Biometric Data Processing Impact Checker

Check lawfulness and safeguard requirements for biometric data under GDPR

Answer questions about your biometric processing purpose, data type, and consent mechanism to find which GDPR Article 9 exception can lawfully apply, whether a Data Protection Impact Assessment is mandatory, and which technical safeguards are required. For HR, security, and DPO teams. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Is all biometric data special category data?

Only when it is processed for the purpose of uniquely identifying a person. A photo or voice recording is ordinary personal data until you run it through biometric matching to identify someone, at which point Article 9's special-category rules apply.

Biometric data is only special-category data when it is used to identify a person — but once it is, GDPR Article 9 prohibits processing unless a specific exception applies. This checker finds the realistic exception for your use, tells you whether a DPIA is mandatory, and lists the safeguards regulators expect.

How it works

The tool applies the Article 9 structure:

Step 1: Is the biometric data used to UNIQUELY IDENTIFY a person?
   No  → ordinary personal data, Article 6 lawful basis is enough.
   Yes → special-category data, Article 9 applies — an exception is required.
Step 2: Which Article 9(2) exception fits?
   explicit consent (a) · employment law authorisation (b) · vital interests (c)
   · substantial public interest with a legal basis (g) · public health (i)…
Step 3: Safeguards — DPIA (usually mandatory), template protection,
   encryption, access control, minimisation, retention limits.

If no Article 9 exception fits, the processing cannot lawfully proceed in that form.

Notes and tips

Two practical traps dominate. First, workplace consent rarely meets the “freely given” bar because of the employer-employee power imbalance — prefer a clear legal authorisation and always offer a non-biometric fallback (PIN, card). Second, store protected biometric templates, never raw face or fingerprint images: template protection plus encryption is the difference between a defensible system and a breach headline. Biometric identification is on most authorities’ mandatory-DPIA lists, so plan to complete and document one. This is an educational aid, not legal advice.

What counts as biometric data — and when Article 9 applies

Not every data point about a person’s body is biometric data under Article 9. A photograph of an employee’s face is personal data under Article 6, but it only becomes special-category biometric data once it is processed through a recognition algorithm to uniquely identify that person. Similarly, a voice recording used for tone-of-voice analytics is different from a voiceprint used for identity verification. The key trigger is the purpose of unique identification.

This distinction matters practically: a photo used purely for a staff directory does not need an Article 9 exception, but the same photo fed into a facial recognition system at the office entrance does. Many organisations inadvertently cross this line when they integrate AI-powered access control or analytics tools without auditing what those tools actually do with biometric features.

Technical safeguards regulators expect

SafeguardWhat it means in practice
Template protectionStore a mathematical template, not the raw image. Templates should not be reversible to the original biometric
Encryption at rest and in transitAES-256 at rest, TLS 1.3 in transit as a minimum
Access controls and audit loggingStrict least-privilege access; every read and match event logged with a timestamp and requester
Data minimisationCollect only what the identification purpose requires; do not retain raw images if a template is sufficient
Retention limitsDelete templates when the person leaves or when the identification need ends
Non-biometric alternativeAlways offer a fallback — PIN, access card, or manual check-in — especially for employees

DPIAs for biometric systems

A Data Protection Impact Assessment is required under Article 35 GDPR before deploying large-scale or systematic biometric identification. Most EU supervisory authorities publish their own lists of processing operations that always require a DPIA; biometric identification appears on virtually all of them. The DPIA should document the purpose and necessity of the processing, the Article 9 exception relied on, the risks to data subjects if the biometric is compromised, and the safeguards in place to mitigate those risks. Regulators expect to see the DPIA before deployment, not after a complaint.