Before defining biometric data, it is necessary to look at ‘special categories of personal data’, also commonly known as ‘sensitive data’. Indeed, article 9.1 GDPR clusters biometric data (or, at least, some of them; see section on Biometric data) in this broader group:
Special categories of personal data |
Data revealing racial or ethnicorigin |
Data revealing political opinion |
Data revealing religious or philosophical beliefs |
Data revealing trade union membership |
Genetic data |
Biometric data (for the purpose of uniquely identifying natural persons) |
Data concerning health |
Data concerning a natural person’s sex life or sexual orientation |
By default, Article 9 GDPR prohibits the processing of special categories of personal data, unless one of the exceptions listed in article 9.2 GDPR occurs. One of these exceptions occurs when the “processing is necessary for […] scientific or historical research purposes”.
It is worth noticing that, in order to be compliant, it is not enough for a processing of special categories of personal data to meet one of the exceptions listed in article 9.2 GDPR. In addition to that, and before the processing begins, the data controller shall identify an appropriate legal basis for the data processing (see section Identify the most appropriate legal basis)[1].
Data controllers should also be aware that as per article 9.4 GDPR, Member States can introduce further conditionsand apply additional requirements and limitationregarding the processing of genetic data, biometric data or data concerning health. Thus, data controllers willing to process these special categories shall always check if there are specific national requirements that apply.Further information can be found in the National Reports produced by the Panelfit consortium (which can be accessed at https://www.panelfit.eu/national-reports/).
Although certain data do not amount to special categories of personal data by themselves, when employed in conjunction to other data they might amount to special categories of personal data. For instance, the addressand mother tongue of a person are not special categories of personal data. However, whenname, birthplace and other data of the data subject is attached to the dataset,the combination might reveal enough information to identify racial or ethnic origin of the data subject with a reasonable degree of certainty (see the “Anonymization and Pseudonimization” subsection in the Concepts section of the General Part of these Guidelines). In this scenario, datashould be subject to the same requirements and limitation of special categories of personal data even if they are not by themselves.
Dataset 1 | Dataset 2 |
Address: Washington D.C. | Address: Washington D.C. |
Mother tongue: French | Mothertongue: French |
Name: Seydou Kablan Bakayoko | |
Birthplace: Abidjan | |
Other known language: Cebaara, English | |
Primary school: École Konan Raphael, Abidjan | |
Dataset 1 does not provideinformation about the racial or ethnic origin of the data subject | The information provided by Dataset 2 could be considered enough to reveal the racial or ethnic origin of the data subject (with a reasonable degree of certainty) |
It should be noted again that data should satisfy a reasonable degree of certainty. This degree of certainty is contextual and needs to be evaluated on a case-by-case basis.
References
1See also Ludmilla Georgieva and Christopher Kuner, ‘Article 9. Processing of Special Categories of Personal Data’, in The EU General Data Protection Regulation (GDPR): A Commentary (Oxford, United Kingdom: Oxford University Press, 2019), 376–77. ↑