July 4, 2024

The influence of GDPR on facial recognition technologies

In an increasingly digitalized world, the protection of personal data has become a priority. At the same time, facial recognition technologies have advanced significantly and are used in various fields such as retail, health, or advertising.

GDPR imposes a series of strict rules regarding biometric data, which are considered sensitive because they are unique to each individual and, once compromised, cannot be changed, unlike passwords or other authentication methods. Article 4, point 14 of the GDPR defines biometric data as personal data resulting from specific technical processing related to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that person, such as facial images.

For data processing in this field to be legal, a series of principles must be respected:

  • They must be processed fairly and transparently;
  • They must be collected for explicit, legitimate purposes and not processed in a way incompatible with those purposes;
  • They must be adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed;
  • They must be accurate and up-to-date;
  • They must be stored in a form that allows the identification of the data subjects only for the duration necessary to fulfill the purposes for which they are processed;
  • They must be processed in a way that ensures adequate security.

Additionally, according to Article 9, paragraph 1 of the GDPR, the processing of biometric data is prohibited. However, there are exceptions involving strict conditions, such as the explicit consent of the data subject or the necessity for fulfilling specific obligations in the field of labor, social security, and social protection, protecting the vital interests of the data subject, or for purposes of public interest archiving, scientific or historical research, or statistical purposes.

The operator must provide the data subject with concise, easily understandable, transparent, intelligible information, using simple and clear language regarding the processing of their personal data. According to GDPR, organizations must publish privacy policies explaining how facial data is collected, used, stored, and protected. They must also appoint a Data Protection Officer (DPO) to oversee GDPR compliance and manage requests and complaints from data subjects and inform the competent authorities and data subjects in the event of a breach. GDPR grants individuals extensive rights regarding the processing of their personal data, including the right to access, request correction or deletion, or object to the processing. These rights complicate the use of facial recognition as organizations must be prepared to respond to these requests and manage data in accordance with GDPR.

A very important aspect is that a Data Protection Impact Assessment (DPIA) is required when processing can pose a high risk to the rights and freedoms of natural persons (Article 35 of GDPR). Due to the sensitive nature of the data processed, facial recognition technologies require a DPIA to identify and mitigate potential risks. A DPIA involves identifying potential risks and vulnerabilities associated with processing, implementing measures to reduce identified risks, such as pseudonymization or encryption, and keeping a detailed record of the DPIA and the measures taken to protect the data.

The implementation of GDPR has posed significant challenges for the use of facial recognition. Supervisory authorities in EU member states have raised issues regarding the legality of using this technology without the explicit consent of individuals. For example, the use of facial recognition by law enforcement has been a major controversy in France, where the National Commission for Information and Liberties (CNIL) has banned the use of facial recognition in schools to protect children’s identities.

In conclusion, facial recognition technologies offer significant benefits but also bring important challenges in terms of personal data protection. The GDPR imposes strict rules that must be followed to ensure the confidentiality and security of data. By adopting appropriate technologies, companies can overcome these challenges and ensure the ethical and compliant use of facial recognition technologies.


Raluca Rășcanu – Attorney at Law
