When are images, and in particular customers’ pictures, biometric data under the GDPR? And what are the relevant privacy-related obligations at a time when automation is set to increase?
It is a hot topic at the moment, and you can watch my video in Italian as part of Diritto al Digitale and read the article in English below.
Images are not always biometric data
A frequent question is whether images are biometric data. As with most of the problems, we as lawyers usually respond
Indeed, the definition of biometric data is not 100% clear, as it provides that biometric data are
“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”
So when it comes to the picture of an individual taken, for instance, as part of a KYC process, there is technical processing, but is that processing able to uniquely identify the individual?
Considerable support comes from the recitals of the European privacy regulation, which clarify that
“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.”
Therefore, in our example above, it might be possible to argue that if customers’ pictures are reviewed by a customer support team made up only of “humans” who look at the pictures, no biometric data is expected to be processed. But if the same images are analyzed by a machine able to uniquely distinguish one individual from another, such images – subject to a case-by-case review – might qualify as biometric data.
What happens if your customers’ pictures are biometric data?
Under the GDPR, biometric data is a special category of personal data. This means that, for instance, the performance of a contract with a customer or an employee cannot be the legal basis for the processing. It is a “tricky” scenario: if the legal basis is consent, the question is whether consent is freely given when it is compulsory in order to enjoy the service, and whether offering alternative solutions that do not require the collection of biometric data is possible.
Also, the other options granted by the GDPR must be “tested” against the local laws of each EU Member State. Indeed, is the assessment of the scenarios in which processing occurs in the “public interest” a responsibility of the data controller, or must it be expressly provided for by local law?
The situation is even more complicated in an employment relationship, where consent from an employee is not a strong legal basis since it might not be freely given.