Rules for the use of biometrics

Biometric data result in higher privacy risks than many other personal data. This is because biometric data are unique. This makes it easier to identify people and confirm someone's identity. That is why biometric data that are used for identification and for establishing someone's identity are given extra protection in the privacy legislation. On this page you can read what the rules for the use of biometrics are.

When does something count as biometric data?

The term 'biometric data' often has a meaning in science that differs from the meaning given to it in the General Data Protection Regulation (GDPR). Whether something is biometric data within the meaning of the GDPR depends on 3 things. Do all 3 points apply? Then you must comply with the rules for processing biometric data if you use facial recognition.


  1. The nature of the data. In the case of biometric data, it concerns physical characteristics, physiological characteristics or behavioural characteristics that belong to 1 person, usually permanently. An example of a physical characteristic is the distance between someone's eyes. A physiological characteristic is, for example, muscular power or brain activity. A behavioural characteristic may be the way someone walks. 
  2. The means for and the manner of processing. In the case of biometric data, it concerns personal data that are the result of ‘a specific technical processing’. This means that data are analysed using technical means and subsequently compared with a certain reference. Whether data are to be regarded as biometric within the meaning of the GDPR therefore depends on how they are used. Placing a photo of someone in a newspaper, for example, is not a specific technical processing: no analysis and comparison are made. There is a specific technical processing when the characteristics of the face captured in the image are converted into a template. Such a template is unique and specific to 1 person. Facial recognition takes place by comparing the template with other templates. Also read: The technique behind facial recognition. 
  3. The purpose of processing. Processing makes establishing or confirming someone's identity possible. 

Do not all 3 points apply? Then the data are not biometric personal data. If you process other personal data, you still have to comply with the general rules of the GDPR. 

Privacy risks associated with biometric data

A privacy risk of biometric data may arise, for example, when the data are stolen. A face or fingerprint cannot be changed, whereas a PIN code or password can easily be replaced.
In addition, biometric data often contain more information than strictly necessary for the purpose of the data processing, such as identification. For example, someone's health or ethnicity can also be derived from certain body characteristics.

Special categories of personal data

The GDPR stipulates that processing biometric data for the purpose of uniquely identifying someone is a processing of special categories of personal data.
This means that strict rules apply for the use of biometric data, because processing special categories of personal data is in principle prohibited. 

Exception: personal or domestic use

Does the processing only serve a personal or domestic purpose? For example, when people unlock their own mobile phone using a fingerprint or face scan? Then the GDPR does not apply. 
Do you want to rely on this exception? Then you have to meet a number of requirements:

  1. The user of the mobile device deploys the device or service to gain access to the device (or to applications downloaded onto it), and this can be regarded as private use;
  2. The user is not told by an employer or other third party to use biometric data. The user has therefore chosen themselves to use the option of gaining access by means of processing biometric data. The user can also opt for an alternative, such as logging in using a password;
  3. The biometric data that have been stored for a user are not accessible to third parties. The data cannot, for example, be forwarded to an external database, and third parties cannot access these data. Besides, the storage of the data has been secured properly;
  4. The biometric data are saved to the device using state-of-the-art encryption;
  5. In the case of access control, the technique only provides a notification stating whether or not recognition was successful.
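To make requirements 3 and 5 concrete, here is an added Python example (not part of the Dutch DPA's page): a minimal on-device verifier that keeps the stored template private and answers only "recognised or not", shown next to a weaker design that exposes the template and the raw score. The feature vectors, the class names and the threshold are constructed for illustration; encryption of the template at rest (requirement 4) is assumed to be provided by the platform keystore and is not shown.

```python
import math

# Constructed sample feature vectors standing in for the output of a real
# face-feature extractor (a real one yields hundreds of dimensions; the
# template-matching logic below is the same).
ENROLLED_FACE = (0.9, 0.1, 0.4, 0.2)
SAME_PERSON = (0.85, 0.15, 0.42, 0.18)   # a slightly different capture
OTHER_PERSON = (0.1, 0.9, 0.2, 0.4)


def make_template(features):
    """The 'specific technical processing': raw features become a normalised template."""
    norm = math.sqrt(sum(x * x for x in features))
    if norm == 0:
        raise ValueError("empty feature vector")
    return tuple(x / norm for x in features)


def _similarity(a, b):
    # Cosine similarity of two unit-length templates (1.0 = identical).
    return sum(x * y for x, y in zip(a, b))


class LeakyVerifier:
    """Weak design: the template is a public attribute and verify() returns the score."""

    def __init__(self):
        self.template = None

    def verify(self, features):
        return _similarity(self.template, make_template(features))


class OnDeviceVerifier:
    """Hardened design: template kept private, caller only learns match / no match."""

    def __init__(self, threshold=0.95):
        self.__template = None      # no getter and no export path (requirement 3)
        self._threshold = threshold

    def enroll(self, features):
        # In a real deployment the template would be sealed by the OS keystore here
        # (requirement 4, assumed and not shown).
        self.__template = make_template(features)

    def verify(self, features) -> bool:
        if self.__template is None:
            return False            # fail closed when nothing is enrolled
        score = _similarity(self.__template, make_template(features))
        return score >= self._threshold   # the score itself never leaves (requirement 5)
```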

Exceptions to the prohibition on the use of biometrics

In the case of biometric data that are used for unique identification, these are the 2 most common exceptions to the prohibition on processing:

  • The data subjects have given their explicit consent. This is one of the exceptions from the GDPR to the prohibition on processing special categories of personal data.
  • Processing is necessary for purposes of authentication or security. This exception can be found in the GDPR Implementation Act. However, such a necessity does not arise easily. It must concern a substantial public interest, for example the security of a nuclear power plant or of information that constitutes a state secret.

Use of biometrics for purposes of authentication or security

Do you, as an organisation, want to use biometric data for purposes of authentication or security? Then, in order to rely on Article 29 of the GDPR Implementation Act, you have to consider whether, for example, the level of security of a building or an information system must be so high that this can only be achieved by using biometrics. Article 29 of the GDPR Implementation Act gives substance to Article 9, paragraph 2, point g of the GDPR.

Necessary and proportionate

The exception in Article 29 of the GDPR Implementation Act requires that you consider whether unique identification using biometric data is necessary for purposes of authentication or security. In addition, the processing of biometric data must be proportionate.
You must assess on a case-by-case basis whether the processing of biometric data, by means of a form of facial recognition for purposes of authentication or security, is necessary for reasons of a substantial public interest. This assessment of necessity and proportionality is essential. If processing biometric data has a significant impact and alternatives are available, processing biometric data is not necessary.

Note: the above examples are intended for clarification of the explanation and terms on this page. These examples do not say anything about whether these applications are permissible under the GDPR.

Use of biometrics with explicit consent

In some cases, biometrics may be deployed if data subjects have given explicit consent for this purpose. Explicit consent is a heavier form of consent. Some strict requirements apply for this form of consent:

  • Data subjects must give the consent freely. The consent is not valid if a data subject does not have a real choice, feels compelled to give consent (for example, in the case of an employment relationship), or if a refusal to give consent has negative consequences for the data subject.
  • You must inform data subjects, in a way they can understand, of at least the following: 
    ◦ your identity as a controller;
    ◦ which types of data you collect and use;
    ◦ the purpose of the use of biometrics (such as facial recognition) and the legal basis for processing the personal data; 
    ◦ the right of the data subjects to withdraw the consent, followed by the right to removal of these data; 
    ◦ who the recipient of the data is;
    ◦ the retention period of the data; 
    ◦ the options to make use of an alternative to facial recognition (note: you have to point out this alternative actively to data subjects);
    ◦ the use of the data for automated decision-making, if applicable; and
    ◦ the risks of transmission of data to countries outside the EEA if there are no adequacy decisions and appropriate safeguards.
  • Data subjects must clearly and actively agree to the use of biometrics. You require separate consent for each purpose for which you use facial recognition. If a purpose changes, you must ask for explicit consent again. Besides, the consent must be unambiguous. This means that someone gives consent by means of an affirmative action or statement. Agreeing to any (other) agreement or general terms and conditions is not regarded as consent. 
  • You must be able to prove that you have received consent, for example with a register in which you have recorded all consents given.
  • Data subjects must be able to withdraw their consent. This must be as easy as giving consent.

Do you, as an organisation, want to use biometric data based on explicit consent (Article 9, paragraph 2, point a GDPR)? In that case, a higher threshold than the ‘ordinary’ consent from Articles 6 and 7 of the GDPR applies. Explicit consent must, for example, be given freely, unambiguously, in a well-informed manner, specifically and explicitly by means of a statement or an unambiguous affirmative action. For more information, view the facial recognition legal framework and the general information about (explicit) consent.

Note: the above example is intended for clarification of the explanation and terms on this page. The example does not say anything about whether this application is permissible under the GDPR.

You must carry out a DPIA

Before you can start using biometric data for the purpose of identification, you must carry out a data protection impact assessment (DPIA) first. This is because processing biometric data is on the list of processing operations for which carrying out a DPIA is mandatory. In addition, there are other criteria that you must take into account for carrying out a (mandatory) DPIA. In the case of processing of biometric data this may concern, for example:

  • Automated decision-making with legal effect or a comparable significant effect;
  • Sensitive data or data of a highly personal nature;
  • Data processed on a large scale;
  • Data relating to vulnerable data subjects; or
  • Innovative use or innovative application of new technological or organisational applications.

Does your DPIA show that you are unable to take sufficient measures for reducing the privacy risks associated with the use of biometrics? Then you must apply to the Dutch Data Protection Authority (Dutch DPA) for a prior consultation.

Securing biometric data

Are you, as an organisation, going to use biometric data, such as a fingerprint, for the purpose of identification or for confirming someone's identity? This is only allowed if you are able to take measures that ensure a high level of protection. After all, it concerns special categories of personal data. You can, for example, make these measures demonstrable in the DPIA. Carrying out a DPIA is usually mandatory for this type of processing operation.