Biometric Data

Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of an individual that allows or confirms unique identification. This includes fingerprints, facial recognition data, iris scans, voiceprints, palm prints, gait analysis, and keystroke dynamics. What makes data biometric isn't just that it relates to physical characteristics—it's that it's processed specifically to identify someone uniquely. A regular photograph isn't biometric data, but facial recognition templates derived from that photo are. Biometric data receives special protection under GDPR Article 9 as sensitive data because it's uniquely tied to individuals, can't be changed if compromised, and creates significant privacy risks. Processing biometric data for identification purposes generally requires explicit consent or another Article 9 exception. Organizations using biometric systems must conduct data protection impact assessments, implement strong security, and provide clear information to individuals.