allavellilegal

Facial Recognition: The Current State of Play

The processing of biometric data through facial recognition systems, such as those used in certain airports, raises important legal issues concerning compliance with Regulation (EU) 2016/679, commonly known as the GDPR.

In this context, the Italian Data Protection Authority reviewed the implementation of a facial recognition system and identified several violations of data protection rules.

The GDPR requires that personal data be processed with the utmost respect for individuals’ privacy and retained only for as long as is strictly necessary to achieve the specific purpose for which they are collected, in accordance with the storage limitation principle (Article 5(1)(e)).

However, in the case under review, biometric data were stored centrally and without encryption, in breach of the security of processing principle set out in Article 32 of the GDPR, and retained for excessively long periods (up to 12 months).

Another serious issue concerned the privacy notice provided to users.

According to the transparency principle enshrined in the GDPR, information regarding data processing must be clear and transparent.

In this instance, however, in violation of that principle, the notice given to passengers incorrectly stated that biometric data would be stored exclusively on users’ mobile devices, whereas in fact they were archived within the airport operator’s systems.

Following the identified violations, the Authority ordered a provisional restriction on the processing of biometric data, suspending its use until the conclusion of the investigation.

Furthermore, severe administrative sanctions (up to EUR 20 million or up to 4% of the company’s total worldwide annual turnover, whichever is higher) may be imposed in cases of non-compliance, as provided for by Article 83 of the GDPR.

It is essential that facial recognition systems comply with the fundamental principles of the GDPR, including the principle of data minimisation; this means that data must be processed solely for strictly necessary purposes and must not be collected in excess of the stated objective.

The Law Firm remains available for any further clarification.
