biometric-dpia
Assessing Biometric Processing Privacy
Overview
Biometric data is classified as a special category of personal data under GDPR Art. 9(1) when processed for the purpose of uniquely identifying a natural person. Processing biometric data on a large scale triggers a mandatory Data Protection Impact Assessment (DPIA) under Art. 35(3)(b). This skill provides a comprehensive DPIA methodology for biometric systems including facial recognition, fingerprint identification, voice recognition, iris scanning, vein pattern analysis, and behavioural biometrics (gait, typing patterns, signature dynamics).
Legal Framework for Biometric Data
GDPR Definition — Art. 4(14)
"'Biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data."
Art. 9(1) — Prohibition on Processing Special Categories
Processing of biometric data for the purpose of uniquely identifying a natural person is prohibited unless one of the Art. 9(2) exemptions applies.
Critical distinction: Art. 9 only applies when biometric data is processed "for the purpose of uniquely identifying" a person. A photograph used for illustration purposes is not Art. 9 data; the same photograph processed through facial recognition software to identify the person is Art. 9 data.