Specific regulation of personal data protection part 1: health, genetics, biometrics
What is biometric data?
The GDPR states that it is personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Examples of biometric data include fingerprints, retinal patterns, facial structure, voices, vein patterns, and handwriting or behavioural traits (e.g. distinctive walking or speaking characteristics). Because of the unique connection between these data and a specific person, they can be used to identify a data subject.
It is important to note that human tissue samples are sources from which biometric data are extracted, but they are not biometric data themselves (for example, a fingerprint pattern is biometric data, but the finger itself is not). Thus, the extraction of information from such samples constitutes the collection of personal data, to which the GDPR applies.
Are photos biometric data?
It depends on the context and the way they are processed. According to the GDPR, photos are covered by the definition of biometric data only when they are processed through specific technical means allowing the unique identification or authentication of a natural person. Such special technical means may include facial recognition algorithms that identify people by their unique facial features.
The most common and widespread uses of biometric data today are identity authentication, unlocking access, or confirming payments in online banking. For this purpose, face, voice, or fingerprint recognition methods can often be used.
What is genetic data?
The GDPR states that it means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
How do they differ from biometric data?
Genetic data includes, for example, chromosomal analysis, DNA or RNA analysis, and embryo genetic analysis. In other words, unlike biometric data, genetic data does not relate to a person’s external physical attributes but provides information about their internal genetic characteristics. It is necessary to analyse human biological samples to obtain genetic data.
Such data can be used not only by medical institutions but also by startups whose main activity is related to genetics research: for example, building family trees and searching for related people or determining the prevalence of haplogroups.
Why is it important to separate data concerning health, biometric data, and genetic data, among other categories?
According to the GDPR, these data constitute special categories of personal data or, in other words, are sensitive data. Their unsecured storage or disclosure can lead to significant harm to data subjects, and therefore, the GDPR establishes additional requirements for these data.
As a general rule, the GDPR prohibits processing these data. However, it is allowed under certain conditions, described in Article 9(2) of the Regulation, for example:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Therefore, sensitive personal data may be processed only in exceptional cases provided for by the GDPR. That is why companies that process data concerning health, biometric data, or genetic data must take a consistent approach to such processing, complying with the specific requirements of the GDPR.