Biometric data are the result of specific technical processing of physical, physiological or behavior-related characteristics of a person, such as facial images or fingerprints. Based on this unique data, unambiguous identification or confirmation of identity is possible. Besides facial scan and fingerprint, iris or retinal scan and voice recognition are the most common and applied forms of biometrics. Organizations can also use behavioral traits, such as the signing of a signature, for identification.

Privacy

When deploying biometrics, ensuring the privacy of data subjects is important. The unique body characteristics can be traced back to a single individual. In addition, biometric data often contain more information than is strictly necessary for identification, which means that a person's race, religious background or health status could be inferred from certain body characteristics.(1) Thus, this is highly sensitive information that carries great risks in the event of a data breach or hack.

Legal prohibition and exceptions

The General Data Protection Regulation (AVG) governs the processing of biometric data. Under the AVG, biometric data processed in the context of unique identification are special personal data. Since the processing of special personal data is generally prohibited, the processing of biometric data to identify a person is also prohibited in principle.

However, there are exceptions to the general prohibition. For example, biometric data may be processed when data subjects have given their explicit consent, when it is necessary to serve someone's vital interest or in the case of important public interest.

The AVG Implementation Act (UAVG) fleshes out the prohibition. The Dutch legislator considers the ban on processing biometric data not applicable when if the processing is necessary for authentication or security purposes.(2)

Footnotes

(1) https://www.autoriteitpersoonsgegevens.nl/nl/onderwerpen/identificatie/biometrie
(2) Idem