Treatment of biometrically processed personal data: Problem of uniform practice under EU personal data protection law

The valid EU law on personal data protection expresis verbis does not regulate processing biometric data in detail leaving member states freedom of choice. Meanwhile, the General Data Protection Regulation leaves no alternatives, ascribing biometric data to sensitive data, subject to a prohibition for processing that may be deemed an extreme position and justification of which is uncertain. Therefore, the authors of the publication present their insights and evaluations by classifying personal data processing by means of biometric technologies into two groups. Such classification directly affects evaluation of personal data processing from the legal point of view. The key conclusion made by the authors is that in certain cases where the risk to privacy is minor, the use of biometric technologies to process personal data should not be prohibited. The practice of non-prohibition would encourage the use of biometric technologies equally applicable in all EU member states. The present context has prompted the authors to discuss possible consequences and effects of the adopted regulation and suggest carrying out reliable research in the field and urging an immediate discussion of stakeholders.