SPAIN Trends and Developments Contributed by: Agustín Puente Escobar and Natalia González Vera, Broseta Abogados
Broseta Abogados Paseo de la Habana 101 Madrid 28036 Spain Tel: +34 914 323 144 Email: info@broseta.com Web: www.broseta.com
The Positions of the Spanish Data Protection Agency and the European Data Protection Board Regarding the Legal Grounds for Biometric Data Processing In recent times, the use of biometric technolo - gies has grown exponentially in a wide range of areas, including: • identity verification for access control, espe - cially in sectors such as sports, gambling venues, or environments requiring a specific level of security; • workplace access control for employees and visitors; or • the authentication of data subjects in certain online services or applications (eg, banking apps or even for unlocking mobile devices). Alongside this growth, data protection authori - ties have also increased their concern about the processing of these categories of data – given that, by referring to unique and immutable char - acteristics of individuals, such categories of data can pose significant risks in the event of their misuse by third parties. Based on the various documents adopted by a multitude of authorities and organisations, these risks can be summa - rised as follows. • Immutability of the biometric vector – unlike other authentication methods, biometric
templates cannot be modified or revoked throughout the life of the data subject. • Reversibility of the biometric vector – it is possible to reconstruct the original biometric information from stored templates, when they represent specific and characteristic points of the element from which the biometric data is extracted. In this way, in the event of an attack on a centralised base, it would be possible to rebuild the model from which that template was generated. • Interoperability of biometric recognition systems – once the biometric templates are created, they could be reused in different systems for multiple purposes. On the other hand, biometric data processing is not only governed by the EU’s General Data Protection Regulation (GDPR), but also by the Artificial Intelligence Regulation (IAR), which classifies such processing into three categories: • generally prohibited processing activities; • high-risk activities; and • activities not included in the previous catego - ries. This regulatory impact is driven by advance - ments in biometric recognition technologies. Traditional systems-based biometrics patterns and distance measurements between data
401 CHAMBERS.COM
Powered by FlippingBook