Data Protection Commission Issues €550,000 Fine Over DSP Biometric Data Use
The Data Protection Commission (DPC) has issued its final decision following an inquiry into the Department of Social Protection’s (DSP) use of biometric facial templates and facial recognition technology in the Public Services Card registration process, known as SAFE 2 registration. The inquiry, which began in July 2021, focused on whether the DSP had a lawful basis for collecting and retaining biometric data and whether it complied with transparency and data protection impact assessment requirements under the GDPR.
The investigation found that the DSP did not have a valid legal basis for collecting biometric data during SAFE 2 registration, resulting in violations of key GDPR provisions, including Articles 5, 6, and 9. The DSP was also found to have unlawfully retained biometric data and failed to provide clear and transparent information to data subjects, breaching Articles 13 and 35 of the GDPR, which relate to transparency and data protection impact assessments.
As a result, the DPC reprimanded the DSP, imposed administrative fines totaling €550,000, and ordered the DSP to stop processing biometric data within nine months unless a lawful basis is established. The inquiry did not find any issues with the technical or organizational security measures employed by the DSP; it focused strictly on the legal framework and compliance aspects of the biometric data processing.
The DPC emphasized that the findings do not question the principle of SAFE 2 registration itself but highlight deficiencies in the legislative framework and operational compliance with data protection law. The full decision and further details will be published by the DPC in due course.