Società per Azioni Esercizi Aeroportuali S.E.A. – Violation Found (Italy, 2025)
Società per Azioni Esercizi Aeroportuali S.E.A. faced scrutiny for its facial recognition system used at Milan airports. The DPA found that the system didn't allow users to control their biometric data properly. This is significant because it raises concerns about privacy and data security in technology used at public places.
What happened
S.E.A. installed a facial recognition system for passenger identification without proper user control over their biometric data.
Who was affected
Passengers using the facial recognition system at Milan airports were affected.
What the authority found
The DPA found that the company violated GDPR by not allowing users to control their biometric data and failing to secure it properly.
Why this matters
This case highlights the need for transparency and user control in biometric data usage. Companies using similar technologies should ensure compliance with data protection laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is Società per Azioni Esercizi Aeroportuali (S.E.A.), the group of companies that manage 2 airports in Milan. The controller installed and started using a facial recognition system, called "FaceBoarding", for the purpose of passenger identification at the access gates to the sterile area and boarding gates at Milan Linate Airport In July 2025, the DPA initiated investigations regarding this system. First, the DPA found that the biometric template of the data subjects remained stored exclusively in the centralized system of the controller, preventing active control on the part of the data subject over his or her own biometric data. This did not comply with the [https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_de EDPB’s Opinion No. 11/2024 on the use of facial recognition for the streamlining of passenger flows] and therefore violated Article 5(1)(f) GDPR, Article 25 GDPR and Article 32 GDPR. Second, it found that the privacy notice issued by the controller contained inaccurate information where it reports that, with respect to the methods of joining the system via the dedicated App, "the biometric template remains stored exclusively in the smartphone" of the passenger. Third, the ruled that the controller did not take measures to encrypt the biometric template when storing it in its systems, resulting in a violation of Article 32 GDPR. It also foresees extended retention periods for biometric templates of up to 12 months, in in violation of Article 5(1)(e) GDPR and Article 32 GDPR. Fourth, the gates dedicated to FaceBoarding "are hybrid in nature," i.e., they can also be used by passengers who have not joined the aforementioned system. In this circumstance, a biometric template of the data subject is nevertheless generated, although the data subject has not given consent to its processing, in violation of violation of Article 6 GDPR. Consequently, the DPA decided to or
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Società per Azioni Esercizi Aeroportuali S.E.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
11 September 2025
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-9547About this data
Cite as: Cookie Fines. Società per Azioni Esercizi Aeroportuali S.E.A. - Italy (2025). Retrieved from cookiefines.eu
Last updated: