GDPR - Apr 23, 2026

Garante per la protezione dei dati personali (Italy) - 10167745

Italy DPA finds Milan airport facial recognition system violated GDPR data protection rules.

Summary

Italy's Data Protection Authority (Garante) investigated the FaceBoarding facial recognition system deployed at Milan Linate Airport and found multiple GDPR violations including inadequate encryption, unauthorized biometric template collection, misleading privacy notices, and excessive retention periods. The violations affected 24,550 passengers over approximately one year (May 2024–September 2025). No fine was imposed because the controller ceased operations and erased all collected biometric data.

Full text

From GDPRhub
Latest revision as of 11:52, 23 April 2026

Garante per la protezione dei dati personali - 10167745

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR; Article 5(1)(f) GDPR; Article 6 GDPR; Article 13 GDPR; Article 25 GDPR; Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.09.2025
Published:
Fine: n/a
Parties: Società per Azioni Esercizi Aeroportuali S.E.A.
National Case Number/Name: 10167745
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: Le

The DPA imposed a temporary ban on "FaceBoarding", a facial recognition system used for passenger identification in airports. It found that the controller had not implemented adequate security measures.

English Summary

Facts

The controller is Società per Azioni Esercizi Aeroportuali (S.E.A.), the group of companies that manage 2 airports in Milan. The controller installed and started using a facial recognition system, called "FaceBoarding", for the purpose of passenger identification at the access gates to the sterile area and boarding gates at Milan Linate Airport.

In July 2025, the DPA initiated investigations regarding this system.

Holding

First, the DPA found that the biometric template of the data subjects remained stored exclusively in the centralized system of the controller, preventing active control on the part of the data subject over his or her own biometric data. This did not comply with the EDPB’s Opinion No. 11/2024 on the use of facial recognition for the streamlining of passenger flows (https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_de) and therefore violated Article 5(1)(f) GDPR, Article 25 GDPR and Article 32 GDPR.

Second, it found that the privacy notice issued by the controller contained inaccurate information where it reports that, with respect to the methods of joining the system via the dedicated App, "the biometric template remains stored exclusively in the smartphone" of the passenger.

Third, it ruled that the controller did not take measures to encrypt the biometric template when storing it in its systems, resulting in a violation of Article 32 GDPR. It also foresees extended retention periods for biometric templates of up to 12 months, in violation of Article 5(1)(e) GDPR and Article 32 GDPR.

Fourth, the gates dedicated to FaceBoarding "are hybrid in nature," i.e., they can also be used by passengers who have not joined the aforementioned system. In this circumstance, a biometric template of the data subject is nevertheless generated, although the data subject has not given consent to its processing, in violation of Article 6 GDPR.

Consequently, the DPA decided to order the measure of provisional limitation of the processing of biometric data of passengers put in place, through the FaceBoarding system, for the purpose of identifying them at the access gates to the sterile area and at the boarding gates at Milan Linate airport, pursuant to Article 58(2)(f) GDPR.

Comment

The DPA finalised its investigations and issued a decision in March 2026. The DPA stated that the controller had violated Articles 5(1)(a), (e) and (f) GDPR, as well as Articles 6, 13, 25 and 32 GDPR. According to the DPA, the violation lasted approximately one year (May 2024 to September 2025) and affected 24,550 data subjects. However, the DPA did not impose a fine or corrective measures because the controller ceased to process data through the FaceBoarding system and erased the data of the data subjects in its systems. You can read the decision here: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10238246

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Press release of September 18, 2025

[web doc. no. 10167745]

Measure of September 11, 2025

Register of Measures No. 489 of September 11, 2025

THE ITALIAN DATA PROTECTION AUTHORITY

IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr.
Agostino Ghiglia and Guido Scorza, members, and Councillor Angela Fanizza, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING REGARD to Legislative Decree no. 196 (Personal Data Protection Code, hereinafter "Code"), as amended by Legislative Decree No. 101 of August 10, 2018, containing "Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2

Entities

Società per Azioni Esercizi Aeroportuali (S.E.A.) (vendor)
FaceBoarding (product)