Spain Supervisory Authority (AEPD) opinion on GDPR biometric data
AEPD 10thAnnual Session took place last June, and some of the main questions that were addressed in the meeting have now been publicly published.
Participants were specially concerned about GDPR biometric data and its processing under certain circumstances, like labour sphere.
Spanish Data Protection Legislation previous to GDPR (LOPD) did not contain any specific definition of “biometric data”, but it was instead included within the general concept of “personal data”. It means that there were no particular requirements to be taken into account for the processing of such information.
According to RGPD, “biometric data” is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. Additionally, GDPR biometric data is a special category of personal data (Article 9 GDPR), which means that its processing shall be prohibited except for some cases, like explicit consent from the data subject.
As one could note, there is a big difference between the previous legislation (AEPD) and the current one (RGPD), which has not been totally implemented yet, so that is why AEPD opinion becomes so important for latest and future data protection issues in Spain.
Participants asked about the use of biometric technology with facial recognition in case any Article 9 GDPR exception apply. AEPD claimed that minimisation and lawfulness should govern any data processing. However, two scenarios were underlined: labour sphere and critical infrastructures. The latter requires additional security measures that might themselves justify the use of biometric technologies. Labour sphere is subject to specific Labour Legislation (“Estatuto de los Trabadores (ET)” in Spain) which imposes its own requirements. AEPD stated that, according to such Legislation, the use of biometric data in companies falls under the scope of employee monitoring, so it is subject to proportionality and prior information instead of employees’ consent. Nevertheless, AEPD did stress the importance of good practices, and asserted that it is highly recommended to avoid storing such data (e.g. including the data in a smart card which is always in employees’ possession).
