Loro Parque Fined €250,000 for Biometric Data Breach
Spain’s Data Protection Agency (AEPD) has imposed a €250,000 fine on Tenerife’s Loro Parque for its fingerprint-based access system. The regulator ruled that collecting biometric data from visitors – including minors – violated fundamental privacy rights under EU law. The controversial system was used for the park’s Twin Ticket (TT) offering, which granted discounted entry to both Loro Parque (zoo) and Siam Park (water park).
How the Fingerprint System Worked
The TT system required visitors to register fingerprints when purchasing tickets, though this wasn’t clearly disclosed during sales. The park stored mathematical representations (“minutiae”) of fingerprints to verify identity when guests visited the second park within six months. Loro Parque argued this didn’t constitute personal data since the templates couldn’t reconstruct actual fingerprints or identify individuals.
Regulator’s Counterarguments
The AEPD rejected these claims, stating the templates still qualified as biometric data under GDPR Article 4.14. Investigators proved the system could uniquely identify individuals by matching stored templates during second visits. The agency noted Loro Parque failed to properly inform visitors about biometric collection or obtain explicit consent.
Park’s Defense and New System
Loro Parque maintained the encrypted templates were deleted after ticket expiration and couldn’t identify users. They called the fine disproportionate and requested case dismissal, arguing the procedure violated their right to defense. The park has since implemented a new access system as of September 2024, though details remain undisclosed.
Broader Implications for Tourism
This landmark case establishes important precedents for biometric data use in Spain’s tourism sector. The AEPD emphasized that even processed biometric data requires strict protections. Visitors to Canary Islands attractions should now expect clearer disclosures about any personal data collection methods.
