The AEPD has released guidance on biometric data to help controllers to securely process this data pursuant to the GDPR.
Biometric data may have a significant degree of intrusiveness on the privacy of individuals and, if not properly processed, it may also involve high risks to their rights and freedoms. According to the AEPD, elements such as the techniques used, the definition of the processing itself, its nature, the scope or extent of the processing, its context and, in particular, the purposes that are pursued should be taken into account when assessing the impact of using this technology. In order to support controllers when processing information falling under this category of special data, the Spanish Supervisory Authority has published some guidance providing advice around the criteria used to classify biometric operations . Where a Data Protection Impact Assessment (DPIA) is required, this criteria can also be used for demonstrating the adequacy of a processing operation under the GDPR.
What is biometric data and how it is defined by the GDPR?
The GDPR defines ‘biometric data’ as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” and it is listed among the special categories of personal data of Article 9 GDPR, meaning that specific conditions need to be met and additional security measures have to be applied in order for the processing to be lawful.
Considering that the biometric data operations are likely to result in a high risk to the rights and freedoms of the individuals involved, it is normally required to perform a DPIA in order to confirm whether the processing is feasible and, should that be the case, identify the mitigation measures that should be implemented.
Biometric data processing techniques should be assessed on a case-by-case basis.
Whereas some biometric data processing methods require the cooperation of the individual, other techniques make it possible to capture biometric data remotely, without being necessary the involvement of the individual and without the individual’s awareness. The latter are much more intrusive and entail a higher risk to the privacy of the data subjects. Accordingly, the security measures applied in these cases should be reinforced and additional guarantees should be provided, especially in terms of transparency, data minimisation and data protection by design and by default.
The AEPD recommends that any of the different biometric techniques used is assessed according to their adequacy, proportionality and necessity, their purpose, their impact on the rights and freedoms of natural persons and the risks involved, both for the individual and for society. To this end, the AEPD considers that it is appropriate to use classification criteria for biometric operations from a data protection point of view and in relation to the processing in which it is implemented and offers a list that may be useful in typifying biometric operations in this context.
The AEPD points out a list of biometric data processing techniques and criteria.
The AEPD provides a non-exhaustive list of some criteria that may be helpful for sorting biometric data operations and carrying out an analysis of regulatory compliance, necessity and proportionality of the processing, including:
- Purposes of processing;
- Legal framework;
- Scope of processing;
- Human intervention;
- Type of data processed;
- Transparency;
- Degree of user choice;
- Degree of user control;
- Adequacy of the processing operation;
- Data minimisation;
- Suitability and need for biometric operation;
- Implicit collateral effects;
- Potential impact of a data breach;
- Controller’s control over the implementation;
- Context.2
Performing such an analysis will support the controller’s risk management and allow them to comply with their obligations under the GDPR and national law.