The Background (Worldcoin Returns to Spain): Tools for Humanity (TfH), the company behind the Worldcoin / World ID project, wrote to the AEPD in January 2026 to announce it was planning to relaunch its operations in Spain in February 2026, opening a new location in Barcelona. The company's Data Protection Officer sent a formal letter outlining technical improvements made over the prior year, including open-sourcing its Orb hardware, introducing a personal data custody model, and implementing Anonymised Multi-Party Computation (AMPC) — a technology designed to verify users without transferring or storing their biometric data centrally.
The Technology at Issue: TfH operates the "Orb," a spherical scanning device that captures images of a user's iris and face. It processes these images to generate a unique "iris code" — a biometric template derived from the iris image that lets the system check that the person is human and has not previously registered on the World network. TfH argued that this does not constitute biometric data processing under Article 9 GDPR because its purpose is not identification but proof of uniqueness.
The AEPD's Counter-Analysis: The AEPD was unconvinced. Under Article 4(14) GDPR, biometric data is personal data resulting from specific technical processing of a person's physical, physiological or behavioural characteristics which allows or confirms their unique identification. The Agency concluded that the Orb's iris-scanning process appears to meet precisely this definition: the code produced enables the system to confirm that a specific individual is unique within the network, regardless of whether the company labels that operation "identification" or not.
The Transparency Gap: The AEPD also found that TfH's published Privacy Policy, data retention policy, and legal basis annex failed to provide adequate transparency about the biometric processing involved. Users are not clearly informed of the legal basis for processing special category data, of which Article 9(2) condition is relied on to lift the prohibition, or of how they may exercise their data rights in relation to the iris data stored on their own device via the World App.
The Core Ruling: Rather than opening a formal sanctions procedure, the AEPD issued a formal Warning (Advertencia) under Article 58(2)(a) GDPR — the corrective power to warn a controller that intended processing operations are likely to infringe the Regulation — and thereby required TfH to review and adjust its approach before the relaunch proceeds. No fine was imposed. The resolution was signed by the President of the AEPD, Lorenzo Cotino Hueso.
Based on Resolution EXP202602591, here is the compliance protocol for any organisation considering biometric data collection:
1. "Proof of Uniqueness" Is Not a Free Pass: If your technology processes biometric characteristics — even to confirm uniqueness rather than to identify a person by name — you are very likely processing special category data under Article 9 GDPR. Do not assume that relabelling the purpose exempts you from the heightened obligations. Obtain explicit legal advice on whether your processing falls within Article 9(1) before launch, and identify which Article 9(2) condition you rely on.
2. Your DPIA Must Address Proportionality: A DPIA is not a box-ticking exercise, and for large-scale processing of special category data Article 35(3)(b) GDPR makes it mandatory. It must demonstrate that you have genuinely considered whether a less privacy-intrusive alternative exists. If biometric scanning can be replaced by another mechanism that achieves the same business goal, you must explain why you chose not to use it. The AEPD will scrutinise this.
3. Centralised vs. Device-Side Storage Is a Spectrum, Not a Binary: TfH argued that storing data on the user's own device via its app protects privacy. The AEPD noted that the user's access to that data remains conditional on using TfH's application, meaning the company retains a degree of control. If you rely on device-side storage as a privacy safeguard, ensure the user has genuine, independent access to that data rather than access mediated solely by your own software.
4. Transparency Obligations Apply to On-Device Processing Too: If processing occurs on a user's device via your application, you must still disclose this clearly in your privacy documentation, including the legal basis, the nature of the data, and how rights can be exercised. "The data never leaves the Orb" is not an adequate explanation if the resulting code is then processed by your app.
5. Supervisory Authorities Can Warn Before You Launch: Article 58(2)(a) GDPR empowers data protection authorities to issue warnings about intended processing, not just processing that has already begun. If your organisation is preparing a new product or service involving sensitive data, proactively engaging the relevant DPA before launch is both a legal best practice and a reputational safeguard.
Summary of Business Risk
This resolution is significant beyond its immediate subject. The AEPD has signalled clearly that it views iris-based "proof of humanity" systems as biometric data processing subject to the full weight of Article 9 GDPR. Any business deploying comparable technology — facial recognition, iris scanning, fingerprint verification — should treat this warning as applicable to its own operations. The absence of a fine reflects the preventive nature of the measure, not a clean bill of health.
Two-Sentence Summary: The AEPD issued a formal warning to Tools for Humanity GmbH ahead of its planned relaunch in Spain, concluding that its iris-scanning World ID system likely constitutes biometric data processing under Article 9 GDPR, requiring stronger legal justification and a more rigorous DPIA. The case establishes that "proof of uniqueness" technology does not escape special category data obligations merely because identification is not its stated purpose.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.
No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.
No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.
Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.
Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
This summary is for information purposes only. For more information, see our Legal Notice (Aviso Legal).