The final step before deploying the biometric system is to test it and validate its outputs. There are two possible scenarios. In the first, new data need to be collected; in the second, the researchers employ the same data processed during the development phase. The first scenario occurs when, for instance, new subjects are brought in specifically for testing the system. In this case, the data controller needs to perform the steps already mentioned in regard to the preparation phase. In the second scenario, the researchers need to consider whether this further testing was included among the initial purposes (for more information, see the “Purpose limitation” subsection in the Principles section of the General Part of these Guidelines). Indeed, ‘testing the system’ constitutes a different processing operation from ‘developing the system’ and might therefore require a different legal basis, especially when the two processing operations require different sets of data. In such cases, the researchers should not assume that, since they complied with the obligations related to the development of the system, they automatically comply with those related to testing. It is important that they approach this step critically and make minimizing risks to the rights and freedoms of the data subjects their priority.


