Facial recognition

Do you, as an organisation, want to use cameras with facial recognition? That is almost always prohibited. Here you can read when this is allowed and what rules apply for you.

The Dutch DPA has also drawn up a legal framework to provide organisations with guidance on the use of facial recognition, for example manufacturers or suppliers of cameras with facial recognition. In the legal framework, you can also read more about the technique behind facial recognition.

The technique behind facial recognition

There are several ways to make a computer recognise faces. In the ‘Guidelines on the use of facial recognition technology in the area of law enforcement’ of the European Data Protection Board (EDPB), facial recognition is described as a two-step process:

  • (a) the collection of the facial image and its transformation into a template, followed by
  • (b) the recognition of this face by comparing the corresponding template with one or more other templates.

The different phases and steps have been set out in more detail in the facial recognition legal framework.

Exception: personal or domestic use

Does processing only serve a personal or domestic purpose? For example, when people unlock their own mobile phone using a fingerprint or a face scan? Then the GDPR does not apply.
Do you want to rely on this exception? Then you have to meet a number of requirements:

1. The user's use of the mobile device, or of a service on it, for gaining access to the device (or to applications downloaded onto it) can be regarded as private use;
2. The user is not forced by an employer or another third party to use biometric data. It was, therefore, the user's own choice to use the option of gaining access by means of processing biometric data. The user can also opt for an alternative, such as logging in using a password;
3. The biometric data stored for a user are not accessible to third parties. The data cannot be transmitted to, for example, an external database, and third parties cannot access these data. In addition, the storage of the data is properly secured;
4. The biometric data are stored on the device with the help of state-of-the-art encryption;
5. In the case of access control, the technique only provides a notification stating whether or not recognition was successful.

Also view the facial recognition legal framework.

Exceptions to the prohibition on facial recognition

A facial image is biometric personal data. When biometric personal data are used for uniquely identifying someone, they are a special category of personal data. When you use cameras with facial recognition, you therefore process special categories of personal data.
Processing special categories of personal data is prohibited unless a statutory exception applies. This means that you are only allowed to deploy facial recognition if one of those statutory exceptions applies in your situation.
The 2 most obvious exceptions are:

  • The data subjects have given their explicit consent. This is one of the exceptions from the GDPR to the prohibition on processing special categories of personal data.
  • Processing is necessary for purposes of authentication or security. This exception can be found in the GDPR Implementation Act. However, such necessity will not arise readily: there must be a substantial public interest. For example, the security of a nuclear power station or of information that constitutes a state secret.

Assessment for use of facial recognition

Authentication or security

Do you, as an organisation, want to use facial recognition for purposes of authentication or security? Here you can see which requirements apply in that case.

Explicit consent

Do you, as an organisation, want to use biometric data on the basis of explicit consent? Here you can see which requirements apply in that case.

DPIA in the case of facial recognition

Before you are allowed to start using facial recognition, you have to carry out a data protection impact assessment (DPIA) first. Include the privacy risks of facial recognition and the measures for mitigating these risks in your DPIA. These risks are, among other things:

  • Bias and errors in facial recognition: the outcomes of facial recognition may be discriminatory and work less well with certain groups of people.
  • Non-transparent information collection: currently, facial recognition often works on the basis of algorithms that have been trained with images of people who have not given consent for this.
  • Lack of a moment of choice or reflection for the people who are filmed (‘Do I really want this?’).
  • Secondary use (reuse) of data: for example, governments that ask companies to provide information they have collected using facial recognition.

Security of biometric data

If you are going to use cameras with facial recognition, make sure that you meet the requirements for security of biometric data.

Rules for manufacturer or supplier

Are you a manufacturer of cameras with facial recognition? Then you already have to take privacy aspects into account in the design stage of the cameras. This is called privacy by design and privacy by default. In this way, you technically and organisationally ensure that personal data are handled with due care.
Do you, as a manufacturer, subsequently supply the cameras to customers as well? And are you going to process personal data for them? Then you are the processor of these data. You are also a processor if you are (only) the supplier of cameras with facial recognition and you process personal data for your customers. You have a number of specific obligations as a processor.