Biometric payments and the protection of personal data – R
Shopping with new technologies is standard nowadays, but identity verification using biometrics is a new solution that may raise some legal questions. Is such authentication secure in terms of personal data protection?
The definition of „biometric data” is contained in Article 4 (12) of the General Data Protection Regulation („GDPR”) It means personal data that result from specific technical processing, concern physical, physiological or behavioural characteristics of a natural person and allow or confirm the unambiguous identification of that person. For example, a facial image or dactyloscopic data can be considered biometric data.
The legislation prohibits the processing of special categories of data, including biometric data, without a proper legal basis. The grounds for processing sensitive data are contained in Article 9(2) of the RODO. One of the grounds for processing is consent, which should be explicit but need not be sensitive in writing.
In the case of financial services, a possible ground for processing would be Article 9(1)(g) RODO, according to which the processing is necessary for reasons of substantial public interest, based on Union or Member State law, which are proportionate to the aim pursued, do not prejudice the essence of the right to
data protection and provide for suitable and concrete measures to protect the fundamental rights and interests of the data subject.
The indicated legal basis refers to a rather broad notion of „public interest”, which could be considered as such, inter alia, the possibility to use banking services without restrictions.
From the controller’s point of view, the processing of personal data on the basis of Article 9(1)(g) of the RODO, which does not require the collection of each consent, but gives the possibility to perform the operation of processing personal data for the purposes of making payments, will be the most beneficial. In connection with the use of solutions using biometrics, it is necessary to have appropriate equipment and technical infrastructure that is necessary for identity verification.
Security measures may include the use of pseudonymization, i.e. the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is covered by technical and organizational measures that prevent it from being attributed to an identified or identifiable natural person.
Administrators may also implement measures in accordance with their risk analysis to ensure that the biometric data stored are subject to appropriate organisational protection measures as well as technical security measures. Appropriate procedures may also be implemented for the authorization of data processing, including in electronically processed files or by means of appropriate procedures for gaining access to such data.