One of the most crucial steps from a data protection standpoint is the identification of the legal basis for the processing of personal data, which are listed in Article 6 GDPR. However, as already mentioned, the processing of biometric data is prohibited and can occur only when specific exemptions apply. These are provided for in Article 9.2 GDPR and are of two types. Those that are immediately valid and applicable, and those requiring additional Union or Member State law before they can be employed to justify a processing of biometric data.
| Available legal bases provide by the GDPR to process biometric data | |
| Requires additional EU or MS law | |
| Explicit consent | |
| Employment, social security, and social protection | ✓ |
| Vital interests | |
| Activities from associations and other not-for-profit entities | |
| Data have been published by the data subject | |
| Legal claims or judicial acts | |
| Substantial public interest | ✓ |
| Health or social care | ✓ |
| Health public interest | ✓ |
| Archiving, research, and statistics | ✓ |
When one of these exemptions applies, then it is possible for the data controller to select one of the legal bases listed in Article 6 GDPR and process personal data accordingly.
Among the ten exemptions of Article 9.2 GDPR, two are particularly relevant in the present document. The first one is the ‘explicit consent’ requirement. In the context of biometric data processing, the consent of data subjects shall be ‘explicit’, meaning that it shall be a clear, specific, and unequivocal statement that the data subjects are consenting to have their biometric data processed for the specific purposes identified by the data controller[1]. For instance, in case of processing of biometric data extruded from pictures, it will not be enough to collect data subjects’ consent about the processing of said pictures. The subjects shall be informed that biometric features will be extracted and processed, and explicit consent shall be collected.
| Example: Consent vs Explicit consent | |
| Consent | Explicit consent |
| “Please provide a front-facing picture of yourself, taken in a well-lit environment.The picture will be used to extract biometric features for the purpose of developing a new biometric recognition system.” | “A – Please provide a front-facing picture of yourself, taken in a well-lit environment.
B – The picture will be used to extract biometric features for the purpose of developing a new biometric recognition system. C – Before sending the picture, please mark the following box to indicate that you are providing your consent as data subject to having your picture processed for the purpose of extracting biometric features to be processed pursuant the purpose described at point B. Check the box ☐” |
When talking about consent in the context of research, it is also important to distinguish between the consent to be a participant in the study, and the consent to have personal data processed. These are two different kinds of consent and shall be collected independently[2]. The research team can rely on a single consent form, provided that the form clearly distinguishes between the two kinds of consent and does not collect them in one single agreement (for more information see the section “Issues and gaps analysis on informed consent in the context of ICT research and innovation”, in the Critical Analysis document produced by the PANELFIT).
Another exemptionto the processing of special category of personal data that is relevant for the purpose of this document is the exemption for processing necessary to research activities. The exemption requires to satisfy two criteria to make it applicable. First, the processing shall be subject to appropriate technical and organizational safeguards as per Article 89.1 GDPR. Second, there should exist Union or Member States law providing a legal ground for processing in the context of a research activity. This last criterion implies that the exemption for research purposes might not be applicable everywhere. Therefore, researchers need to carry out a review of national legislations for all the States where the research is going to be carried out in order to identify if such norms are present (see the “Comparative study of national reports” available in PANELFIT.EU).
References
1The GDPR acknowledges in Recital 33 that it might not be possible to fully identify the purpose of the data processing at the time of data collection and, therefore, that data subjects should be allowed to provide consent to certain “areas of scientific research”. The point raised by Recital 33, and a number of interpretative challenges have been investigated in the document ‘Issues and gaps analysis on informed consent in the context of ICT research and innovation’. ↑
2See European Data Protection Board, ‘Guidelines 05/2020 on Consent under Regulation 2016/679’, May 2020, 30; European Data Protection Board, ‘Opinion 3/2019 Concerning the Questions and Answers on the Interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation’, 2019. ↑