Biometrics through the lens of the GDPR

Biometric data fall within a special category of personal data under the GDPR and are defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person.

It should be noted that these characteristics are intrinsically linked to an individual’s identity (such as fingerprints, facial recognition or iris data) and that their use has become widespread in multiple everyday contexts, ranging from access control and security systems to authentication mechanisms on electronic devices such as computers and smartphones. Their attractiveness lies precisely in the increased reliability they offer in identifying a natural person.

However, it is precisely this reliability that justifies a reinforced level of protection.

The growing use of biometric data by private entities, often integrated into innovative or technologically intensive business models, has raised critical issues relating to privacy, proportionality and security of processing.

A case widely reported in the media in 2024 illustrated these risks in a particularly clear manner: a financial sector entity was collecting iris data in exchange for cryptocurrency. In March 2024, the Portuguese Data Protection Authority (“CNPD”) suspended the collection of such data within national territory, with a view to safeguarding the fundamental right to the protection of personal data, in particular that of minors, and in order to assess, among other aspects, the existence of explicit, informed, specific and freely given consent by the data subjects concerned; the purpose of the processing; the data retention period; the information provided to data subjects regarding their rights and how to exercise them; and the potential unauthorized transfer of data to third parties.

Indeed, when viewed through the lens of the GDPR, biometric data constitute a category of data whose protection must be particularly robust. Accordingly, the processing of biometric data requires compliance with a number of requirements, including the obligation of the data controller to (i) obtain the explicit consent of the data subjects, (ii) ensure data security through appropriate technical and organizational measures, (iii) comply with the principle of data minimization, and (iv) limit processing to the purpose for which the data were obtained or collected.

In the digital era, the importance of protecting personal data is undeniable, particularly as such data have become a resource present in many of our daily activities.

It is important to emphasize that compliance with data protection laws and regulations (compliance mechanisms) not only protects individuals’ rights but also strengthens trust in the entities that process such data.

Ultimately, effective protection of biometric data requires a holistic approach combining technology, legal compliance and good governance practices, ensuring that digital innovation does not come at the expense of personal data privacy and security.

Our Clients are increasingly aware of the relevance of personal data protection, investing in clear and transparent information provided to users on their digital platforms (websites), as well as in compliance with informed consent requirements and the formalization of the necessary subcontracting agreements.

Belzuz Abogados, S.L.P. has lawyers with extensive experience in Data Protection Law, Digital Law and Regulatory Law, who can provide legal assistance in this matter.
