Yoti has been fined 950,000 euros (roughly US$1.1 million) by Spanish data protection regulator AEPD for the handling of biometrics and other data within its digital identity app. The regulator has ruled Yoti violated three clauses of the EU’s General Data Protection Rule (GDPR). At issue are the consent flow used, Yoti’s claim to immediately delete the facial image used in age estimation immediately after it has been processed and most importantly of all, whether it has lawful grounds to process biometric data at all.