Mercadona S.A. – €2,520,000 Fine (Spain, 2021)

The Spanish DPA (AEPD) has fined Mercadona S.A. EUR 2,520,000. The controller had installed facial recognition systems in Mercadona stores for the purpose of tracking individuals with criminal convictions or restraining orders. The system captured everyone who entered the stores, including minors and MERCADONA employees. During its investigation, the DPA found numerous privacy violations. For instance, the system violated the principle of data minimization, the principle of necessity and proportionality since the controller could process multiple biometric data - beyond the purpose of the system. In addition, the DPA concluded that Mercadona's privacy impact assessment was deficient as it did not take into account the specific and unique risks to Mercadona's employees posed by data processing through facial recognition systems. Furthermore, MERCADONA had violated its duty to inform according by not properly providing data subjects with information about the processing of their personal data. The original fine of EUR 3,150,000 consisted of EUR 500,000 due to a violation of Art. 5(1)(c), EUR 2,000,000 due to a violation of Art. 6 and Art. 9 of the GDPR, EUR 100,000 due to a violation of Art. 12 and Art. 13 of the GDPR, EUR 500,000 due to a violation of Art. 25(1) of the GDPR, and EUR 50,000 due to a violation of Art. 35 of the GDPR. The original fine was reduced to EUR 2,250,000 due to voluntary payment.