GDPR: biometric data in the new EU Data Protection Regulation

Posted by media on February 20, 2018 at 9:00 AM


Biometric data is defined in the new EU General Data Protection Regulation (GDPR). This regulation, which was several years in the making, is drafted to cover recent technological developments, including social networks, large-scale data analysis, the Internet of Things (IoT) and many others.

In this post we explain how the new GDPR defines and regulates the processing of biometric data and the right to privacy, looking specifically at data protection issues and the free movement of such data.

This post is also available in Spanish.



Biometric data: a key change of the new EU Data Protection Regulation

To understand the topics covered in this post, two terms need to be pinned down first: what "data processing" means in the context of data protection, and what is meant by "biometric data".

What is "data processing"?

In the GDPR, "processing" is defined broadly (Article 4(2)): it covers any operation performed on personal data, whether automated or not, including collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure and destruction. In practice, this means that a company or professional that merely reads an individual's personal data in order to provide a service, whether to that individual or on behalf of another company or person, is already processing it; the definition is not limited to modifying the data.


What is meant by "biometric data"?

According to the definition in Article 4(14) of the new GDPR, biometric data is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.

Simply put, biometric data is data derived from a person's body or behaviour by a specific technical process (for example a fingerprint template or a set of facial measurements) that can be used to identify that person or to confirm who they are. The qualifier "specific technical processing" matters: according to Recital 51, a photograph is not automatically biometric data; it only becomes biometric data when it is processed through a technical means that allows the unique identification or authentication of the person.



What impact does the new GDPR have on biometric data?

Paragraph 1 of Article 9 of the GDPR places biometric data among the special categories of personal data and prohibits its processing when the purpose is to uniquely identify an individual.

It states the following:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited”.



Exceptions: when can biometric data be processed for identification purposes?

Paragraph 2 of Article 9 provides a number of exceptions to this prohibition, including the following:

  • when the persons affected have given their explicit consent to the processing for one or more specified purposes, unless Union or Member State law provides that the prohibition may not be lifted by consent;
  • when the processing is necessary for carrying out the obligations and exercising the specific rights of the data controller (the company or person who determines the purposes and means of the processing) or of the data subject in the field of employment, social security and social protection law;
  • when it is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent;
  • when the processing relates to personal data which the data subject has manifestly made public;
  • when it is necessary for reasons of substantial public interest, on the basis of Union or Member State law;
  • when it is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, or the provision of health or social care or treatment.

Several of these exceptions (employment, substantial public interest and medicine) only apply on the basis of Union or Member State law or, in some cases, a collective agreement or a contract with a health professional, and they require appropriate safeguards for the data subject.



The new GDPR also permits Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health (Article 9(4)).

The objective of limiting biometric data processing is to avoid infringing the rights and freedoms of citizens while still allowing personal data to move freely within the European Union, at a time when data is increasingly analysed on a large scale.

To achieve this, the GDPR requires a data protection impact assessment (Article 35) before any processing that is likely to result in a high risk to the rights and freedoms of individuals, and it explicitly names the large-scale processing of special categories of data, which includes biometric data used for identification, as such a case.

Note that this limitation exists only where biometric data is processed for the purpose of uniquely identifying a person. Biometric data processed for other purposes falls outside Article 9, although it remains personal data and is still subject to the GDPR's general rules.



In short, the new GDPR means that data controllers wishing to use biometric data must bear in mind that they cannot use such data for identification purposes unless one of the Article 9 exceptions applies.

Where such use is necessary, it must strictly adhere to the legislation and, when biometric data is used to provide a service, the processing must not go beyond what is necessary for that service.

For biometric data in particular, the Regulation requires the controller to be able to demonstrate the user's explicit consent, to meet the other principles such as purpose limitation, data minimisation and accuracy, to process the data securely, and to make withdrawing consent as easy as giving it.

As this post has shown, these considerations are deemed particularly important because of the risks that biometric data processing poses to individuals.


This is a guest post by Vanesa Alarcón Caparrós.

Vanesa is a specialised lawyer in new technologies and intellectual property, and a founding member of Avatic Abogados.



Topics: GDPR