It should be mentioned that, even under the Directive, the expression “data concerning health” was interpreted widely by the European Court of Justice so as to include information concerning all aspects, both physical and mental, of the health of an individual; on this basis, even a reference to the fact that an individual suffered an injury can constitute sensitive personal data [2].
What is the definition of “biometric data” as per GDPR?
Pursuant to Art. 4 (14) GDPR, “biometric data” means “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. This definition is deliberately broad, in order to cover not only current means of processing such data but possibly also new ones that the development of future technology may bring.
Biometric data include both physical and behavioural characteristics of an individual. As such, they may include fingerprints, iris scans and facial recognition through scanning systems, but also a natural person’s behavioural traits, such as reactions and habits that could lead to the unique identification of a data subject, for example hand-written signature verification, keystroke analysis, etc. [3]
What is the definition of “genetic data” as per GDPR?
Pursuant to Art. 4 (13) GDPR, “genetic data” means “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
Genetic data contain unique information on individuals that differentiates them from each other. DNA analysis is of particular importance, as it may even reveal information on a data subject’s predisposition to illnesses and diseases, as well as hereditary traits. As such, extra caution should be exercised in their processing, which should only be permitted under strict technical and legal conditions.
Were health, genetic and biometric data protected under the previous regime?
Directive 95/46/EC defined “special categories of personal data” as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life” [4]. Although it included personal data relating to health, it did not specifically mention biometric and genetic data. This was reasonable, as at the time Directive 95/46/EC was introduced the use of genetic and biometric data was not widespread. However, as the modern enterprise has undergone a digital transformation spearheaded by the use of additional types of data, it has become more apparent that the definition of special categories of personal data should also include these types of personal data and afford them a higher level of protection.
What is the legal basis for processing of health, biometric and genetic data?
Health, biometric and genetic data constitute sensitive personal data (special categories of personal data). In general, GDPR provides harmonised conditions for the processing of these categories of personal data, in respect of specific needs for the benefit of natural persons and society as a whole. The need to respect the principle of purpose limitation requires a clear determination of the purpose for which such data are collected and processed [5]. GDPR calls for a higher level of protection for these categories of personal data. As such, their processing is prohibited under GDPR, unless one of the legal bases provided in Art. 9 GDPR is applicable.
These legal bases include: (i) the explicit consent of the data subject concerned, (ii) the performance of the obligations of the data controller and the exercise of the data subject’s rights in the field of employment and social security and social protection law, (iii) the protection of the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent, (iv) the pursuance of legitimate activities, with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, and (v) cases where the processing relates to personal data which are manifestly made public by the data subject.
Special mention is made in the Regulation of the types of processing which relate to the management of health or social care services and systems. In this respect, the processing of health, genetic and biometric data can be valid when the processing is necessary for reasons of substantial public interest; where it is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to a contract with a health professional; where the processing is necessary for reasons of public interest in the area of public health; or, finally, where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Does GDPR allow Member States to introduce “deviations” in their national laws on the processing of health, genetic and biometric data?
GDPR allows Member States to maintain or introduce further (stricter) conditions on the processing of sensitive data, including health, biometric or genetic data [6]. However, as the recitals of GDPR state, “this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data” [7]. In this respect, Member States may derogate from the prohibition on processing these types of personal data. Such derogations are allowed under GDPR on the condition that suitable safeguards are in place to protect personal data and other fundamental rights. The German Data Protection Law, for example, provides that, in certain circumstances, sensitive personal data can be processed without the prior consent of the data subjects: when processing is necessary for the provision of preventive medicine services, when it is necessary for the assessment of an employee’s working capacity, and to ensure high standards of quality within the health care industry and for medical products and medical devices [8]. Moreover, the UK Data Protection Act 2018 includes provisions restricting the application of rules contained in the GDPR (i.e. the rights and obligations which may be restricted by virtue of Art. 23(1) GDPR) relating to health in some cases, such as when processing is carried out without consent for medical purposes by health professionals [9].
What should data controllers take into account when they are processing, or considering processing, biometric data?
The first step, when processing these types of personal data, is to base the processing on one of the legal bases provided by GDPR. However, this may not always be enough. Data controllers should also assess whether the processing of the personal data in question is necessary for the purpose pursued, i.e. whether that purpose can be achieved by any other, less intrusive, means.
Pursuant to GDPR, data controllers should take appropriate technical and organisational measures, by design and by default. This obligation is particularly relevant in cases of processing of genetic and biometric data, which involve the use of new technologies. More specifically, biometric data may be used, by means of new technology, as a way of authenticating the identity of individuals. As technology evolves, it becomes more apparent that special measures should be enforced in order to protect individuals from the malicious theft of their biometric data. Moreover, the collection and further processing of these types of personal data add extra security obligations for the organisations that use them, which also need to provide sufficient evidence of their need for them.
As the processing of biometric data will, in most cases, involve the use of new technologies and be conducted on a large scale, it will usually require a Data Privacy Impact Assessment to be conducted. In such cases, data controllers should be in a position to identify the risks of the processing and put in place adequate measures to mitigate them.
How is the principle of proportionality applied in cases of processing of genetic, health and biometric data?
GDPR requires data controllers to limit the amount of personal data they collect and further process to what is relevant, necessary and adequate to accomplish the purposes they pursue. This requirement of data minimisation is especially relevant to the processing of sensitive data, such as genetic, health and biometric data. Data controllers should always verify whether there are alternative means, less intrusive for the data subject, by which they could achieve their purposes. For example, the collection and processing of fingerprints as a means of identification may, in many cases, be considered disproportionate where the same purpose could be achieved by less intrusive means (such as ID cards).
In terms of processing, the Article 29 Working Party (WP29) has provided relevant guidance. For example, with regard to biometric data, the WP29 is of the opinion that biometric systems relying on physical characteristics which do not leave traces (e.g. the shape of the hand, but not fingerprints), or which do not rely on the memorisation (storage) of the data, create fewer risks for the data subjects and are thus more likely to pass the proportionality test [10].
What security measures should be taken in terms of processing?
In order to make this assessment, GDPR requires a data privacy impact assessment (DPIA) to be performed each time a new processing activity is introduced which may result in a high risk to the rights and freedoms of data subjects. A DPIA is mandatory (amongst other cases) where personal data are processed for taking decisions regarding specific natural persons following the processing of special categories of personal data or biometric data. This may be the case especially when the processing involves the use of new technologies. Furthermore, GDPR provides for an additional obligation on data controllers whenever the DPIA shows that there are not enough mitigating measures in place: where the DPIA indicates that the processing is still likely to result in a high risk to the rights and freedoms of data subjects, GDPR requires data controllers to consult the competent supervisory data protection authority and await its response before proceeding with the processing.
Are there special rules for the processing of health, genetic and biometric data in the employment sector?
GDPR allows Member States to introduce further legal requirements on processing, in order to ensure fair processing in certain specific situations, including the employment sector.
The Greek DPA had already ruled, in its Guidance 112/2001 under the previous legal regime, that the implementation of especially high security standards in the workplace can be considered a lawful ground for the processing of biometric data in the employment context, when there are no other means to achieve this purpose. In that case, the data controller should, in a systematic way, balance the necessity of the biometric technology on the one hand against the rights of employees on the other (see also Decision 56/2001).
The same prohibition in the employment sector applies to genetic data. Pursuant to the same provision, employers, when acting as data controllers, are not allowed to process the genetic data of their employees, unless the processing is permitted by a law which describes the relevant process and the guarantees, or unless the processing of genetic data is necessary for the protection of the vital interests of employees or third parties and the data controller has consulted the national supervisory authority.
Are photographs considered sensitive personal data?
Pursuant to Recital 51 of the GDPR, the processing of photographs may be considered processing of biometric data and, as such, be treated as processing of sensitive personal data only when the photographs are processed through a specific technical means allowing the unique identification of a natural person. In any other case, they should be treated as (simple) personal data.
Conclusion
GDPR came into force on 25 May 2018 with a view to harmonising data processing laws among Member States. One of its main purposes was to face the new challenges that rapid technological developments have brought for the protection of personal data, as well as to expand the range of available legal bases for processing. These new challenges are most apparent in the processing of health, biometric and genetic data. Their special nature, as sensitive personal data which may reveal unique information on the individuals concerned, calls for a higher level of protection and imposes an obligation of a higher level of security on the data controllers and processors who process them.
* At the date of submission of the present paper, the Greek national law on data protection had not yet been adopted.
1. Recital 35 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
2. Case C-101/01, Bodil Lindqvist, 6 November 2003.
3. WP29, Working Document on biometrics, 12168/02/EN, WP 80, adopted on 1 August 2003; see also Decision 57/2010 of the Greek DPA.
4. Art. 8 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31–50.
5. WP29, Working Document on biometrics, 12168/02/EN, WP 80, adopted on 1 August 2003.
6. Art. 9 para. 4 GDPR.
7. Recital 53 GDPR.
8. Art. 22 of the German Federal Data Protection Act (BDSG).
9. Schedule 3 of the UK Data Protection Act 2018.
10. WP29, Working Document on biometrics, 12168/02/EN, WP 80, adopted on 1 August 2003.