Spain: Data Protection Agency issued a warning to Tools for Humanity concerning the resumption of operations in Spain for World project

On 16 February 2026, the Spanish Data Protection Agency (AEPD) issued a warning to Tools for Humanity regarding planned Orb-related processing operations in Spain. The company had informed the AEPD that it acts as sole data controller, that operations would relaunch in Barcelona in February 2026, that a new subscription-based rewards model would replace token-based rewards, and that the Worldcoin Foundation is no longer involved in processing due to anonymised multi-party computation. After reviewing the Data Protection Impact Assessments and public information, the AEPD stated that the Orb may process biometric data, including iris images used to generate a uniqueness code. It recalled that such high-risk processing requires a proper impact assessment, a demonstrated necessity and proportionality analysis (including consideration of non-biometric alternatives), and a valid legal basis under Articles 6 and 9 GDPR. The AEPD also found that the privacy documentation did not clearly identify the legal bases, the applicable exception for biometric data processing, or the required supplementary information. Finally, the authority stated that it had not identified information in the Privacy Notice, Annex I, or the Biometric Data Retention Policy clarifying the legal bases relied upon, the applicable exception lifting the prohibition on processing biometric data, or the exercise of data subject rights. It also noted that supplementary information required under recital 60 of Regulation (EU) 2016/679 had not been provided.