{"id":58199,"date":"2018-08-29T08:30:22","date_gmt":"2018-08-29T07:30:22","guid":{"rendered":"https:\/\/blogs.dlapiper.com\/iptitaly\/?p=58199"},"modified":"2019-06-24T11:42:34","modified_gmt":"2019-06-24T09:42:34","slug":"are-your-customers-images-biometric-data-under-the-gdpr","status":"publish","type":"post","link":"https:\/\/blogs.dlapiper.com\/iptitaly\/2018\/08\/are-your-customers-images-biometric-data-under-the-gdpr\/","title":{"rendered":"Are your customers’ images biometric data under the GDPR?"},"content":{"rendered":"

When are images and in particular customers\u2019 pictures biometric data? And what are the obligations triggered under the GDPR at the age when the automation is meant to increase?\"Giulio<\/span><\/p>\n

A frequent question that I have been asked during the last months is whether images are biometric data. As most of the questions, we as lawyers usually respond<\/p>\n

\n

it depends\u2026<\/em><\/p>\n<\/blockquote>\n

Indeed, the definition of biometric data is not 100% clear as it provides that they are<\/p>\n

\n

\u201cpersonal data\u00a0resulting from specific technical processing<\/strong>\u00a0relating to the physical, physiological or behavioural characteristics of a natural person, which allow or\u00a0confirm the unique identification of that natural person, such as facial images or dactyloscopic data<\/strong>\u201c<\/em><\/p>\n<\/blockquote>\n

So when it comes to the picture of an individual taken for instance as part of a KYC process,\u00a0there is a technical processing, but<\/p>\n

\n

is the processing able to\u00a0uniquely identifiying<\/strong>\u00a0the individual?<\/em><\/p>\n<\/blockquote>\n

A considerable support is given by the recitals of the European privacy regulation which clarify that<\/p>\n

\u201cThe processing of\u00a0photographs should not systematically be considered to be processing of special categories of personal data<\/strong>\u00a0as they are covered by the definition of biometric data\u00a0only when processed through a specific technical means allowing the unique identification<\/strong>\u00a0or authentication of a natural person.\u201d\u00a0<\/em><\/p><\/blockquote>\n

Therefore, in our example above, it might be possible to argue that if customers\u2019 pictures are reviewed by the customer support which is made only of \u201chumans<\/em>\u201d that look at the pictures, no biometric data is expected to be processed. But\u00a0if the same pictures are analyzed by a machine<\/strong>\u00a0able to uniquely distinguishing an individual from another, such images \u2013 subject to a case by case review \u2013 might be qualified as biometric data.<\/p>\n

What happens if your customer\u2019 pictures are biometric data?<\/h2>\n

Biometric data is under the GDPR a special category of personal data. This means that for instance\u00a0the performance of the contract with a customer or an employee cannot be the legal basis<\/strong>\u00a0under which they are processed. This is a \u201ctricky<\/em>\u201d scenario since if the legal basis is consent, the point is whether consent is actually free if it is compulsory in order to enjoy a service and whether alternative solutions which do not require the collection of biometric data need to be offered.<\/p>\n

Also, the other options granted by the GDPR shall be \u201ctested<\/em>\u201d under the local laws of each EU Member State. Indeed, the scenarios when a processing occurs in the \u201cpublic interest<\/em>\u201d shall be assessed by the data controller or expressly provided by local law?<\/p>\n

The situation is even more complex in an employment relationship when the\u00a0consent from an employee is not a strong legal basis\u00a0since it might not be free\u2026<\/p>\n

What is your view on the above? Happy to discuss and\u00a0if you found this article interesting please share it on your favourite social media<\/p>\n

@GiulioCoraggio<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

When are images and in particular customers\u2019 pictures biometric data? And what are the obligations triggered under the GDPR at the age when the automation is meant to increase?<\/p>\n","protected":false},"author":41,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"yes","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-58199","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts\/58199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/comments?post=58199"}],"version-history":[{"count":0,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts\/58199\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/media?parent=58199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/categories?post=58199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/tags?post=58199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}