Spain: AEPD publishes report on use of facial recognition for AML/CFT compliance
The legal cabinet of the Spanish data protection authority ('AEPD') published, on 2 July 2021, an unfavourable report on the use of facial recognition for the registration of clients for compliance with the identification obligations relating to anti-money laundering and countering the financing of terrorism ('AML/CFT') provided for in Law 10/2010, of April 28, on the Prevention of Money Laundering and Terrorist Financing ('the AML/CFT Law'). In particular, the report highlights that the AML/CFT Law specifically stipulates the identification means that should be used, which do not include biometric data, and therefore concludes that the use of facial recognition for this purpose is not authorised in accordance with Article 9(2)(g) of the General Data Protection Regulation (Regulation (EU) (2016/679) ('GDPR').
Furthermore, the report notes that although data processing through facial recongition techniques may be based on consent in certain circumstances, provided that requirements under Articles 4(11) and 7 of the GDPR are met, in the present case, the specific legal obligation mentioned above would not be fulfilled, and the mandatory use of facial recognition would be disproportionate. Moreover, the report notes that the proposed processing would be in violation of the GDPR principles of data minimisation, necessity, and proportionality.
You can read the report, only available in Spanish, here.