AEPD restricts the processing of biometric data for access control
The Spanish Data Protection Agency (AEPD) has released a new update to its Guide for Presence Control Treatments using Biometric Systems, in view of the rapid technological evolution associated with this type of personal data processing, including the use of artificial intelligence, and of the possibility of obtaining specially protected data without transparency and without the cooperation of the data subject, a circumstance the authority has pointed out in recent sanctioning procedures.
Consequently, the AEPD adopts a restrictive position on the legitimacy of processing biometric data for the purpose of identifying and authenticating individuals, compared to previous interpretations established by different authorities, such as the United Kingdom's Information Commissioner's Office.
According to the Spanish authority, the processing of personal data for both purposes in the context of an employment relationship cannot be justified by the consent of the data subjects, given the relationship of subordination inherent in employment. The basis for legitimizing the processing in these cases would be the existence of a rule with the rank of law that specifically authorizes the use of biometric data for this purpose.
Outside the employment context, the use of specially protected data cannot be justified by the consent of the data subjects either, given the associated high risk and the incompatibility with the principle of necessity.
Finally, the AEPD highlights the importance of carrying out an impact assessment on the protection of biometric data, and considers it necessary to take into account the impact of artificial intelligence tools and of automated decisions without human intervention, extensive transparency in processing, the data subject's ability to revoke the identity link, and the limitation of the purpose of the processing and of the disclosure of personal data.