulation (EU) 2016/679, when so provided by a rule of European Union law or a rule with the rank of law, which may determine the general conditions of the treatment and the types of data object of the same as well as the assignments that proceed as a consequence of compliance with the legal obligation. Said rule may also impose special conditions on the treatment, such as the adoption of additional security measures or others established in Chapter IV of Regulation (EU) 2016/679. 2. The processing of personal data can only be considered based on the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible, under the terms provided in Article 6.1 e) of Regulation (EU) 2016/679, when it derives from a competence attributed by a norm with the force of law." Consequently, the public interest requires, in the first place, its realization by the legislator, taking into consideration all the interests affected, for the purpose of determining the restrictions that particular interests may suffer as a consequence of the presence of said general interests, which must be done through a rule with the force of law. On the other hand, the other principles of article 5 of the RGPD should be respected, especially those of limitation of the purpose and minimization of data.
Especially in relation to the principle of data minimization, which requires that they be “adequate, relevant and limited to what is necessary in relation to with the purposes for which they are processed ”(article 5.1.c) of the RGPD) it is necessary to point out that the processing of facial recognition data will involve the large-scale processing of special categories of data subject to a reinforced guarantee scheme. This is so due to the high volume of affected and clients of the company, as well as because said treatment could be generalized to all merchants in the same or another commercial sector. Finally, despite the ostensible lack of legitimacy for the treatment of personal data consisting of facial recognition, the implanted system by the company would not comply with the proportionality requirements demanded by the Constitutional Court, since within the triple judgment of proportionality, if may well be considered suitable for the proposed purpose, it is not necessary, as there are less intrusive alternative measures, nor is it strictly proportional, to the extent that more benefits are derived for the interest public that damages to other goods or values in conflict, taking into account account that its massive and indiscriminate application is intended for all clients and the rest of those affected, and that if it were generalized it would imply a massive treatment of special categories of data that would reach the practically the entire population, regardless of the level of risk represents becoming the exception of the possibility of data processing biometrics in the general rule, contrary to what is intended by the RGPD. 
Precisely, the inadmissibility of using these techniques in a generalized manner, as well as the absence of connection between the security measure and the public interest, pursuing, on the contrary, private or individual interests of the company, is reflected in the Order of the Provincial Court of Barcelona, dated 02/15/2021: “Having stated what precedes in the preceding paragraphs, this Chamber considers that the measure requested by the commercial entity, MERCADONA S.A, is in no way proportional, necessary or even suitable. The convicts in this executive order, Messrs. A.A.A. and B.B.B., had a ban imposed on them on access to a specific supermarket of the Mercadona entity, specifically located on Calle Frederic Mompou s/n in the town of San Boi de Llobregat; there has been no record, or at least the testimony of individuals referred to this section, there is no record that they violated the corresponding prohibition of access to the shopping center or also that these are repeat offenders in such conduct. But what is more, this Chamber cannot share that the measure concerned is protecting the public interest, but rather, the private or particular interests of the company in question, since, as has already been explained in the previous paragraphs, they would be violating the adequate guarantees in order to protect the rights and freedoms of the interested parties, not only of those who have been punished and whose access prohibition is incumbent on them, but of the rest of the people who access the cited supermarket ”. In the allegations made to the initiation agreement, Mercadona claims a public interest underlying the judicial decisions in which the security measures consisting of facial recognition of the convicted person.
The complained party affirms that “Consequently, in view of the establishment as security measure in criminal sentences of facial recognition methods by judges and courts, the public interest wielded and accepted as a legal basis for the convicted, and courts, the public interest wielded and accepted as the legal basis for convicted persons, it would logically extend to these effects on non-convicted persons ”. Well, it is one thing that the adoption of a security measure can have beneficial effects on society and that a judge or criminal court assesses proportionally what the adoption of the security measure implies (between the restriction of the rights of the convicted person and the public interest, that social benefit, which is obtained from the imposition of the security measure). And it is another thing that the preponderance of the public interest (the reason for the security measure) legitimizes the processing of personal data of the rest of the citizens, so that all citizens are treated as convicted, being subjected to the same treatment as the subject on whom the security measure has been imposed. In any case, the existence of that public interest is not a settled matter. The aforementioned Order of the Provincial Court of Barcelona, examining specifically the security measure consisting of facial recognition, considers that there is no public interest, but that, as we have already pointed out, strictly particular and private interests of the company are pursued. Consequently, and in light of the allegations made at this procedural stage by Mercadona, we must conclude that the data processing based on facial recognition for the purposes of identification is not authorized in accordance with article 9.2.g) of the RGPD and, furthermore, it lacks a legal basis under article 6.1 of the same and is contrary to the principles of necessity, proportionality and minimization.
IV On the other hand, and as already indicated, it is appropriate to bring up a summary of the content of the recent Order of the Provincial Court of Barcelona dated 02/15/2021, Appeal No. 840/2020, and Resolution No. 72/2021, in which the company (MERCADONA) has been an interested party in the order arising from facts related to the treatment now under analysis. Breeds at The effects of the references to the same appear in the present Proposal of Resolution. The aforementioned Order indicates the following (the underlining is from the AEPD): << LEGAL REASONS FIRST.- The company MERCADONA requests the adoption of the measure, understanding that biometric data is obtained through the security cameras when a subject enters the premises. For this it establishes as the regulation to be followed Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of persons with regard to the processing of personal data and the free circulation of these data. The appellant understands that the fact that the category of biometric data is recognized in said Regulation as data of special protection does not exclude its use, provided that it is carried out with all relevant security measures. Said company understands that with the security measures proposed the data protection of the subjects is not injured at any moment, since, although the biometric data of every user who enters one of the establishments are processed, the system instantly detects (in 0.3 seconds) those individuals who have been sentenced with an entry ban to the aforementioned establishment through the final judgment in a judicial process; consequently, any biometric data of a person who has not been convicted will be immediately erased and never used.
The appellant argues that the purpose of the Legislator in the development of the General Data Protection Regulation is not only to protect the rights of natural persons but also the free circulation of data, attending to the progress of technology. That is why it would be wholly ineffective to try to solve a problem such as the control of those individuals who have been convicted in a final judgment with a prohibition of entrance by trying to show the image of these individuals to dozens of employees of establishments so that they could identify them and report them. It is argued that failing to take advantage of the advantages that progress offers, being able to do so while ensuring the protection of natural persons, is to condemn the human being, as well as the Spanish legislative development of the last decades. The appellant invokes the suitability, necessity and proportionality of the requested measure. It is effective in the first place, as it addresses the problem presented, in order to achieve its objective, which is to identify any individual who, despite having a final judgment that prevents him from entering one of its establishments, may violate the decision of the judicial body and also the rights of the company itself. It is necessary, because it is the only way to face the problem and solve it, since the previous measures that have been taken have been completely ineffective due to the impossibility of exercising control in all establishments by all the employees; and finally, it is proportional, since it contributes more benefits for the general interest than damages for the particular individual, insofar as it does not imply any treatment of the biometric data of the subjects in general terms, implying a treatment only of those individuals who have been convicted by final judgment ...
SECOND.- Going into the substance of the request made, the truth is that it is an issue that raises many doubts at the legal level. We must remember that after the approval and entry into force of the General Data Protection Regulation - directly applicable since May 2018 - processing will only be lawful if at least one of the following conditions is met:

* the interested party gave their consent for the processing of their personal data for one or more specific purposes;
* the processing is necessary for the performance of a contract to which the interested party is a party or for the application, at their request, of pre-contractual measures;
* the processing is necessary for the fulfillment of a legal obligation applicable to the controller;
* the processing is necessary to protect vital interests of the interested party or of another natural person;
* the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller;
* the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that said interests are not overridden by the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, particularly when the interested party is a child."

In other words, the Regulation contemplates the obligation that the user give consent for the processing of their personal data. When we talk about facial recognition, the reference must be understood as being to biometric data. The Regulation defines them as "personal data obtained from a specific technical processing, related to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or dactyloscopic data".
In case there is any doubt, section 1 of article 9 of the aforementioned legal text provides that "The processing of personal data that reveal ethnic or racial origin, political opinions, religious or philosophical convictions, or union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data related to health or data related to the sexual life or sexual orientation of a natural person". According to the company MERCADONA S.A, the system "detects, solely and exclusively, the entry of people with final sentences and a precautionary restraining order in force against Mercadona or against any of its workers". But, faced with the measure invoked, one should ask where they get the images for facial recognition, and with what consent; what is more, whether it is true that people with a final sentence have the right to privacy, or why they maintain a database of photographs of people. The system used "performs the identification in real time and immediately deletes all the information, using only the positive results to contact the authorities in case of detection". Mercadona alleges that there is no data processing, and that is why it refers to 0.3 seconds. It is, to say the least, surprising that it relies on "speed". No matter how fast, there is a violation of privacy. Both the argument of speed and that of the non-processing of data fall under their own weight. We are clearly facing what the European Union has called "authentication". The White Paper on Artificial Intelligence of the European Commission of 19 February 2020 establishes that "with regard to facial recognition, "identification" means that the template of the facial image of a person is compared to many other templates stored in a database to find out if their image is stored in it.
"Authentication" (or "verification"), meanwhile, usually refers to the search for matches between two specific templates. It allows the comparison of two biometric templates that, in principle, are supposed to belong to the same person; thus, the two templates are compared to determine if the person in the two images is the same. This procedure is used, for example, in the automated border control gates used for border checks at airports. This is a complex issue. In the words of the AEPD itself in its report 36/2020, "taking into account the aforementioned distinction, it can be interpreted that, according to article 4 of the GDPR, the concept of biometric data would include both cases, both identification and verification / authentication. However, and in general, biometric data will only be considered a special category of data in the cases in which they undergo technical processing aimed at biometric identification (one-to-many) and not in the case of biometric verification / authentication (one-to-one). Nevertheless, this Agency considers that it is a complex issue, subject to interpretation, from which no general conclusions can be drawn, and that the specific case must be examined according to the data processed, the techniques used for their processing and the consequent interference in the right to data protection; until the European Data Protection Committee or the courts rule on the matter, the interpretation most favorable to the protection of the rights of those affected must be adopted in case of doubt.
"In the present case, there is no doubt that the use of facial recognition in video surveillance systems used in the field of private security would imply the processing of biometric data aimed at uniquely identifying a natural person, in a one-to-many matching search process, the processing constituting a special category of data whose processing, in principle, is prohibited by article 9.1 of the GDPR.

The Spanish Agency for Data Protection, in a report of May 28, 2020, made the matter quite clear, concluding that:

* Facial recognition techniques for biometric identification purposes involve a processing of special categories of data for which the Regulation requires reinforced guarantees.
* To process special categories of data for these purposes, the regulations require that there be an "essential public interest" contained in a standard with the rank of law, which does not currently exist in the legal system.
* The Agency rejects that the legitimation recognized for video surveillance systems that only capture and record images and sounds can cover technologies such as facial, gait or voice recognition.

As the Spanish Data Protection Agency rightly states in the aforementioned report, for facial recognition to have better legal protection a specific law would be needed. There is no rule today in our legal system regarding facial recognition. The existence of a public interest does not legitimize any type of processing of personal data; rather, regard must be had, first, to the conditions that the legislator may have established, as provided for in Article 6 of the GDPR, in its sections 2 and 3, as well as to the aforementioned principles of article 5 of the GDPR, especially those of purpose limitation and data minimization. And, in the event that the processing concerns one or more of the personal data included in the special categories of data referred to in article 9.1
of the GDPR, that any of the circumstances contemplated in its section 2 concurs, lifting the prohibition on the processing of said data established in general in its section 1. Consequently, the use of facial recognition technologies in video surveillance systems involves the processing of biometric data, as defined in article 4.14 of the GDPR, and involves the processing of special categories of data regulated in article 9 of the GDPR, being "biometric data aimed at uniquely identifying a natural person". We are not facing a simple authentication, but rather an identification, so it requires double legitimation. Although article 48 of the Penal Code establishes that "the deprivation of the right to reside in certain places or to go to them prevents the convicted person from residing in or going to the place where the crime was committed" and that "the judge or court may agree that the control of these measures is carried out through those means that allow it", this would occur while ensuring the fundamental rights of the convicted person, that is, provided that he had given his consent. We must remember that convicted persons enjoy all the fundamental rights recognized in the Constitution, except for those that are expressly limited by the content of the conviction, the purpose of the punishment and prison law.

THIRD.- Beyond data protection, one could go into other issues pertaining to the restraining order. Behind the formalism of a restraining order, there are many issues to consider for the crime to be committed, such as the prior and express notification and requirement to the convicted person, and the validity at that time of the restraining order. These are issues that are surely very complex for a third party. Not everything goes in the matter of Fundamental Rights. These technologies can be really intrusive and require a calm ethical and legal debate, since they can have very adverse effects on core values and human integrity.
This analysis is necessary to be able to determine whether or not this processing is lawful, especially considering the particularities of the category of data being processed, biometric data, which are therefore specially protected. This is so because the images of the faces of the interested parties allow the direct, unique and unequivocal identification of all the people recorded. Collecting images for later recognition must comply with the criteria and standards contained in the General Data Protection Regulation, in accordance with which we are faced with an intensive processing of biometric data, which thus creates situations of high intrusion into the private sphere and into the fundamental right to the protection of personal data of the interested parties. So much so that, in order to authorize and confirm the legality of this type of processing, the correct assessment of aspects such as the nature and origin of the data, the manner in which the processing is carried out and, above all, the purpose is required. These elements must be studied together with the guiding principles of the regulations at hand, in order to determine if the measures implemented are proportional to the intrusion into the private sphere of those involved. In accordance with the personal data protection regulations, processing must always respect a minimum level of proportionality between the intrusion that it can entail in the private sphere of people and the conditions and guarantees that accompany it in order to correct the possible adverse effects. Thus, for processing that requires data from special categories, as is the case of biometric data, the explicit consent of the interested party is established as the basis of legitimation for the uses and actions to be carried out with their information.
In the case that concerns us, and for the moment, the express consent of the interested parties is not being sought; there is also a situation in which it is difficult for both parties, company and customer, to be considered as having the same ability to negotiate the effects of granting consent or not, as refusal translates directly into the impossibility for the customer to continue shopping at that supermarket. The level of intrusion into the private life of the interested parties must enter into the aforementioned proportionality judgment, which according to the regulations therefore requires the expression of the explicit consent of the interested parties. If this consent is not explicitly collected, and is not collected through a means of proof such as a written record, as is the case in this facial recognition processing, this should be remedied with the support of another basis of legitimation strong enough to justify the need for this processing to achieve the desired purposes, such as maintaining the correct operation of the business and preventing robbery, theft and situations of insecurity for the workers of the business. This basis of legitimation, Mercadona assures in its petition, is the "public interest", which is likewise provided for as an exceptional basis of legitimation in the personal data protection regulations. Nevertheless, this creates doubts when interpreting its validity or lack thereof in this case, since the implementation of this technology actually serves, to a greater extent, a private purpose of the company, such as guaranteeing the safety of its facilities.
Regarding the implementation of facial recognition technologies and their appropriate use for guaranteeing and maintaining the security of physical places, the AEPD ruled, in response to a query by a private security company, in Report 010308/2019, that the regulatory framework dedicated to regulating this type of processing remains insufficient today, and considered that it will be necessary to approve "a standard with the rank of law that would specifically justify to what extent and in what cases the use of these systems would respond to an essential public interest" for the correct definition of the legality requirements of this type of processing. … But what is more, this Chamber cannot share the view that the measure concerned protects the public interest; rather, it protects the private or particular interests of the company in question, since, as has already been stated in the previous paragraphs, the appropriate guarantees for the protection of the rights and freedoms of the interested parties would be violated, not only of those who have been convicted and to whom the access prohibition applies, but also of the rest of the people who access the aforementioned supermarket. (…) >>

V

Once the legal doctrine to be applied in the present case has been set out, it is appropriate to enter into the procedural issues. From the preliminary investigation actions, it is concluded that Mercadona carries out a processing of biometric personal data (art. 4.14 of the GDPR) in order to uniquely identify a specific person among several (hereinafter one-to-many), becoming subject to the guarantees provided in art. 9 of the GDPR.
The processing does not only occur in relation to the identification of convicted offenders on whom a security measure has been imposed, as a consequence of the restraining order imposed on them in a criminal sentence, but rather affects anyone who walks into one of its supermarkets (including minors) and its employees. The data processing implemented by Mercadona includes the collection, collation, conservation and destruction -in case of negative identification- (0.3 seconds after its collection) of the captured biometric image of any person that enters the supermarket (capture, collation, conservation and destruction are four forms of processing according to the definition of art. 4 of the GDPR). Mercadona expressly recognizes that there is processing of personal data of a biometric nature, and thus, for example, in the EIPD provided, it states the following: "The data will be kept:

• Relating to the sentence and the image provided: During the validity period of the final judgment that imposes the restraining order.
• Relating to the negatives of the camera: The processing will be 0.3 seconds (time between capture and deletion after comparison).
• Relating to the camera positives: Duration necessary for making them available to the State Security Forces and Bodies".

It should be noted that the preservation of facial images for the brief time lapse of 0.3 seconds constitutes a processing of biometric personal data for "one-to-many" identification purposes, without any of the exceptions for processing indicated in article 9.2 of the GDPR having been proven, so it is not even appropriate to apply the legal bases indicated in article 6 of the GDPR.
The data that is processed is biometric data, whose definition is found in article 4.14 of the GDPR: "personal data obtained from a specific technical processing, related to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data". In this specific case, it involves the processing of special categories of data regulated in article 9 of the GDPR, as they are "biometric data aimed at uniquely identifying a natural person". Similarly, Recital 51 of the GDPR also reasons that they are "only included in the definition of biometric data when the fact of being processed with specific technical means allows the unique identification or authentication of a natural person". Report 36/2020 of the Legal Office of the AEPD asserts, while acknowledging the complexity of the issue and the impossibility of drawing general conclusions, that "biometric data will only be considered a special category of data in the cases in which they undergo technical processing aimed at biometric identification (one-to-many) and not in the case of biometric verification / authentication (one-to-one)", as in the present case. In the same sense, the European Data Protection Committee (hereinafter CEPD) considers the use of video surveillance with facial recognition as a special category of data under article 9 of the GDPR in its "Guidelines 3/2019 on processing of personal data through video devices".

VI

According to Mercadona, the purpose of the remote facial processing of the "one-to-many" type is to monitor compliance with a security measure imposed by sentence on a convicted person in criminal proceedings to which Mercadona has been a party.
The establishment of this surveillance system with facial recognition is linked to the issuance of several sentences in which a security measure is imposed consisting of a restraining order on a person convicted of a minor crime. Said security measure consists of keeping the sentenced person away from one or several specific Mercadona supermarkets, or from the stores of a certain territory, for a period specified in the judgment that in no case exceeds six months (art. 57.3 of the CP). Likewise, as a consequence of Mercadona's express request for this security measure in the criminal procedure, the judicial resolution allows the establishment of electronic means to monitor such security measures, as provided in art. 48.4 of the CP. In some judgments it is specified that such electronic means can be facial recognition, processing biometric data (one-to-many). That happens because Mercadona, when asked about the security measure in the judicial proceedings to which it is a party, requests that the security measure be executed through electronic means, specifying that these electronic means consist of facial recognition. From the sample of Judgments previously provided by Mercadona in relation to security measures and the use of electronic means, the following can be drawn: (…) In view of the sample of Sentences that we have, we have to conclude that: The security measure agreed by the judicial body affects only the convicted person and his legal sphere of rights. The security measure includes electronic means with facial recognition.
But not all rulings authorize Mercadona to install that "one-to-many" (identification) system; some make a generic mention of electronic means that allow this security measure to be monitored without specifying that it is facial recognition and, as has already been discussed above, electronic means of facial recognition do not have to be of the "massive and remote" type. The use of remote biometric identification systems in a massive, indiscriminate and remote manner in spaces with public access for the purposes of applying a judicial decision must take into account the nature of the situation giving rise to the possible use, in particular the severity, probability and magnitude of the damage caused in the absence of use of the system, and also the consequences of using the system for the rights, guarantees and freedoms of all affected persons, including the convicted. In addition to there being a ground for lifting the general prohibition set out in Article 9.1 of the GDPR, the use of biometric identification systems in a massive ("one-to-many"), indiscriminate and remote manner in spaces with public access for the purposes of applying a judicial decision should also comply with the necessary safeguards and conditions provided in relation to the use, including with regard to temporal, geographical and personal limitations regarding those affected. In the present case, the judicial decisions previously provided by Mercadona do not specify how to control access to the supermarkets, and the guarantees, rights and freedoms of those affected cannot be left to the unilateral interpretation and decision of the responsible company (Mercadona) on the scope of the court decisions and on the impact of such processing on those affected (convicted persons, employees and clients, including minors).
Regarding massive and remote facial recognition ("one-to-many"), the White Paper on Artificial Intelligence indicates what remote biometric identification is, in the following terms: "Remote biometric identification must be distinguished from biometric authentication (the latter is a security procedure that is based on the unique biological characteristics of a person to verify that they are who they claim to be). Remote biometric identification consists of determining the identity of multiple people with the help of biometric identifiers (fingerprints, facial images, iris, vascular patterns, etc.) remotely, in a public space and in a continuous or sustained manner, contrasting them with data stored in a database".

The processing now analyzed is characterized as follows:

* It uses biometric data, which are special categories of data under art. 9 of the GDPR (one-to-many), the use of which is subject to a general prohibition, save for the exception provided for in the rule itself. This processing is, therefore, exceptional.
* It takes place remotely in a space accessible to the general public.
* It is a continuous processing that contrasts the data collected with other data stored in a database.
* It is an automatic processing.
* It is extremely high risk (unacceptable), as it can lead to massive and indiscriminate surveillance.

As we can verify, the data processing using remote biometric identification is automatic, and the biometric data is captured (processed) automatically; therefore this data processing is considered extremely high risk (unacceptable).
Furthermore, we cannot ignore that the implementation of remote biometric "identification" of the "one-to-many" type (special category of personal data, art. 9 GDPR) collects much more information than other types of processing and, furthermore, does so involuntarily and without knowledge or consent, by setting guidelines and using predefined algorithms that determine the creation of a certain pattern (matrix) characteristic of the processed image of each affected person. In the processing now analyzed, a system of indiscriminate and massive facial recognition is used, since "depending on the biometric data collected, data on the subject such as race or gender (even from fingerprints), emotional state, illnesses, genetic defects and characteristics, substance use, etc. can be derived. Being implicit, the user cannot prevent the collection of said supplementary information" -Note of the AEPD on the "14 mistakes in relation to biometric identification and authentication"-. This excess of processed data also violates the minimization principle provided in art. 5.1.c) of the GDPR. It is Mercadona (as data controller) that has decided to implement a system of these characteristics, which it did not previously have, as a consequence of its participation in criminal judicial proceedings to which it has been a party and in which it has requested that the specific security measure consisting of the use of a facial recognition system be authorized. This shows us that Mercadona requested in the judicial proceedings the security measure linked to facial recognition before performing an EIPD, before assessing whether it could carry out the processing in accordance with the data protection regulations and before evaluating the risks of such data processing. In this sense, it is insisted, there is no record at this AEPD that the prior consultation has been carried out as referred to in art.
36 of the GDPR, since the processing implemented not only poses an extremely high (unacceptable) risk of impairing the rights and freedoms of Mercadona's customers and workers, but is prohibited by art. 9.1 of the GDPR. In this sense, it should also be noted that in the risk analysis carried out beforehand, the processing should have been found to pose an unacceptable risk and, consequently, been avoided. Mercadona has requested the adoption of the security measure in the criminal procedure and, once agreed, relies on it to justify the exception of art. 9.2 of the GDPR; that is, it has preconstituted the legitimation necessary to carry out the processing of biometric data in a massive and remote "one-to-many" manner. Remember that this security measure is issued only with respect to the convicted person and that it only affects the limitation of their rights in the terms of the judicial resolution, without affecting third parties such as Mercadona's clients and workers. The proportionality judgment before requesting this measure before the judicial body, as will be seen later.

VII

We begin by examining whether Mercadona has the legitimation to carry out this type of processing in the aforementioned conditions. Mercadona asserts that it holds legitimation based on the public interest (art. 6.1.e) of the GDPR) for video surveillance purposes and that the exception of art. 9.2.f) of the GDPR applies, which allows the processing of special-category biometric data, that is, the circumstance that the processing is necessary for the formulation, exercise or defense of claims. The legal basis for the processing alleged by the company starts from the prior lifting of the general prohibition imposed by art. 9.1 of the GDPR through the application of art. 9.2.f) of the GDPR and, subsequently, reference is made to art. 6.1.e) GDPR. First, the exception of art.
9.2.f) of the GDPR does not apply to the potential clients in the processing now analyzed (nor to the workers) according to the AEPD report 010308/2019 already mentioned and, second, the legal basis provided in art. 6.1.b) GDPR is not valid either for employees, since it is a processing outside the video surveillance system. As we have pointed out before, in terms of legitimation we can observe that in the processing examined there are three types of interested parties affected by it. On the one hand, the processing of biometric data of a convicted person on whom a restraining security measure has been imposed in a criminal sentence; on the other, the processing of biometric data of potential clients of Mercadona; finally, the processing of biometric data of Mercadona's own employees.

Legitimation regarding the data of a convicted person. Mercadona bases the processing on the exception provided in art. 9.2.f) of the GDPR, considering that it is entitled to carry out the biometric data processing. Art. 9.2.f) of the GDPR lifts the general prohibition provided for in art. 9.1 of the GDPR when "the processing is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function". According to the Report of this AEPD, reference 0098/2020, it is concluded that: (i) the GDPR mentions separately, on the one hand, extrajudicial claims of diverse nature and administrative claims and, on the other hand, those claims that are pursued through judicial bodies. (ii) the lifting of the prohibition on processing special categories of data should be understood as exceptional and subsidiary, and the interpretation of its application must be restrictive, in accordance with the special protection that this type of data merits by virtue of its legal nature.
(iii) the national or European Union law that regulates this processing must offer sufficient guarantees to protect the rights of those affected. (iv) although the GDPR establishes some cases that are exempt from the prohibition on processing special categories of data, Member States can, through their own law, introduce ad hoc regulations in order to adapt to the reality of the sectors involved and guarantee effective protection of the rights of the citizens of the Union. The aforementioned report adds that, in general, the cases that lift the general prohibition on processing provided for in article 9.2 GDPR only serve this purpose, that is, they act as exceptions to the provisions of section 1, which does not mean that whenever any of them applies the processing can or must be carried out, since the remaining obligations derived from the GDPR itself must also be fulfilled. That is, the mere existence of a claim under article 9.2 f) GDPR does not by itself legitimize the processing of special categories of data, but must be accompanied by other elements, which are not present here, that make the processing comply with the GDPR. The processing of biometric data ("one-to-many"), in this case, could occur if necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function. However, in strict terms, in accordance with the literal wording of the legal norm, and for the case now examined, the formulation, exercise or defense of claims has already taken place, since the complaint made by Mercadona derives from the situation in which we find ourselves now. However, we could understand that the imposition in a final sentence of a security measure is a consequence and continuation of the claim filed, and that this measure derived from the claim may in this way fall within the framework of the transcribed precept.
Now, in any case, the processing of biometric data for the formulation, exercise or defense of claims would be restricted to the biometric data of the defendant, in the strict terms and scope of the judicial resolution, and not to those of third parties totally foreign to the procedure, and even less subject to the company's free unilateral interpretation of the scope of the judicial resolution. Recital 52 of the GDPR, regarding the prohibition on processing special categories of personal data, authorizes the exceptions "provided that adequate guarantees are given", stating that "The processing of said personal data should also be authorized exceptionally when it is necessary for the formulation, exercise or defense of claims, whether by a judicial procedure or an administrative or extrajudicial procedure". As it is an exceptional authorization, which moreover requires - should it be applicable - the establishment of adequate guarantees, the interpretation given to it must be restrictive. This is provided for in recital 51 of the GDPR, which reflects the restrictive character with which the processing of these data must be treated, when it states that "Such personal data should not be processed, unless their processing is allowed in specific situations contemplated in this Regulation, given that Member States may establish specific provisions on data protection in order to adapt the application of the rules of this Regulation to comply with a legal obligation or the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller. In addition to the specific requirements of that processing, the general principles and other rules of this Regulation should apply, especially as regards the conditions of lawfulness of the processing"; this interpretation is systematically reflected by the AEPD in its resolutions -for all, PS/00145/2019-. Let us bring up art. 10 of the GDPR.
This precept allows the processing of personal data relating to criminal convictions and offenses or security measures, as regards the personal data concerned by such convictions, offenses or security measures. In our case, under the wording of the article, it would affect only the personal data of the convicted person and, in relation to the exception of art. 9 of the GDPR, only the biometric data of the convicted person. In addition, it requires that the processing either be carried out under the supervision of public authorities or be authorized by Union or Member State law that establishes adequate guarantees for the rights and freedoms of data subjects.

In this case, the supervision of the Judicial Authority occurs if the convicted person breaches the security measures. The Judicial Authority neither reviews nor has reviewed the facial recognition system implemented in general, nor the impact of the implementation of such a system on the rights and freedoms of the rest of the citizens (customers and employees of Mercadona).

In fact, if the security measure were applied directly by the judicial body, it could not be extended to subjects other than the convicted person or third parties summoned in the procedure and directly affected by the security measure. Consequently, what a judge cannot do in enforcing his or her own measures, a private party acting in collaboration can do even less.

Regarding the massive and remote “one-to-many” processing of a convicted person's biometric data for the imposition of a security measure of withdrawal in a criminal sentence, the company states that the legal basis of the processing would be that of art. 6.1.e) of the GDPR, thus overlooking the need for prior lifting of the general prohibition imposed by art. 9.1 of the GDPR.
Regarding the security measure, Mercadona asserts that “This legitimation, although it does not need a legal authorization or a specific determination at the normative level, must be framed within the Spanish procedural system”. However, in the face of such a statement, the truth is that art. 8 of the LOPDGDD is categorical in stating that “The processing of personal data may only be considered founded on the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller, in the terms provided in article 6.1 e) of Regulation (EU) 2016/679, when it derives from a competence attributed by a norm with the force of law”. Consequently, legal authorization is mandatory for such a legal basis to take effect.

The reality is that the legal basis contained in art. 6.1.e) of the GDPR could legitimize the processing of the convicted person's data with regard to a specific security measure (provided that one of the authorizations of art. 9.2 of the GDPR applies), on the understanding that a mission in the public interest is being carried out, by mandate of the judicial body to which the power to do so is assigned (art. 17 of Organic Law 6/1985, of July 1, on the Judiciary).

However, as has already been pointed out, there is also no evidence that the security measure serves an essential public interest, since what it would protect is a private interest of the company.

In this sense, WP29, in its Opinion 06/2014 on the concept of public interest of the data controller under art. 7 of Directive 95/46/EC, examines what is understood by a mission in the public interest, stating that “Article 7, letter e), covers two situations and is pertinent for both the public and private sectors.
First, it includes situations in which the data controller itself has a public authority or a mission of public interest (but not necessarily a legal obligation to process the data) and the processing is necessary for the exercise of that authority or for the performance of that mission”. “However, the processing must be ‘necessary for the fulfillment of a mission of public interest’. Alternatively, an official authority must have been conferred either on the controller or on the third party to whom the controller communicates the data, and the data processing must be necessary for the exercise of that authority. It is also important to emphasize that this official authority or public interest mission should normally be conferred or attributed through ordinary laws or other legal regulations. If the processing involves an invasion of privacy, or if this is otherwise required under national legislation to guarantee the protection of the affected persons, the legal basis must be sufficiently specific and precise in defining the type of data processing that can be allowed”.

In support of the above, we need only examine art. 10 of the GDPR, cited by the company: “The processing of personal data relating to criminal convictions and offenses or related security measures based on Article 6(1) may only be carried out under the supervision of public authorities or when authorized by Union or Member State law that establishes adequate guarantees for the rights and freedoms of the data subjects. A complete register of criminal convictions may be kept only under the control of public authorities”.

In our case, the legitimation that we now find, based on the public interest mission and collaboration with justice, would be different from the public interest invoked by the company, which legitimizes, via art. 6.1.e) of the GDPR and art.
22 of the LOPDGDD, video surveillance, especially because, as we have already indicated, some of the judgments examined speak generically of the use of electronic means to monitor the security measure, without specifying in a “specific and precise way when defining the type of data processing that can be allowed”.

Legitimation regarding the data of the possible customers of Mercadona.

The company relies on the exception provided for in art. 9.2.f) of the aforementioned GDPR to carry out “one-to-many” processing of the biometric data of Mercadona customers.

As we have indicated previously, the exception provided for in art. 9.2.f) of the GDPR, relating to the formulation, exercise or defense of claims, must be construed restrictively and on its own terms, due to its exceptional nature in view of the prohibition contained in the first section of art. 9 of the GDPR.

We have also pointed out that the proper understanding of art. 9.2.f) of the GDPR limits, according to a literal, systematic and teleological interpretation of the rule, the use of special categories of personal data to cases in which the processing of such data is necessary for the formulation, exercise or defense of claims.

Thus, we could understand that the concepts of “formulation”, “exercise” and “defense” could embrace not only the formulation, exercise or defense of a claim itself, but could also be extended to the enforcement of the resolution obtained after the formulation, exercise or defense of the claim, within the framework of effective judicial protection.

Let us transfer this to domestic law and to the specific “claim” process, since the exception is not indifferent to the functioning of the Spanish procedural system.
In the case under examination, the processing consisting of facial recognition, which, it should be remembered, was chosen by the company, derives from the imposition of a security measure on a specific person under a favorable court judgment obtained by Mercadona.

Since ours is a criminal judicial procedure, and confining it to the characteristics and defining elements established for it in the legal system, it would affect only the parties to the procedure (including, where appropriate, a third party summoned by the judicial body so that it can defend its rights), without its effects being extendable to third parties outside it.

When adopting the security measure, the judicial body weighs, as could not be otherwise, the effect of the security measure on the Fundamental Rights of the convicted person. The judicial body does not examine the impact of the security measure on third parties unrelated to the procedure, nor does it assess or weigh the effect of such a security measure on the Fundamental Rights of the latter (privacy and protection of personal data, among others). This is because such a decision does not concern them at all.

A criminal judgment between parties does not per se enable the processing of biometric data in a massive, “one-to-many”, remote and indiscriminate way, affecting a large and indeterminate population group, including minors. This is in addition to the total disproportion involved in the implementation of this system, which we will discuss later.

Extrapolating, we would arrive at the absurdity that the imposition of a security measure on one or more specific subjects in a court ruling, or even in an administrative resolution, could enable the establishment of massive facial recognition processing, which would violate the letter and spirit of the GDPR. The exception provided for in art.
9.2.f) of the GDPR, given its effect on sensitive categories of data and the risks inherent in the processing, must be interpreted restrictively and with extreme care when it affects an indeterminate and massive number of people who are wholly unrelated to the judicial resolution issued. It only enables the parties to the claim to use the biometric data necessary to exercise the claim itself, restricted to the specific affected person to whom the proceedings and the subsequent judicial resolution refer.

The biometric data of a potential Mercadona customer will not have been necessary to formulate the complaint. However, the facial recognition processing implemented by Mercadona, seen as a whole, directly affects all potential Mercadona customers, while being strictly unrelated to the claim itself.

In conclusion, art. 9.2.f) of the GDPR could lift the prohibition, but only by restricting such legitimation to a specific judgment, with the scope expressly stated in it, in relation to the specific security measures imposed, with respect to the persons mentioned in it, and for a limited territorial scope (a territory, or one or more supermarkets) and a limited time. This applies only to the convicted person.

However, the facial recognition system implemented by Mercadona, which lacks legitimacy under art. 9.1 of the GDPR, is highly intrusive, indiscriminately affecting an undetermined number of citizens. An indirect security measure of a criminal nature is imposed on them.

It generates a perverse effect because, in the end, with the *** NUM. 2 judicial proceedings that they say they file annually throughout Spanish territory, a facial recognition system would be activated in practically all supermarkets, monitoring all Mercadona customers, regular or not. In practice, it would amount to the large-scale establishment of a facial recognition system that is highly intrusive on the rights and freedoms of those affected.
It carries an extremely high, unacceptable risk.

In this sense, the “Guidelines on Facial Recognition” of January 2021 of the “Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)” state that private entities cannot deploy facial recognition systems in uncontrolled environments such as shopping malls, especially to identify persons of interest for security purposes: “Private entities shall not deploy facial recognition technologies in uncontrolled environments such as shopping malls, especially to identify persons of interest, for marketing purposes or for private security purposes”. (“Private entities will not use facial recognition technologies in uncontrolled environments such as shopping malls, especially to identify persons of interest, for marketing purposes or for private security purposes”. The translation is from the AEPD.)

Regarding rights, the aforementioned Guidelines clarify that they can be restricted only when so established by a law; that is, in our case, the rights of the data subjects cannot be restricted: “These rights can be restricted but only when such restriction is provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for specific legitimate purposes (such as law enforcement purposes), according to Article 11 of Convention 108+”. (“These rights can be restricted but only when that restriction is provided by law, respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for specific legitimate purposes (such as law enforcement purposes), in accordance with Article 11 of Convention 108+”. The translation is from the AEPD.)
On the other hand, we must examine whether the company has legitimacy for the processing of biometric data of a special nature (“one-to-many”) of the potential customers of Mercadona.

Apart from the general prohibition imposed in art. 9.1 of the GDPR that affects biometric data of a special nature, we return to art. 6.1.e) of the GDPR cited by the company. The legal basis, if these were not biometric data of a special nature, would be the same, the public interest, but in this case it is not based on the competence of a judicial body that, for the execution of a security measure, allows one of the parties to the criminal proceedings to process personal data of the convicted person (mission in the public interest).

It is obvious that citizens in general, potential customers of Mercadona, have not been part of the procedure, are not cited in the judgment, have not been considered for the purposes of implementing any electronic means, and are not affected by it.

In this case the public interest could apparently be found in video surveillance processing. Article 22 of the LOPDGDD regulates processing for video surveillance purposes, whose legitimacy lies, as stated in the Statement of Motives of that legal text, in the existence of a public interest purpose that falls under article 6.1.e) of the GDPR, since its purpose is “to preserve the safety of people and property, as well as its facilities”, an objective that goes beyond the mere legitimate interests of an individual.

In the field of private security, this regulation must be supplemented by the provisions of its specific legislation, namely the Private Security Law (LSP), article 42 of which regulates video surveillance services.
It states that “Video surveillance services consist of the exercise of surveillance through camera or video camera systems, fixed or mobile, capable of capturing and recording images and sounds, including any technical means or system that allows the same processing as these. When the purpose of these services is to prevent infringements and avoid damage to the people or property under protection, or to prevent unauthorized access, they will necessarily be provided by security guards or, where appropriate, by rural guards”.

In the case under examination, the video surveillance will be carried out by a private security company.

Now, as reasoned in Report 31/2019 of the Legal Office (entry: 010308/2019) of the AEPD, “video surveillance processing regulated in the LOPDGDD and the LSP refers exclusively to processing aimed at capturing and recording images and sounds, but does not include facial recognition processing, which is radically different processing because it incorporates biometric data, as the GDPR itself recalls in its Recital 51 when stating that ‘The processing of photographs should not systematically be considered processing of special categories of personal data, since they are only included in the definition of biometric data when being processed with technical means allows the unique identification or authentication of a natural person’. Consequently, the incorporation of facial recognition applications into video surveillance systems aimed at capturing and recording images and sounds will involve the processing of biometric data, regarding which the data protection authorities had been warning of the risks they imply for the rights of individuals”.
The aforementioned report cites several documents of the Article 29 Working Party, such as Opinion 4/2004 on the processing of personal data through video surveillance, the working paper on biometrics adopted on August 1, 2003, and Opinion 3/2012 on the evolution of biometric technologies, adopted on April 27, 2012, which set out the difference between conventional video surveillance systems and facial recognition and also point to a diverse set of important and significant risks, such as discrimination, the fact that the processing can be carried out without the knowledge of the data subject, the possible generalization of its use and the errors that may occur.

In accordance with the above, the legal basis included in art. 6.1.e) of the GDPR in relation to art. 22 of the LOPDGDD would be enough to carry out ordinary video surveillance processing (not of a special nature). But it would not be enough for a facial recognition system in the terms set out, that is, radically different processing that uses biometric data in a massive and remote way of the “one-to-many” type, without the prohibition established in art. 9.1 of the GDPR having previously been lifted. Therefore, it would be necessary to determine the precise legal basis for carrying out facial recognition processing (“one-to-many”), as well as the precise legal requirements for it.

Report 31/2019 of the Legal Office (entry: 010308/2019) considers that “The current regulation is considered insufficient to allow the use of facial recognition techniques in video surveillance systems used by private security (...)
it being necessary to approve a rule with the rank of law that specifically justifies to what extent and in which cases the use of these systems would respond to an essential public interest, with that legal rule defining, after the legislator has weighed the competing interests according to the principle of proportionality, each and every one of the material prerequisites of the limiting measure through rules that make the imposition of such a limitation and its consequences foreseeable, and establishing the adequate technical, organizational and procedural rules that prevent risks of varying probability and severity and mitigate their effects”.

The report concludes that the use of facial recognition in video surveillance systems used by private security is disproportionate, in view of the intrusion and the unacceptably high risks it poses for the fundamental rights of citizens, at least when it comes to relying on the exception of art. 9.2.g) of the GDPR as an essential public interest, pointing to the need for specific legal regulation (art. 8.2 LOPDGDD).

Legal Report 010308/2019 of the AEPD states “… in the case of special categories of data, the case contemplated in letter g) of article 9.2 does not refer only to the existence of a public interest, as the GDPR does in many other of its precepts, but is the only GDPR precept that requires it to be ‘essential’, an adjective that qualifies that public interest, taking into account the importance and the need for greater protection of the data processed.”

We can therefore see that, given the special characteristics of the data processing carried out (with an extremely high, unacceptable risk), we are not faced with what we could define as a common, ordinary video surveillance system. The system implemented, which incorporates facial recognition applications, has its own entity and significance, since it processes biometric data aimed at uniquely identifying a natural person through facial recognition, in a process of searching for “one-to-many” matches (the convicted person and the other people who enter the supermarkets, whether they are potential customers or employees), massively and remotely. This has been stated by the EDPB.

Legitimation regarding the data of Mercadona workers.

Furthermore, we must point out that there is another group affected by the introduction of facial recognition: the company's workers, who are also biometrically identified when entering the supermarkets.

The processing of the biometric data of Mercadona employees through a facial recognition system such as the one analyzed is not covered by the exception of art. 9.2.f) of the GDPR. Art. 20.3 of the Workers' Statute and the exceptions of art. 9.2.f) and 9.2.h) of the GDPR do not support the legitimacy of the processing for the intended purpose, which is to enforce a security measure derived from a judicial procedure between Mercadona and a person who has stolen products or caused damage to its facilities (Mercadona does not have standing to act in respect of the assaults and the personal and property damage suffered by its employees; that standing belongs to the latter).

What we indicated in the previous section on the use of the legal basis of art. 6.1.e) of the GDPR is fully applicable to Mercadona employees. This legal basis, without the exception of art.
9.2.f), cannot legitimize the processing of the biometric data of Mercadona employees.

We must point out that the data controller did not consider the group of supermarket workers when assessing and choosing processing consisting of a facial recognition system, in a way that respects this group and weighs the risks of violating its rights and freedoms.

This can be verified from an examination of the administrative file, since in the DPIA the categories of data subjects are “Subjects who have access to the MERCADONA centers; Subjects with a final sentence” (page 6). It can also be seen that the DPIA examines the threat that “Processing is carried out that implies systematic monitoring of the data subjects without them being aware of the activity and/or its scope […] The facial recognition system can systematically evaluate (although always with human intervention) the images of the people who access MERCADONA centers” (page 16).

Employees do not appear as differentiated subjects; they are not taken into account as a specific group affected by its own risks. However, they are detected by the facial recognition system every time they go in or out of the supermarket door, either to go to work or in the performance of their duties.

Of course, employees cannot be included among the “subjects who access the MERCADONA centers”; the latter are all potential customers, which is obvious because their risks, together with the possible risks to the convicted person, are the only ones examined throughout the DPIA. The specific and particular risks to workers are not examined. In this sense, it should be noted that the DPIA provided is incorrect.
In this regard, it is worth recalling the provisions of WP29 opinion WP248 on impact assessment: “… By virtue of the GDPR, failure to comply with the DPIA requirements may lead to the imposition of fines by the competent supervisory authority. Failure to carry out a DPIA when the processing requires an assessment of this type (article 35, paragraphs 1, 3 and 4), carrying out a DPIA incorrectly (article 35, paragraphs 2, 7, 8 and 9) or not consulting the competent supervisory authority where necessary [Article 36(3), letter e)] may result in an administrative fine of up to EUR 10 million or, in the case of a company, an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, whichever is higher…)”.

Thus, WP29 Opinion 2/2017 on data processing at work (adopted on June 8, 2017) establishes that “although the use of these technologies can be helpful in detecting or preventing the loss of the company's intellectual and material property, improving the productivity of workers and protecting the personal data for which the data controller is responsible, it also poses significant challenges in terms of privacy and data protection. Therefore, a new assessment is required of the balance between the legitimate interest of the employer in protecting its company and the reasonable expectation of privacy of the data subjects: the workers”.

Therefore, “Regardless of the legal basis for that processing, before it begins a proportionality test must be carried out in order to determine whether the processing is necessary to achieve a legitimate purpose, as well as the measures to be taken to ensure that violations of the rights to privacy and secrecy of communications are kept to a minimum. This can be part of a data protection impact assessment (DPIA)”.

In the case under examination, no proportionality test has been carried out
in relation to the risks to, and the effect on, the rights and freedoms of the employees. This follows clearly from the undoubted fact that they are not even cited in the DPIA in the administrative file as a specific group to be assessed.

As stated by WP29 in the aforementioned Opinion, “Data processing at work must be a proportionate response to the risks faced by an employer”. In the case under examination, it is not proportionate, given that the group was not even considered when the risks were determined.

It is essential to consider whether the processing (of the employees' biometric data) is proportionate and what the risks are, and in any case to address them in the DPIA. WP29 Opinion 2/2017 on data processing at work highlights the need to carry one out “in particular if new technologies are used that, by their nature, scope, context or purposes, entail a high risk to the rights and freedoms of natural persons”. This is because “Modern technologies allow workers to be subjected to monitoring over time, at workplaces and at home, through many different devices, such as smartphones, desktop computers, tablets, vehicles and wearable technology. If the processing has no limits and is not transparent, there is a high risk that the legitimate interests of employers in improving efficiency and protecting the company's assets become unjustified and intrusive control”.

In any case, the processing of the biometric data of the supermarket's employees entails indirect control of them (in the sense that the purpose of the processing is to identify the convicted person unambiguously). Full control.

If one must abide by the provisions of art.
89 of the LOPDGDD in order to respect the privacy of workers when video surveillance devices are used, this applies all the more when we are faced with processing distinct from video surveillance, more invasive, with more specific and higher risks, which involves the use of biometric data.

If that precept imposes the measure of informing employees and their representatives in advance, the same must be done in the case examined for the sake of transparency. The information must be provided, in any case, to the workers' representatives and to the workers themselves under art. 13 of the GDPR.

In the case of Mercadona, in view of the number of workers it has, the representative body will be the Works Council, since art. 63 of the Workers' Statute establishes that “The works council is the representative and collegiate body of all workers in the company or work center for the defense of their interests, being constituted in each work center with a census of fifty or more workers”.

For information, note the recent amendment of article 64.4.d) of the Workers' Statute Law, approved by Royal Legislative Decree 2/2015, of October 23 (Workers' Statute), which now reads as follows, in accordance with article 13.2.f) of the GDPR:

<< d) To be informed by the company of the parameters, rules and instructions on which the algorithms or artificial intelligence systems are based that affect decision-making that may have an impact on working conditions and on access to and maintenance of employment, including profiling. >>

In addition to the information and transparency obligations derived from data protection, employee representatives have the right to be informed and consulted in certain cases provided for by law. Art.
64 of the Workers' Statute (as in force on the date of the events) indicates on this point that “The works council shall have the right to be informed and consulted by the employer on those issues that may affect workers, as well as on the situation of the company and the evolution of employment in it, in the terms provided in this article. Information is understood as the transmission of data by the employer to the works council, so that it is aware of a specific issue and can proceed to examine it. Consultation means the exchange of opinions and the opening of a dialogue between the employer and the works council on a specific issue, including, where appropriate, the issuance of a prior report by the latter”.

It goes on to indicate that the works council will also carry out a task, under art. 64.7.a), “1.º Of monitoring compliance with the rules in force in labor, social security and employment matters, as well as with the other agreements, conditions and practices in force in the company, bringing, where appropriate, the relevant legal actions before the employer and the competent bodies or courts”, for which it will require information on the company's actions. We can connect this last precept with art. 5.1.a) and arts. 12, 13 and 14 of the GDPR and art. 89 of the LOPDGDD.

The administrative file contains a communication to the Inter-Center Committee of Mercadona on this matter. The inter-center committee is a second-level representative body, established by collective agreement and with the functions provided for therein (art. 63 of the ET), which cannot assume the functions of the Works Council, the body to which, for the reasons stated, these matters concerning the implementation of a facial recognition system should be communicated.
However, in light of the allegation submitted by the company, it should be noted that, indeed, in the present case the Inter-Center Committee has legally assumed the competence of the Works Council.

In any case, the communication made shows that, although the company considered this group to be affected by the facial recognition processing, the DPIA contains no reference to the risks to workers' rights (art. 35 GDPR and the list of types of data processing requiring a data protection impact assessment).

In this sense, as has already been pointed out, an incorrect impact assessment is grounds for sanction in accordance with the provisions of the EDPB guidelines, reference WP248 rev. 01, section I in fine.

That control by the facial recognition system in the terms set forth also produces coercive pressure on workers and can lead to an extremely high, unacceptable risk that restricts the freedom of employees, personally and professionally. It is a risk of their activities being tracked without sufficiently justified cause and, above all, one that was not taken into account when the DPIA was drawn up.

As determined by WP29 Opinion 2/2017 on data processing at work, “Systems that allow employers to control who can enter their facilities, and/or certain areas of their facilities, can also allow the monitoring of workers' activities”. In relation to video surveillance, it goes on to state that “Video surveillance continues to present the same issues for worker privacy as before: the ability to continuously record the behavior of the employee”.
We must not ignore other risks that can be inferred from all this, as the aforementioned Opinion goes on to indicate that “Although these systems have existed for years, new technologies aimed at tracking the time use and the presence of workers are becoming more widespread, including those that process biometric data and others such as tracking mobile devices” and that “Although these systems may constitute an important component of follow-up by the employer, they also pose the risk of providing an invasive level of insight and control over the worker's activities in the workplace”. Thus we find the highly plausible risk of combining data obtained from the video surveillance and biometrics system to continuously “follow” the behavior of the worker, although the facial recognition treatment was not originally established for that purpose. As GT29 concludes, “Therefore, businessmen must refrain from using facial recognition technologies. There may be some marginal exceptions to this rule, but such scenarios cannot be used to invoke a general legitimation of the use of this technology”. Paraphrasing GT29, compliance with a security measure aimed at a single specific person cannot be used to invoke a general legitimation of the use of this technology in the terms set forth, neither with respect to the employees nor any other citizen. For all the foregoing, we can conclude that the treatment as a whole does not have the legitimacy to be carried out, so it violates the provisions of arts. 9 and 6 of the RGPD, infractions typified in article 83.5.a) of said rule and considered very serious for the purposes of prescription in art. 72.1.e) and a), respectively, of the LOPDGDD.

VIII

It is necessary to carry out the proportionality judgment before initiating any treatment.
In this sense, the Constitutional Court has indicated, among others in Constitutional Court Judgment 14/2003, of January 28, that “to verify whether a measure restricting a fundamental right passes the judgment of proportionality, it is necessary to verify whether it meets the following three requirements or conditions: whether such a measure is likely to achieve the objective proposed (suitability judgment); if, in addition, it is necessary, in the sense that there is no other more moderate measure to achieve this purpose with equal efficacy (judgment of necessity); and, finally, if it is weighted or balanced, by deriving from it more benefits or advantages for the general interest than damages to other goods or values in conflict (judgment of proportionality in the strict sense)”. And this is based on the jurisprudence established by the European Court of Human Rights, that is, the passing of a triple judgment, in the sense of determining whether the interference caused by the measure to the holder of the restricted right is the minimum needed to achieve the legitimate aim pursued with it. The first thing we have to indicate is that, regarding Mercadona's facial recognition treatment - which affects the data processing not only of the convicted person, but of all potential clients and employees - the judgment of proportionality in the broad sense must be carried out in a timely manner. Notwithstanding the foregoing, where the judicial body has authorized a generic electronic means, or a specific one such as facial recognition, without indicating the form or way of carrying it out (see judgments), it is still necessary to carry out the proportionality judgment before starting treatment, to assess which means is more suitable, whether it is necessary to fulfill the purpose allowed by the judgment, and to examine the proportionality of the measure.
Second, the proportionality judgment, when it covers the treatment of biometric data, requires a particularly careful and detailed examination. The GT29, in its Opinion 3/2012 on the evolution of biometric technologies, indicates that “When analyzing the proportionality of a proposed biometric system, it is necessary to consider in advance whether the system is necessary to respond to the identified need, that is, if it is essential to satisfy that need, and not just the most suitable or profitable. A second factor to be taken into account is the probability that the system will be effective in responding to the need in question in light of the specific characteristics of the biometric technology to be used. A third aspect to ponder is whether the resulting loss of intimacy is proportional to the expected benefits. If the benefit is relatively minor, such as greater comfort or a slight saving, then the loss of privacy is not appropriate. The fourth aspect in evaluating the adequacy of a biometric system is to consider whether a means less invasive of intimacy would achieve the desired end”. Third, and already entering the examination of the proportionality judgment, regarding suitability, the facial recognition system may be suitable to comply with the restraining measure with respect to the convicted person, but it is not necessary, as there are less intrusive alternative measures, nor is it strictly proportional, in terms of deriving more benefits for the public interest than damages to other goods or values in conflict, taking into account that its massive and indiscriminate application is intended for all potential clients, regardless of the level of risk they represent, turning the exception that allows the processing of biometric data into the general rule, contrary to what is intended by the RGPD.
In this way, the previously cited judgments consider it possible to apply the security measure requested by the company, without ruling on the guarantees for the rights and freedoms of those affected that must be associated with its implementation and without justifying the application of any of the exemptions of art. 9.2 of the RGPD. Now, of course, the judicial body does not rule on the restriction of fundamental rights either for the convicted person or for the rest of the citizens through the implementation of the generalized facial recognition system, as this exceeds the scope of its competence. And in this sense it has already been pointed out, and it will be insisted later, that said treatment is prohibited in application of art. 9.1 of the GDPR. Let us take as an example the aforementioned Judgment of Santander, in which it is indicated that “It is also requested that the establishment be authorized to control this measure through the electronic means available to the entity Mercadona for facial recognition, pursuant to art. 58.4 CP, which provides: “The judge or court may agree that the control of these measures shall be performed through those electronic means that allow it”. There is absolutely no inconvenience in granting what is requested, since the impact on the sphere of rights or interests of the convicted person is minimal, as it is only a means or instrument available to the establishment to enforce what has been agreed more effectively”. Thus, it authorizes the implementation of the security measure with respect to the convicted person, assessing conflicting interests, without even examining the impact on Mercadona's clients and workers (as none of them are part of the criminal proceedings).
It may, therefore, be a suitable measure with respect to the convicted person, but it is not with respect to the rest of the citizens, specifically Mercadona's clients and workers, who are affected in an indiscriminate way. Therefore, the facial recognition treatment as a whole, integrating the treatment of biometric data of potential clients and employees of Mercadona, is not suitable. There are other systems or ways of carrying it out that do not affect their rights and public freedoms. Let us remember that, even understanding that this biometric data processing implemented by Mercadona is the one authorized by the judicial body, it would only be for the purpose of adopting a security measure in relation to the convicted person and, even so, respecting his fundamental rights, unless there is a judicial resolution to the contrary. In any case, there are means that are less invasive of the rights and freedoms of prospective customers and supermarket employees to achieve the intended purpose; some of these could fall directly on the convicted person (such as, together with the prohibition to go to certain places, imposing on the convicted person a minor penalty of permanent location or imposing a location system on him, which would be assessed by the judicial body at the request of the party concerned) without affecting at all, at any time, the rights and freedoms of anyone else; others could be the traditional ones of hanging the photograph of the convicted person in the place - with restricted and controlled access - where ordinary video surveillance images are displayed, or having the photograph of the convicted person, stored on an electronic device, manually compared “one-to-one” at the entrance of the establishment. Fourth, and once the decision to install the system has been made, it must be necessary “in the sense that there is no other more moderate measure for achieving this purpose with equal efficiency”.
It should be examined whether carrying out the treatment requires a certain pre-established way or whether, of all the options available, it is the one that is more moderate and has less impact on the rights and freedoms of the citizens concerned, in accordance with the RGPD and LOPDGDD regulations. We will start from the concept of the need for treatment, which should not be confused with its utility. A facial recognition system can be helpful, but does not have to be objectively necessary (the latter being what really must be present). As established by GT29 - Opinion 3/2012 on the evolution of biometric technologies - it should be examined “if it is essential to satisfy that need, and not just the most suitable or profitable one”. In this sense, the AEPD, analyzing the need for a treatment, concludes that, “If it is necessary or not, in the sense that there is no other more moderate measure for the achievement of such purpose with equal effectiveness, since the activity can be carried out manually. The term need should not be confused with useful, but whether the treatment is objectively necessary for the purpose” - among others, PS/00052/2020. If there is no objective need for the treatment now under analysis, if it is not essential to satisfy that need, the treatment is not proportional or lawful. Consequently, it is prohibited. In the case examined, the facial recognition system can be useful, but not necessary, since, while it is not the only one with which the intended purpose can be achieved, as there are multiple alternatives, it is the only one that can produce a devastating interference with the rights and freedoms of citizens. Consequently, it is insisted, it is prohibited. In this same sense, the SEPD expresses itself in an article of October 28, 2019 titled “Facial Recognition: A solution in search of a problem?”, addressing this type of treatment.
Thus, it requires that treatment by facial recognition be “demonstrably necessary”, that is, objectively necessary, with no other less intrusive alternative means through which the same objective is obtained, and expressly states that “the efficiency and convenience are not sufficient justification”. (Retrieved on February 22, 2020 from https://edps.europa.eu/press-publications/press-news/blog/facial-recognition-solution-search-problem_en.) Moreover, for further emphasis and for merely illustrative purposes, we cannot ignore the fact that the convicted person can easily circumvent the facial recognition system with a simple mask - as explained in the AEPD note on the “14 mistakes in relation to biometric identification and authentication” - so that it could happen that, once the system was implemented, it was neither useful nor effective for the purpose claimed by the supermarket. Here, the principle of minimal intervention comes into play (art. 5.1.c) and art. 25.1 RGPD), because, in addition, it must be proven that there is no other more moderate measure for the achievement of the intended purpose with equal effectiveness, in the framework of the proactive responsibility of the data controller. Although the court generically authorizes the facial recognition system, it does not oblige Mercadona to install it, nor does it prevent the establishment of another with which the same purpose can be achieved by less intrusive systems. Nothing would happen if, instead of installing a facial recognition system like the one now analyzed, Mercadona chose another that would allow it to make the security measure effective (e.g. an ordinary surveillance system with or without a security guard, i.e. not remote, “one-to-one”).
Furthermore, the authorization of the judicial body is not at all a carte blanche, nor does it confer an unlimited right on Mercadona, which must comply with the data protection regulations. Especially because the establishment of this facial recognition system may de facto involve the improper imposition of a security measure on all customers and employees of Mercadona, as has happened. In this same sense, Report 36/2020 of the Legal Office of the AEPD, regarding the use of facial recognition techniques in conducting online evaluation tests, pointed out that “the existence of a public interest does not legitimize any type of personal data processing, but must be subject, in the first place, to the conditions of the legislator, as provided for in article 6 of the RGPD, in its sections 2 and 3, as well as the aforementioned principles of article 5 of the RGPD, especially those of limitation of the purpose and minimization of data. And in case any of the personal data included in the special categories of data referred to in article 9.1 of the RGPD are to be processed, that any of the circumstances contemplated in its section 2 concur that lift the prohibition on the processing of said data, established with general character in its section 1”. Fourth, and with regard to proportionality in the strict sense, we must examine how many convictions they have obtained, what measure was agreed in each of them, regarding how many people, how many supermarkets such sentences affect, and whether all this is proportional in relation to the number of clients that enter their centers each day and the total number of supermarkets that they have in Spanish territory. Thus, we must consider whether the adoption of such treatment is weighted and balanced, deriving from it more benefits or advantages for the general interest than damages to other goods or values in conflict.
Set against the interest of Mercadona in enforcing a restraining order (with respect to someone who has committed a minor crime in its facilities) are the rights to privacy and data protection of all its customers and employees. At a glance, it turns out that the treatment is excessive. To make effective a security measure for an average of *** NUM. 3 people per year throughout the territory of the Spanish State - according to its calculations, on an average of *** NUMBER 2 judicial processes - for a limited period established in the sentence - which can be a maximum of six months as it is a minor offense - it could end up monitoring, once implemented in all shopping centers, an average of *** NUM. 7 clients per year (…). This measure would also affect its workforce, which numbers more than 100,000 workers. Mercadona has 1,624 establishments in Spanish territory. Or, in other words, to control a single person's access to Mercadona, an average of *** NUM. 1 potential daily customers per store will be controlled (to be multiplied by the number of stores affected by the security measure). Mercadona alleges that the system has only been installed in *** NUMBER 8 centers, and that consequently the above numbers are incorrect. In this sense, it must be noted that the aforementioned *** NUMBER 8 establishments refer to “test” mode and the highly plausible intention is its extension to the whole of its commercial establishments. If adopting a security measure regarding one citizen requires massively and indiscriminately processing the personal data of the rest of the citizens, the treatment is clearly disproportionate. Let us add that we are dealing with the processing of biometric data intended to uniquely identify a person. A system would be installed in the private sphere that is not being used by the State Security Forces and Bodies, which pursue the achievement of general interest purposes.
Regarding the immense amount of data collected, it should also be added that there is no evidence that adequate technical measures have been taken to prevent a possible transfer of such data to third parties, including third countries outside the EEA. The measure taken is limited to a formal contractual prohibition between the company and the entity in charge and owner of the applied software (*** COMPANY.2), based on a prior authorization from the person in charge, without previous studies that reliably prove the technical impossibility of carrying out the aforementioned transfer to third countries, given the extremely high (unacceptable) risk that would lead to a reduction in the rights, guarantees and freedoms of those affected. Regarding the disproportion of the treatment, we must note that the personal data of any person who enters the supermarket is processed, whether they buy or not, including minors who cannot be held criminally liable. Such minors can in no case be affected by a conviction. The company argues that it is not possible to detect the age of the people affected, which is all the more reason not to carry out this type of treatment. The extremely high risk assumed in the treatment is unacceptable. Also for these reasons there would be a violation of the principle of data minimization (art. 5.1.c) RGPD). Thus, it can be verified from the simple examination of the administrative file that, in the EIPD, regarding the threat that “inadequate, irrelevant, excessive or unnecessary data is processed for the intended purpose”, no mention is made of these data, which are entirely excessive (page 13).
They limit themselves to considering only the data of the convicted person with regard to the principle of minimization, since they state that “Only the data derived from final judgments, in which MERCADONA is a party and images have been provided during the procedure as evidence, which determine that the restraining order is made effective through the possible use of new technologies”. As regards the principle of minimization, which is mandatory in all personal data processing (article 5.1.c) of the RGPD), in view of the documentation sent and the description of the treatment carried out, we can consider that the facial recognition system implemented by Mercadona in forty (*** NUM. 8) of its shopping centers processes biometric data aimed at unequivocally “identifying” a natural person, in a “one-to-many” matching search process subject to the provisions of article 9 of the RGPD, a treatment also called by the doctrine “mass and remote”, in order to differentiate it from other automated facial treatments, also biometric, of a comparative “one-to-one” type aimed at “authenticating” a person against a database (which could also be of facial images), automated or with human intervention in each of the checks, with less intrusive features. This is the case of having on an electronic device the database of images to be compared (people of undoubted identity) and limiting oneself to manually performing the “one-to-one” comparison to “authenticate”, what the doctrine calls “non-remote mass” treatment. There is no doubt that the latter type of treatment would considerably minimize the risks of violating the rights, guarantees and freedoms of the people who enter the establishment by limiting itself to what is necessary and pertinent (principle of minimization, art. 5.1.c) GDPR). Consequently, this processing operation in the terms set forth violates the provisions of art. 5.1.c) of the RGPD, an offense typified in art. 83.5.a) of said rule, considered very serious for the purposes of prescription in art.
72.1.a) of the LOPDGDD, when treating personal data that is excessive for the purpose to which it is directed.

IX

It is necessary to carry out the impact assessment before starting any high-risk treatment in order to be able to detect, where appropriate, those unacceptable risks that would prevent treatment. In the case analyzed, in addition, a DPIA must be carried out. In this sense, it is required when “it is probable that the processing operations pose a high risk to the rights and freedoms of natural persons”, recital 84 RGPD, “before treatment”, recital 90 RGPD, and will be carried out under the terms of art. 35 of the GDPR. The treatment intended by Mercadona is included in the list of types of data processing that require a data protection impact assessment (art. 35.4). The EIPD must include the aforementioned proportionality judgment. Before implementing a “one-to-many” facial recognition system, the controller should first assess whether there is another less intrusive system with which the same purpose is obtained. Section 72 of CEPD Guide 3/2019 “On processing of personal data through video devices” clarifies in this regard that “The use of biometric data and in particular facial recognition entail heightened risks for data subjects' rights. It is crucial that recourse to such technologies takes place with due respect to the principles of lawfulness, necessity, proportionality and data minimization as set forth in the GDPR. Whereas the use of these technologies can be perceived as particularly effective, controllers should first of all assess the impact on fundamental rights and freedoms and consider less intrusive means to achieve their legitimate purpose of the processing”. (“The use of biometric data and, in particular, facial recognition carries greater risks for the rights of data subjects.
It is fundamental that the use of such technologies takes place respecting the principles of legality, necessity, proportionality and data minimization established in the GDPR. Considering that the use of these technologies can be perceived as particularly effective, managers should first assess the impact on fundamental rights and freedoms and consider less intrusive means to achieve their legitimate goal of processing”. The translation is from the AEPD). However, Mercadona has requested the adoption of a security measure in the courts consisting of facial recognition treatment before assessing the concurrence of risks and the need to carry out a DPIA, which does not appear in the administrative file - as evidenced by the fact that the DPIA is subsequent to the request for such a security measure in a plurality of criminal proceedings. Even if the DPIA is prior to the execution of the treatment, the adequate understanding of proactive responsibility and privacy by design implies assessing, from the very moment a treatment of personal data is first outlined, whether it can be carried out. Thus, the first moment of the idea of requesting the security measure consisting of a facial recognition treatment before courts and tribunals should have been the occasion to assess and detect the risks to the rights and freedoms of citizens. It should be added that the risks derived from such automaticity are high in themselves and, in fact, unacceptable, since the initial inherent risk cannot be reduced to adequate levels (residual risk), as there is a legal prohibition as set out in article 9.1 of the RGPD.
Such treatment occurs without intervention as soon as the corresponding system is installed and activated, in such a way that the person concerned cannot prevent the processing of their personal data as regards the exercise of the right of suppression and opposition, which may imply an infringement of art. 35 of the RGPD, typified in article 83.4.a) of said norm and considered serious for the purposes of prescription in art. 73.t) of the LOPDGDD (in this sense, see GT29 248 already mentioned).

X

In this approach, they ignore and do not consider the possibility that data of all potential customers entering the supermarket that are inadequate, irrelevant, excessive or unnecessary for the intended purpose are being processed. They have not considered for a moment that this is the situation of minors who cannot be held criminally liable. Although in principle the personal data of minors are not specially protected simply on account of their age, it is also the case that the legal system protects them especially, because of their special vulnerability. This protection is specifically deployed in the field of personal data protection from Convention 108 of the Council of Europe - “specific attention shall be given to the data protection rights of children and other vulnerable individuals” -, going through the RGPD and the LOPDGDD, to Organic Law 1/1996, of January 15, on the Legal Protection of Minors, of partial modification of the Civil Code and the Civil Procedure Law. The latter establishes in its article 2 that “Every minor has the right to have his best interests valued and considered as paramount in all actions and decisions that concern him, both in the public and private sphere”, specifying this in its art. 4 regarding the right to honor, personal and family privacy and one's own image, and in its art. 22c regarding the treatment of personal data. Art.
28.2 of the LOPDGDD provides, as one of the greatest risks that must be addressed by the controller and the processor, “e) When the data processing of affected groups is carried out in a situation of special vulnerability and, in particular, of minors and people with disabilities”. In this sense, we will highlight recital 38 of the RGPD, which establishes that “Children deserve specific protection of their personal data, since they may be less aware of the risks, consequences, guarantees and rights concerning the processing of personal data. Such specific protection should apply in particular to the use of personal data of children for the purposes of marketing or profiling of personality or user, and to obtaining personal data related to children when using services offered directly to a child. The consent of the holder of parental authority or guardianship should not be necessary in the context of preventive or advisory services offered directly to children”. For this reason, the AEPD has clarified in its guides the special recommendations for the protection of minors, as happens with video surveillance in relation to image capture in school environments.

XI

Regarding transparency, in relation to the information provided to those interested, there are several aspects to review. First of all, in the present case, it should be noted that the treatment analyzed does not comply with the rules of the RGPD as indicated above, so it is a prohibited treatment. However, we proceed to analyze briefly the informative posters. First, regarding the posters, they indicate that it is “to detect only those people with a restraining order or analogous judicial measure in force that may pose a risk to your safety”. These convicted persons generate risk to the property and facilities of the supermarket, which is why they have been condemned.
The security risk to clients is clearly indirect and very tangential. And the security of customers is ensured by the ordinary video surveillance system. There is no transparency in the information. In the administrative file, in the EIPD, the context is stated as follows - copied literally - “Facial recognition system to identify external agents with a current restraining order issued within the framework of a final judgment, enabling the use of technological means for its effectiveness, harmful to MERCADONA employees and centers”, page 4. We find the same when, in the aforementioned document, they determine the purpose of the treatment, which again is restricted to the security of its employees and its assets (Mercadona centers): “Facial recognition system to identify external agents with a restraining order in force issued within the framework of a final judgment, allowing the use of technological means for its effectiveness, harmful to employees and MERCADONA centers”, page 6 (private interests). They do not cite the supermarket chain's customers as potential objectives of “your security”. Surprisingly, they do so in the aforementioned posters and in the information they give their employees for providing explanations to potential clients. The information provided is not correct, nor does it fit the purpose (to make effective a security measure), since the system is not put into operation to protect customers, but Mercadona, as a result of obtaining a judgment favorable to its interests (containing a penalty for the convicted person). In any case, the ordinary security system is sufficient to guarantee the security of the clients (art. 22.1 of the LOPDGDD). It is not necessary to establish a facial recognition system like the one now analyzed to guarantee the safety of customers, because if it were necessary for such purposes, it would be the one ordinarily established in all types of facilities.
Without However, this facial recognition system is a security system extraordinary when biometric data is processed in order to identify univocally to a person "one-to-many" and remotely meet included in the special category of personal data (art. 9 of the RGPD). As we have pointed out before, the information provided in the posters of the supermarkets is the same, without specifically indicating in which of them it is activated the system or if by simply hanging the poster it is found activated, or for how long it is activated (duration of the security), nor is the specific purpose explicit. The impression is passed on to customers that in all supermarkets there is installed the system and permanently. Potential customers are stolen the possibility of not entering the specific supermarket and choosing another in which you do not the facial recognition system is installed. It is de facto limiting the right of self-determination, freedom and privacy. Derivative risks of this incorrect information are clear, the impairment of their freedoms and Fundamental rights. The information should indicate whether or not the system is installed. Especially if so and as Mercadona affirms, it will only use the system “in the event that it is part of a judicial procedure in which, by means of a final resolution, determine the use of facial recognition to enforce orders for remoteness". Second, that in the case of such invasive technologies and, based on the Reasons set forth above regarding minors and other vulnerable groups that deserve special protection, the information provided should be specific to them. Recital 58 RGPD, on the principle of transparency (information) “… Since children deserve specific protection, any information and Communication whose treatment affects them must be facilitated in clear language and simple that is easy to understand ”. 
And article 12 of the GDPR states that “The controller shall take appropriate measures to provide the data subject with all the information indicated in articles 13 and 14, as well as any communication under articles 15 to 22 and 34 relating to the processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular any information addressed specifically to a child…”.
Although the DPIA indicates that “The use of innovative technologies such as facial recognition poses a risk to subjects due to their novelty and the lack of knowledge about how they work. MEASURES: The processing and the technology used are reported clearly and transparently”, page 17, there is no additional, specific measure to convey the information adequately to minors and other vulnerable groups. The information provided is the same for everyone.
Third, regarding transparency and possible international transfers, which the company asserts will not take place, the truth is that the data processor contract provides for the possibility of international transfer in certain cases: “8.2. In case of transfer of personal data to a third country that does not belong to the European Union, a country that does not have an adequate level of protection, or an international organization, the Data Processor must obtain the prior written authorization of the Data Controller and cooperate to guarantee an adequate protection framework under current regulations, through the application of binding corporate rules, the formalization of standard contractual clauses adopted by the European Commission or, where applicable, obtaining authorization of the transfer from the competent authority”. Customers are not informed of such a possibility, nor is it established how they would be informed if this situation finally occurred.
The absence of technical measures to avoid possible undue international transfers has already been noted above. The lack of transparency in the information, which prevents those affected from being warned that the implemented processing is not possible but rather prohibited, constitutes another of the volitional elements of responsibility.
Consequently, the information provided by the company both to the general public and to employees violates the provisions of art. 12 of the GDPR by failing to comply with the requirements cited in art. 13 of said rule, an infringement typified in article 83.5.b) and considered very serious for the purposes of prescription in art. 72.1.h) of the LOPDGDD.
XII
The foregoing is applicable to the information provided in the “privacy policy”, which is limited to informing generically, regarding the processing by the facial recognition system or early detection system, of the following:
Data categories: biometrics (in those stores in Spain where the early detection system is implemented).
Purpose: “Carry out the necessary actions to protect the vital interests of customers when necessary, or the fulfillment of judicial decisions and the measures agreed upon therein”.
Data retention time: “In relation to the protection of the vital interest of persons and the execution of judgments or resolutions that carry restraining orders concerning work centers and/or persons, the data will be processed and kept for the time necessary to comply with the judicial measures of those persons sentenced to said restraining order (in those stores in Spain where the early detection system is implemented). However, the data collected incidentally in order to fulfil said purpose will remain on the server only during the checking process (this check takes tenths of a second).
Once this check has been performed, the data will be definitively destroyed (in those stores in Spain where the early detection system is implemented)”.
International transfers: “In those cases in which Mercadona has service providers or suppliers located outside the European Union, the international transfers made with them are fully guaranteed according to the standards established by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, and the criteria of the Spanish Agency for Data Protection”.
Legitimation: “Sensitive data will be processed for reasons of public interest, with the corresponding considerations provided for by data protection regulations, which must be proportional to the objective pursued, which is to enforce the law, respecting the remaining principles of the data protection regulations and establishing adequate and specific measures to protect the interests and rights of data subjects, on the basis of the law of the Union or of the Member States (in those stores in Spain where the early detection system is implemented)”.
Data communication: “The State Security Forces and Bodies, by virtue of what is established in the law”.
Other information: “In the same way we inform you that, in order to improve the security of customers and employees, Mercadona, based on the public interest, can process your image or your biometric facial profile to identify subjects with a restraining order (or analogous judicial measure) in force against Mercadona or against any of its workers (in those stores in Spain where the early detection system is in place).
These images will only be processed internally by Mercadona, being communicated exclusively to the Security Forces and Bodies in order to protect the safety of Mercadona customers and workers and compliance with the judicially decreed measures (in those stores in Spain where the early detection system is implemented)”.
Rights: (…) regarding objection, “In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. Mercadona will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims”.
XIII
On the other hand, there are the risks derived from errors in the identification of a person who is not prohibited from access by the security measure, which are intrinsically linked to the design by default indicated in art. 25.1 of the GDPR.
In these facial recognition systems, a pattern is used to perform the facial recognition. The pattern is the result of an initial processing of personal data, and it too constitutes personal data included within the scope of the right of access that may be exercised. It is known, however, that “the stored biometric information (e.g. the pattern) allows the original biometric information (e.g. the face) to be partially reconstructed. This partial reconstruction is sometimes faithful enough for another biometric system to recognize it as the original” (AEPD note “14 misunderstandings regarding biometric identification and authentication”). This ties in with the need to carry out regular evaluations to verify the relevance and sufficiency of the guarantees granted (section 4 of Guidelines 3/2019 on processing of personal data through video devices, of the EDPB).
There are several studies on facial recognition, both of the “one-to-one” type (biometric data) and of the “one-to-many” type (special category biometric data), which refer to the high error rates in certain cases, inherent in the incipient technology and the scant datafication of the artificial intelligence systems applied. In this sense, the great global demand for “data” to feed this type of software makes it necessary to take measures, at least technical ones, to avoid undue transfers and, in particular, possible international transfers that would in the future make it possible to identify the affected person in environments and for purposes very different from the initial ones.
To that end, we note the studies carried out by C.C.C., which showed that the high error rates in the identification of individuals through facial recognition occur with people of color and women (in the latter case, whatever the color of their skin). In this second case, the errors stem from the minimal number of images of women contained in the training sets and the test sets (which mostly use images of white men). C.C.C. also considers that facial recognition does not work well on children and elderly adults, and perceives the existence of what is called algorithmic bias. (*** URL.1) *** URL.2
In addition, we must mention the identification errors that can currently occur due to the pandemic situation, which makes masks mandatory for everyone. The United States National Institute of Standards and Technology (NIST) has conducted, since 2002, various independent evaluations of commercial facial recognition technology systems: the Face Recognition Vendor Test. One of its evaluations focused on the massive use of masks, concluding that the error rate of today's most widely used facial recognition algorithms skyrockets to between 5% and 50%.
(Retrieved February 22, 2021 from https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt https://pages.nist.gov/frvt/html/frvt_facemask.html https://www.nist.gov/news-events/news/2020/07/nist-launches-studies-masks-effect-face-recognition-software)
Identification errors also occur in relation to family members and siblings, as stated by the AEPD in its note on the “14 mistakes in relation to biometric identification and authentication”.
It is true that the error rate predictable from the design stage is a controversial issue, since greater technological development in the more or less near future will improve the accuracy rate.
(Retrieved on February 22, 2021 from https://itif.org/publications/2020/01/27/critics-were-wrong-nist-data-shows-best-facial-recognition-algorithms)
But, today, it is one more risk that cannot be accepted, since inaccuracy is predictable from the moment this type of information system is designed to identify the convicted person, and confusing that person with another may generate an unacceptable risk of discrimination and social exclusion. All this is in addition to the considerations already set out regarding the lack of a legal provision that legitimizes the processing (prohibited processing) and ensures the appropriate level of proportionality vis-à-vis the rights and freedoms of those affected.
The breach of data protection by design violates article 25.1 of the GDPR, an infringement typified in article 83.4.a) and considered serious for the purposes of prescription in art. 73.d) of the LOPDGDD.
XIV
Regarding the risks derived from the processing, it must be taken into account that facial recognition is a method of involuntary identification through the use of biometric data, as established in the Ethics Guidelines for Trustworthy AI, a document presented in 2019 and produced by the High-Level Expert Group on Artificial Intelligence under the auspices of the European Commission.
The risks derived from such automation are very high in themselves, since a person cannot prevent the processing of their personal data, because the processing (the capture and subsequent processing of the biometric data of the face, in the case of facial recognition) occurs automatically, without human intervention, as soon as the system is installed and activated.
In fact, the cited document lists the identification and tracking of people through artificial intelligence techniques as one of the first and major concerns and, for present purposes, states that “automatic identification raises serious concerns from both a legal and an ethical point of view, since it can have unexpected effects on many psychological and sociocultural levels”; therefore, it differentiates “between the identification of a person versus track and trace, and between selective or mass surveillance”. Likewise, it asserts that the application of this type of technology must be clearly justified in existing legislation, which is not the case here.
Furthermore, we cannot ignore that a facial recognition system such as the one now analyzed collects much more information about the subject than other types of processing, and that the affected person cannot prevent this, as a consequence of the automation and the algorithms applied, since “depending on the biometric data collected, data about the subject can be derived such as race or gender (even from fingerprints), emotional state, illnesses, genetic defects and characteristics, substance use, etc. Being implicit, the user cannot prevent the collection of said supplementary information” (AEPD note on the “14 mistakes in relation to biometric identification and authentication”).
Regarding the risks of social exclusion, discriminatory risks and the principle of accuracy, it should be noted that we can perceive two major risks of social exclusion derived from a possible malfunction of the system implemented by the company.
In this sense, Guidelines 3/2019 on processing of personal data through video devices (Version for public consultation. Adopted on 10 July 2019) state that “In addition to privacy issues, there are also risks related to possible malfunctions of these devices and the biases they may induce. Researchers report that software used for facial identification, recognition, or analysis performs differently based on the age, gender, and ethnicity of the person it’s identifying. Algorithms would perform based on different demographics, thus, bias in facial recognition threatens to reinforce the prejudices of society. That is why, data controllers must also ensure that biometric data processing deriving from video surveillance be subject to regular assessment of its relevance and sufficiency of guarantees provided”.
(“In addition to privacy concerns, there are also risks related to possible malfunctions of these devices and the biases they can induce. Researchers report that the software used for facial identification, recognition or analysis performs differently depending on the age, gender and ethnicity of the person it is identifying. The algorithms would perform on the basis of different demographics; therefore, bias in facial recognition threatens to reinforce prejudices in society. Therefore, data controllers must also ensure that biometric data processing derived from video surveillance undergoes periodic evaluation of its relevance and of the sufficiency of the guarantees provided”. The translation is from the AEPD).
On the one hand, we find a long-term risk of discrimination against a criminally convicted person who (even after having served the sentence and having the criminal record expunged) continues to be identified as subject to a restraining order with respect to the supermarkets.
The DPIA should cover all issues related to the principle of accuracy; in the one carried out by the company there is no evidence that these risks were specifically assessed and considered beforehand, which has led to undue processing operations that impair the guarantees, rights and freedoms of those affected.
To this we must add that the DPIA provided by the company does not contemplate any evaluation of the impact on minors who enter the premises or on its employees, and that it empties of content the exercise of certain rights contained in articles 12 and 13 and 15 to 22 of the GDPR.
These deficiencies in the preparation of the DPIA, with the aforementioned consequences, should be considered a substantial defect that de facto invalidates the DPIA carried out.
Consequently, the lack of knowledge of the possible impacts of the implemented data processing on the freedoms and rights of those affected and, consequently, the absence of corrective measures that minimize it or, as is the case, that invalidate it, constitutes an infringement of article 35 of the GDPR, typified in article 83.4.a) of said rule and considered serious for the purposes of prescription in art. 73.t) of the LOPDGDD.
For illustrative purposes only, we note that some companies have abandoned their facial recognition businesses and programs because of interference with privacy and clear risks of racial discrimination.
There is also a general risk in using biometric data from facial recognition, in that everyone who enters the supermarket is turned into a possible suspect, subject to indiscriminate biometric surveillance (it does not discriminate by group, age, vulnerability, etc.), which implies an abuse of biometric data and a clear interference with the fundamental rights and public freedoms of citizens. This is how it has been understood by the European Citizens' Initiative (ICE) entitled «Civil society initiative for a ban on biometric mass surveillance practices», presented to the European Commission in January 2021.
Regarding the specific risks to vulnerable subjects, the European Union Agency for Fundamental Rights (referred to by the acronym UEFRA) produced in 2019 a document entitled “Facial recognition technology: fundamental rights considerations in the context of law enforcement”.
It examines, in addition to the risks to privacy, personal data protection and discrimination arising from processing with a facial recognition system, other rights, freedoms and legal interests affected.
It makes specific mention of certain particularly vulnerable groups: minors, elderly people and people with disabilities. Regarding minors, it indicates that “Facial recognition systems affect the rights of children in different ways. […] The child’s best interests must also be given a primary consideration in the context of using facial recognition technology for law enforcement and border management purposes. […] Due to the particular vulnerability of children, the processing of their biometric data, including facial images, must be subject to a stricter necessity and proportionality test, compared to adults. […] Software tests clearly indicate that images of younger people result in considerably more false negatives (misses) compared to other age groups, most probably due to rapid growth and change in facial appearance”.
(“Facial recognition systems affect the rights of children in different ways. [...] The best interests of the child should also be a primary consideration in the context of the use of facial recognition for law enforcement and border management. [...] Due to the particular vulnerability of children, the processing of their biometric data, including facial images, must be subject to a stricter necessity and proportionality test, compared to adults. [...] Software tests clearly indicate that images of younger people result in considerably more false negatives (misses) compared to other age groups, most likely due to rapid growth and change in facial appearance”. The translation is from the AEPD).
Therefore, given the special protection that the legal system provides to children, the assessment of the proportionality of processing the personal data of minors through biometric systems must be subject to a much stricter test of necessity and proportionality than that which would apply to adults. This is not reflected in the DPIA carried out by Mercadona.
The examination is entirely generic and omits high-risk groups, a circumstance which, had it been taken into account, would have yielded a finding of extremely high, unacceptable and therefore prohibited risk.
The risks to the rights and freedoms of Mercadona's employees have not even been considered in the DPIA presented.
Earlier we mentioned the right to self-determination. Attached to it, together with the right to privacy, arises the real risk of loss of freedom and privacy. Judgment 600/2019 of the First Civil Chamber of the Supreme Court, of November 7, 2019 (Rec. 5187/2017), examined how the right to privacy was affected by the installation of a fake camera; it thus recognized as part of the right to privacy the right not to have to endure permanent uncertainty regarding a camera that may or may not be activated, real or fake. It is true that the case concerned a camera pointed at a private property and not at a public space, but it serves to illustrate the impact on privacy. The undoubted fact is that no one behaves the same if they are being recorded, or believe they are; if a fake camera can produce a more than significant impact on privacy, whether located in a private or public space, imagine the repercussions of a fully operational camera and, furthermore, the impact of massive and indiscriminate facial recognition of the “one-to-many” type.
The risk is increased by the lack of adequate information on the posters, as we have explained in previous sections.
Opinion 3/2012 on developments in biometric technologies of the Article 29 Working Party (GT29) considers that “However, these systems used on a large scale can produce serious side effects. In the case of facial recognition, where biometric data can easily be captured without the knowledge of the data subject, widespread use could end anonymity in public spaces and allow continuous tracking of people”.
It must be added, regarding the risks derived from the exercise of rights, that the DPIA presented by the company, page 17, identifies as one of the threats to the group of people who enter the supermarkets that “No means have been made available, or the data subject has not been informed, regarding the option of objecting to automated decision-making”, explaining that “Although subjects are informed of the possibility of exercising their right to object (based on the legitimacy of article 6 of the GDPR), this can present certain risks”.
Subsequently, among the measures to be adopted, it indicates that “based on article 21.1 MERCADONA must stop processing the data unless it proves compelling legitimate reasons for the processing that prevail over the interests, rights and freedoms of the data subject, or for the formulation, exercise or defense of claims”.
Since the data processing of the facial recognition system is automatic, massive and remote, and the image is captured and processed automatically, this measure (making the right of objection/erasure effective) is impossible to carry out short of uninstalling the system installed in all supermarkets. If a data subject exercises the right of objection/erasure and is entitled to it, the objection affects the processing of data by the supermarket from the very capture of the facial image, regardless of which supermarket the data subject enters.
In the documentation provided by the company (Doc. 7.1 and Doc. 7.2), the denial of the right of objection exercised is not justified, being based generically on the existence of “… an overriding public interest…”.
Recital 69 of the GDPR states: “(69) Where personal data may lawfully be processed because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of the controller or of a third party, the data subject should nevertheless have the right to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interests override the interests or the fundamental rights and freedoms of the data subject”. In the same sense, article 21.1 of the GDPR: “… The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of claims ...”
This would de facto leave the right of objection or erasure without content, bearing in mind that a limitation of these rights can only be established by legislative provisions of the EU or of the Member States, in the terms of recital 73 and articles 23 and 89 of the GDPR.
XV
Furthermore, this approach is not unique at the European level, since other supervisory authorities follow it.
In this regard, the Supervisory Authority of the Netherlands issued a formal warning to a supermarket for the use of facial recognition. The system implemented, the purpose of its installation and the question of its lack of legitimacy in relation to the facial recognition processing used by a Dutch supermarket chain are almost identical to the Mercadona case.
Thus, the processing was implemented to prevent certain people from entering the supermarkets, in response to a ban issued to that effect.
The supermarket claims that the facial recognition system had been implemented in order to protect its customers and staff and to prevent theft in the shops. The cameras were also located at the entrance to the stores and, in the same way as at Mercadona, all the people entering the store were scanned and compared with the database of persons prohibited from entering and, if ruled out, the processed data were deleted after several seconds.
The Vice President of the Netherlands Supervisory Authority has stated that “It is unacceptable that this supermarket, or any other store in the Netherlands, start using facial recognition technology”, stating that the use of this technology is prohibited in almost all cases.
He goes on to explain that “Facial recognition makes us all walking barcodes”, and that “Your face is scanned every time you enter a store, stadium or sports stadium that uses this technology. And it is done without your consent. By putting your face through a search engine, there is the possibility that your face could be linked to your name and other personal information. This could be done by matching your face to your social media profile, for instance”.
The Netherlands Supervisory Authority also considers that with the deployment of facial recognition cameras we can be monitored continually, and that there is an extremely high (unacceptable) risk of subsequent use of the information to label us as suspicious or of interest, or to profile us.
The aforementioned Supervisory Authority goes on to indicate that there are two cases in which the use of facial recognition is allowed. The first is based on the explicit consent of the customer to the processing of their data; an informative notice to the customer about the use of the technology in stores does not constitute explicit consent. Entering a supermarket cannot be understood as giving consent.
In the case under examination, Mercadona intends to process the biometric data of potential customers without requesting their consent, based on one of the exceptions indicated in art. 9.2 of the GDPR which, as we have explained, is not applicable.
The second exception is where facial recognition technology is necessary for security purposes, but only on grounds of substantial public interest. The supermarket claims that this is the case, but the aforementioned Supervisory Authority does not see it that way. The Vice President of the Netherlands Supervisory Authority indicates that the only example in their country is that of security at a nuclear power plant.
(Retrieved February 19, 2021 from https://edpb.europa.eu/news/national-news/2021/dutch-dpa-issues-formal-warning-supermarket-its-use-facial-recognition_es)
For its part, the European Data Protection Supervisor, as we have stated above, published an article on October 28, 2019 titled “Facial Recognition: A solution in search of a problem?” addressing this type of processing.
(Retrieved on February 22, 2020 from https://edps.europa.eu/press-publications/press-news/blog/facial-recognition-solution-search-problem_en)
The article indicates that “The purposes that triggered the introduction of facial recognition may seem uncontroversial at a first sight: it seems unobjectionable to use it to verify a person's identity against a presented facial image, such as at national borders including in the EU. It is another level of intrusion to use it to determine the identity of an unknown person by comparing her image against an extensive database of images of known individuals”,
(“The purposes that triggered the introduction of facial recognition may seem uncontroversial at first glance: it seems unobjectionable to use it to verify the identity of a person against a presented facial image, such as at national borders, including in the EU.
It is another level of intrusion to use it to determine the identity of an unknown person by comparing their image with an extensive database of images of known individuals”. The translation is from the AEPD)
That is, it raises more than reasonable doubts because of the intrusion involved in “using it to determine the identity of an unknown person by comparing their image with an extensive database of images of known people” (one-to-many).
He adds that “any interference in fundamental rights under the Article 52 of the Charter must be demonstrably necessary. The bar for this test becomes higher the deeper the interference. Is there any evidence yet that we need the technology at all? Are there really no other less intrusive means to achieve the same goal? Obviously, ‘efficiency’ and ‘convenience’ could not stand as sufficient”.
(“Any interference with fundamental rights under Article 52 of the Charter must be demonstrably necessary. The bar for this test becomes higher the deeper the interference. Is there any evidence yet that we need the technology at all? Are there really no other less intrusive means to achieve the same goal? Obviously, ‘efficiency’ and ‘convenience’ could not be enough”. The translation is from the AEPD).
Another issue that we highlight from the article is the reference to respect for the principles of data minimization and accuracy, when it mentions that “Facial recognition technology has never been fully accurate, and this has serious consequences for individuals being falsely identified whether as criminals or otherwise. The goal of ‘accuracy’ implies a logic that irresistibly leads towards an endless collection of (sensitive) data to perfect an ultimately unperfectible algorithm.
In fact, there will never be enough data to eliminate bias and the risk of false positives or false negatives”
(“Facial recognition technology has never been completely accurate, and this has serious consequences for the people who are falsely identified, whether as criminals or otherwise. The goal of ‘accuracy’ implies a logic that leads irresistibly to an endless collection of (sensitive) data to perfect an algorithm that is ultimately unperfectible. In fact, there will never be enough data to eliminate bias and the risk of false positives or false negatives”. The translation is from the AEPD).
XVI
In the present case, it must be concluded that the processing of personal data through facial recognition, on the terms in which the company has implemented it in its supermarkets, does not fall within the exemption of article 9.2.f) of the GDPR from the general prohibition imposed by article 9.1 of said rule. Consequently, from that moment on it is not possible to legitimize the processing on the basis of the lawfulness criteria of article 6 of the GDPR. The implemented processing is prohibited in accordance with art. 9.1 of the GDPR, regardless of the security measures and the conditions of lawfulness set out in article 6 of the GDPR.
Notwithstanding the foregoing, it would not be lawful to resort directly to article 6.1.e), since it cannot be accepted that the identification measure implemented protects the public interest; rather, it protects the private or particular interests of the company in question, and the public interest should in any case be essential. In the same vein, the legal basis provided in art. 6.1.b) GDPR is also not valid for employees, since this is processing outside the video surveillance system. What is more, there is no legal provision that allows it in accordance with article 8 of the LOPDGDD.
It should be emphasized that the processing analyzed is prohibited from its origin as indicated in article 9.1 of the GDPR.

On the other hand, the company does not comply with the right to information required in articles 12 and 13 of the GDPR. In this sense, it does not provide meaningful information on the logic applied in the facial recognition processing, nor does it allow those affected to exercise their rights, given the immediacy of the processing. It should be emphasized that the processing analyzed is prohibited from its origin as indicated in article 9.1 of the GDPR.

Nor does it appear that the principle of minimization stated in article 5.1.c) of the GDPR is respected. Processing carried out through facial recognition technology is processing of extremely high (unacceptable) risk, with a high probability of incidence and severity, which makes the inherent risk very high and its reduction to acceptable residual risk, which would with high probability allow processing of various kinds to be carried out (including that affected by article 9.1 of the GDPR) and with great impact beyond what is strictly necessary. In view of an “unacceptable” level of risk, the provisions of article 36 of the GDPR, prior consultation, must be resorted to, which has not been done. Account must also be taken of the incorrect assessment of the impact on the rights and freedoms of those affected, as it does not contemplate all of the subjects involved.
It must be insisted that the processing analyzed is prohibited from its origin as indicated in article 9.1 of the GDPR.

Furthermore, and without prejudice to the fact that the processing analyzed is prohibited from its origin as indicated in article 9.1 of the GDPR regardless of the security measures implemented, the processing analyzed does not have proper security safeguards by design, since the system implemented carries out a systematic and exhaustive evaluation of personal aspects of natural persons, on a large scale, of special category data. In fact, it is established that the entity in charge of the logic applied to the processing undertakes to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others: pseudonymisation. Consequently, the design admits the possibility that data processing is carried out on identified persons remotely, massively and indiscriminately.

Finally, and taking into account all of the above, especially the high level of risk of violation of the rights and freedoms of those affected by the processing under analysis, the maintenance of the precautionary measure imposed is considered proportionate, as it is processing prohibited from its origin in accordance with article 9.1 of the GDPR.

XVII

The facts analyzed could constitute an infringement, attributable to the respondent, for violation:

of art. 9 of the GDPR (processing of special categories of data), typified in article 83.5.a) of said rule and considered very serious for the purposes of prescription in art. 72.1.e) of the LOPDGDD, which may be sanctioned with a fine of up to € 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, opting for the highest amount, in accordance with article 83.5.a) of the GDPR.

of art.
6 of the GDPR (lawfulness of processing), typified in article 83.5.a) of said rule and considered very serious for the purposes of prescription in art. 72.1.a) of the LOPDGDD, which may be sanctioned with a fine of up to € 20,000,000 at most or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, opting for the highest amount, in accordance with article 83.5.a) of the GDPR.

of arts. 12 and 13 of the GDPR (transparency of the information provided to the different groups affected), typified in article 83.5.b) and considered very serious for the purposes of prescription in art. 72.1.h) of the LOPDGDD, which may be sanctioned with a fine of € 20,000,000 at most or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, opting for the highest amount, in accordance with article 83.5.b) of the GDPR.

of art. 5.1.c) (principle of data minimization), typified in art. 83.5.a) and considered very serious for the purposes of prescription in art. 72.1.a) of the LOPDGDD, which may be sanctioned with a maximum fine of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, opting for the highest amount, in accordance with article 83.5.a) of the GDPR.

of art. 25.1 of the GDPR (data protection by design), typified in art. 83.4.a) and considered serious for the purposes of prescription in art. 73.d) of the LOPDGDD, which may be sanctioned with a maximum fine of € 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global turnover of the previous financial year, opting for the highest amount, in accordance with article 83.4.a) of the GDPR.

of art.
35 of the GDPR (impact assessment), typified in article 83.4.a) and considered serious for the purposes of prescription in art. 73.t) of the LOPDGDD, which may be sanctioned with a fine of € 10,000,000 at most or, in the case of a company, of an amount equivalent to a maximum of 2% of the total annual global turnover of the previous financial year, opting for the highest amount, in accordance with article 83.4.a) of the GDPR.

Likewise, it is considered that the sanctions to be imposed should be graduated in accordance with the following criteria, as indicated in art. 83 of the GDPR:

Art. 83.1 of the GDPR: effective, proportionate and dissuasive (company size).

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive”.

The respondent had a turnover in 2019 (latest audit report published) of more than 25,000 million euros and 90,000 employees, so it constitutes a large company, with 1,636 stores open.

Art. 83.2 GDPR.

“a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of data subjects affected and the level of damage suffered by them”

The data being processed is of a special category and the volume of data processed can exceed *** NUM. 7 facial examinations per year, including minors and vulnerable people. The processing is carried out in a remote, massive and indiscriminate manner.

“b) the intentional or negligent character of the infringement”

The development of the early detection system has been promoted by the controller. There is no evidence that the respondent chose to make a prior consultation to the AEPD as indicated in art.
36 of the GDPR, even though the processing implemented constitutes an extremely high risk, unacceptable from its origin, for the rights and freedoms of the customers and employees of the company.

“d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have applied under articles 25 and 32”

The degree of responsibility is fully attributable to the respondent, in that the deficiencies and incompatibilities of the processing are its own decision and responsibility, specifically as to purpose and means.

“g) the categories of personal data affected by the infringement”

From the design of the security system implemented, it is established that a systematic and exhaustive evaluation of personal aspects of natural persons is carried out, on a large scale, of special category data.

“h) the manner in which the supervisory authority learned of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent”

It is established that the AEPD became aware of the processing now analyzed through two claims from parties unrelated to the respondent.

“k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement”.

Article 76 of the LOPDGDD. Sanctions and corrective measures.

“1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

As aggravating factors:

a) The continuing nature of the offense.

It is established that the processing was being carried out from July 1, 2020, until 05/06/2021.
b) The linking of the activity of the offender with the performance of personal data processing.

The respondent is a large company in the general distribution sector with CNAE code 4711, “Retail trade in non-specialized establishments” sector, and habitually processes the personal data of customers and workers.

(…)

f) Affecting the rights of minors.

It is established that the data processing implemented affects minors and vulnerable people accessing the establishments.

(…)

3. It will be possible, complementarily or alternatively, to adopt, when appropriate, the remaining corrective measures referred to in article 58.2 of Regulation (EU) 2016/679.

4. The information that identifies the offender, the offense committed and the amount of the penalty imposed when the competent authority is the Spanish Data Protection Agency, the penalty is greater than one million euros and the offender is a legal person. When the competent authority to impose the sanction is an autonomous data protection authority, its regulations of app."

As mitigating factors:

Art. 83.2 GDPR:

e) There is no record of recidivism or repetition. This mitigating factor has been of special relevance in establishing the amount of the pecuniary fine now proposed.

From the foregoing, it is considered proportionate, effective and dissuasive to impose the following administrative fines, as indicated in art. 58.2.i) of the GDPR, as set out below:

For the alleged violation of arts. 6 and 9 of the GDPR, typified in art. 83.5.a) of said rule and considered very serious for the purposes of prescription in art. 72.1.a) and e), respectively, of the LOPDGDD, an administrative fine of € 2,000,000.

For the alleged infringement of art. 5.1.c) of the GDPR, typified in art. 83.5.a) of said rule and considered very serious for the purposes of prescription in art. 72.1.a) of the LOPDGDD, an administrative fine of € 500,000.
For the alleged violation of arts. 12 and 13 of the GDPR, typified in art. 83.5.b) of said rule and considered very serious for the purposes of prescription in art. 72.1.h) of the LOPDGDD, an administrative fine of € 100,000.

For the alleged infringement of art. 25.1 of the GDPR, typified in art. 83.4.a) of said rule and considered serious for the purposes of prescription in art. 73.d) of the LOPDGDD, an administrative fine of € 500,000.

For the alleged infringement of art. 35 of the GDPR, typified in article 83.4.a) of said rule and considered serious for the purposes of prescription in art. 73.t) of the LOPDGDD, an administrative fine of € 50,000.

XVIII

Art. 69 of the LOPDGDD states the following:

“Article 69. Provisional measures and guarantee of rights.

1. During the preliminary investigation, or once a procedure for the exercise of the sanctioning power has been initiated, the Spanish Data Protection Agency may agree, with reasons, on the provisional measures that are necessary and proportionate to safeguard the fundamental right to data protection and, in particular, those provided for in article 66.1 of Regulation (EU) 2016/679, the precautionary blocking of data and the immediate obligation to meet the requested right.

2. In cases where the Spanish Data Protection Agency considers that the continuation of the processing of personal data, its communication or international transfer would entail a serious impairment of the right to protection of personal data, it may order the controllers or processors to block the data and cease its processing and, if these orders are not complied with, proceed to immobilize them.

3.
When a claim has been submitted to the Spanish Data Protection Agency that refers, among other issues, to the failure to attend within the time limit to the rights established in articles 15 to 22 of Regulation (EU) 2016/679, the Spanish Data Protection Agency may agree at any time, even prior to the initiation of the procedure for the exercise of the sanctioning power, by reasoned resolution and after hearing the controller, the obligation to meet the requested right, continuing the procedure for the rest of the issues that are the subject of the claim”.

Preamble I of the LOPDGDD says:

“The protection of natural persons in relation to the processing of personal data is a fundamental right protected by article 18.4 of the Spanish Constitution. In this way, our Constitution was a pioneer in the recognition of the fundamental right to the protection of personal data when it provided that “the law shall limit the use of information technology to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights”. It thus echoed the work carried out since the late 1960s in the Council of Europe and the few legal provisions adopted in neighbouring countries.

The Constitutional Court indicated in its Judgment 94/1998, of 4 May, that we are faced with a fundamental right to the protection of data by which the person is guaranteed control over their data, any personal data, and over its use and destination, to avoid traffic in it that is illicit or harmful to the dignity and rights of those affected; in this way, the right to data protection is configured as a power of the citizen to object to certain personal data being used for purposes other than the one that justified obtaining it.
For its part, Judgment 292/2000, of November 30, considers it an autonomous and independent right consisting of a power of disposition and control over personal data that empowers the person to decide which of those data to provide to a third party, be it the State or an individual, or which data this third party may collect, and that also allows the individual to know who holds those personal data and for what purpose, being able to oppose such possession or use.

(…).

On the other hand, it is also included in article 8 of the Charter of Fundamental Rights of the European Union and in article 16.1 of the Treaty on the Functioning of the European Union. Previously, at the European level, the aforementioned Directive 95/46/EC was adopted, the purpose of which was to ensure that the guarantee of the right to the protection of personal data did not constitute an obstacle to the free movement of data within the Union, thus establishing a common space of guarantee of the right that, at the same time, ensured that in case of international transfer of data, its processing in the country of destination was protected by safeguards adequate to those provided in the directive itself”.

Article 56 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), as applicable, states the following:

“1. Once the procedure has been initiated, the administrative body competent to resolve it may adopt, ex officio or at the request of a party and in a reasoned manner, the provisional measures that it deems appropriate to ensure the effectiveness of the resolution that may be issued, if there are sufficient elements of judgment for it, in accordance with the principles of proportionality, effectiveness and least burden.

2.
Before the initiation of the administrative procedure, the body competent to initiate or instruct the procedure, ex officio or at the request of a party, in cases of pressing urgency and for the provisional protection of the interests involved, may adopt, in a reasoned manner, the provisional measures that are necessary and proportionate. Provisional measures must be confirmed, modified or lifted in the agreement initiating the procedure, which must be issued within fifteen days after their adoption and which may be subject to the appropriate appeal.

In any case, these measures will be without effect if the procedure is not initiated within said period or when the initiation agreement does not contain an express pronouncement about them.

3. In accordance with the provisions of the two previous sections, the following provisional measures may be agreed, in the terms provided in Law 1/2000, of January 7, on Civil Procedure:

a) Temporary suspension of activities.

b) Provision of bonds.

c) Withdrawal or intervention of productive assets or temporary suspension of services for health, hygiene or safety reasons, the temporary closure of the establishment for these or other causes provided for in the applicable regulations.

d) Preventive seizure of goods, income and fungible things computable in cash due to the application of certain prices.

e) The deposit, retention or immobilization of personal property.

f) The intervention and deposit of income obtained through an activity that is considered illegal and whose prohibition or cessation is intended.

g) Consignment or constitution of a deposit of the amounts that are claimed.

h) The withholding of income on account to be paid by the Public Administrations.

i) Those other measures that, for the protection of the rights of interested parties, are expressly provided for by law, or that are deemed necessary to ensure the effectiveness of the resolution.

4.
Provisional measures may not be adopted that may cause damage that is difficult or impossible to repair to the interested parties or that imply a violation of rights protected by law.

5. Provisional measures may be lifted or modified during the processing of the procedure, ex officio or at the request of a party, by virtue of circumstances that arose subsequently or that could not be taken into account at the time of their adoption.

In any case, they will be extinguished when the administrative resolution that puts an end to the corresponding procedure takes effect”.

The facial recognition data processing now analyzed, which it is established the respondent had been carrying out since July 1, 2020 (until 05/06/2021) in various centers open in Spain (at least forty), is processing of personal data expressly prohibited by article 9.1 of the GDPR.

It is established that on 05/06/2021 the respondent executed the precautionary measure imposed, providing reliable documentation that proves it, turning off the facial recognition systems implemented and removing the posters.

The adoption of this provisional measure in the Initiation Agreement, and its confirmation and finalization in this Proposal for Resolution, weighs all the rights and interests in conflict and does not invalidate the security measure adopted by judicial bodies, but only the means of facial recognition used to carry it out, without prejudice to the fact that the controller can adopt other less intrusive systems to achieve that purpose.

Consequently, the processing of data based on facial recognition for identification purposes implemented by MERCADONA is prohibited by the provisions of article 9.1, as none of the causes that allow the prohibition to be lifted among those set out in art. 9.2 of the GDPR is present, so it is not appropriate to take refuge in the lawfulness grounds of art. 6.1 of the same.
Such a prohibition cannot be circumvented by applying proactive security measures, since the prohibition of processing indicated in article 9.1 of the GDPR renders them irrelevant, so they are not analyzed.

In view of the above, the following is issued:

MOTION FOR A RESOLUTION

That the Director of the Spanish Data Protection Agency sanction MERCADONA S.A., with NIF A46103834, for the violation of the following articles, with the following penalties:

arts. 6 and 9 of the GDPR, typified in art. 83.5.a) of said rule, an administrative fine in the amount of € 2,000,000 (two million euros).

arts. 12 and 13 of the GDPR, typified in art. 83.5.b) of said rule, an administrative fine in the amount of € 100,000 (one hundred thousand euros).

art. 5.1.c) of the GDPR, typified in art. 83.5.a) of said rule, an administrative fine in the amount of € 500,000 (five hundred thousand euros).

art. 25.1 of the GDPR, typified in art. 83.4.a) of said rule, an administrative fine in the amount of € 500,000 (five hundred thousand euros).

art. 35 of the GDPR, typified in art. 83.4.a) of said rule, an administrative fine in the amount of € 50,000 (fifty thousand euros).

Confirm the provisional measure imposed on MERCADONA in the Initiation Agreement on the temporary suspension of all processing of personal data related to facial recognition in its establishments, as said processing is prohibited in accordance with the provisions of the GDPR and related regulations, and make it definitive.

Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are informed that you may, at any time prior to the resolution of the present procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at € 2,520,000 (two million five hundred twenty thousand euros) and its payment will imply the termination of the procedure.
The effectiveness of this reduction will be conditional on the withdrawal or waiver of any action or appeal through administrative channels against the sanction.

In case you choose to proceed to the voluntary payment of the amount specified above, in accordance with the provisions of the aforementioned article 85.2, you must make the payment into restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept field the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount of the sanction, namely voluntary payment.

Likewise, you must send proof of the payment to the Subdirectorate General of Inspection in order to close the proceedings.

By virtue of this, you are notified of the foregoing, and the procedure is made available to you so that within TEN DAYS you can allege whatever you consider appropriate in your defense and present the documents and information that you deem pertinent, in accordance with article 89.2 of the LPACAP). >>

SECOND: On July 19, 2021, the respondent proceeded to pay the sanction in the amount of € 2,520,000, making use of the reduction foreseen in the proposed resolution transcribed above.

THIRD: The payment made entails the waiver of any action or appeal through administrative channels against the sanction, in relation to the facts to which the motion for resolution refers.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the GDPR recognizes to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the AEPD is competent to sanction the infringements committed against said Regulation.
II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading “Termination of sanctioning procedures”, provides the following:

“1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or to the determination of the compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased by regulation.”

In accordance with the above, the Director of the AEPD RESOLVES:

FIRST: DECLARE the termination of sanctioning procedure PS/00120/2021, in accordance with the provisions of article 85 of the LPACAP, sanctioning MERCADONA, S.A., with NIF A46103834, for the violation of the following articles:

arts. 6 and 9 of the GDPR, typified in art. 83.5.a) of said rule,

arts. 12 and 13 of the GDPR, typified in art. 83.5.b) of said rule,

art. 5.1.c) of the GDPR, typified in art. 83.5.a) of said rule,

art.
25.1 of the GDPR, typified in art. 83.4.a) of said rule,

art. 35 of the GDPR, typified in art. 83.4.a) of said rule,

Prohibit all processing of personal data related to facial recognition in its establishments, in accordance with article 58.2.f).

SECOND: NOTIFY this resolution to MERCADONA, S.A., with NIF A46103834 and with address at Paseo de la Castellana 259 C, 28046 Madrid.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

968-160721

Mar España Martí
Director of the Spanish Agency for Data Protection