Data protection in biometric identification
Airport security checks, building entrances and access to digital banking are just some of the settings in which biometric identification is increasingly used. In all of them it is essential to know the flow of personal data affected, the security measures implemented and the impact that such processing has on the rights and freedoms of users.
Biometric identification systems
The first thing to consider when addressing data protection in biometric identification is, logically, the existing biometric identification systems, since the personal data processed will differ depending on which one is used.
This is without prejudice to the fact that, in any case, biometric data processing aimed at uniquely identifying a natural person will always require special protection, regardless of the identification mechanism used.
By way of summary, the main types of biometric identification include, among others, the following:
- Fingerprint scanning.
- Iris scanning.
- Facial recognition.
- Hand geometry.
- Voice recognition.
- Retina scanning.
- Vein recognition.
In all the above biometric identification systems, as can be seen, the element measured varies, but they all process personal data that the General Data Protection Regulation (GDPR) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) treat as a special category, which means that the protection and guarantees that must be applied to them are particularly considerable.
Therefore, although the regulation does not define the specific measures that must be implemented in each case, the data controller that is going to process biometric personal data must carry out an analysis of the technical, organisational and legal measures that it has in place in its organisation, as well as an impact assessment that determines the risk of the processing to be carried out (as well as the need for additional measures, if applicable).
Data protection in biometric identification: the law
Both the GDPR and the LOPDGDD expressly mention special categories of data and, consequently, biometric data.
It should be borne in mind that Article 9.1 of the GDPR states that “The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data concerning health or data concerning the sexual life or orientation of a natural person shall be prohibited”.
However, paragraph 2 of the same Article establishes a series of exceptions that allow the processing of such personal data, the paradigmatic one being explicit consent.
Such explicit consent (not to be confused with express consent) implies that users must give the data controller an enhanced form of consent: it cannot be obtained, for example, by ticking a box on a form, but must be an express manifestation of will (a positive reply to an e-mail, the signature of a document).
In addition to the above, the applicable regulations also refer to technical and organisational measures. It is therefore not enough to have the appropriate legal documents regulating the relations between the different parties involved in the processing of these personal data; the controller must also have appropriate technical and organisational measures in place to demonstrate the relevant guarantees.
In this regard, on the one hand, the internal structure of the controller must be designed from the ground up so that only those personnel who are indispensable for the provision of the biometric identification service are involved.
On the other hand, technical security measures must be put in place in at least two ways:
- Technical measures to ensure that only appropriate personnel of the controller access or process such personal data.
- Technical measures, especially in the field of cybersecurity, aimed at preventing fraud or unlawful access by third parties.
At Letslaw by RSM we have a team of data protection lawyers as well as a team specialised in cybersecurity that can help you deal with particularly sensitive data with full guarantees.
Letslaw is an international law firm specialised in business law.