Biometric data processing: what should be known?


The State Data Protection Inspectorate carried out an investigation into the processing of biometric personal data in gyms.

Biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person, which allows that person to be uniquely identified or confirms their identity. The General Data Protection Regulation classifies such data as a special category of personal data, whose processing is subject to stricter requirements.

In the opinion of the State Data Protection Inspectorate, companies planning to process biometric personal data are obliged to carry out a data protection impact assessment. It is important to determine whether there is any reason to process such personal data at all, to assess the potential risks, and to determine security measures that are sufficient to mitigate those risks.

The prohibition on processing special categories of personal data laid down in the General Data Protection Regulation does not apply where the data subject has clearly consented to the processing of such personal data for one or more specified purposes.

The State Data Protection Inspectorate takes the position that biometric data may be processed on the basis of customers' clear, unambiguous and appropriately informed consent. When biometric data is processed on the basis of consent, however, customers must also be offered alternative means of identification that do not involve processing biometric data.

A company that intends to process biometric personal data must choose appropriate technical and organisational measures that take into account the high level of risk involved in such processing.

We note the essential data security measures that must be implemented when processing biometric data:

– Define the organisation's information security management in detail, clearly defining and documenting employee responsibilities and roles and the data access control policy;

– Regularly inventory and update hardware, software and network equipment;

– Establish basic procedures to be followed in the event of an incident or personal data breach;

– Ensure that employees are able to handle information confidentially.