Under the GDPR, biometric data processed for the purpose of uniquely identifying a person is a new addition to the special categories of personal data (Article 9). Processing this type of data is prohibited unless a specific legal exception applies. The Netherlands has added a further exception in its GDPR implementing act, the UAVG (the source refers to article 26). What is this exception, and how is it applied in organisations?
Biometric data consists of a person's unique, non-transferable physical or behavioural characteristics, such as an iris pattern, facial geometry or a fingerprint. This is extremely sensitive data: it can be used to establish a person's identity, and unlike a password or access card it cannot be replaced once it has been compromised. Organisations must therefore treat this information with the utmost care.
Passport photos only count as biometric data when they are processed by specific technical means that allow the unique identification or authentication of a natural person. An internal book of colleagues' photographs is therefore not the processing of a special category of personal data; running those same photographs through a facial recognition system is.
The Dutch exception lifts the ban where the processing is necessary for authentication or security purposes. An organisation that wants to rely on it must be able to demonstrate that using biometrics is necessary and proportionate to the objective it wishes to achieve, and that a less intrusive means (such as a badge or PIN) would not suffice. Admittance to a soccer stadium is a completely different context from an identity check before entering the UN tribunal. Organisations must weigh the impact and scope of the processing before deciding.
Organisations that plan to use biometrics for access control are required to carry out a Data Protection Impact Assessment (DPIA, also known as a Privacy Impact Assessment or PIA) beforehand. A DPIA maps out the privacy risks of the intended processing in advance, so that appropriate measures can be taken to reduce those risks before the system goes live.
In short, using biometric data for access control is permissible in some situations, provided that the use has been properly substantiated. Even then, the data subjects must always be properly informed about the processing, and the processing must be recorded in the register of processing activities and carried out as described there. Since the processing of biometric data is more sensitive than the processing of 'regular' personal data, additional care must be taken throughout.
Together with Privacy Management Partners, Nsecure works with you to find ways to become GDPR-compliant without disrupting your operations. Over the course of the next few weeks, we will be publishing a series of articles about the GDPR in relation to access control. If you want to stay up to date or learn more about this subject, please follow us on LinkedIn or Twitter or contact us via email@example.com.