Biometric data is only special-category data when it is used to identify a person — but once it is, GDPR Article 9 prohibits processing unless a specific exception applies. This checker finds the realistic exception for your use, tells you whether a DPIA is mandatory, and lists the safeguards regulators expect.
How it works
The tool applies the Article 9 structure:
Step 1: Is the biometric data used to UNIQUELY IDENTIFY a person?
No → ordinary personal data, Article 6 lawful basis is enough.
Yes → special-category data, Article 9 applies — an exception is required.
Step 2: Which Article 9(2) exception fits?
explicit consent (a) · employment law authorisation (b) · vital interests (c)
· substantial public interest with a legal basis (g) · public health (i)…
Step 3: Safeguards — DPIA (usually mandatory), template protection,
encryption, access control, minimisation, retention limits.
If no Article 9 exception fits, the processing cannot lawfully proceed in that form.
Notes and tips
Two practical traps dominate. First, workplace consent rarely meets the “freely given” bar because of the employer-employee power imbalance — prefer a clear legal authorisation and always offer a non-biometric fallback (PIN, card). Second, store protected biometric templates, never raw face or fingerprint images: template protection plus encryption is the difference between a defensible system and a breach headline. Biometric identification is on most authorities’ mandatory-DPIA lists, so plan to complete and document one. This is an educational aid, not legal advice.
What counts as biometric data — and when Article 9 applies
Not every data point about a person’s body is biometric data under Article 9. A photograph of an employee’s face is personal data under Article 6, but it only becomes special-category biometric data once it is processed through a recognition algorithm to uniquely identify that person. Similarly, a voice recording used for tone-of-voice analytics is different from a voiceprint used for identity verification. The key trigger is the purpose of unique identification.
This distinction matters practically: a photo used purely for a staff directory does not need an Article 9 exception, but the same photo fed into a facial recognition system at the office entrance does. Many organisations inadvertently cross this line when they integrate AI-powered access control or analytics tools without auditing what those tools actually do with biometric features.
Technical safeguards regulators expect
| Safeguard | What it means in practice |
|---|---|
| Template protection | Store a mathematical template, not the raw image. Templates should not be reversible to the original biometric |
| Encryption at rest and in transit | AES-256 at rest, TLS 1.3 in transit as a minimum |
| Access controls and audit logging | Strict least-privilege access; every read and match event logged with a timestamp and requester |
| Data minimisation | Collect only what the identification purpose requires; do not retain raw images if a template is sufficient |
| Retention limits | Delete templates when the person leaves or when the identification need ends |
| Non-biometric alternative | Always offer a fallback — PIN, access card, or manual check-in — especially for employees |
DPIAs for biometric systems
A Data Protection Impact Assessment is required under Article 35 GDPR before deploying large-scale or systematic biometric identification. Most EU supervisory authorities publish their own lists of processing operations that always require a DPIA; biometric identification appears on virtually all of them. The DPIA should document the purpose and necessity of the processing, the Article 9 exception relied on, the risks to data subjects if the biometric is compromised, and the safeguards in place to mitigate those risks. Regulators expect to see the DPIA before deployment, not after a complaint.