The Possible Fall of the AEPD’s Biometric Guide Reopens Digital Registration

The National Court has reportedly upheld the Spanish Association of Security Companies (AES) appeal against the Spanish Agency for Data Protection (AEPD) guidance on presence control through biometric systems. The information, leaked on 07/15/2026 by El Confidencial, suggests that the court has invalidated its approval and publication, ruling that it functioned in practice as a general instruction without following the procedure reserved for circulars.

The key points of biometric clocking in 20 seconds

  • The ruling questions the format used by the AEPD, not the protection of biometric data.
  • Fingerprints and faces remain subject to the General Data Protection Regulation (GDPR).
  • The decision does not automatically authorize biometric clock-in systems.
  • Providers and companies should wait for the full text before modifying their projects.

The complete ruling was not yet available among the official judicial sources consulted while preparing this article, so caution is advised. The guidance itself from November 2023 remains accessible on the AEPD website, but all its pages are now marked with the phrase “UNDER REVIEW.”

The case is of particular interest to the tech sector because it goes beyond whether a company can clock in using a fingerprint. It also raises questions about the extent of an authority’s influence through guidance that, although not legally binding norms, can end up conditioning purchasing decisions, software development, contracts, and legal assessments.

It’s not a permit to return to fingerprint-based clocking

The main misconception to avoid is that the National Court has legalized biometric time tracking. Based on available information, the court analyzed the instrument used by the AEPD without making a general ruling on whether an employer can identify workers via face, fingerprint, iris, or hand geometry.

The 2023 guidance set very restrictive criteria. It considered biometric identification—comparing a sample against multiple identities—and authentication—one-to-one verification—could involve processing special categories of data when they allow unambiguous identification. It also categorized these projects as high-risk processing and mandated a Data Protection Impact Assessment (DPIA) before implementation.

These criteria had immediate effects on the market. HR departments, security integrators, terminal manufacturers, and SaaS providers reviewed projects that were previously offered as a convenient way to avoid cards, codes, or manual logs.

The possible annulment of the guidance would remove or weaken this administrative reference, but would not eliminate the GDPR. Any organization processing biometric data must still have a legal basis under Article 6 and a condition to lift the restrictions of Article 9 when processing special categories.

It must also demonstrate that the system is necessary for the intended purpose. The legal obligation to record working hours does not require biometric data: it can be fulfilled with an app, card, code, digital certificate, or organizational procedure. The company would need to justify why these alternatives are unsuitable in their case.

Consent does not always solve the problem either. In employment relationships, it can be difficult to prove that an employee’s decision is truly voluntary, especially when rejecting biometric systems results in disadvantages, additional procedures, or limited access to the workplace.

Technology does not eliminate legal risks

Providers often find it tempting to present architectures as solutions that no longer process biometric data. It’s common to hear that a mathematical template isn’t a fingerprint, that the system doesn’t store photographs, or that the pattern cannot reconstruct the original face.

However, the AEPD’s guidance states that a biometric template remains a personal data when it allows for identifying a person within a system. The fact that a human cannot interpret the file directly does not eliminate its capacity to link records, authenticate access, or trigger automated decisions.

The way the product is designed does influence the risk level. A system that stores the template on a card under the user’s control presents different risks than a central database holding biometric patterns for all employees. Similarly, local one-to-one authentication and one-to-many recognition to find a match among thousands are not equivalent.

Measures to reduce exposure include local storage, encryption, separation between the template and identifiable data, periodic renewal of biometric references, and automatic deletion once employment ends. None of these alone establish legal authorization but can help satisfy criteria of necessity, proportionality, and security.

Technical managers should also consider what happens if a reference is compromised. Passwords can be changed, but a fingerprint or facial features remain with the individual for life. Mechanisms that generate revocable or unlinkable templates across services can mitigate some risk, provided their properties are demonstrated and not just marketed claims.

The impact assessment should extend beyond the biometric reader. It should cover the management app, application programming interfaces (APIs), backups, access logs, cloud provider, support equipment, and any integration with payroll, attendance tracking, or physical security systems.

Implications for companies and tech providers

If the upheld ruling confirms the broad scope discussed, it could influence how the AEPD issues general criteria. The Organic Law 3/2018 allows the Agency’s President to issue circulars establishing the authority’s criteria. These are binding once published in the Official State Gazette (BOE).

The AEPD’s Statute requires a process involving a technical report, necessity justification, legal opinion, consultation procedures, State Council opinion, approval by the Presidency, and publication in the BOE. The court’s stance suggests that a guidance document cannot substitute that process if its wording effectively functions as a general rule.

For businesses, this creates uncertainty but not free rein. Companies that already abandoned a biometric project shouldn’t reactivate it solely based on a headline. Those operating such systems also can’t assume their compliance is resolved.

It is advisable to review, at minimum, the specific purpose, legal basis, condition under Article 9 of GDPR, less intrusive alternatives, technical architecture, retention periods, and mechanisms for individuals unable or unwilling to use the system.

Providers should avoid claims like “complies with GDPR” or “does not store biometric data” without explaining how the product actually works. Compliance depends not only on the device or algorithm but also on who uses it, for what purpose, how it’s configured, and what decisions are based on its outputs.

The ruling may lead the AEPD to issue a new, more guidance-oriented document, adopt a circular through the formal process, or wait until specific cases and rulings clarify the criteria.

Until the full decision is known, an appeal cannot be ruled out. The exact wording of the judgment will determine whether the entire guidance is invalidated, only the act that approved its publication, or only sections deemed to go beyond an informational role.

Frequently Asked Questions

Is it legal now to clock in using a fingerprint in a company?

There is no general authorization. Each organization must justify the treatment necessity, legal basis, and the condition allowing the use of biometric data.

What about biometric systems already installed?

They must still comply with GDPR. The potential annulment of the guidance does not eliminate impact assessments, security measures, or proportionality analyses that are required.

Does encrypting a biometric template make it no longer a personal data?

Not necessarily. Encryption protects the data but does not change its nature when it can still be used to identify or authenticate a person.

Can the AEPD set new criteria on biometric clocking?

Yes. It can issue guidelines, resolve specific cases, or develop circulars through the procedures provided by its Statute and Organic Law 3/2018.

Source: Abogados Contratos

Scroll to Top