MERCADONA S.A. – Court Ruling (Spain, 2021)

Two persons were sentenced to prison by a Criminal Court of Barcelona for violent robbery in a Mercadona supermarket. The were also prohibited from entering the supermarket for two years. Mercadona asked the court to allow them to use a system processing biometric data to monitor the entrance of the supermarket and stop them from accessing, as doing it with traditional means (i.e. instructing the security personnel to do it) would be too burdensome and virtually impossible. In order to justify this, they alleged a public interest based on the [https://www.boe.es/buscar/act.php?id=BOE-A-2014-3649 Spanish Private Security Act] and on a legitimate interest to ensure compliance with the judgment of the criminal court. The criminal court rejected the petition, against which the supermarket chain filed an appeal before the Barcelona Court of Appeal (Audiencia Provincial de Barcelona). They argued that: * Even if the category of biometric data is recognized in the GDPR as specially protected data, it does not exclude its use, provided that it is carried out with all the relevant security measures. The controller understands that the proposed security measures do not harm the rights of the data subjects, since, although the biometric data of all users entering one of the establishments are processed, the system instantly (within 0.3 seconds) detects the convicted individuals; while no biometric data of any person who has not been prohibited from entering the place will remain in the system, that will be immediately erased and will never be used. * The purpose of the legislator in the development of the GDPR is not only to protect the rights of natural persons but also the free circulation of data, taking into account the progress of technology. That is why it would be completely ineffective to try to solve a problem such as the control of those individuals with an entry ban by just showing the image of these individuals to dozens of employees of establishments so that they