Legal Opinion answering the following questions: What are the general provisions/references of GDPR and equivalent legislation regarding:
- Voice Identification
- Face Identification
- Eye Identification
- Fingerprint Identification
Whether there are any differences in the treatment by the law of any of the ones mentioned above.
What are the limitations on using the above technologies in:
- Houses
- Apartment buildings
- Hotels
- Public Street
- Government offices
- Offices of Commercial buildings
- Any other specific provisions in the law regarding other places of usage
Can financial service providers (e.g. Banks) or other service providers use voice biometrics? What are the legal requirements of a database storage system/place? In which case is it required? Any additional information applicable to the tasks above.
Glossary:
GDPR: General Data Protection Regulation 679/2016
Data Subject: a natural person
Personal data: any information relating to an identified or identifiable natural person. This includes any data that directly or indirectly identifies that person. Types of personal data include a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Biometric data: means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images (includes facial recognition, eye identification) or dactyloscopic (meaning fingerprints, footprints) data. Voice recognition is considered a part of biometric data as well.
Cross-border processing: means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Question No 1:
What are the general provisions/references of GDPR and of related legislation regarding:
- Voice Identification
- Face Identification
- Eye Identification
- Fingerprint Identification
Whether there are any differences in the treatment by the law of any of the ones mentioned above.
Answer:
Lawfulness of processing:
Voice, face, eye and fingerprint identification are considered to be part of biometric personal data. Biometric personal data is part of the special categories of personal data for which processing shall be prohibited unless one or more of the following conditions are met.
a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes. This means that, in order to process that type of data, the Data Processor or Controller must have obtained explicit consent which fits the purposes provided for. Those purposes must be distinct and binding, which means that they cannot be altered ad hoc, nor can they be changed without prior knowledge and consent on behalf of the data subject. Any action taken without that consent is liable to legal claims on behalf of the data subject against the Data Controller or Processor.
b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data Controller in the field of employment, social security and social protection law. This means that this type of data is necessary for the Controller or Processor to fulfil its legal obligations under the demands of domestic law on employment, social security etc.
c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. This applies mostly to individuals with special needs. This article reflects the only way in which personal consent can be put aside, for individuals that are legally or physically incapable of giving consent (children (0–14), elders etc.).
d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and the personal data are not disclosed outside that body without the consent of the data subjects. This mainly refers to several types of legal entities which might process special data of several individuals within the scope of their field.
e) Processing relates to personal data which are manifestly made public by the data subject. This refers to special categories of personal data that the individual has made public. It has to be proven that it was public knowledge before the processing takes place.
f) Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity. This means that the existing data can be processed for reasons of legal claims or for courts to act in their judicial capacity.
Type of Processing:
Biometric data can be processed as any other type of data that is included in the special category of personal data. This means that any operation, automated or not, may be performed on it: any type of collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Principles relating to processing of personal data:
The processing must be lawful, fair and transparent. Personal data has to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The personal data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Furthermore, it has to be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
Last but not least, personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Conclusion:
The current legislation permits the processing of biometric data, as long as the criteria mentioned above concerning the lawfulness of processing are met. As far as the type of processing is concerned, there are no restrictions as to how to process biometric personal data. However, it is strongly recommended to uphold and maintain a high level of security to avoid any type of personal data breach. Furthermore, it is recommended that measures be taken for data stored in data centers after a certain period of time, once the timeline of the provided consents has expired (e.g. after 5–7 years from the initial reception of consent). In any case, the data controller is responsible for, and has to be able to demonstrate, compliance in the processing of personal data.
Question No 2:
What are the limitations on using the above technologies in:
- Houses
- Apartment buildings
- Hotels
- Public Street
- Government offices
- Offices of Commercial buildings
- Any other specific provisions in the law regarding other places of usage
Can financial service providers (e.g. Banks) or other service providers use voice biometrics?
Answer:
There are no limitations concerning the processing of biometric personal data in any of the given examples. However, there is legislation that has to be applied in certain circumstances. In particular, as far as houses, apartments, buildings, hotels and any other private equity holdings are concerned, the applicable legislation (the current GDPR and LAW 125(I) of 2018) provides a no-limit environment for the installation and use of that kind of equipment and/or services. Provided that the data subjects are aware and have granted their consent to the processing of their personal data, and the processing is being performed in a lawful manner (as per the provisions of the GDPR legislation), no grounds for valid legal claims exist.
As far as the installation of video cameras and recording devices that monitor several areas on the perimeter of premises is concerned, where these may include a visual or voice record of publicly accessible places (e.g. public streets), a Data Protection Impact Assessment should be carried out. A Data Protection Impact Assessment should be carried out where a type of processing which uses new technologies, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. The controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
A Data Protection Impact Assessment is required in the case of a systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing (including profiling), which produces legal effects concerning the natural persons or similarly significantly affects them. It is also required when special categories of personal data are processed on a large scale and, finally, when there is systematic monitoring of a publicly accessible area on a large scale. Regarding the «large scale» criterion, we need to point out that there are ways to measure the scale of data processing, such as the number of data subjects, volume of data, duration, and geographical extent. As far as Public Streets are concerned, a Data Protection Impact Assessment is mandatory and the potential assignment of a Data Protection Officer might be examined.
The same restrictions and obligations mentioned above apply to Government offices and Offices of Commercial buildings, meaning that there is no limit on the services that may be provided and the equipment that may be installed in regard to the processing of personal data. However, a high level of security and maintenance should be upheld while performing the said processing. A Data Protection Impact Assessment is mandatory.
As far as the financial services providers are concerned, there is no limit on what equipment or services may be installed / provided. However a Data Protection Impact Assessment is mandatory.
Question No 3:
What are the legal requirements of a database storage system/place? In which case is it required?
Answer:
Depending on the nature, scope, context and purposes of processing combined with the varying risks for the rights and freedoms of data subjects (natural persons), the data controller and the data processor shall implement appropriate technical and organizational measures to ensure a high standard of security appropriate to the risk.
Measures must be implemented to achieve that level of security. Several types of measures can be applied, such as pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and/or a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing (procedures).
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
The level of security is assessed in light of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss or alteration of personal data, or from unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The aforementioned clauses impose upon the data controller and data processor the responsibility to take all necessary and proportionate measures to mitigate/alleviate possible risks in respect of mis-processing or unlawful processing. The proportionality criterion refers to the scale of processing, the type of personal data and the potential risks that arise from such processing.
The controller and processor shall take steps to ensure that any natural person, acting under the authority of the controller or the processor, who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by the Cypriot legislation.
Geographical Scope of the GDPR Legislation:
GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Furthermore, it applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are connected with the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or with the monitoring of their behavior as far as their behavior takes place within the Union. Storage of personal data is a matter of high importance. This can be divided into accessing personal data and storing personal data.
Transfer and storage of personal data for cross-border processing usually applies when processing of personal data takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State. In this case contracts are a safeguard to ensure the existence of a legal safety net: a contract between Data Controller and Data Processor combined with Non-Disclosure Agreements.
For a transfer of personal data to a third country, meaning a country outside the EU or EEA, the European Commission has to have decided that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection. Such a transfer shall not require any specific authorization. This means that a transfer of data into a third country is lawful only if this country is approved by the European Commission. Additionally, Standard Contractual Clauses (SCC) must be in place between the contracting parties, depending on the nature of the contract. For example, if the contracting parties are an EU controller and a non-EU or EEA controller, then Decision 2001/497/EC and Decision 2004/915/EC should be applied. If the contracting parties are an EU controller and a non-EU or EEA processor, then Decision 2010/87/EU should be applied. Additional safeguard protection can be provided by contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization.
Data stored inside a member state shall follow the Standard Contractual Clauses which refer to Non-Disclosure Agreements, legally binding the parties on the manner of processing of data, with further contractual obligations between the controller or processor and the controller, processor or recipient of the personal data.
For processing between data controller and data processor, the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law. This means that courts and local authorities, in their respective jurisdiction, can access and process the data, if such processing falls within the scope of their powers. Furthermore, a Data Protection Impact Assessment is considered a mandatory assessment to outline the risks of processing of personal data for data subjects.