New AEPD legal report on the use of biometrics for access control

Reports | 29 July 2025
The AEPD marks a turning point in its criteria and admits, for the first time, the possibility of using biometric access control systems under strict security conditions.

Biometric access control? The AEPD accepts that it is feasible.

Until now, the AEPD had been reluctant to accept the use of biometrics for access control, on the premise that, as less intrusive methods existed, this modality did not pass the triple test of suitability, necessity and proportionality. The message was clear: biometrics for access control = highly intrusive processing + existence of less intrusive means = possible infringement.

However, on 18 July 2025, the AEPD published a legal report on an access control system for Civil Guard facilities based on biometric authentication which, in addition to a clear call to the legislator, sheds light on the contexts in which the use of this technology may be justified. Express reference is made to technical and organisational measures whose adoption contributes significantly to minimising the impact on the rights and freedoms of the persons concerned, thereby reducing the degree of intrusiveness associated with the processing.

Although we cannot forget that this report refers to a specific case within a specific regulatory context, neither can we ignore the relevant change in the AEPD's approach: it opens the door to the possibility that, in certain contexts and under specific conditions, biometric authentication may be considered an appropriate option for access control.


1. Consent as a valid basis for legitimation?

While in this case the processing of biometric data finds support in several rules that call for the adoption of sufficient security measures, namely Organic Law 7/2021 of 26 May on the protection of personal data processed for the purpose of the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties, which applies to this case; Directive (EU) 2022/2551 of the European Parliament and of the Council of 26 May on the protection of personal data processed for the purpose of the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties; and Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC, currently being transposed by means of a preliminary draft bill, what is really striking is the turn taken by the AEPD in contemplating, clearly and for the first time, consent as a valid basis of legitimisation for this type of processing. This recognition is not minor: until now, the sufficiency of consent to lift the prohibition was questioned, since this was a high-risk processing operation that did not meet the requirement of necessity.

Although this does not imply a generalised change of criterion, this new interpretation could have very relevant practical implications by opening the door to the use of biometric systems for access control in unregulated environments, provided that the necessary guarantees and measures are met and the proportionality test is passed.


2. Determining the context and how to mitigate the associated risks.

Equally relevant is the fact that, in this report, the AEPD repeatedly acknowledges that access control by means of biometrics is more effective than the use of cards, passwords or manual registers, as it enables more reliable verification of who is accessing protected spaces, preventing impersonation and allowing unauthorised access to be restricted.

In any case, any data controller wishing to implement this type of system must carry out an impact assessment and analyse in detail the suitability, necessity and proportionality of the processing.

For this reason, the AEPD establishes that it is necessary to determine the perimeter and the type of system to be implemented: implementing a biometric system to control access to the facilities of critical entities is not the same as using it in less sensitive environments, as the level of risk and the guarantees required vary significantly.

In addition to the context in which it is implemented, the type of system used also influences the level of risk. The AEPD makes it clear that one-to-one authentication or verification (1:1), which answers the question "are you who you say you are?", presents less risk than identification (1:N), which answers the question "who are you among all possible people?". The former option also has less impact on data subjects' rights, as it involves more limited processing.

Thus, European authorities and courts have held that the implementation of such measures should be limited to what is strictly necessary. In other words, they should only be applied when the objectives cannot reasonably be achieved with the same effectiveness by less intrusive alternatives.

Consequently, where there are several technically effective options, the decision-maker should opt for the one that is most appropriate to the aim pursued, provided that it respects the principle of proportionality and minimises the impact on the rights and freedoms of those concerned.

The question that inevitably arises is: how can the impact of such processing operations on individuals' rights be reduced? In this regard, the AEPD admits that, in the case analysed, the adoption of appropriate technical and organisational measures contributes significantly to mitigating the impact and reinforcing data protection guarantees.


3. Duties for the legislator and roadmap for data controllers.

Through the report, the AEPD also calls on the legislator to play an active role: it proposes drafting a specific regulation that incorporates adequate guarantees for the use of biometric technologies, both for the issue raised and for the various regulatory models already under development that contemplate the installation of biometric recognition systems, and sets out a series of specific recommendations that could be incorporated into a future regulation.

In any event, the guidelines the AEPD gives the legislator can be read as a roadmap that lets data controllers consider the proposed technical and organisational measures before implementing these systems. The following stand out:

  • Assisted data collection: biometric data must be collected with the intervention of qualified personnel.
  • Duty of information: data subjects must be clearly and fully informed about the processing, the available alternatives and the risks of the processing.
  • Exclusive control by the data subject: the data must be kept under the exclusive control of the data subject.
  • Protection against third parties.
  • Prohibition of centralised storage: biometric identifiers should not be stored in centralised repositories.
  • Local and isolated generation: data should be generated in local systems, not connected to networks.
  • Non-interoperability: the system should not be interoperable with other systems or databases.
  • Renewable and expiring identifiers: identifiers that can be regenerated and have a limited validity should be used.
  • Destruction procedures: there must be a defined protocol for the secure destruction of data.
  • Limited retention of associated data: non-biometric personal data linked to the system shall be retained for a maximum of 30 days before being blocked.
  • Minimisation principle: the system must not store information beyond what is strictly necessary for each authentication.
  • Prohibition of transmission: data transfers outside the system shall not be enabled.
  • Controlled infrastructure: biometric devices must be installed in physically secure and controlled locations.
  • Impact assessments: these should be conducted prior to system implementation and updated every four years.
  • ENS compliance at a high level: compliance with the high level of the National Security Scheme (ENS), including periodic audits.
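As an added illustration (constructed here, not code from the AEPD report or from ECIJA), a toy Python model of the 1:1 verification flow discussed in section 2 under the measures just listed: the identifier lives on the subject's own token rather than in a central repository, so the system can only answer "are you who you say you are?"; identifiers expire and can be regenerated; and non-biometric records associated with the system are blocked once they are older than 30 days. The bit-template Hamming comparison, the 0.20 match threshold and the one-year identifier lifetime are assumptions for the example, not figures from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MATCH_THRESHOLD = 0.20                          # max fraction of differing bits (assumed)
IDENTIFIER_LIFETIME = timedelta(days=365)       # identifier validity period (assumed)
ASSOCIATED_DATA_RETENTION = timedelta(days=30)  # retention figure from the AEPD list above

@dataclass
class TokenIdentifier:
    """Expiring identifier kept on the subject's own token, never in a central store."""
    template: bytes
    issued_at: datetime
    version: int = 1

    def renew(self, new_template: bytes, now: datetime) -> "TokenIdentifier":
        """Regeneration replaces the old template instead of keeping it alongside."""
        return TokenIdentifier(new_template, now, self.version + 1)

def hamming_fraction(a: bytes, b: bytes) -> float:  # simplified stand-in for a vendor matcher
    if len(a) != len(b):
        return 1.0
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def verify_1_to_1(ident: TokenIdentifier, live: bytes, now: datetime) -> bool:
    """'Are you who you say you are?': live sample against the presented token only."""
    if now >= ident.issued_at + IDENTIFIER_LIFETIME:   # an expired identifier never matches
        return False
    return hamming_fraction(ident.template, live) <= MATCH_THRESHOLD

def block_stale_records(records: list, now: datetime) -> int:
    """Block (rather than keep live) non-biometric records older than 30 days."""
    stale = [r for r in records if not r["blocked"] and now - r["when"] > ASSOCIATED_DATA_RETENTION]
    for r in stale:
        r["blocked"] = True
    return len(stale)

def demo() -> dict:
    """Constructed scenario: good and bad live samples, expiry, renewal, retention."""
    now, later = datetime(2025, 7, 18), datetime(2026, 7, 19)
    enrolled = bytes([0b10101010] * 16)             # constructed 128-bit template
    noisy = bytes([0b10101011]) + enrolled[1:]      # one bit differs: same person
    other = bytes([0b01010101] * 16)                # every bit differs: someone else
    ident = TokenIdentifier(enrolled, now)
    log = [{"subject": "s1", "when": now - timedelta(days=d), "blocked": False} for d in (31, 5)]
    return {"same_person": verify_1_to_1(ident, noisy, now),
            "other_person": verify_1_to_1(ident, other, now),
            "after_expiry": verify_1_to_1(ident, enrolled, later),
            "after_renewal": verify_1_to_1(ident.renew(enrolled, later), enrolled, later),
            "blocked_first_run": block_stale_records(log, now),
            "blocked_second_run": block_stale_records(log, now)}
```

Because there is no central template store, a 1:N "who are you?" search cannot even be expressed against this model, which is the design property the measures above are driving at.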

Information note written by the Data Protection area of ECIJA Madrid.
