Biometric data and their processing according to GDPR
Biometric data constitute a unique category of personal data and are therefore subject to special protection. The provisions of the GDPR, as a rule, prohibit the processing of biometric data, except in particularly justified cases.
Which data is biometric data?
Until the entry into force of the GDPR Regulation, the definition of biometric data in Polish law was present only in the Act on Passport Documents - according to the definition given there, the facial image and fingerprints placed in electronic passport documents are considered to be biometric data. Exceptionally, biometric data could be considered as the so-called sensitive data within the meaning of the previously applicable Personal Data Protection Act.
Currently, biometric data has been unequivocally defined in the GDPR regulation - the definition contained therein is much broader than the previous regulations.
Definition of biometric data according to the GDPR (provision of Article 4 (14) of the GDPR)
"... personal data resulting from special technical processing relates to the physical, physiological or behavioral characteristics of a natural person and allows or evidences that person's unequivocal identification, such as facial image or fingerprint data."
Pursuant to the provision cited, biometric data are all personal data (i.e. data enabling the identification of a natural person) regarding:
(e.g. DNA code, facial image, fingerprint pattern, iris of the eye);
(e.g. way of moving);
(e.g. analysis of the vote or the method of handwritten signature),
if these data result from special technical processing and allow or confirm the identification of a natural person.
Special technical processing should be understood as the use of such methods and means, the purpose of which is to analyze biometric features and lead to the identification of a natural person on the basis of the analysis performed. Examples of special technical processing include fingerprint or iris scanning.
Processing a photograph (e.g. an employee's identification photo) will not always mean processing biometric data - a photograph is biometric data only when it is processed in accordance with the definition contained in art. 4 point 14 of the Regulation, i.e. by means of special technical methods.
For example, keeping photographs in employee files will not constitute processing of biometric data.
It is worth noting that the definition of biometric data within the meaning of the provisions of the GDPR is not closed - with the development of technology, further features of natural persons may be considered biometric data.
Can biometric data be processed according to the GDPR?
The motives of the GDPR indicate that certain categories of personal data - including biometric data - require special protection. These data are considered to be particularly sensitive as they enable the unambiguous identification of a natural person and thus may, in exceptional cases, represent a serious risk to fundamental rights and freedoms.
The provision of art. 9 sec. 1 of the GDPR
"The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of genetic data, biometric data in order to uniquely identify a natural person or data concerning health, sexuality or sexual orientation of that person."
The GDPR regulation in the provision of art. 9 expressly prohibits the processing of biometric data if it is done for the purpose of uniquely identifying a natural person or identifying health, sexual or sexual orientation data.
The GDPR prohibits the processing of biometric data, unless one of the cases explicitly indicated in the provisions of the regulation, which is described below, occurs.
An example of a situation where the processing of biometric data is permissible is the data controller obtaining the explicit consent of the data subject.
When does the GDPR allow biometric data to be processed?
The ban on processing biometric data is not absolute - the provision of art. 9 of the Regulation contains a substantial list of exceptions in which the processing of this particular category of information is considered admissible.
The administrator may process biometric data in the following cases:
the data subject has expressly consented to their processing;
processing is necessary for the performance of obligations and the exercise of specific rights by the controller or the data subject in the field of labor law, social security and social protection (if permitted by EU or Member State law);
processing is necessary to protect the vital interests of the data subject or another natural person, and the data subject is physically or legally incapable of giving consent;
processing is carried out as part of authorized activities carried out with appropriate safeguards by a foundation, association or other non-profit entity with political, ideological, religious or trade union purposes in relation to members of this organization or former members;
the biometric data is obviously made public;
processing is necessary for the establishment, exercise or defense of legal claims or in the course of the administration of justice by courts;
processing is necessary for reasons of important public interest;
processing is necessary for the purposes of preventive health care or occupational medicine, for the assessment of the employee's ability to work, medical diagnosis, the provision of health care or social security, treatment or the management of health or social care systems and services;
processing is necessary for reasons of public interest in the field of public health;
processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes.
In addition to the 10 exceptions indicated directly in the provisions of the GDPR, the regulation also grants Member States the right to introduce additional exceptions to the prohibition of processing biometric data in local law.
Any entity that intends to process biometric data (e.g. fingerprints) should investigate whether one of the exceptions provided for above applies to them. Most often, the processing of this data will be possible after obtaining the consent of the data subject - importantly, this consent must be explicit, not implied. This means that the person must be fully informed about the purposes, principles, effects of processing and the security measures applied. Consent must be given unambiguously and consciously.
Based on the above-mentioned provisions, the employer will be able to process the biometric data of its employees (e.g. use a fingerprint reader that allows access to a specific building or room), provided that the employee obtains the express consent of the employee to take such actions.
When proceeding to the processing of data considered as biometric, however, one should remember about the basic principles of the GDPR, which include, inter alia, the principle of adequacy - the data controller is obliged to limit the scope of data processing only to the data necessary to achieve the legitimate purpose assumed by him. Therefore, if the data controller can achieve the same effect by processing data that is less sensitive than biometric data, it should choose this method.