The GDPR classifies biometric data as a type of special category of personal data.
This means that you may not process biometric data.
Even so, the GDPR allows you to process special categories of personal data if your processing falls within one of the lawful reasons for processing.Oct 5, 2023.
Biometric data which is used to identify an individual uniquely is included, alongside other types of sensitive personal data, as “special category biometric data” under Article 9 of the GDPR and is prohibited for processing unless one of a number of specific conditions for processing special category personal data .
What is biometric data? The GDPR defines biometric data as a special category of sensitive personal data resulting from a specific technical processing related to the physical, physiological or behavioral characteristics of a natural person.May 17, 2022.
All biometric data is personal data, as it relates to an identified or identifiable individual.
Biometric data is also special category data whenever you process it “for the purpose of uniquely identifying a natural person”.
This means that biometric data will be Special Category Data in many cases..
More precisely, biometric data are "personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data.".
Biometric data can also be stored on an end-user's device.
This is most common on smartphones that use touch ID fingerprint sensors, such as Apple's iPhone.
On-device storage can be used to store biometric data through a chip that holds the data separately to the device's network..
Given these trends, it is unsurprising that regulators have taken notice.
The General Data Protection Regulation is a perfect example of that, representing a more active approach with respect to the privacy of biometric data.
Steps for organisations to ensure compliance with GDPR To ensure compliance with GDPR when handling biometric data, organisations can follow these steps:.
1) Understand the GDPR requirements:Familiarize yourself with the key principles, legal bases, and obligations under the GDPR concerning the processing of personal data, including biometric data. .
Definition and types of biometric data Biometric data refers to the unique physiological or behavioural characteristics of an individual that can be used to establish their identity or verify their identity against a stored template.
Common types of biometric data include:.
1) Fingerprint: The unique patterns and ridges on a person’s fingertips. 2. .
Legal basis for processing biometric data under GDPR To process biometric data under the GDPR, organisations must establish a lawful basis for its processing.
Several legal bases may apply to the processing of biometric data:.
1) Consent:Organisations can rely on the explicit consent of the data subject as a legal basis for processing biometric data.
The GDPR defines biometric data broadly, in many cases requires privacy impact assessments for its processing, and empowers Member States to pursue divergent protections for biometric data.
As such, data controllers who are processing or may process biometric data should take note.
Despite the very particular character of such information, virtually no legal provisions worldwide are specific to biometric data protection.
Legal texts instead rely on provisions relating to personal data protection and privacy broadly.
But such legislation sometimes proves to be poorly adapted to biometric data.
Overview of notable cases and regulatory actions related to biometric data and GDPR Several notable cases and regulatory actions have emerged in recent years, shedding light on the intersection of biometric data and GDPR compliance.
Some key examples include:.
1) Google LLC (France, 2019): Google was fined €50 million by the French data protection a.
Explanation of the key principles of GDPR The GDPR is built upon several fundamental principles that serve as the foundation for data protectionand privacy.
Understanding these principles is crucial for organisations handling biometric data to ensure compliance:.
1) Lawfulness, fairness, and transparency: This principle requires that organisations p.
As such, data controllers who are processing or may process biometric data should take note.
As mentioned above, in a shift from the Data Protection Directive, the GDPR specifically recognizes biometric data as a subset of sensitive personal data deemed a “sensitive category of personal data.” .
