ARCHIVED - 1,500-euro fine cancelled for Murcia gym which used fingerprint ID admission procedure

The policy is ruled not to have contravened data protection laws in Spain but the situation may now be different, experts warn

Numerous eyebrows were raised in July 2018 when the Spanish Data Protection Agency (AEPD) imposed a 1,500-euro fine on a gymnasium in Murcia for using fingerprint recognition technology to allow members to gain admission to the premises, and the issue is now back in the news after the National Court annulled the punishment.

The case was brought to the attention of the AEPD by a member of the gym who until February 2017 was using an identity bracelet to enter the establishment, until the management decided to change the admission system (possibly due to the ease with which one person’s bracelet can simply be lent to another, allowing non-paying users to use the facilities). The new system relied on identifying features of the member’s fingerprint – although not the entire fingerprint – and the management clearly informed all members of the use to which the information gathered was to be put.

Despite this, though, the AEPD ruled that this was a disproportionate and excessive use of the data and, with no alternative admission procedure being offered, issued the corresponding 1,500-euro fine.

But an appeal was lodged and has now been upheld by the National Court, not on the grounds that the data used to identify people are not their actual fingerprint but an algorithm generated by certain features of it, but because they consider that the use of that algorithm does not in any way infringe Article 4.1 of the law which governed data protection in Spain until December 2018. The Court understands that in this case the collection of data related to fingerprints is used in order to supply a service, and that it is necessary in order to prevent the fraudulent use of other systems such as the bracelets which were used previously. It is also ruled that the security measures implemented are proportionate to the purpose of the procedure, paying particular attention to the fact that it is the algorithm not the fingerprint itself which is stored.

However, with the introduction of a new data protection law last December the current situation is still not clear, and experts warn that the use of fingerprint identification procedures could now be considered a punishable infringement.

Follow Murcia Today on Facebook to keep up to date with all the latest news, events and information in the Region of Murcia and the rest of Spain: https://www.facebook.com/MurciaToday/