GDPR Learning Hub

GDPR and facial recognition

Legal bases when using facial recognition technology

“Consent” and “Contract” are two legal bases that may be appropriate to support processing when done through the use of facial recognition technology.

Facial recognition technology processes biometric data

Since facial recognition technology processes biometric data, which is sensitive personal data under the GDPR, the processing requirements are stricter. For example, processing of sensitive personal data may not be supported on the legal basis of “legitimate interest”.

Legal bases when using facial recognition technology

There are six (6) legal bases in the GDPR. Companies must always apply a legal basis to each individual processing operation; otherwise the processing may not be carried out. Contracts with data subjects and consent from data subjects are two common legal bases when using facial recognition technology.


GDPR - Contract with a data subject

Contract with a data subject is a legal basis that applies when a company needs to process personal data in order to enter into or perform a contract with the data subject. For example, it is used by companies that process the buyer’s name and home address in order to deliver the purchased products.

Here are two examples of when this legal basis may be suitable for processing related to facial recognition technology:

Login system

For example, a workplace can use facial recognition technology to log authorised users in to different systems, so that no unauthorised person can access them. Using the technology may therefore be part of the employee’s duties under the employment contract. In that case, contract with the data subject is the legal basis.


Unmanned gyms/shops

Unmanned services, such as gyms or stores, can use facial recognition technology to give authorised individuals access. For example, an individual must pass through an entrance with a camera, which compares their face with a previously captured image so that the technology can determine whether there is a sufficiently high probability that they are an authorised person before granting access to the premises. In these cases, facial recognition can be said to be a necessary process for the company to fulfil the contract entered into with the data subject.

Consent

Consent is the most common legal basis for private actors to support processing with facial recognition technology.

Requirements for valid consent

The following requirements must be met for consent to be valid under the GDPR. The fifth requirement concerns consent relating to sensitive personal data.

Voluntary and Specific
Voluntary

The data subject shall give consent freely, without pressure, coercion or negative consequences. In order to assess whether consent is voluntarily given or not, the power relationship between the parties must be taken into account. If it is unequal, as between an employee and employer or between a municipality and a citizen, the consent is usually not considered voluntary. A school that used facial recognition technology for attendance control was considered to be in breach of the GDPR, as students are in a position of dependence on the school and the consent was therefore not considered to meet the requirements for valid consent.

Specific

The consent shall be given for a clear and distinct purpose. It should be a limited consent that applies only to that specific purpose. The data subject must know exactly what they are agreeing to.

Informed, Withdrawal and Explicit
Informed

Companies must inform data subjects about the processing in a clear and transparent manner before they give their consent. This shall, inter alia, be done in accessible language and include information on how the technology works, how the processing of personal data is carried out and which alternative means of identification, other than biometric identification, can be used.

Withdrawal

Data subjects shall be able to withdraw their consent at any time. Withdrawing consent should be as easy as giving it. In addition, the information provided to data subjects shall specify how withdrawal can take place.

Explicit

The requirements for consent are higher when processing sensitive personal data. Explicit and unambiguous consent of the data subject is required, which is not the case for the processing of ordinary personal data.

Take appropriate measures to minimise the risks posed by facial recognition technology

The GDPR requires companies to implement adequate technical and organisational safeguards when processing personal data. The more sensitive the personal data, the higher the requirements. Facial recognition technology involves the processing of sensitive personal data, and the security requirements are therefore high. For example, it may be appropriate to carry out an impact assessment before processing begins and, where necessary, to request prior consultation with the national data protection authority.