Spain's data protection authority issued a formal preventive warning to Tools for Humanity GmbH on February 13, 2026, cautioning that the company's planned iris-scanning operations in Spain could violate the General Data Protection Regulation. The Agencia Española de Protección de Datos (AEPD) filed the warning under reference EXP202602591, invoking its corrective powers under GDPR Article 58.2(a), just days before the company that operates the World Network - formerly known as Worldcoin - intended to relaunch its biometric verification activities in Barcelona.
The warning, signed by AEPD President Lorenzo Cotino Hueso, does not constitute a fine or finding of an actual violation. Rather, it exercises the authority's explicit precautionary function: alerting a data controller that planned processing activities "may" infringe GDPR requirements before those activities begin. The distinction matters. No penalty has been imposed. The AEPD is, in effect, raising a red flag ahead of the relaunch.
The relaunch that triggered the warning
On January 23, 2026, the AEPD received an email from Tools for Humanity's Data Protection Officer, informing the authority of a series of organizational updates and announcing the company's intention to resume Spanish operations. According to the document, the email stated the company planned "to relaunch our operations in Spain in February 2026 with the opening of a new location in Barcelona," following a communication issued in November 2025 about the anticipated return.
The email outlined several significant changes. First, as of October 2025, Tools for Humanity GmbH - the German entity - was designated as the sole data controller for all Orb-related processing activities involving users located in Spain, under GDPR Article 56 governing the single EU establishment mechanism. This replaced a previous structure under which both the company and the Worldcoin Foundation shared data responsibilities. The Worldcoin Foundation remains the steward of the World ID protocol, according to the email, but "is no longer involved in data processing activities."
Second, the company introduced a modified rewards model for Spain. Instead of the token-based rewards that characterized its original rollout - where users received Worldcoin (WLD) cryptocurrency in exchange for biometric enrollment - the pilot in Spain would offer benefits linked to local or online services and digital subscriptions. According to the communication, this change "is intended to align the user experience with the current and future use cases of the World Network, while preserving transparency and user choice at all times."
Third, the company highlighted three technical privacy enhancements introduced over the prior year: the open-source release of the Orb hardware to facilitate public audit, a personal custody model giving users direct control over their biometric data and World ID, and the introduction of Anonymized Multi-Party Computation (AMPC), which the company describes as enabling verification without transferring or storing special categories of personal data.
What the Orb actually does - and why it concerns regulators
The AEPD's analysis centers on the Orb device and the data it captures. The Orb is a spherical device about the size of a bowling ball that scans a user's iris and face to generate a unique biometric code. The stated purpose is to verify that each person is a unique human being - a "proof of personhood" - distinguishing real individuals from bots or duplicate registrations.
According to Tools for Humanity's own materials cited in the AEPD resolution, the Orb "can distinguish you from others without storing any personal data, not even your name." The company describes a process whereby, after registration, data is encrypted with the user's public key, the "result of this process is a collection of encrypted data packets that reside exclusively on your device," and the information "is always deleted from the Orb once it has been sent to your device."
The AEPD's concern, however, focuses on whether this process constitutes processing of biometric data as defined by GDPR Article 4.14. That provision defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person." The authority's analysis identifies four elements that appear to be satisfied: personal data are obtained (the iris code), through specific technical processing (the Orb), based on physical characteristics (iris images), and used to confirm unique identification (preventing duplicate registrations). The conclusion is direct: the responsible party "could be carrying out processing of biometric personal data."
This categorisation is significant. Biometric data is a special category under GDPR Article 9, subject to stricter requirements and a general prohibition on processing unless one of the explicit exceptions in Article 9.2 applies. The most likely exception in this context is explicit consent under Article 9.2(a).
The custody model and its limitations
Tools for Humanity's personal custody model - presented as a privacy innovation - received particular scrutiny in the AEPD analysis. Under this model, the encrypted biometric template is stored not on company servers but on the user's own device, within the company's application.
The AEPD noted that when the company refers to "your device," this appears in practice to mean "the TfH application installed on a user's device." That application, the authority observed, forms part of the data processing chain and remains under some degree of the controller's control. According to the resolution, "the user does not appear to have full control over the data, insofar as their access to the data would be conditioned on the use of the application provided by TfH."
The implication is precise. Personal custody does not automatically equal user control if the data remains accessible only through proprietary software. Whether a user can export, delete, or independently access their biometric data without relying on the company's application is a material question for the DPIA.
The AMPC (Anonymized Multi-Party Computation) system was also mentioned in the company's communication. According to Tools for Humanity, AMPC enables verification without transferring or storing special category personal data - an architecture the company argues removes the Worldcoin Foundation from data controller status entirely, because data is anonymized once it leaves the Orb. The AEPD's warning does not directly challenge AMPC's effectiveness but notes that the DPIA documentation reviewed did not resolve key questions about the system's risk profile.
The data protection impact assessment problem
The core of the AEPD's regulatory concern lies in the Data Protection Impact Assessment (DPIA). GDPR Article 35.1 requires controllers to conduct a DPIA before processing that is "likely to result in a high risk to the rights and freedoms of natural persons," particularly when using new technologies. The AEPD has published a list of processing types requiring DPIAs, and biometric data processing falls under criteria 4 (biometric data), 5 (new technologies), and 10 (innovative use of established technologies).
According to the resolution, Tools for Humanity provided DPIA documentation during technical meetings held with the AEPD prior to the warning. The authority's review of those documents identified material gaps. Specifically, the DPIAs reportedly concluded that the processing does not constitute processing of special category data under Article 9.1 GDPR, because - in the company's framing - the purpose of the processing is not to identify a person but to verify uniqueness.
The AEPD rejected this framing, at least provisionally. A DPIA under Article 35 must justify the necessity and proportionality of the processing. Where multiple equally effective measures exist, the least intrusive one should be selected - and this includes evaluating whether a non-biometric alternative could achieve the same goal. The resolution stated that the DPIA "must justify the necessity and proportionality of the treatment to be launched," adding that proportionality "also requires that, when several equally effective measures exist from the controller's knowledge, the least burdensome one is chosen, which includes the assessment of a possible non-biometric alternative."
The AEPD distinguished between biometric authentication - which is localised, well-designed, and typically less intrusive - and biometric identification at scale, which "tends to require much stronger justifications, if only because a greater number of data subjects are affected." The authority noted that a global proof-of-personhood system that processes iris images across a large user population sits closer to the high-risk end of this spectrum and therefore demands stronger DPIA documentation.
Additionally, the documentation provided by Tools for Humanity did not, according to the AEPD, identify the specific risks associated with centralized versus decentralized biometric storage, or provide differentiated analysis for each biometric function implemented in the system.
Transparency gaps in the privacy policy
Beyond the DPIA issues, the AEPD identified a second concern: the company's transparency obligations under GDPR. The authority reviewed Tools for Humanity's Privacy Policy, its Annex on legal bases and purposes (Annex I), and its Biometric Data Retention Policy - all as published on the company's website as of February 6, 2026. The AEPD stated it did not find, across those documents, "information about the legitimising bases, the circumstances of the lifting of the prohibition, or the exercise of rights" in relation to biometric data processing.
GDPR's transparency requirements, particularly under Recital 60, call for "fair and transparent processing," which includes giving data subjects information about purposes and legal bases. According to the resolution, users are not adequately informed about what processing is being carried out on iris-derived data stored in their devices, or what the legal basis for that processing is.
The AEPD also noted that where consent under Article 9.2(a) is the chosen legal basis - as appears to be the case in the World ID verification process based on the company's privacy policy references - the consent process must meet GDPR standards for validity. This includes not only the consent mechanism itself but also age verification, ensuring that minors are not enrolled in biometric processing without appropriate safeguards.
The legal framework behind the warning
The AEPD relied on GDPR Article 58.2(a), which grants supervisory authorities the power to "issue a warning to a controller or processor where processing operations are likely to infringe provisions of this Regulation." The word "likely" - or "puedan" in the Spanish text - is the operative term.
Critically, the authority cited the opinion of Advocate General Dean Spielmann, issued on September 23, 2025, in Case C-474/24, which articulated the precautionary dimension of supervisory powers. According to the AEPD's citation of Spielmann's conclusions, a warning under Article 58.2(a) "is part of a 'precautionary' approach to the rights of data subjects" and does not require the authority to have confirmed an actual infringement. The warning is an instrument of prevention, not punishment.
The resolution also referenced consistent CJEU jurisprudence, including the March 7, 2024 judgment in Case C-604/22, which described the GDPR's objective as "ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to private life with regard to the processing of personal data, as enshrined in Article 8(1) of the Charter."
The AEPD's supervisory authority over Tools for Humanity in Spain is grounded in GDPR Article 55.1, which grants each national authority competence over processing activities in its territory, and Article 47 of Spain's Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), which assigns the full range of GDPR Article 58 powers to the AEPD.
What the warning means in practice
The AEPD's warning does not prohibit Tools for Humanity from launching in Spain. It conveys a formal regulatory concern, and it obliges the company to review its planned operations. The authority explicitly stated the purpose of the warning is "to transfer to the controller the detected risk and allow it to assess the advisability of revising and, where appropriate, adapting such processing."
This precautionary model - warning before enforcement - reflects a broader approach to high-risk data processing that European authorities have pursued with increasing consistency. The Spanish AEPD previously fined Informa D&B €1.8 million for processing personal data without valid legal basis, and has separately penalised airport operator AENA for deploying facial recognition technology at Spanish airports without conducting adequate DPIAs - a case where biometric processing had already taken place across multiple airports before adequate documentation was in place.
The World Network, developed by Tools for Humanity and founded in 2019 by Sam Altman, Max Novendstern, and Alex Blania, had previously suspended Spanish operations in 2022 following an earlier AEPD investigation into its iris-scanning practices. That suspension preceded the company's rebranding from Worldcoin to World in 2024. The current relaunch - with revised technical architecture, a new EU data controller structure, and a modified rewards model - represents a second attempt to establish operations in Spain, under a significantly different regulatory and technological framework than the original rollout.
The AEPD's warning is a clear signal that the authority intends to scrutinize that new framework closely before and after any commercial launch. For the marketing and identity verification technology sector, the case highlights that biometric data processing at scale - even under a personal custody architecture - requires not only technical privacy measures but also comprehensive DPIA documentation that justifies necessity, addresses proportionality, and demonstrates adequate safeguards for each distinct processing function.
Data protection authorities across Europe have shown consistent willingness to intervene in biometric processing deployments - from French regulators rejecting AI-powered age estimation cameras in retail settings to privacy advocates challenging Ryanair's mandatory facial recognition requirements for flight bookings. The Spanish AEPD fined Informa D&B €1.8 million in early 2025 for processing personal data without valid legal basis, and the authority has separately penalised airport operator AENA for deploying facial recognition systems without compliant data protection impact assessments. The pattern reinforces that processing involving iris data, facial recognition, or other biometric identifiers at population scale faces regulatory requirements that consent alone cannot satisfy.
Timeline
- 2019: Tools for Humanity founded by Sam Altman, Max Novendstern, and Alex Blania; development of the Worldcoin project begins
- 2022: AEPD investigates Worldcoin operations in Spain and suspends biometric processing, following early rollout of iris-scanning activities
- 2022: EDPB issues guidance on biometric data and facial recognition, emphasizing user control and data minimisation principles
- 2023: Worldcoin launches out of beta after accumulating $250 million in venture capital funding; biometric Orb enrollment expands internationally
- 2024: Worldcoin rebrands as World; partnerships announced with governments of Taiwan and Malaysia on digital identity
- October 2025: Tools for Humanity GmbH designated as sole data controller for Orb-related processing involving users in Spain, under GDPR Article 56 single EU establishment mechanism; Worldcoin Foundation removed from data processing role following introduction of AMPC
- November 2025: Tools for Humanity communicates to AEPD plans to relaunch operations in Spain
- November 2025: AEPD announces €1.8 million fine against AENA for inadequate data protection impact assessments in the airport facial recognition program; AEPD had previously fined Informa D&B €1.8 million for similar data processing violations
- January 23, 2026: AEPD receives formal notification email from Tools for Humanity DPO announcing imminent relaunch in Barcelona in February 2026, new rewards model replacing token-based system, and governance updates
- February 6, 2026: AEPD reviews Tools for Humanity's publicly available documentation, including Privacy Policy, Biometric Data Retention Policy, and Annex I on legal bases
- February 13, 2026: AEPD President Lorenzo Cotino Hueso issues formal warning (Advertencia, reference EXP202602591) to Tools for Humanity GmbH under GDPR Article 58.2(a), flagging potential GDPR violations in planned biometric data processing
Summary
Who: The Agencia Española de Protección de Datos (AEPD), Spain's national data protection authority, issued a formal warning to Tools for Humanity GmbH, the German entity that operates the World Network and its iris-scanning Orb verification system. The warning was signed by AEPD President Lorenzo Cotino Hueso.
What: A preventive warning under GDPR Article 58.2(a), reference EXP202602591, cautioning that Tools for Humanity's planned biometric processing activities in Spain - including the iris and facial scanning conducted by its Orb device for World ID verification - may violate GDPR. Specific concerns include insufficient data protection impact assessments, questions about whether iris code processing constitutes biometric special category data under GDPR Article 9, and transparency gaps in the company's privacy documentation regarding legal bases and user rights.
When: The warning was issued on February 13, 2026, following receipt of a formal notification from Tools for Humanity's DPO on January 23, 2026, and a review of the company's publicly available documentation as of February 6, 2026.
Where: The warning concerns planned operations in Spain, specifically a new location in Barcelona that Tools for Humanity announced as its first operational site in the country's relaunch. The corporate entity subject to the warning, Tools for Humanity GmbH, is based in Germany and serves as the designated single EU establishment for Orb-related processing under GDPR Article 56.
Why: The AEPD deployed its precautionary powers under GDPR Article 58.2(a) after reviewing DPIA documentation and public privacy materials from Tools for Humanity and identifying potential gaps in the company's justification for processing iris-derived biometric data at scale. Key concerns include whether the DPIAs adequately demonstrate necessity and proportionality, whether non-biometric alternatives were properly evaluated, whether the personal custody model genuinely delivers user control, and whether transparency obligations have been met in relation to the legal bases for biometric processing.