Spain fines Yoti €950K

Spain fined age‑verification firm Yoti €950,000 for GDPR violations after investigators found it retained geolocation data for five years and repurposed documents to train AI models — a sharp reminder that location pipelines are a regulatory target. (x.com)

AEPD split the sanction across three specific breaches: €500,000 for unlawful processing of biometric (special-category) data under Article 9, €200,000 for invalid consent under Article 7, and €250,000 for breaching the storage‑limitation rule in Article 5(1)(e). (dataguidance.com) The regulator concluded Yoti’s Digital ID app did more than “authentication,” treating facial data as identification that uniquely identifies a person and therefore falls squarely under GDPR’s Article 9 protections. (legalarmy.net)

AEPD found Yoti’s consent UX deficient: consent for research and development processing used pre‑ticked boxes and users could advance through onboarding without actually opening the privacy policy. (legalarmy.net) The agency documented retention specifics: account data (including biometric templates) was kept while accounts were active plus three years of inactivity, liveness video recordings were retained for around 30 days, and documents flagged as fraudulent could be retained for up to two years and reused to train models. (legalarmy.net)

The enforcement timeline shows an AEPD sanction issued in a resolution dated 23 November 2025 that was later confirmed on administrative review in early March 2026, after an inquiry that the regulator opened in late 2023. (dataguidance.com) Yoti publicly rejected the ruling, said no user data had been breached, claimed it was not notified of the investigation timeline, and has launched an appeal to the Spanish High Court while disputing the findings. (yoti.com)
