On July 26, 2021, the Spanish Data Protection Authority (AEPD) issued a €2,520,000 fine to Mercadona, S.A., one of the leading supermarket and online shopping companies in Spain. The fine was issued for unlawful use of a facial recognition system.
The AEPD conducted an investigation that uncovered serious violations of the General Data Protection Regulation (GDPR), related to the insufficient legal basis for data processing and unlawful processing of sensitive personal data.
Mercadona was using a facial recognition system in 48 of its locations for several months. The system was installed to detect individuals with prior criminal convictions, particularly individuals with restraining orders issued for assaulting an employee or who had been convicted for an incident that previously happened in the store.
Unfortunately, the facial recognition system captured images and processed biometric data of Mercadona’s employees and customers, including children.
The AEPD’s investigation found that there were no legal grounds for processing sensitive personal data in accordance with Article 9, and that the processing did not follow the principles of data minimization, proportionality, or necessity.
The AEPD also found that Mercadona did conduct a data protection impact assessment (DPIA). However, the AEPD assessed it as insufficient and incomplete, as it did not account for the risks posed to Mercadona employees.