Biometrics under the GDPR: Stay compliant

Biometric data is sensitive and vulnerable to misuse. Laws such as the GDPR set out how biometric data must be handled.

Biometric data as a special category

Biometric data is information collected through biometric technologies such as facial recognition or fingerprint scanners.

This raises genuine privacy and data protection concerns: unlike a phone number, a face or fingerprint cannot be replaced once it is misused, which makes its misuse considerably more serious.

The General Data Protection Regulation contains a set of rules for the protection of personal data inside and outside the EU. The GDPR classifies biometric data as a special category of personal data. This means that, in principle, you may not process biometric data. However, the regulation does allow you to process special categories of data if the processing falls within one of the exceptions it provides, such as explicit consent or public interest.

Biographical data

This type of information can be collected and stored alongside biometric data and can include the person's name, place of residence and date of birth.

Explicit consent

Processing on this basis is only allowed if the data subjects have given their explicit consent to the processing of their biometric data and are offered a genuine choice, including an alternative to biometric processing.

Public interest

The protection of public health and safety and prevention of environmental damage are considered compelling interests that go beyond business or organizational interests.

Mass surveillance

Biometric data collection is currently on the rise, and some of that data is collected for surveillance purposes. As biometrics become more widespread, certain countries, such as the USA and the UK, have begun using biometric tools for mass surveillance of their citizens. This has raised legal and ethical questions about the collection, processing and storage of biometric data such as facial images.

GDPR case

The Swedish Authority for Privacy Protection fined a school for taking attendance with facial recognition technology. The fine was issued because the school's reason for processing biometric data did not fall under any of the exceptions allowed by the GDPR.

The school had obtained parental consent to use facial recognition technology. However, the Authority found that consent defective, as it was 'forced' by the power imbalance between the school and the parents. In addition, the GDPR requires that if the same goal can be achieved through less intrusive means, such as signing a page, those means should be used instead.