Spain: Spanish Data Protection Agency imposed a total fine of EUR 950'000 on Yoti for violating General Data Protection Regulation

On 10 March 2026, the Spanish Data Protection Agency (AEPD) fined Yoti EUR 950’000 following an investigation into its role as an intermediary in identity and age-verification processes. The fine includes EUR 500’000 for processing special category biometric data without a valid exemption under Article 9 of the GDPR, EUR 200’000 for obtaining consent for research and analytics through pre-ticked boxes in breach of Article 7, and EUR 250,000 for retaining data, including biometric and geolocation information, for longer than necessary in violation of the storage limitation principle under Article 5(1)(e). The AEPD required Yoti to demonstrate within six months that its processing of biometric data, consent mechanisms, and data retention practices comply with the GDPR.