_Privacy and biometric data, food for thought

Privacy and biometric data, food for thought

by Andrea Savoia e Silvia Fumagalli

Through court ruling no. 25686 dated October 15th, 2018, the Court of Cassation has stated that a presence-detection system of a company, which uses employees’ biometric data of the hand, is a “data processing” that shall be subject to the provisions of the Privacy Code (with the related requirements established by the previous legislation).

The abovementioned court ruling, although referred to the regulation prior to Regulation (EU) no. 679/2016 and the Legislative Decree no. 101/2018 which adapts the national legislation to the GDPR, is an excellent starting point to analyze the regulation of biometric data, which are used always more frequently both for personal and work IT tools.

Pursuant to EU Regulation 679/2016, as a general rule, biometric data shall not be processed, unless one of the specific cases set out in art. 9 par. 2 of the Regulation occurs, including the explicit consent of the data subject to the processing of data for a specific purpose; such cases may be further implemented by Member States.

In consideration of the new regulations, the Italian Legislator has thus established (in art. 2 septies of the Privacy Code, introduced by Legislative Decree no. 101/2018) that biometric data may be processed only in the cases set out in par. 2 of art. 9 of the GDPR and in compliance with the guarantee measures issued by the Italian Data Protection Authority, in compliance with the provisions of the same article.

The guarantee measures are issued at least every two years, taking into account: a) the guidelines, recommendations and best practices published by the European Committee for Data Protection and best practices on the processing of personal data; b) scientific and technological development in the field covered by the measures; c) the interest in the free movement of personal data within the European Union.

In the light of the new provisions, particular attention should be paid to the use of biometric data, pending any intervention by the Data Protection Authority confirming or not the validity of the General Provision on Biometrics issued in 2014, which however may be a good starting point.