The AEPD also ruled that the GSMA collected passports and EU identity documents from attendees and made their consent to biometric data collection a requirement during the upload process. However, the GDPR mandates that consent must be specific and freely given, which was not the case for attendees who were unable to attend without uploading their passport details.
Dr Anastasia Dedyukhina, a digital wellness advocate, highlighted this issue in a LinkedIn post, stating that she could not find a reasonable justification for the data collection and was forced to join the event virtually after refusing to upload her passport details.
