Biometrics
According to the General Data Protection Regulation (GDPR), biometric (personal) data are personal data that result from specific technical processing of a person's physical, physiological or behavioural characteristics. Based on these data, that natural person can be uniquely identified, or the identity of that person can be confirmed.
Examples of biometric personal data are fingerprints or facial images. These body characteristics are unique. This means that they can be traced back to one specific individual. That is why organisations can use biometrics for identifying people. And for verifying if someone is who they say they are.
Because biometric data are unique, these data entail significant risks for the privacy of the data subjects. For example, in the case of a data breach. People can change their password if it has been leaked, but not, for example, their fingerprint.
Application of biometrics
The most commonly applied forms of biometrics are the fingerprint, the iris or retina scan, voice recognition, and the face scan (facial recognition). Organisations often deploy these forms of biometrics for access control.
Organisations can also use certain physical characteristics for identifying a natural person. For example, the distance between someone's eyes.
Quick answers
How does facial recognition work?
When you use facial recognition for identifying people or confirming someone's identity, a few concepts are important.
- Unique identification. This is about: who is this person? ‘Unique’ means that biometric data for identification can be ascribed to one specific person only. The biometric data is therefore unique to that person. A way to ensure unique identification is comparing (a template of) someone's face with (templates of) faces of a group of persons in a database (a ‘one-to-many’ comparison). The aim is to establish whether the templates match and identify the person.
- Confirming identity. When confirming someone's identity, a comparison is made between two faces: is face A equal to face B? This is a ‘one-to-one’ comparison: the biometric data of one person are compared with only one other set of biometric data. The aim is to check whether someone is the same person whose biometric data have been recorded earlier. And therefore whether someone is who they say they are.
Note: Article 9 of the GDPR and Article 29 of the GDPR Implementation Act deal with exceptions to the prohibition on processing biometric data for unique identification. Processing someone's biometric data for confirming someone's identity (authentication) also falls under the scope of these articles. This means that the same rules apply for authentication through facial recognition as for unique identification through facial recognition.
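The one-to-one and one-to-many comparisons described above, as an added sketch that is not part of the original page. It assumes templates are short feature vectors compared by cosine similarity against an assumed threshold of 0.95; the template values and person names are constructed sample data.

```python
import math

# Constructed sample templates standing in for the output of a face-template
# extractor (an assumption; the page does not specify a template format).
GALLERY = {
    "person_a": [0.90, 0.10, 0.30, 0.20],
    "person_b": [0.10, 0.80, 0.20, 0.50],
    "person_c": [0.30, 0.20, 0.90, 0.10],
}
THRESHOLD = 0.95  # assumed similarity cut-off for declaring a match


def similarity(t1, t2):
    """Cosine similarity between two templates of equal length."""
    if len(t1) != len(t2):
        raise ValueError("templates must have the same length")
    dot = sum(a * b for a, b in zip(t1, t2))
    norm = math.sqrt(sum(a * a for a in t1)) * math.sqrt(sum(b * b for b in t2))
    if norm == 0:
        raise ValueError("all-zero template")
    return dot / norm


def verify(probe, enrolled, threshold=THRESHOLD):
    """One-to-one: is the probe the same person as this one enrolled template?"""
    return similarity(probe, enrolled) >= threshold


def identify(probe, gallery, threshold=THRESHOLD):
    """One-to-many: who in the gallery is this? Returns an id or None.

    Every enrolled template is compared with the probe on each lookup.
    No candidate, or more than one candidate above the threshold, yields
    None instead of a guess.
    """
    hits = [pid for pid, tpl in gallery.items()
            if similarity(probe, tpl) >= threshold]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    probe = [0.88, 0.12, 0.33, 0.18]  # constructed: fresh capture near person_a
    print("1:1 vs person_a:", verify(probe, GALLERY["person_a"]))
    print("1:1 vs person_b:", verify(probe, GALLERY["person_b"]))
    print("1:N result:", identify(probe, GALLERY))
    print("1:N unknown face:", identify([0.5, 0.5, 0.5, 0.5], GALLERY))
```

Verification touches only the template of the person whose identity is claimed, while identification reads every template in the database for each lookup.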
Can I access my data at an organisation, or have them rectified or removed?
Yes, you can. If an organisation uses your personal data, you have a number of rights. This will ensure that you keep a grip on your personal data. These are the most important privacy rights:
- You have a right of access to your personal data.
- Does it turn out that your data are incorrect? Or that certain data are missing? Then you can ask for rectification of your data (adjustment or addition).
- In some cases, you can also ask for removal of data.
Do you want to know what other rights you have? Check out Privacy rights under the GDPR.
What can I do if I have a question or complaint about the use of my personal data?
Always submit your questions or complaints to the organisation that uses your personal data first. Do you have a complaint and are you and the organisation unable to work it out together? Then you can lodge a complaint with the Dutch Data Protection Authority (DPA).