Biometrics and data protection
The tension between data protection regulations and biometric techniques is at the centre of the consultations we receive from clients at our headquarters in Valencia.
This is not surprising: this type of data identifies us unequivocally, and the proliferation of biometric systems in companies calls for an analysis of their implications under the European (GDPR) and Spanish (LOPD-GDD) data protection regulations, which are currently in force in our country for any entity or professional.
Definition of biometric data in the Data Protection Regulation
Article 4.14 of the GDPR defines biometric data as personal data obtained from specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.
Special category of data
The regulatory framework on data protection gives special attention to certain types of data, for which the level of guarantee and protection must be higher because of the risks involved in their violation and the impact on the rights and freedoms of individuals.
Article 9 of the GDPR and Article 9 of the LOPD-GDD call this type of data a “special category of data” and establish that its processing is generally prohibited.
The processing of these data is qualified as “special” because their violation would affect the data subject's fundamental rights and freedoms, such as personal and family privacy, honor, religious freedom, preferences and non-discrimination; in short, the respect and guarantee of human dignity.
When can this data be processed?
However, processing is permitted only in the following cases: with the express consent of the data subject; where it is necessary for the performance of obligations and the exercise of specific rights of the controller or the data subject in the field of employment, social security and social protection; where it is necessary to protect the vital interests of the data subject; where the data have been made public by the data subject; for reasons of public interest; for purposes of preventive medicine; for reasons of public interest in the field of public health; or for scientific, historical or statistical research purposes.
Facial recognition as biometric data processing
Facial images are considered biometric data, since our face distinguishes us from other people, with its own characteristics that identify us and make us unique.
As with any processing, it is very important to define its purpose in order to keep the processing within the law.
When using techniques that involve biometric data processing, such as facial recognition, it is important to define whether the purpose is identification or authentication, as they are two different things.
The Article 29 Working Party (the EU’s independent advisory body on data protection) distinguishes between the two as follows:
Identification: the process of comparing the biometric data presented by a person to a biometric system with the biometric templates stored in a database, by means of a one-to-many matching search.
Authentication: the process of comparing the biometric data presented by a person with a single biometric template stored in a device, by means of a one-to-one matching search.
The Spanish Agency for Data Protection (AEPD)
The AEPD considers that, in general, biometric data will only be considered a special category of data in the case of biometric identification (one-to-many) and not in the case of biometric verification/authentication (one-to-one).
Before deciding whether to use facial recognition as an identification system, the data controller must comply with the principle of proactive responsibility by carrying out the corresponding risk analysis, based on Article 24 of the GDPR, which will ultimately feed into the impact assessment established in Article 28.1 of the LOPD-GDD.
Similarly, the principle of data minimization must be respected in accordance with the purpose pursued.
It should be noted that just a few days ago the AEPD published a list of common misunderstandings about biometric identification and authentication techniques. It clarifies some issues concerning how intrusive these techniques are, their accuracy (questioned because of characteristics a person's face may have as a result of a traffic accident, race or disease), and the possibility of these systems being breached, noting that these are not absolute.
Facial recognition at the entrance of supermarkets in Valencia
A few days ago, the media reported that Mercadona has implemented a facial recognition system at the entrance of its stores, with the aim of identifying people who have been convicted of crimes or have been ordered to stay away from its supermarkets or its workers.
Questions have been raised about whether the images will be stored by the software of the company providing the service, and about the origin of the database against which the data will be compared.
Other questions worth reflecting on are the purpose of this measure by the Valencian company, and whether it complies with all legal requirements, given that special category data is processed.
These doubts have not arisen only among the public: the AEPD itself has initiated an ex officio investigation into this matter, which is underway, according to information published in the media.
Beware of penalties for special category data
It is important to bear in mind that sanctions are possible when the protection of personal data is not guaranteed. The provisions of Article 84.5 of the GDPR apply, with fines that can amount to 20 million euros or an amount equivalent to 4% of annual turnover, whichever is greater.
If your organization has installed technical systems that collect biometric data, or is thinking of implementing them, we suggest you contact us to receive comprehensive advice. We are expert lawyers in data protection in Valencia / LOPD Valencia.