Società per Azioni Esercizi Aeroportuali S.E.A. – Violation Found (Italy, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Società per Azioni Esercizi Aeroportuali (S.E.A.) was found to have violated privacy rules by using a facial recognition system without proper safeguards. This matters because it shows that companies must protect biometric data and ensure users have control over their information. Organizations should review their privacy practices, especially when using advanced technologies like facial recognition.
What happened
S.E.A. used a facial recognition system but failed to comply with privacy regulations regarding data storage and user control.
Who was affected
Passengers at Milan Linate Airport were affected by the facial recognition system's inadequate privacy measures.
What the authority found
The Italian data protection authority found that S.E.A. violated multiple privacy rules by not properly securing biometric data and failing to provide accurate information to users.
Why this matters
This case underscores the need for companies to implement strong privacy protections when using biometric technologies, ensuring users have control over their personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is Società per Azioni Esercizi Aeroportuali (S.E.A.), the group of companies that manage 2 airports in Milan. The controller installed and started using a facial recognition system, called "FaceBoarding", for the purpose of passenger identification at the access gates to the sterile area and boarding gates at Milan Linate Airport In July 2025, the DPA initiated investigations regarding this system. First, the DPA found that the biometric template of the data subjects remained stored exclusively in the centralized system of the controller, preventing active control on the part of the data subject over his or her own biometric data. This did not comply with the [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_de EDPB’s Opinion No. 11/2024 on the use of facial recognition for the streamlining of passenger flows] and therefore violated Article 5(1)(f) GDPR, Article 25 GDPR and Article 32 GDPR. Second, it found that the privacy notice issued by the controller contained inaccurate information where it reports that, with respect to the methods of joining the system via the dedicated App, "the biometric template remains stored exclusively in the smartphone" of the passenger. Third, the ruled that the controller did not take measures to encrypt the biometric template when storing it in its systems, resulting in a violation of Article 32 GDPR. It also foresees extended retention periods for biometric templates of up to 12 months, in in violation of Article 5(1)(e) GDPR and Article 32 GDPR. Fourth, the gates dedicated to FaceBoarding "are hybrid in nature," i.e., they can also be used by passengers who have not joined the aforementioned system. In this circumstance, a biometric template of the data subject is nevertheless generated, although the data subject has not given consent to its processing, in violation of violation of Article 6 GDPR. Consequently, the DPA decided to or
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Società per Azioni Esercizi Aeroportuali S.E.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
11 September 2025
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-9547About this data
Cite as: Cookie Fines. Società per Azioni Esercizi Aeroportuali S.E.A. - Italy (2025). Retrieved from cookiefines.eu
Last updated: