
Is it biometric data processing if it is not stored? APDCAT’s response
In the field of data protection, the processing of biometric data has raised many questions, especially in relation to its storage and use. The Catalan Data Protection Authority (APDCAT) has ruled on whether the simple use of biometric data, without storage, constitutes data processing.
This article explores the APDCAT’s position and its implications for the handling of biometric data in various technological applications.
Purpose of biometric data
Biometric data is data that is obtained from a person’s unique physical or behavioral characteristics, such as fingerprints, facial recognition, iris, voice, or handwriting. These characteristics are inherent to each individual and therefore serve as a highly secure form of identification.
The purpose of biometric data processing may vary depending on the context in which it is used, but generally includes:
- Authentication and security: biometric data is commonly used to verify a person’s identity, providing an additional level of security in access systems, such as in mobile devices, high-security facilities, and access control systems.
- Identification: in some cases, biometric data is used to identify an individual among a group, such as in surveillance systems or government identification databases.
- Personalization of services: some applications use biometric data to personalize services, as in the case of devices that adjust settings based on the identified user.
- Health and wellness: in healthcare, biometric data can be used to monitor vital signs and other health indicators, facilitating medical diagnosis and treatment.
It is important to note that the processing of biometric data is subject to strict regulations due to its sensitive nature, and must comply with data protection principles such as minimization, purpose limitation, and informed consent.
Regulations, such as the General Data Protection Regulation (GDPR) in the European Union, establish specific requirements for the processing of biometric data, including obtaining informed consent, limiting the purposes for which the data is used, and ensuring its security.
How is it stored?
Biometric data storage can be done in several ways, depending on the technology and purpose of the system:
- Biometric templates: instead of storing the full image of a biometric characteristic (such as a fingerprint), a biometric template is stored. This template is a mathematical dataset that represents the unique characteristics of the biometric, allowing identification without the need to store the full image.
- Centralized databases: biometric data can be stored in centralized databases, where it is collected and managed on a central server. This method is common in government systems or large organizations.
- Local storage: in some devices, such as cell phones or smart cards, biometric data is stored locally on the device. This can improve security by reducing the need to transmit biometric data across networks.
- Encryption: biometric data is often encrypted to protect against unauthorized access. Encryption ensures that the data can only be read by authorized systems that possess the decryption key.
- Tokenization: in some cases, biometric data is converted into a token or code that represents the biometric information. This token is used for authentication without the need to store the original biometric data.
Pronouncement of the Catalan Data Protection Authority
The controversy in the processing of biometric data lies in the sensitive nature of this data and the implications for the privacy of individuals.
The sanctioned City Council pointed out that “it does not capture, store or reproduce the fingerprints of workers but the assignment of a code that cannot be reproduced by other systems and that, therefore, cannot be qualified as unique identifiers”.
In this sense, the City Council acknowledged that, based on the distinctive characteristics of a person’s fingerprint, it obtains a code that makes it possible to identify him or her when accessing municipal premises.
This personal data processing process makes it possible to authenticate a person by means of a biometric analysis. The biometric template acts as a unique identifier, similar to a national identification number, which, although it does not allow to obtain or recreate the fingerprint of an individual, it does allow to identify him/her univocally.
The Catalan Data Protection Authority (APDCAT) has determined that this type of processing, carried out for the purposes of time and attendance control of workers, constitutes the processing of special categories of data.

Paula Ferrándiz es abogada especialista en Propiedad Intelectual e Industrial, Nuevas Tecnologías y Derecho de la Competencia.
Apasionada del sector digital y las redes sociales presta asesoramiento legal a todo tipo de clientes tanto nacionales como internacionales en materia de protección de datos, comercio electrónico, publicidad y marketing digital entre otras.