Before identifying the most appropriate legal basis, the developers need to assess if one of the exemptions to the processing of special categories of personal data applies.
| Available legal bases provided by the GDPR to process biometric data | ||
| Explicit consent | ✓ | Applies |
| Employment, social security, and social protection | ✗ | Does not apply (requires additional law; a compliance assessment confirmed it does not exist in the State) |
| Vital interests | ✗ | Does not apply |
| Activities from associations and other not-for-profit entities | ✗ | Does not apply |
| Data have been published by the data subject | ✗ | Does not apply |
| Legal claims or judicial acts | ✗ | Does not apply |
| Substantial public interest | ✗ | Does not apply (requires additional law; a compliance assessment confirmed it does not exist in the State) |
| Health or social care | ✗ | Does not apply (requires additional law; a compliance assessment confirmed it does not exist in the State) |
| Health public interest | ✗ | Does not apply (requires additional law; a compliance assessment confirmed it does not exist in the State) |
| Archiving, research, and statistics | ✗ | Does not apply (requires additional law; a compliance assessment confirmed it does not exist in the State) |
Since the only applicable exemption is ‘explicit consent’, the developersalso decide to adopt ‘consent’ as legal basis for the data processing.
Having regarded the legal basis and considering that the collection will occur directly from the data subjects (see ‘Identify the data collection approach’), the developers prepare the informationthat will be provided to the data subjects in the consent form.
| Information to be provided to data subjects according to the collection approach | |
| The identity and contact details of the controller | Developing Inc. (data controller)
Developers Street, 99, 21010, Developonia +00 – 0123456, info@developinginc.com |
| If applicable, the identity and contact details of the controller’s representative | Not applicable |
| The contact details of the data protection officer | John Doe (DPO of Developing Inc.)
Developers Street, 99, 21010Developonia +00 – 0123457, dpo@developinginc.com |
| The purposes of the processing | Research an approach to use palmprints to identify workers at work sites, develop and testits technology, and publish the results |
| The categories of personal data concerned | Name, surname, birthdate, address, phone number, email, palmprint impressions |
| The legal basis for the processing | Explicit consent |
| If applicable the legitimate interests pursued by the controller or by a third party | Not applicable (no legitmate interes pursued) |
| Recipients or categories of recipients of the personal data | Developing Inc. (data controller) |
| The intention of the controller to transfer personal data to a third country or international organization | Not applicable (no transfer) |
| In case of transfer, the existence or absence of an adequacy decision, or reference to the safeguards and the means by which to obtain a copy of the data | Not applicable (no transfer) |
| The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period | Duration of the research (expected to start on 0101/2022 and last a year), until the system is developed and tested |
| The existence of the right toaccess, rectification or erasure, restriction of processing, objection, and portability | Data subjects can exercise their rights as per articles 12-22 GDPR |
| In case of ‘explicit consent’ as legal basis, the existence of the right to withdraw consent at any time and without any negative consequence | Data subjects can withdraw consent. If this occurs, Developing Inc. will identify new data subjects |
| The right to lodge a complaint with a supervisory authority | Complaints can be lodged with the DPA of Developonia. Contacts will be provided |
| Whether the provision of data is a statutory or contractual requirement, or necessary to enter into a contract, if the data subject is obliged to provide the data and the consequences of failure to provide | The provision is not a statutory or contractual requirement |
| The existence of automated decision-making, including profiling | The processing does not include automated decision-making |
| In the case of automated decision-making, information on the logic involved, its significance and the envisaged consequences for the subject | Not applicable |