In recent years, rapid improvements in the availability and accuracy of biometric systems have pushed organisations and businesses to rely increasingly on these technologies. Biometric data are now used in many areas, including scientific research, forensic science and security, and have become a valuable component of access control systems. Nonetheless, as the opportunities to process biometric data multiply, controllers must have an adequate awareness of the basic legal requirements and of the risks such processing poses to data subjects.
Biometric Data under the GDPR
When dealing with biometric data, there are three specific considerations that need to be taken into account:
- the source of biometric data: the raw data needs to relate to physical, physiological or behavioural characteristics of a natural person (e.g. fingerprints, DNA samples, or hand-written signatures);
- the technique employed: the processing needs to be carried out through specific technical means and measurements that, usually within the same biometric system, allow the enrolment, storage, and matching of biometric data; and
- the purpose: biometric data is commonly processed to achieve so-called ‘biometric recognition’ of individuals, which covers both biometric identification and biometric authentication (verification).
To explain how these three factors interplay, Recital 51 GDPR gives the example of digital photographs. In most cases, digital photographs of people contain raw data relating to the physical characteristics of those natural persons. Nonetheless, this does not automatically mean that photographs are biometric data. Photographs of individuals fall within the definition of biometric data “only when processed through a specific technical means allowing the unique identification or authentication of a natural person.”
Furthermore, Article 9(1) GDPR includes “biometric data for the purpose of uniquely identifying a natural person” in the list of special categories of data deserving a higher level of protection. These purposes include all forms of biometric recognition, including:
- Biometric identification: establishing who an individual is from among a group, by comparing the individual’s biometric data against the data of every enrolled member of that group (a one-to-many matching process)
- Biometric authentication (or verification): confirming a claimed identity, by comparing the individual’s biometric data only against the data stored for that claimed identity (a one-to-one matching process).
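As an added illustration of the one-to-many and one-to-one matching processes just described (this is example code written for this page, not code from the original article or from any regulator; the subject names, 64-bit templates and match threshold are constructed toy values, and real biometric templates and comparison algorithms are far more complex):

```python
"""Toy biometric matcher contrasting identification (1:N) with verification (1:1).

Constructed example: templates are 64-bit values compared by Hamming distance,
in the spirit of bit-string iris codes. Nothing here is a real biometric algorithm.
"""
from __future__ import annotations

from dataclasses import dataclass

TEMPLATE_BITS = 64      # toy template length; real templates are far larger
MATCH_THRESHOLD = 8     # constructed: at most this many differing bits counts as a match


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two equal-length binary templates."""
    return bin(a ^ b).count("1")


@dataclass(frozen=True)
class MatchResult:
    subject_id: str | None   # subject the decision refers to (None: nobody matched)
    distance: int            # Hamming distance that produced the decision
    matched: bool


class BiometricSystem:
    """Enrolment store plus the two recognition modes described in the text."""

    def __init__(self, threshold: int = MATCH_THRESHOLD) -> None:
        self.threshold = threshold
        self._templates: dict[str, int] = {}

    def enrol(self, subject_id: str, template: int) -> None:
        if subject_id in self._templates:
            raise ValueError(f"{subject_id} is already enrolled")
        self._templates[subject_id] = template

    def identify(self, probe: int) -> MatchResult:
        """One-to-many: the probe is compared with EVERY enrolled template and the
        closest subject is returned, provided the distance is within threshold."""
        if not self._templates:
            return MatchResult(None, TEMPLATE_BITS, False)
        best_id, best_dist = min(
            ((sid, hamming(probe, tpl)) for sid, tpl in self._templates.items()),
            key=lambda pair: pair[1],
        )
        hit = best_dist <= self.threshold
        return MatchResult(best_id if hit else None, best_dist, hit)

    def verify(self, claimed_id: str, probe: int) -> MatchResult:
        """One-to-one: the probe is compared ONLY with the template stored for the
        claimed identity; other enrolled subjects are never consulted."""
        template = self._templates.get(claimed_id)
        if template is None:
            # Unknown claim: fail closed without revealing who is enrolled.
            return MatchResult(claimed_id, TEMPLATE_BITS, False)
        dist = hamming(probe, template)
        return MatchResult(claimed_id, dist, dist <= self.threshold)


# Constructed enrolment templates (hypothetical subjects).
ALICE = 0xA5A5_F0F0_3C3C_9696
BOB = ALICE ^ ((1 << TEMPLATE_BITS) - 1)   # bitwise complement of ALICE: 64 bits apart
CAROL = 0xFFFF_0000_FFFF_0000

# Constructed live captures: a genuine sample and an impostor sample, each with
# three bits of "sensor noise" flipped relative to the enrolled template.
ALICE_PROBE = ALICE ^ 0x7       # genuine Alice, 3 bits from her template
IMPOSTOR_PROBE = BOB ^ 0x7      # Bob presenting himself while claiming to be Alice


def build_demo_system() -> BiometricSystem:
    system = BiometricSystem()
    for sid, tpl in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        system.enrol(sid, tpl)
    return system


if __name__ == "__main__":
    s = build_demo_system()
    print("identify(genuine)  ->", s.identify(ALICE_PROBE))
    print("verify(alice, genuine) ->", s.verify("alice", ALICE_PROBE))
    print("verify(alice, impostor) ->", s.verify("alice", IMPOSTOR_PROBE))
    print("identify(impostor) ->", s.identify(IMPOSTOR_PROBE))
```

The two code paths make the distinction concrete: `identify` performs one comparison per enrolled template, so the work, and the exposure to a spurious match, grows with the size of the enrolled population, whereas `verify` performs a single comparison against the template of the claimed identity and never touches anyone else's data.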
14 Myths about Processing Biometric Data Busted by the EDPS
On 24 June 2020, the European Data Protection Supervisor (EDPS) and the Agencia Española de Protección de Datos (AEPD) published a joint paper listing and debunking 14 misunderstandings about biometric identification and authentication (EDPS and AEPD, 14 Misunderstandings with regard to biometric identification and authentication, June 2020).
The bottom line
Organisations and businesses aiming to initiate the processing of biometric data need to be aware of their obligations under European and Member State legislation. A focus on the latter is particularly relevant in light of the power to introduce further conditions and/or limitations to such processing given to Member States by Article 9(4) GDPR. For example, one of our recent insights provided guidance on how France has restricted biometric data processing in the context of employment.
In addition to the specific conditions for lawful processing, the general principles and other rules of the GDPR should be considered carefully when processing biometric data. Given the level of risk that biometrics pose to data subjects, the necessity and proportionality of the processing must be properly assessed: controllers need to ensure that the purpose they wish to achieve warrants the use of biometrics and could not be achieved through less invasive processing of personal data.
Controllers must also consider whether a Data Protection Impact Assessment (DPIA) is required, following the guidance of the national Data Protection Authorities (DPAs). For example, both the UK and the Irish DPA have determined that a DPIA is mandatory for processing operations involving biometric data where that processing is combined with any other factor indicating that it is ‘likely to result in a high risk’.
If you are interested in knowing more about your obligations related to the processing of biometric data, or require assistance in setting up your processing operations in compliance with the law, please feel free to contact our Data Governance and Cyber-Risk team.