The AEPD concluded that the GSMA’s assessment was superficial and failed to address key aspects of data processing methods and the associated risks and necessity of the BREEZZ system.
Under the GDPR, a thorough DPIA must be conducted when data collection poses a high risk to individuals’ right to privacy. In this case, the use of biometric facial recognition technology to identify MWC attendees falls into that category.
