The GDPR defines biometric data as a special category of sensitive personal data resulting from a specific technical processing related to the physical, physiological or behavioral characteristics of a natural person. Biometric data, such as facial, iris or fingerprint data, confirms the unambiguous identification of a person.
This definition entails that technical processing is necessary. For example, a photograph doesn't fall under the category of biometric data, even when it's used for identification. On the other hand, a face print calculation based on a photograph is considered to be biometric data, since this requires technical processing.
According to the definition, biometric data is a special category of sensitive data. The reason for this is that biometric data is unique and can't be replaced, in contrast to passwords. Therefore, extra data protection is necessary.
Can you process biometric data under the GDPR?
In short, Article 9.1. of the GDPR prohibits the processing of biometric data for the purpose of uniquely identifying natural persons. However, according to Article 9.2. of the GDPR there are exceptions:
Explicit consent for the processing from the data subject. This consent should be freely given, specific, informed and unambiguous (Article 4). The data subject must also have the right to withdraw the consent at any time. Since 2018, a couple of initiatives regarding facial recognition for identifying individuals in public areas had to be put on hold, because they didn't comply with this regulation. This exception can be applied in most B2B situations, but isn't sufficient in an employment relationship as employees might feel pressured to consent. In a work situation, at least one of the other exceptions listed below must be met.
Necessary for the vital interest of the data subject (f.e. emergency situations)
The biometric security is necessary for the purposes of carrying out obligations and exercising the specific rights of the data controller or of the data subject in the fields of employment, social security and social protection law
The processing is necessary for the establishment, exercise or defense of legal claims
The biometric layer is essential for reasons of public interests (f.e. safety and security)
These exceptions are applicable on a European level. Each EU member state has the possibility to include extra national exceptions.
Steps to check in order to process biometric data
Make a list of applicable countries
Assess the lawfulness for consent (explicit consent, vital interest of the data subject, etc.) both on a European and a national level
Conduct a data protection impact assessment (DPIA) to identify the potential risks
Communicate clearly with the data subjects on the reason for processing, collection, usage, retention, security, transfer and right to be forgotten in the privacy statements
Take all possible measures to protect, safeguard the shield the biometric data