More than consent needed for legal biometric data use: Spanish regulator
The Spanish Data Protection Agency (AEPD) has published a guide outlining how biometric data should be used for access control, according to an announcement translated from Spanish using Google Translate.
The document outlines criteria for the use of biometrics both inside and outside of the workplace. The document’s criteria complies with the GDPR and other regulatory frameworks.
The agency describes the processing of biometric data as high-risk and finds it necessary to establish a guide for its use as it grows progressively easier to gather larger volumes of biometric data, sometimes without their knowledge.
The guide notes that there must be a law authorizing the use of biometric data for access control for work purposes in order for it to be lawful for an entity to use an individual’s data for that purpose.
Obtaining consent alone does not automatically make it lawful for an entity to collect a person’s data, either. This would create an imbalance of power between the entity and the individual whose data is being used, the release notes. This rule is based on article 9.2.b of the GDPR.
Because biometric data is considered high-risk, an entity collecting the data needs to assess whether the purpose of collecting the data is necessary enough to warrant taking on such a risk. This rule is based on article 35.7.b of the GDPR.
In cases where it is lawful to collect biometric data, entities are still required to inform people about the risks associated with collecting biometric data. They are also required to implement data protection by design.
The AEPD fined Mobile World Congress earlier this year for violating GDPR with its deployment of face biometrics for attendee registration.