Under the General Data Protection Regulation (“GDPR”), biometric data is considered a “special category of personal data,” which is defined as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying an individual, and data concerning an individual’s health, sex life, or sexual orientation. Following up on our series on video surveillance and the GDPR, this post will delve into biometric data, including what it is and its significance in video surveillance systems.
As one of the special categories of personal data, biometric data refers to data that is unique to an individual and can be used to identify them, such as fingerprints, facial recognition data, and iris scans. This type of data is increasingly being used in various industries, including law enforcement and security.
With today’s image processing technologies, it is quite straightforward to extract information about a person’s age, gender or facial expression from simple CCTV or security camera footage. Accordingly, the rise of video surveillance systems and new technologies, such as the AI-powered, image-processing-based workplace safety platform that we provide as Intenseye, might raise concerns regarding biometric data and its potential impact on privacy. However, video footage from security cameras does not, by itself, qualify as biometric data under the GDPR; the processing of raw data, such as the physical, physiological, or behavioral characteristics of a natural person, must imply measurement of these characteristics.
💡 Intenseye neither collects biometric data nor recognizes faces, and faces are blurred by default face blurring algorithms.
According to the GDPR, biometric data is defined as data that is obtained through the measurement of an individual’s physical, physiological, or behavioral characteristics. This data must be the result of specific technical processing in order to qualify as biometric data. As stated in Section 5, “Processing of Special Categories of Data,” of the European Data Protection Board’s Guidelines released on 3/2019, video footage of an individual, on its own, cannot be considered biometric data under the GDPR unless it has been specifically processed with the intention of identifying the individual.
In order for data to be considered biometric data under the GDPR, it must meet the following criteria:
- Nature of data: The data must relate to the physical, physiological, or behavioral characteristics of a natural person. – Intenseye does not relate the data to any characteristics of the individuals.
- Means and way of processing: The data must be the result of “specific technical processing.” – Intenseye does not technically process the data to extract any biometric information.
- Purpose of processing: The data must be used for the purpose of uniquely identifying a natural person. – Intenseye does not identify individuals; it only detects unsafe acts or behaviours.
According to Article 9 of the GDPR, if a data controller stores biometric data in the form of templates that are created by extracting key features from raw biometric data (such as facial measurements from an image) in order to uniquely identify an individual, then the GDPR applies. For example, if a controller wishes to use biometric data to detect when a data subject re-enters an area or enters a different area (such as for the purpose of physical security), the operation would fall under Article 9 from the start because the purpose is to uniquely identify a natural person.
💡 On Intenseye’s platform, individuals’ faces are completely blurred. It is not possible to tell who they are when viewing an image or watching a video. No biometric data related to the individuals is retained, either. Intenseye’s only purpose is to analyze how often unsafe acts or conditions happen, to focus more on the ways to prevent them, and eventually to ensure occupational health and safety. Intenseye loses track of individuals when they move out of the camera’s sight, so no biometric data related to individuals is used for tracking them.
The GDPR states that there has to be specific technical processing of an image related to physical, physiological, or behavioral characteristics in order for it to be considered biometric data. Hence, an image or video footage is not by itself considered to be biometric data under Article 9 of the GDPR if it has not been specifically technically processed in order to contribute to the identification of an individual.
Be sure to check out our next blog, where we will be addressing Data Minimization and Pseudonymization.