Information to the interested party on data protection

5.95. Access control by fingerprint recognition

Description of the activity

Data processing of AEAT employees, including collaborators and external companies for time and billing control. 

Maintenance of Security at the AEAT headquarters through access control to the buildings that the AEAT shares with other personnel.


Management of employees, assigned to the AEAT, in order to be able to carry out actions to control compliance with the obligations of the personnel at their service.

To guarantee the safety of people, goods and facilities.


Regarding the time and billing control of staff at the service of the AEAT, article 6 of Regulation 2016/679 (EU), relating to the legality of processing, in section 1, letter b) states that “The processing will be lawful if at least one of the following conditions is met: (…) b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the interested party of pre-contractual measures (…)”.

By virtue of this precept, the processing of data is lawful, and will not require consent, when the processing of data is carried out for the fulfillment of contractual relations of an employment nature.

This provision would also cover the processing of data of public employees, although their relationship is not contractual in the strict sense.

In both cases, the AEAT processes the fingerprint, which article 9 of the EU Regulation refers to as “special categories of data”.

Thus, article 9.1 of the aforementioned Regulation states that “The processing of data that reveals ethnic or racial origin, political opinions, religious or philosophical convictions, or union membership, and the processing of genetic data, biometric data aimed at uniquely identifying a natural person, data relating to health or data relating to the sexual life or sexual orientations of a natural person are prohibited”.

However, in section 2, a series of exceptions are established in which such data may be processed. Specifically, letter b) of this section 2 indicates the following: “Section 1 will not apply when one of the following circumstances occurs: (…) b) the processing is necessary for the fulfillment of obligations and the exercise of specific rights of the data controller or the interested party in the field of labor law and social security and protection (…)”.

Regarding guaranteeing security in the control of access to buildings by personnel who perform their duties in AEAT buildings, article 32, “Security guards and their specialty”, of Law 5/2014 on Private Security establishes that:

“1. Security guards will perform the following functions:

a) Exercise surveillance and protection of assets, establishments, places and events, both private and public, as well as the protection of people who may be in them, carrying out the necessary checks, records and preventions to fulfil their mission.

b) Carry out checks of identity, personal items, packages, merchandise or vehicles, including their interior, at the access to or inside the buildings or properties where they provide services. In no case may they retain personal documentation, but they may prevent access to said buildings or properties. Refusal to display identification or allow control of personal items, packages, merchandise or vehicles will entitle them to prevent individuals' access or to order them to leave the building or property that is the object of their protection.”

According to this, and in accordance with what is established in article 6.1.f of the Regulation, the consent of the interested parties is not necessary, since art. 51 of Law 4/2014 recognizes the right to “equip oneself with private security measures aimed at protecting people and property and ensuring the normal development of one's personal or business activities.” 


  • Personnel at the service of the AEAT and any other employee, public or private, who performs their duties in AEAT buildings.


  • DNI, Name and Surname
  • Biometric data (fingerprint minutiae, from which the fingerprint cannot be reconstructed)


  • Collection
  • Record
  • Storage
  • Structuring
  • Modification
  • Update
  • Copy
  • Analysis
  • Enquiry
  • Extraction
  • Promotion
  • Interconnection
  • Limitation
  • Suppression
  • Destruction
  • Other 


Not anticipated.

International transfers

Not foreseen.

Planned deadlines for deletion

 On a monthly basis, the minutiae of the fingerprints of the interested parties who have been removed from the access control application will be erased.


Does not apply.

Technical/organizational measures

All data processed has been evaluated through a risk analysis, having obtained a list of technical and organizational measures to apply. These measures have been applied in accordance with the approved adaptation plan.

The following points are worth noting:

  • In the fingerprint registration process, only a few minutiae or traces are saved that allow comparison with the employee's fingerprint at the time of access control. At no time is the complete fingerprint recorded, and it is impossible to reproduce the original image of the fingerprint from these minutiae.
  • These minutiae are stored encrypted so that they can only be read on the computers that are part of the access control solution implemented at the Tax Agency.
  • An Impact Assessment has been carried out in the terms of art. 35 of the RGPD, which has been provided to the Spanish Data Protection Agency.
