The present section defines ‘biometric system’ as any system capable of uniquely identifying natural persons (with a certain degree of probability) by performing specific technical processing relating to the physical, physiological, or behavioral characteristics of the natural persons[1]. The definition covers both all-in-one systems that perform all the steps (e.g., data acquisition, data elaboration, data storage, etc.) or clusters of systems each performing individual steps (e.g., a network of data capturing module based on a camera, a biometric mapping software and a database for storage). When a system performing one or more individual steps (hereinafter, “system X”) does not in itself qualify as a biometric system –as per definition above – but is nevertheless part of a cluster of systems that include biometric ones, system X should be considered as a biometric system unless it can be demonstrated – possibly through documented evidence – that it does not process biometric data and that risks are effectively mitigated (e.g., the risk of an unauthorized third parties using system Xto gain access to another system directly linked to system X where biometric data are processed).
Often, biometric systems rely on artificial intelligence technology. The use of such artificial intelligence poses further data protection risks that data controllers need to address. Therefore, it is advisable to consult the part on ‘Artificial intelligence in ICT research and innovation‘ in these Guidelines.
References
1Although the International Organization for Standardization produced a detailed vocabulary of terms related to biometrics, which include the definition of ‘biometric system’, the other of the present document prefer to adopt a definition built on the provisions of the GDPR. See International Standardization Organization and International Electrotechnical Commission, ‘ISO/IEC 2382-37 – Information Technology – Vocabulary – Part 37: Biometrics’, 2017. ↑