The ruling provides an essential frame of reference for all professionals in the field of personal data protection.
The Spanish Data Protection Agency (AEPD) has issued a legal opinion in response to a consultation on the use of biometric data for access control to facilities of the State Security Forces and Corps.
In its statement, the AEPD recalls that, in accordance with Guidelines 5/2022 of the European Data Protection Board, biometric data constitutes a special category of personal data, both in identification and authentication processes.
It is important to distinguish between these two concepts.
Identification consists of recognizing a user within a set of possible identities (one-to-many relationship).
Authentication, on the other hand, refers to verifying that a person is who they say they are (one-to-one relationship) by comparing their biometric data with a unique template previously associated with their identity.
In this regard, the AEPD emphasizes that the impact of each type of biometric processing is not the same. Therefore, not all involve the same level of risk, nor do they require the same protective measures.
Furthermore, it highlights that localized biometric authentication, well designed and adapted to the specific circumstances of the particular case, can in many contexts be more proportionate and less intrusive than other methods.
However, the AEPD insists that the Impact Assessment remains an essential tool. It is through this assessment that the data controller can justify the necessity and proportionality of the use of biometric data, evaluating whether the intended purpose justifies such processing or whether there are less invasive alternatives that can achieve the same objective, taking into account the protected assets and interests.
Finally, the legal criteria issued by the AEPD should be given special attention, as they guide its decisions and provide an essential frame of reference for all professionals in the field of personal data protection.
Likewise, this ruling by the Spanish Agency may be considered for Chilean Personal Data legislation, which will come into force in December 2026, and the recent Law No. 21,734, which authorized the use of biometric authentication by the Investigative Police (PDI) of our country.
For more information on these topics, please consult:
Rodrigo Albagli | Partner | ralbagli@az.cl
Eugenio Gormáz | Partner | egormaz@az.cl
Yoab Bitran | Director Compliance Group | ybitran@az.cl
Antonia Nudman | Senior Associate az Tech | anudman@az.cl
Esteban Orhanovic | Associate IP, Tech and Data Group | eorhanovic@az.cl
Felipe Barrera | Associate Compliance Group | fbarrera@az.cl
Be part of our multimedia platform and you can receive the latest legal news, events, podcazt and webinars.
