The European Data Protection Board (EDPB) published on 29 January 2020 a guide to explain the compliance of data processing through video-surveillance with the GDPR. In its fifth part the guide deals with sensitive data such as biometric data used by facial recognition technologies. On the basis of concrete examples, the guide aims to help controllers to comply with the legal requirements of the GDPR or to clarify when processing of sensitive data is prohibited without any exceptions.
While specifying the contours of consent, the EDPB recalls the central role of the purpose and the proportionality of the processing for assessing its lawfulness. It also asserts that “the data controller must offer an alternative solution that does not involve biometric processing”.