Spanish Data Protection Agency Upholds Fine Against Loro Parque and Siam Park
The Spanish Agency for Data Protection (AEPD) has rejected an appeal from the company operating Loro Parque and Siam Park in Tenerife. This decision follows the imposition of a €250,000 fine for a “very serious” offence, as the company required customers to register their fingerprints upon entering the parks.
Customer Complaints
Three complainants stated they purchased a package to access both parks along with a ferry ticket from Gran Canaria. They were compelled to provide their fingerprints using a scanner to verify that the individual entering both parks was the same person, according to the AEPD’s resolution.
They also claimed they were never informed about the data processing at the time of purchase. Instead, they found a message in several languages stating, “This system is for the exclusive use of visitors who have” a specific type of ticket.
Furthermore, it was noted that no fingerprint images were stored; the system merely scans the fingerprint and provides a series of instructions.
One complainant included their complaints form and ferry ticket, detailing that when they refused to provide their fingerprint, they were barred from entry and advised to request a refund without being offered any alternatives.
The ticket and ferry package expires after fifteen days, after which the right to a refund is lost.
Significant Risks of Biometric Data Use
The AEPD emphasised that the use of biometric data poses “significant risks to fundamental rights and freedoms, and hence its use is initially prohibited.” Notably, leisure activities are not among the exceptions to this rule, nor can it be imposed unilaterally.
The investigation also revealed a connection between ticket purchases and biometric data, as a QR code is used that allows for the full identification of customers.
The fine was deemed appropriate given that the company operates public parks frequented year-round by families, including minors, and failed to provide information or respond to inquiries regarding the matter.
The company claimed it is not legally required to have a Data Protection Officer (DPO). Regarding the lack of information on the verification system, they stated that the biometric data processing has been registered since 2010.
They further argued that this requirement applies to a specific product that allows visitors to experience both parks at a reduced price, necessitating verification of customer identity.
They justified the use of this method, stating it ensures a high level of certainty that “the person entering one park is the same individual who subsequently enters the other, despite not being able to identify the person who purchased the tickets.”
Only a “mathematical representation” would be created, which would be retained as long as the ticket is valid and then destroyed. Their identification document is used to ascertain the resident status of the user, given the price differences established.
Once the appeal was dismissed, the company was informed that voluntary payment must be made before the 20th of September, although they also have the option to take the matter to court.
