On August 21, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) published a press release announcing its intention to further investigate a data breach notified by Adecco Belgium, a temporary employment agency. The breach, which was suffered by the company Suprema, affected thousands of items of biometric data, including fingerprints and images allowing facial recognition. The compromised data included approximately 2,000 fingerprints of Adecco Belgium’s employees.
According to David Stevens, the Belgian DPA’s Commissioner, this type of data is particularly sensitive because, unlike other types of personal data such as a password, it cannot be modified in the event of a data breach. Accordingly, the highest security standards must be implemented when processing biometric data, including fingerprints. In addition, the Commissioner recalls that data controllers should always assess whether the processing of biometric data is necessary for the purposes they are trying to achieve (in this case, identification purposes), or whether those purposes could be achieved using less intrusive means.
The Belgian DPA further reminded companies of the key principles to account for when processing biometric data:
- The processing of biometric data is, in principle, prohibited under the EU General Data Protection Regulation (“GDPR”), unless one of the exceptions set forth under the GDPR applies;
- The processing of biometric data for identification purposes requires a data protection impact assessment (“DPIA”). If the outcome of the DPIA is that the processing would result in a high risk, the processing should not take place;
- Data controllers and processors (if any) with access to biometric data must implement appropriate technical and organizational measures to ensure the security of the data.