3 minute read
3.2.2 Automated individual decision-making, including profiling
of processing of biometric data using facial recognition, the national data protection supervisory authority should be consulted.
3.2.1.2 Strictly Necessary 73. Processing can only be regarded as "strictly necessary" if the interference to the protection of personal data and its restrictions is limited to what is absolutely necessary48 . The addition of the term “strictly” means that the legislator intended the processing of special categories of data to only take place under conditions even stricter than the conditions for necessity (see above, item 3.1.3.4). This requirement should be interpreted as being indispensable. It restricts the margin of appreciation permitted to the law enforcement authority in the necessity test to an absolute minimum. In accordance with the settled case-law of the CJEU, the condition of “strict necessity” is also closely linked to the requirement of objective criteria in order to define the circumstances and conditions under which processing can be undertaken, thus excluding any processing of a general or systematic nature49 .
Advertisement
3.2.1.3 Manifestly Made Public 74. When assessing whether processing relates to data which are manifestly made public by a data subject, it should be recalled that a photograph as such is not systematically considered to be biometric data50 . Therefore, the fact that a photograph has been manifestly made public by the data subject does not entail that the related biometric data, which can be retrieved from the photograph by specific technical means, is considered as having been manifestly made public. 75. As for personal data in general, for biometric data to be seen as manifestly made public by the data subject, the data subject must have deliberately made the biometric template (and not simply a facial image) freely accessible and public through an open source. If a third party discloses the biometric data, it cannot be considered the data has been manifestly made public by the data subject. 76. Moreover, it is not sufficient to interpret the behaviour of a data subject to consider that biometric data has been manifestly made public. For example, in the case of social networks or online platforms, the EDPB considers that the fact that the data subject did not trigger or set specific privacy features is not sufficient to consider that this data subject has manifestly made public its personal data and that this data (e.g. photographs) can be processed into biometric templates and used for identification purposes without the data subject’s consent. More generally, default settings of a service, e.g. making templates publicly available, or absence of choice, e.g. the templates are made public without the user to be able to change this setting, should not in any way be construed as data manifestly made public.
3.2.2 Automated individual decision-making, including profiling 77. Article 11(1) LED provides for the duty of the Member States to generally prohibit decisions based solely on automated processing, including profiling, which produces an adverse legal effect concerning the data subject or significantly affects him or her. As an exemption to this general prohibition, such a processing may be possible only if authorised by Union or Member State law to which the controller is subject and which provides appropriate safeguards for the rights and freedoms of the data subject, at
48 Consistent case law on the fundamental right to respect for private life, see CJEU Case C-73/07 para. 56 (Satakunnan Markkinapörssi and Satamedia); CJEU, Cases C-92/09 and C-93/09 para. 77 (Schecke and Eifert); CJEU - C-594/12, para. 52 (Digital Rights); CJEU Case C-362/14 para. 92 (Schrems). 49 CJEU Case C‑623/17, para 78. 50 Cf. recital 51 of the GDPR : « the processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. »
