Biometric data as special-category data
Biometric data is defined in Article 4(14) as personal data resulting from specific technical processing of physical, physiological or behavioural characteristics that allow or confirm unique identification (e.g. facial images, fingerprints). It exists as raw data or as a biometric template. Its two main uses are identification (who are you?) and authentication (are you who you claim to be?). Crucially, it is Article 9 special-category data only when the purpose is to uniquely identify a person - otherwise it is ordinary personal data.
| Use | Question answered | Example |
|---|---|---|
| Identification | Who are you? | Facial recognition of individuals in social-media photos |
| Authentication | Are you who you claim to be? | Fingerprint to unlock a device, or palm print to enter a secure area |
Biometric data is special-category data under Article 9 only when processed for the purpose of uniquely identifying a natural person. A facial photo used merely to permit access alongside other information does not engage Article 9 - but it remains personal data by definition.
- Examples: DNA, fingerprints, palms, vein patterns, retina and iris patterns, odour, voice, face, handwriting, keystroke technique and gait
- Biometric data may be raw (the image of a face or fingerprint) or in template form (a digital representation of extracted features)
- A template must hold enough detail to identify the individual from the stored population
- Member states may impose further restrictions on processing biometric data - check national law