Spain's privacy regulator, the AEPD, has fined supermarket chain Mercadona 2.5 million euros. The supermarket used facial recognition technology to track individuals with criminal records or restraining orders. The regulator's investigation found that the processing of biometric data was not limited to this purpose, but affected every customer who entered the supermarket, including children, as well as Mercadona employees.

The regulator also noted in its decision that the processing of personal data through facial recognition in this case does not fall within the exceptions to the general prohibition on processing special personal data contained in Article 9 of the General Data Protection Regulation (GDPR).
The processing is also considered unlawful under Article 6 GDPR and was in violation of the principles of necessity, proportionality and data minimization. In the Data Protection Impact Assessment (DPIA) it conducted, Mercadona did not sufficiently consider the specific risks to employees associated with the use of facial recognition systems.
Read the AEPD's decision here (Spanish)
