
Andorra Cracks Down on Biometric Access in Businesses and Gyms

Experts and data protection agency warn that fingerprints and facial scans violate strict proportionality rules, urging less invasive alternatives.

Synthesized from:
Diari d'Andorra

Key Points

  • Biometrics qualify as 'especially sensitive' data under Andorran LQPD, requiring explicit consent or public interest and proportionality.
  • Less intrusive options like cards or codes must be provided; convenience doesn't justify biometrics.
  • Mandatory impact assessments needed; no fines yet but complaints could lead to penalties.
  • Irreversible nature of biometrics heightens breach risks, demanding encryption and deletion safeguards.

The use of biometric data such as fingerprints, facial recognition or iris scans to access businesses, gyms and other public venues is raising serious concerns in Andorra over its legality and risks to fundamental rights. The Andorran Data Protection Agency (APDA) and legal and tech experts agree that such data qualify as "especially sensitive" and that, in most cases, their use fails to meet the proportionality requirements under current rules.

Andorran law, outlined in Qualified Law 21/2019 on personal data protection (LQPD) and its implementing regulations, does not explicitly ban biometrics but imposes strict limits on processing special-category data. The APDA stresses that such processing is only permissible in narrow circumstances, backed by robust legal grounds like explicit user consent or essential public interest. "If access can be achieved with a less intrusive system, the law requires it," said Víctor Rosselló, a lawyer specialising in data protection.

The regulations often mandate a data protection impact assessment before deploying biometric systems, particularly for sensitive data or ongoing public monitoring. No fines have yet been issued in Andorra for misuse, but the APDA warns that complaints could trigger investigations and penalties. Consent must be free, specific, informed and unambiguous; if relied upon, businesses must provide a genuine, less invasive alternative.

Biometrics are treated on par with health data due to their sensitivity, Rosselló explained, adding that convenience never justifies them over options like cards or codes. Their use in gyms or shops, he argued, clashes with core data protection principles, including minimisation. Núria Viladrich, director at OCPS-Tarinas Compliance, noted that while not outright prohibited, biometrics demand case-by-case scrutiny of purpose, necessity and proportionality. Alternatives should always be prioritised, especially for clocking in at work or gym entry, to ensure truly voluntary consent.

Tech specialist Sebastián González of Dcode Informàtics echoed this, saying biometrics are justifiable only in high-security settings like critical infrastructure—not shops, hospitality or gyms, where less invasive methods exist. Employee consent in workplaces is often not fully free, heightening legal exposure.

Experts and the APDA also highlight security risks: unlike passwords or cards, biometric data cannot be changed if breached. Strict safeguards like encryption, access controls and prompt deletion—such as when a gym member cancels—are legally required.


Original Sources

This article was aggregated from the following Catalan-language sources: