Financial institutions and other obliged entities that are using remote customer identification methods must be in compliance not only with the requirements of money laundering and terrorist financing prevention but follow the requirements of General Data Protection Regulation as well (hereinafter – GDPR).
Article 4, Paragraph 4 of GDPR sets forth that biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data.
European Data Protection Board issued Guidelines on personal data processing through video devices. These Guidelines outline 3 criteria when the biometric data shall be considered as special categories of personal data:
- the data must relate to physical, physiological or behavioral characteristics of a person.
- the data must have been “subjected to special technical treatment”.
- the data must be used for the specific purpose of identifying an individual.
Taking into consideration the above-mentioned, biometric data with the purpose of identifying or confirming the identity of a natural person is a special category of personal data which is prohibited to be processed (as a general rule), except where there are appropriate conditions as defined in Article 9, Paragraph 2 of GDPR for processing special category data.
In accordance with the Article 9 of the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania (hereinafter – Lithuanian AML Law) financial institutions and other obliged entities shall take measures to identify and verify the identity of the customer and the beneficial owner before starting business relationship.
Article 11 of Lithuanian AML Law allows identifying customer and beneficial owner remotely – without his/her physical presence. The most widely used remote customer identification method in Lithuania is a real time photo or video transmission of customer’s facial image and identity document. Additionally, financial institutions and other obliged entities are using vendor services of facial recognition systems, such as matching the face image of customer to the photo on the identity document.
Financial institutions and other obliged entities shall take measures to identify and verify the identity of the customer and the beneficial owner before starting business relationship.
Such data is considered to be a special category of personal data, therefore financial institutions and other obliged entities must identify both a lawful basis under Article 6 of GDPR and an appropriate condition under Article 9 of GDPR for processing of such data. One of the conditions when special category of personal data could be processed is when data subject has given explicit consent to the processing of that personal data for one or several specified purposes.
According to remote identification technical requirements (hereinafter – technical requirements) set by Financial Crime Investigation Service sub-point 22.12, customer identification process shall be terminated if the individual does not consent with real time photo or video transmission. Sub-point 25.1 of the technical requirements state that financial institutions and other obliged entities must ensure that real time photo and video transmission is carried out only with the customer’s consent.
This information is critical for financial institutions and other obliged entities. If customer consent is used as the only lawful basis for the processing of personal data and customer is not offered alternative identification methods, there could be imbalance between the data subject (customer) and the data controller (financial institution or other obliged entity). The data subject would have no alternative and would have to agree with processing of personal data under the conditions of data controller to be able to use its services.
What is more, point 42 of Preamble of GDRP states that consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without consequences for data subject. Financial institutions and other obliged entities have to ensure that if the data subject refuses to identify through remote identification process as previously described, there is an alternative identification method (e.g. facial similarity check could be done by human) for business relationship establishment.
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without consequences for data subject
To sum up, when processing special category of personal data, it is necessary:
- to provide data subject with an easy access to and / or denial of the face similarity check solution and make sure that it is easy for data subject to understand and use the face similarity check solution;
- to provide data subject with an alternative (non-biometric) verification option, e.g. facial similarity check could be done by human, possibility to visit physical location, Skype video call, etc., based on security level;
- to collect an explicit consent of data subject for face similarity check solution;
- to make sure that data subjects are adequately informed about the key elements of data processing in conformity with Article 13 of GDPR: the identity of the data controller, the purposes of data processing, type of data processed, duration of the data processing, the rights of data subjects to access, rectify or cancel their data, the right to withdraw consent, information about the recipients or categories of recipients to whom the data is disclosed;
- the data is used no longer than necessary;
- to conduct Data Protection Impact Assessment before using the face similarity check solution.
If you would like to get more information about the requirements of GDPR and their implementation, please feel free to contact ECOVIS ProventusLaw team.
More to read: