LORO PARQUE SA – €250,000 Fine (Spain, 2024)

Three data subjects filed a complaint to the DPA against LORO PARQUE SA (a zoo, the controller) between August and November 2022. The complaints concerned the mandatory biometric identification methods used to access the park. One of the tickets offered allowed data subjects to access the zoo and water park owned by the controller with one ticket. However, data subjects were obliged to use the controller’s fingerprint identification systems to verify that the same person was accessing both parks, regardless of age. This was carried out in addition to the tickets’ QR code scanning procedure. The controller argued that the process was necessary to verify whether the ticket was used by the same person. In addition, the tickets were deactivated once the data subject had accessed both theme parks, limiting the storage period of data subjects’ biometric data. Finally, the controller argued that it did not process personal data, as it did not identify the data subject through the fingerprint data or store the image of the fingerprints. Rather, the system simply read the fingerprint and created a mathematical representation of the fingerprints’ characteristics (also referred to as a “biometric template”). The DPA first noted that while biometric identification methods were not new, the fact that these processes can be automated with a high level of accuracy raises data protection concerns. According to the DPA, processing this data involves a certain risk, as it is data that a data subject cannot change. This poses a risk of loss of identity for the data subject if the data is misused. The DPA then dismissed the controller’s argument that it is not processing personal data through its fingerprint systems. The biometric template falls under the definition of biometric data (Article 4(14) GDPR), as it acts as a unique identifier of the data subject. According to the DPA, it is irrelevant whether the data subject can be identified, or whether the fingerprint can be reconst