Abstract

The use of biometric and behavioural data raises many practical concerns, partially due to the lack of clear guidelines on their processing. There is no legal definition of behavioural data and often both the definition of personal and data and biometric data proves to be challenging, especially in the context of new processes and services. “Biometric data” means personal data arising from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm unique identification of that natural person, such as facial images or fingerprint data. However, new data processing technologies are emerging in market practice, for the assessment of which an in-depth analysis of the possibilities of data processing and whether or not the constitute biometric data is needed. In particular, the distinction between the information allowing for identification and the information on the behaviour that are non-identifying is unclear. The existing opinions, judgments or guidelines on the matter do not propose any practical test that may be used for legal assessment. The aim of my paper is to begin the discussion that would hopefully bring about more detailed opinions on the application of the GDPR, in particular concerning biometric data.