Mercadona sanctioned by the AEPD

Mercadona sanctioned by the AEPD

Mercadona was fined 170,000 euros. On May 5, a resolution was published by the Spanish Data Protection Agency (AEPD) sanctioning Mercadona for the use of facial identification systems in the open field without the user’s consent.

The AEPD allows, in principle, biometric identification and verification, complying with the provisions of the General Data Protection Regulation (GDPR). However, it indicates that due to the fact that it is a 1:N identification system, which uses biometric data to identify a specific person among many, it would be in accordance with the provisions of article 9 of the General Data Protection Regulation, in what which refers to the processing of special category data.

In this sense, data processing not only affected people with final judgments and restraining orders, but also any Mercadona worker or buyer, becoming a massive and remote facial recognition system, as defined in the White Paper on Artificial Intelligence of the European Commission.

Thus, the AEPD concluded its study by pointing out that the processing of facial recognition data for identification purposes implemented by Mercadona is prohibited by art. 9.2 of the RGPD, since its use was not proportionate to the purpose it was intended to pursue.

Mercadona alleges having made an “involuntary” mistake

Mercadona pointed out in its allegation brief that an internal investigation carried out by the company itself detected a human and involuntary error in the management of the claim presented by the client, which caused the management not to be transferred to the DPO or the team.

After what happened, Mercadona tried to reach an agreement with the affected party to compensate her for the damages caused, and for those derived from not having been able to comply with her right of access to her personal data.

Likewise, the company informed the AEPD that, as a result of the event, technical, organizational and disciplinary measures had been taken so that the failure would not happen again. Not convinced of Mercadona’s arguments, the agency specified in the sanctioning resolution that said human error that caused the deletion of the images had not been detailed at any time. The sanctioning authority maintains that, even if the client had desisted in her claim after the agreement reached, this would not imply the consequent filing of the file, since the personal data protection regulations had been violated.

That is why the AEPD finally sanctioned Mercadona with a fine amounting to 170,000 euros.

• In the first place, for having violated the principle of transparency of information, communication and modalities of exercising the rights of the interested party, contained in article 12, related to number 15 of the General Data Protection Regulation (RGPD), with a fine of 70,000 euros.
• Second, for failing to comply with the principle of legality of the processing of customer data in article 6 of the same regulation, with an amount of 100,000 euros.

It is not the first sanction that the AEPD imposes on Mercadona

Last February, a resolution of the AEPD was published in the Official State Gazette in which a list of companies that were sanctioned in 2021 with sanctions that exceeded one million euros was reflected.

In this regard, Mercadona occupies fourth place in the ranking, having been fined 2.5 million euros as a penalty for a pilot project that it tested in 48 of its supermarkets. This technology worked as a test and was uninstalled in May 2021, since it was limited to detecting only and exclusively people with a final judgment and a restraining order from the establishment issued by a court.