News top

Processing biometric data

What is biometric data and what your company has to consider when processing it?

The GDPR considers biometric data, as a special category data that is more sensitive and requires special attention and protection. GDPR article 4 defines biometric data as “physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint identification] data”. Defining biometric data under such broad terms, the GDPR seems to acknowledge that biometric technology is relatively new and will continue to evolve and develop. As such, the definition seems well-positioned to encompass types of biometric data that may arise through the development of future technology.

The definition also distinguishes two main parts that could be considered as biometric data. The first is straightforward - the data related to the physical characteristics of the data subject like facial characteristics, fingerprints etc. The second part of the definition is broader and a bit controversial. It is related to the “behavioral characteristics” of a person that might allow his/her unique identification. However, the question is to what extend the regulatory authorities will interpret this category. Therefore, due to this uncertainty, data controllers must closely monitor the guidance in accordance with the behavioral characteristics, considered as biometric data.

Interesting fact is that, as per Article 9, GDPR prevents the processing of biometric data, even with the standard consent of the data subject. However there are certain conditions under which companies are eligible to process such data. Some of the most important are:

  • The data subject has given explicit consent – this kind of consent must be obtained in a way that leaves no room for misinterpretation. It must be provided in a clear statement – written or spoken;
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment and social security and social protection law;
  • Processing is necessary for reasons of public interest in the area of public health;
  • Processing is necessary to protect the vital interests of the data subject;
  • Processing relates to personal data which are manifestly made public by the data subject.


​Moreover, the European legislation has left room for the national governments to maintain or introduce other limitations regarding the processing of biometric information.

The processing of biometric data is just one interesting GDPR requirements that companies must consider. Are you handling personal data and ready for a GDPR audit? You can easily check that on – we have developed GDPRQ, a simple, but effective self-assessment tool that will generate your compliance evidence report. Get started today!


A honlap utolsó módosításának időpontja: 2019.10.01