GDPR · 2026-05-20 · 6 min

GDPR and biometric data: compliance considerations for identity verification vendors

How GRC teams should evaluate GDPR obligations when using or providing identity verification services that process biometric and special category personal data.

By AuditOak GRC Team · 852 words · 6 min read

Biometric data as special category data under GDPR

GDPR Article 9 classifies biometric data processed for the purpose of uniquely identifying a natural person as special category personal data. Special category data receives enhanced protection: processing is prohibited unless a specific condition under Article 9(2) applies.

Identity verification (IDV) services commonly process biometric data including facial recognition, fingerprint matching, liveness detection, and voice biometrics. Both IDV vendors and their customers must address Article 9 requirements when biometric processing is involved.

The special category classification applies to the biometric data itself, not only to associated identity documents. A facial scan used for liveness detection during onboarding is special category data even when the verified output is a simple pass/fail result.

Lawful bases for processing biometric data

Standard Article 6 lawful bases are insufficient on their own for special category data. Article 9(2) provides ten specific conditions permitting processing, including explicit consent (9(2)(a)), employment law obligations (9(2)(b)), and substantial public interest (9(2)(g)).

For commercial IDV services, explicit consent is the most commonly relied upon condition. Consent must be freely given, specific, informed, and unambiguous, with clear affirmative action. Pre-ticked boxes, bundled consent with terms of service, or consent as a condition of service access may not satisfy GDPR standards.

Some EU member states impose additional restrictions on biometric processing through national legislation. GRC teams should review member state-specific requirements in markets where IDV services are deployed, not only the GDPR baseline.

Data Protection Impact Assessments for biometric IDV

Article 35 requires Data Protection Impact Assessments (DPIAs) for processing likely to result in high risk to data subjects. EDPB guidelines identify biometric processing for identification purposes as a processing operation that always requires a DPIA.

DPIAs for IDV services should address: necessity and proportionality of biometric processing, risks to data subjects including function creep and re-identification, measures to address risks, and consultation with the DPO. DPIAs must be completed before processing begins and reviewed when processing changes.

IDV vendors should provide DPIA-supporting documentation: technical architecture descriptions, data flow diagrams, retention schedules, security measures, and subprocessor details. Customers relying on vendor IDV services need this documentation for their own DPIA obligations.

Vendor evaluation and DPA requirements for IDV services

Organizations using IDV vendors act as controllers for the biometric data processed during verification. Article 28 DPAs with IDV vendors must address special category data processing explicitly, including Article 9 lawful basis documentation and enhanced security requirements.

Evaluate IDV vendors against GDPR-specific criteria: biometric data retention periods (shorter is better), on-device versus cloud processing (on-device reduces transfer risks), deletion after verification completion, certification status (ISO 27001, SOC 2), and subprocessor transparency.

Assess whether the IDV vendor acts as a processor or joint controller. Joint controller arrangements require an Article 26 arrangement defining respective responsibilities. Most IDV SaaS models involve processor relationships, but architecture variations may create joint controllership.

Technical and organizational measures for biometric data

Article 32 security measures for biometric data should reflect the heightened sensitivity. Encryption at rest and in transit, strict access controls, pseudonymization where feasible, and automated deletion after verification completion are baseline expectations.

Biometric template storage requires particular care. Where possible, process biometrics ephemerally (verify and delete) rather than storing templates for future matching. If templates must be stored, apply additional encryption and access restrictions beyond standard personal data protections.

Logging and monitoring should track access to biometric data with enhanced alerting. Unauthorized access to biometric databases carries higher regulatory and reputational risk than access to standard personal data.
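As an added illustration of the ephemeral-processing, retention and access-monitoring expectations above (example code, not from the original guide or any vendor), the check below walks a constructed JSON-lines audit log for a biometric template store and raises alerts for reads by unapproved principals, reads outside a verification session, and templates not deleted within the retention window. The log fields, the approved actor list and the five-minute retention window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines) for a biometric template store.
# The field names and values are assumptions for this example, not a real vendor format.
SAMPLE_LOG = """\
{"ts":"2026-05-20T09:00:00Z","actor":"idv-verifier","action":"read","template":"t1","session":"s1"}
{"ts":"2026-05-20T09:00:02Z","actor":"idv-verifier","action":"delete","template":"t1","session":"s1"}
{"ts":"2026-05-20T09:05:00Z","actor":"analytics-job","action":"read","template":"t2","session":null}
{"ts":"2026-05-20T09:06:00Z","actor":"idv-verifier","action":"read","template":"t3","session":"s3"}
"""

APPROVED_ACTORS = {"idv-verifier"}      # only the verification service may touch templates
MAX_RETENTION = timedelta(minutes=5)    # templates must be deleted shortly after verification


def audit_biometric_access(log_text, now):
    """Return a list of alert strings for policy violations found in the log."""
    alerts = []
    first_seen = {}   # template id -> timestamp of first read
    deleted = set()   # template ids with a recorded delete
    for line in log_text.splitlines():
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        # Any principal outside the approved set is an enhanced-alert event.
        if e["actor"] not in APPROVED_ACTORS:
            alerts.append(f"unapproved actor {e['actor']} {e['action']} {e['template']}")
        if e["action"] == "read":
            # Ephemeral processing: every read must belong to a live verification session.
            if not e["session"]:
                alerts.append(f"read of {e['template']} outside a verification session")
            first_seen.setdefault(e["template"], ts)
        elif e["action"] == "delete":
            deleted.add(e["template"])
    # Retention check: a template read but never deleted within the window is a violation.
    for tmpl, ts in first_seen.items():
        if tmpl not in deleted and now - ts > MAX_RETENTION:
            alerts.append(f"template {tmpl} retained past {MAX_RETENTION}")
    return alerts


if __name__ == "__main__":
    now = datetime.fromisoformat("2026-05-20T09:15:00+00:00")
    for alert in audit_biometric_access(SAMPLE_LOG, now):
        print("ALERT:", alert)
```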

Cross-border transfers and IDV processing locations

IDV services often involve cross-border data flows: biometric data captured in the EU may be processed on US-based infrastructure. Valid transfer mechanisms (SCCs, adequacy decisions, or DPF certification) must cover biometric data transfers specifically.

Transfer impact assessments for biometric data should evaluate the receiving country's legal framework for government access to data, particularly relevant for US transfers post-Schrems II. Document supplementary measures such as encryption with controller-held keys.

Consider data residency options offered by IDV vendors. Processing and storing biometric data within the EEA eliminates transfer complexity but may not be available for all vendor architectures.

Key takeaways

  • Biometric data for identification is special category data under Article 9, requiring both an Article 6 lawful basis and an Article 9(2) condition.
  • DPIAs are mandatory for biometric IDV processing before processing begins, per EDPB high-risk processing guidelines.
  • Evaluate IDV vendors on retention periods, ephemeral processing capabilities, security certifications, and subprocessor transparency.
  • Cross-border biometric data transfers require valid mechanisms plus transfer impact assessments with supplementary measures.
  • Monitor EU AI Act and national biometric legislation for emerging requirements affecting IDV services.
