The Spanish Data Protection Agency (AEPD) has imposed a fine of over €10 million on Aena for a facial recognition pilot project carried out at Spanish airports, including Barcelona's. This is a record fine for the AEPD, only matched by the one levied against Google in 2022. Aena "respectfully disagrees" with the sanction. "Both on substantive and procedural grounds, as well as because we believe it does not comply with the principle of proportionality," the airport operator stated. According to the company, chaired by Mauricio Lucena, the sanction is based on an "alleged breach of a formal obligation." Specifically, the AEPD considers that Aena failed to conduct a data protection impact assessment that met all regulatory requirements. Aena will appeal the decision in court. The biometric program that has led to sanctions against the Spanish Data Protection Agency (AEPD) was implemented at the Menorca, Madrid, and El Prat airports between 2019 and 2022. Aena has emphasized that all personal data obtained has been deleted and that no such system for passengers currently exists in its network. Furthermore, it stresses that there has been no security breach or data leak.

Now that the summer holidays are approaching, the Spanish Data Protection Agency (AEPD) warns: it is prohibited to request a copy of your ID card when staying at a hotel. The agency has issued a information note Remember that, although Royal Decree 933/2021 establishes the obligation of the owner of the hostel or hotel to collect certain data from the people who use their services, this request for information does not authorize requesting a copy of the client's identity document, since this "would violate the principle of data minimization and would constitute excessive processing."