Introduction and scope of the guidelines section
Research activities may sometimes involve the processing of biometric data, which requires researchers and research institutions acting as data controllers or processors to address data protection requirements. Since biometric data enjoy a special protection regime under the EU regulatory framework, researchers working with biometric data should comply not only with the general data protection requirements and the specific requirements provided in article 89 of the European General Data Protection Regulation (GDPR) related to research activities, but they should also implement additional safeguards tailored to the specificities of biometric data and/or biometric processing.
The following guidelines provide guidance on ICT research activities that include the development of ICT systems employing biometric data. The authors acknowledge that nowadays it is common for such systems to adopt artificial intelligence technologies. A dedicated chapter on artificial intelligence will address this.
This part is addressed to ICT research institutions working with biometric technology as data controllers, including not only the researchers, who might not be aware of the legal obligations coming from their research activities, but also other concerned parties such as legal departments or ethical committees, which might be more versed on legal aspects but not necessarily on the special data protection regimes applicable to biometric data and research activities. To ensure both these audiences can easily access the contents of the guidelines, this part of the Guidelines. The document attempts to strike a balance between technical details (both regarding ICT and biometric technology, and data protection law) and general accessibility.
This chapter is divided in four main sections. The first introduces the main concepts related to biometrics. Sections 2-4, instead, design, correspond to the preparation and execution phases in the development of an ICT tool. They are aimed at providing an overview of practical steps that can be taken when developing biometric technologies or when employing such technologies in the context of ICT research and innovation. These steps can help researchers to comply with data protection obligations. The recommendations are applicable to biometric systems regardless of the biometric data they generate and process (for more information see ‘Biometric system’).
This part of the Guidelines was written at a time when the ePrivacy Regulation, the AI Regulation or the Data Governance Act had not been passed. It may happen that at the time of using this tool, these Regulations are in force. If so, it will be necessary to take into account the possible changes that this may have produced in the regulatory framework.
1‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such’ (2016). ↑