Biometrics

According to the General Data Protection Regulation (GDPR), biometric (personal) data are personal data that is the result of a specific technical processing of physical characteristics, physiological characteristics or behavioural characteristics of a person. Based on these data, unique identification of that natural person is possible. Or the identity of that person is confirmed.

On this page

  1. General information

Examples of biometric personal data are fingerprints or facial images. These body characteristics are unique. This means that they can be traced back to one specific individual. That is why organisations can use biometrics for identifying people. And for verifying if someone is who they say they are. 
Because biometric data are unique, these data entail significant risks for the privacy of the data subjects. For example, in the case of a data breach. People can change their password if it has been leaked, but not, for example, their fingerprint.

Application of biometrics

The most commonly applied forms of biometrics are the fingerprint, the iris or retina scan, voice recognition, and the face scan (facial recognition). Organizations often deploy these forms of biometrics for access control.
Organisations can also use certain physical characteristics for identifying a natural person. For example, the distance between someone's eyes. 
 

Quick answers

How does facial recognition work?

When you use facial recognition for identifying people or confirming someone's identity, a few concepts are important. 

  • Unique identification. This is about: who is this person? ‘Unique’ means that biometric data for identification can be ascribed to one specific person only. The biometric data is therefore unique to that person. A way to ensure unique identification is comparing (a template of) someone's face with (templates of) faces of a group of persons in a database (a ‘one-to-many’ comparison). The aim is to establish whether the templates match and identify the person. 
  • Confirming identity. When confirming someone's identity, a comparison is made between two faces: is face A equal to face B? This is a ‘one-to-one’ comparison: the biometric data of oneperson is compared with one other biometric data only. The aim is to check whether someone is the same person whose biometric data have been recorded earlier. And therefore whether someone is who they say they are. 


    Note: Article 9 of the GDPR and Article 29 of the GDPR Implementation Act deal with exceptions to the prohibition on processing biometric data for unique identification. Processing someone's biometric data for confirming someone's identity (authentication) also falls under the scope of these articles. This means that the same rules apply for authentication through facial recognition as for unique identification through facial recognition. 
     

Can I access my data at an organisation, or have them rectified or removed?

Yes, you can. If an organisation uses your personal data, you have a number of rights. This will ensure that you keep a grip on your personal data. These are the most important privacy rights:

Do you want to know what other rights you have? Check out Privacy rights under the GDPR.

What can I do if I have a question or complaint about the use of my personal data?

Always submit your questions or complaints to the organisation that uses your personal data first. Do you have a complaint and are you and the organisation unable to work it out together? Then you can lodge a complaint with the Dutch Data Protection Authority (DPA).

Related themes and topics

Camera surveillance

Camera surveillance at organisations

Camera surveillance at organisations (e.g. shops or schools) is only permitted if these organisations meet a number of conditions.
Go to subject
Identificatie

Personal data on a passport or identity card

A passport or an identity card contains several personal data. Including some data that organisations need to handle with extra care. Failure to do so will result in privacy risks.
Go to information page
Employment and benefits

Monitoring employees

Employers may feel the need to monitor their employees. For example, when people work from home. Monitoring personnel is not always prohibited.
Go to subject