Biometric data in companies

Biometric data are defined by Article 4.14 of the General Data Protection Regulation (GDPR) as personal data obtained from specific technical processing and relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person, such as fingerprint data or facial images.

Biometric data and data protection

Biometric data are a special category of personal data under Article 9 of the GDPR.

As a general rule, the processing of this type of data is prohibited, unless one of the circumstances listed in Article 9.2 of the GDPR applies.

Taking the above into account, processing biometric data is not free of difficulties. Several factors must be considered in order to determine the level of intrusion into the personal sphere of the data subjects: whether the processing is suitable, its proportionality and necessity, its purpose, its impact on the rights and freedoms of individuals, and the risks that this type of processing poses both for individuals and for society.

What should be taken into account when processing biometric data?

The AEPD (the Spanish data protection authority) sets out some practical criteria for carrying out this type of processing, covering the following points:

Purpose of processing:

It must be specified, explicit and legitimate.

Regulatory framework:

Comply with data protection and biometrics-specific regulations, in addition to the regulations of the sector in which the company operates, where applicable. In this respect, the provisions of Article 25.1 of the GDPR on data protection by design must be taken into account.

Suitability and necessity:

This type of processing always requires an evaluation to assess whether the processing is suitable and necessary for its intended purpose. Suitable, because it is the most appropriate means; necessary, because there is no other way to achieve the intended purpose.

Less intrusive processing:

As far as possible, and having analyzed the suitability of the processing as well as the proportionality and necessity of the measure, the biometric techniques that are least intrusive for individuals should be used. Examples of biometric techniques, which differ in their level of intrusiveness, include the following:

  • Detection of human beings
  • Facial, fingerprint, iris recognition
  • Evaluation of people’s patterns and behaviors
  • Automated profiling and decision making
  • Authentication
  • Identification
  • Tracking of people

Impact of processing:

In order to assess the impact, it will be necessary to consider the following:

  • Number of subjects affected
  • Volume of biometric parameters used
  • Geographical scope of processing
  • Data retention periods
  • Frequency of data collection

In order to assess the impact, it is also important to know the context in which the processing is carried out: the regulatory framework and the environment in which it is deployed (labor, social, business, etc.).

Human intervention:

Where there is human intervention in the biometric techniques, it must be qualified, with the aim of minimizing the risks inherent in the processing.

Transparency:

In the process of collecting biometric data, for greater protection of individuals and to make the processing less intrusive, it should be made transparent what type of biometric data will be processed, for what purpose, what rights the individual has in relation to that processing, how long the processing will last, and how the individual's consent is obtained. The less information individuals are given about the processing of their biometric data, the more intrusive the processing will be.

Data minimization:

In any processing, only the data necessary for the stated purposes should be used, so that the principle of minimization prevails. This matters because some biometric techniques can obtain additional information about individuals, such as race, facial alterations such as scars, or emotional states, which may or may not be linked to the purpose of the processing.

Data control:

In order to make the processing less intrusive, the data subject should, as far as possible and depending on the biometric technique used, be given the greatest possible control over his or her data, in relation to collection, processing and storage.

Vulnerabilities:

As in any processing, possible security breaches must be evaluated and appropriate security measures implemented. Since biometric techniques involve special category data, it is essential to be aware of the vulnerabilities of the processing.

Operational:

When implementing a biometric operation, it is very important to choose correctly the elements involved in collection, processing, storage, retention periods and security measures. It is advisable that the company itself controls and has access to these elements to the greatest extent possible, in order to minimize the risks of the processing.

Data Protection Impact Assessment

All of the above can form part of the Data Protection Impact Assessment (DPIA, or EIPD in Spanish), in which the specific security measures will be determined.

Business Adapter® at your service

If you are not yet a client and you would like us to prepare a DPIA (EIPD) or help you comply with the other obligations established by the European and Spanish data protection regulations (RGPD + LOPD), which apply to any company or professional, contact us by email at info@businessadapter.es, call 96 131 88 04, or leave your message in this form:

Contact us, we will be pleased to help you.