In Effect European Union Fintech, Healthcare, Identity Verification, All industries

GDPR – Biometric Data

General Data Protection Regulation (EU) 2016/679 – Biometric Data Provisions (Article 9)

Biometric data processed for identification is classified as special-category data requiring explicit consent, legal basis documentation, and data minimization.

Effective: May 25, 2018 Verified: July 2026 Official source

What this covers

GDPR Article 9 puts biometric data – fingerprints, face geometry, iris patterns, voiceprints – in the same category as health data and racial origin. Processing it requires a lawful basis under Article 9(2), not just Article 6. For identity verification, the most common bases are explicit consent (Article 9(2)(a)) or necessity for a legal obligation (Article 9(2)(b)).

The data minimization principle (Article 5(1)(c)) creates a practical problem: biometric templates generated during liveness checks or face matching must be deleted once the verification purpose is complete. Many vendors now offer "liveness-only" modes that compare the live capture to the document photo without storing a biometric template – this significantly reduces GDPR exposure.

For EU-based controllers using non-EU KYC vendors, international transfer rules apply. The vendor must operate under an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules. After Schrems II, verify that your vendor has completed a Transfer Impact Assessment (TIA) for US-based data processing.

Frequently asked questions

Does GDPR require consent for biometric identity verification?

Not always. Explicit consent is one lawful basis under Article 9, but identity verification for a contract (Article 9(2)(b)) or legal obligation (Article 9(2)(c)) can also apply. The lawful basis must be documented before processing begins.

What happens to biometric data after GDPR-compliant verification?

GDPR requires data minimization: biometric templates used for liveness or face matching must be deleted once the verification purpose is complete, unless retention is justified by a separate legal basis.

Can a company outside the EU use EU citizens' biometric data?

Yes, but they must either establish an EU presence subject to GDPR or use an adequacy-covered jurisdiction or Standard Contractual Clauses (SCCs) for international data transfers.