The Spanish data protection authority ('AEPD') issued, on 27 July 2021, its decision in proceeding PS/00120/2021, fining Mercadona, S.A. €2,520,000, following the conclusion of the AEPD's investigation into the use of facial recognition systems carried out in Mercadona's establishments for the purpose of detecting the individuals with criminal convictions or restraining orders. In particular, the decision highlights, among other things, that the processing of biometric data through the facial recognition system did not only occur in relation to the identification of individuals with convictions or criminal offences, but rather affected any customer who walked into the supermarkets, including children, as well as Mercadona's employees. 

Furthermore, the decision finds that the processing of personal data through facial recognition systems by Mercadona does not fall under the exceptions of the general prohibition of processing special category data under Articles 9(2)(f) and 9(2)(g) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Consequently, the decision concludes that the processing of personal data was not legitimate based on the criteria under Article 6 of the GDPR, and was also contrary to the principles of necessity, proportionality, as well as data minimisation pursuant to Article 5(1)(c) of the GDPR. Moreover, the decision outlines that the Data Protection Impact Assessment carried out by Mercadona was incorrect, in the sense that it did not take into account the specific and unique risks for Mercadona employees posed by the data processing through facial recognition systems. In addition, the decision outlines that Mercadona's data processing violated the transparency requirements under Articles 12 and 13 of the GDPR and the principle of Data Protection by Design under Article 25(1) of the GDPR.

You can read the decision, only available in Spanish, here.