The APDCAT Defends In Mobile The Limited Use Of Biometric Data Such As The Iris

The Catalan Data Protection Authority announced the need to limit the use of biometric data, such as the iris of the eye, due to the significant risks associated with it. In the talk 'Biometric data: a new paradigm for privacy', the Head of the Legal Advise, Xavier Urios, recalled that the iris or fingerprint are personal data that allow the unequivocal identification of the person, based on a physical characteristic that does not change throughout life. Thus, the fact of transferring them without control entails significant risks that could cause harm to people, such as for example identity fraud.

Urios added that these high risks are the reason why the General Data Protection Regulation has provided for special protection for this type of data, so that its use is only allowed in specific circumstances. If this is the person consent, it must be free, informed, specific and unequivocal. In this sense, it is necessary to inform the individual about who processes the data (identity and contact details) and for what purpose, for how long they will be kept, if they will be transferred to third parties, or outside the European Union, and where to exercise the rights of access, rectification, deletion or opposition and limitation of treatment, among other aspects. In addition, regarding minors under 14, the consent must be given by their parents or legal guardian.

In addition to talking about recent cases of the last few weeks in Catalonia, such as the iris scan in exchange for crypto, Urios also explained others, such as the new criteria regarding the use of the fingerprint in control of workers at their place of work. Thus, this use would not be allowed, because the organization does not have a legal basis that enables it and, moreover, the consent of the employees cannot be considered free, nor the measure provided.

Source: Catalan Data Protection Authority media announcement