The Spanish Data Protection Agency (AEPD) published the guide “Data protection in labour relations” on 18 May 2021.
Do biometric data always involve the processing of special categories of data?
The guide confirms that not all processing of biometric data implies processing special categories of data.
Article 4.14 of the General Data Protection Regulation (GDPR) defines biometric data broadly as “personal data obtained from specific technical processing, relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or fingerprint data”.
Article 9(1) of the GDPR, which lists the special categories of data, includes biometric data for only one type of use: ‘biometric data intended to identify an individual uniquely’.
From a reading of these two provisions, and in line with the guidelines of the White Paper on Artificial Intelligence, the AEPD confirms in this guide a position it had already been taking in its recent resolutions: not all processing of biometric data should be considered processing of special categories of data or sensitive data.
What is the difference between verification and biometric identification?
There are two ways of carrying out biometric recognition: verification and identification. Based on the characteristics of these two types of system, the AEPD guide concludes that “in general, biometric data are only considered a special category of data in cases where they are subject to technical processing aimed at biometric identification (one-to-many) and not in the case of biometric verification/authentication (one-to-one)”.
- Biometric verification or authentication: The purpose is to check whether an individual is who he or she claims to be, by comparing the individual’s data only with other data associated with the claimed identity (one-to-one, 1:1).
- Biometric identification: The purpose is to know whether a particular individual is one of the members of a pre-determined group, by comparing the data of the individual to be identified with the data of each and every individual included within that group to check whether he/she is one of them (one-to-many, 1:N).
The AEPD recommends using biometric verification but does not prohibit biometric identification; on the contrary, it expressly contemplates it for access control and employee time recording, provided that the other requirements established in the GDPR are met.
When is the processing of biometric data legitimate?
Personal data may only be processed if one of the legal grounds provided in Article 6 of the GDPR applies.
In the case of special categories of data, processing is prohibited unless one of the exceptions set out in Article 9.2 of the GDPR applies. In these cases, in addition to a legal basis for processing, one of those exceptions must also apply.
The user’s consent constitutes both a legitimate basis for any data processing and one of the cases foreseen for processing special categories of data; therefore, if the individual consents to such processing, the processing of biometric data may be carried out.
The AEPD now states that, within the framework of an employment relationship, the implementation of an employee access control and working time registration system using biometric data can be based on the fulfilment of the obligations and the exercise of the rights that labour, security and social protection legislation provides for the employer, and therefore without the need for the employees’ consent.
Is any facial recognition system valid?
The AEPD recalls that biometric systems must always comply with the requirements established in the GDPR, among which are:
- Clear and transparent information to the users of the system. The worker must be informed about the processing.
- Data protection “by design” of the system.
- Preference for storing biometric vectors (templates) rather than raw data (e.g. facial images or audio), and for storing them on the individual’s personal device rather than in a centralised system.
- Biometric vectors that are not interoperable with other systems. This is an intrinsic characteristic of current AI-based biometric systems, such as those used by dasGate.
- Guarantees that the data are not used for any other purpose.
- Adequate protection of biometric data by means of encryption technology.
- Possibility of revoking the identity link. In this regard, note the irreversibility of the vectors in AI-based biometric systems, such as those used by dasGate.
- Limitation of the purpose of processing.
- If a biometric identification system is used, an impact assessment should be carried out.
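As an added illustration, not code from the AEPD guide or from dasGate/Veridas, the following Python sketch contrasts the 1:1 verification and 1:N identification described above over stored biometric vectors, and shows how the identity link is revoked by deleting the vector when no raw image is kept. The gallery, probe, threshold and the use of cosine similarity are constructed assumptions.

```python
import math
from typing import Dict, List, Optional, Tuple

Vector = List[float]

# Constructed sample gallery: one stored biometric vector (template) per enrolled employee.
# In a real system the vectors come from a recognition model; they are not face images
# and cannot be turned back into one, which is what the guide's "irreversibility" refers to.
GALLERY: Dict[str, Vector] = {
    "emp-001": [0.91, 0.12, -0.33, 0.05],
    "emp-002": [-0.20, 0.85, 0.40, -0.10],
    "emp-003": [0.10, -0.30, 0.88, 0.30],
}
# Constructed probe: a fresh capture of emp-001, slightly different from the enrolment vector.
PROBE: Vector = [0.90, 0.15, -0.30, 0.08]
THRESHOLD = 0.90  # assumed decision threshold on cosine similarity


def cosine(a: Vector, b: Vector) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def verify(probe: Vector, claimed_id: str, gallery: Dict[str, Vector] = GALLERY,
           threshold: float = THRESHOLD) -> Tuple[bool, int]:
    """1:1 verification: the probe is compared only with the template of the claimed
    identity. Returns (accepted, number of templates compared)."""
    template = gallery.get(claimed_id)
    if template is None:
        return False, 0
    return cosine(probe, template) >= threshold, 1


def identify(probe: Vector, gallery: Dict[str, Vector] = GALLERY,
             threshold: float = THRESHOLD) -> Tuple[Optional[str], int]:
    """1:N identification: the probe is compared with every template in the group, so
    every enrolled person's data is processed on each attempt. Returns (match_id, N)."""
    best_id, best_score = None, -1.0
    for emp_id, template in gallery.items():
        score = cosine(probe, template)
        if score > best_score:
            best_id, best_score = emp_id, score
    return (best_id if best_score >= threshold else None), len(gallery)


def revoke(emp_id: str, gallery: Dict[str, Vector]) -> bool:
    """Revoking the identity link: deleting the stored vector is sufficient because no
    raw image is kept, so there is nothing else to purge."""
    return gallery.pop(emp_id, None) is not None
```

The comparison counts returned alongside each decision make the practical difference visible: verification touches one person's template, identification touches all N.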
dasGate and Veridas, leaders in the biometrics industry
dasGate’s access control systems use Veridas’ biometric engines, which are AI-based and designed for data protection by default and by design. dasGate and Veridas also promote impact assessments of their solutions, to help their customers analyse and implement their services. In addition, both companies have implemented an information security management system backed by certifications such as ISO/IEC 27001 and Spain’s National Security Scheme.