The Irish Knowledge Safety Fee (DPC) has fined the Division of Social Safety (DSP) €550,000 for its use of facial recognition and biometric matching software program and not using a legitimate authorized foundation. The fantastic adopted an in depth investigation into the division’s use of facial scanning and biometric matching expertise through the registration course of for Public Providers Playing cards, the place photos of candidates had been cross-checked towards an inside database to detect duplicate identities.
What occurred?
The DSP makes use of facial recognition expertise throughout Protected 2 registration, the method by which people confirm their id to obtain a Public Providers Card (PSC). Candidates submit a photograph, which is in comparison with a database of current photos to forestall duplicate registrations. With over 3.2 million playing cards issued and obligatory use for sure welfare companies, this technique impacts a good portion of the Irish inhabitants.
However the DPC’s investigation, launched in July 2021, discovered a number of failings in how the DSP dealt with this information:
- No legitimate authorized foundation below the GDPR for gathering and processing biometric information
- Illegal retention of delicate information
- Insufficient transparency about how the information was getting used
- A flawed DPIA that omitted important danger and authorized assessments
Consequently, the DPC issued a fantastic and gave the division 9 months to both set up a legitimate lawful foundation for the processing—or cease gathering biometric information altogether.
“Not one of the findings relate to technical safety failings,” famous Deputy Commissioner Graham Doyle. “That is about whether or not the DSP has the authorized and procedural framework in place to make use of one of these expertise in any respect.”
What does the GDPR say about biometric information?
Biometric information, resembling facial templates, is classed below Article 9 GDPR as a particular class of private information. This implies it might solely be processed below strict circumstances, resembling:
- Specific consent
- Employment, social safety or social safety legislation, the place authorised
- Substantial public curiosity, on the idea of Union or Member State legislation
Even then, organisations should exhibit that their processing is critical and proportionate, and that much less intrusive alternate options have been thought of.
What are the takeaways for EU and UK companies?
This case sends a transparent message to any organisation working below UK or EU information safety legislation: utilizing biometric applied sciences like facial recognition requires a stable authorized basis, not assumptions or comfort.
- A sound lawful foundation is important
Whether or not below UK GDPR or EU GDPR, processing biometric information (a particular class below Article 9) calls for greater than only a common justification. You should depend on a selected authorized foundation, resembling express consent or substantial public curiosity, and doc it clearly. - DPIAs are usually not non-obligatory for high-risk tech
Facial recognition and biometric matching fall squarely inside the scope of processing that requires a Knowledge Safety Impression Evaluation. A superficial DPIA that skips over authorized dangers or fails to evaluate proportionality might itself be a breach. - Transparency should be actual, not imprecise
You could inform information topics, clearly and upfront, what information you’re gathering, how it will likely be used, for the way lengthy, and below which authorized foundation. Failure to take action is a direct breach of GDPR obligations. - Retention of biometric information should be justifiable
Holding on to delicate private information “simply in case” isn’t defensible. Your retention coverage should be purpose-driven and legally grounded. - You’re accountable, even if you happen to’re public sector
This fantastic was imposed on a authorities division, however the identical obligations apply to non-public firms, charities, and another information controllers. Regulatory scrutiny round biometric and AI applied sciences is growing, and enforcement our bodies throughout the EU and UK are watching intently. - Don’t assume GDPR is static—particularly within the UK
The Knowledge (Use and Entry) Act 2025 has now handed, introducing modifications like:
- Easing automated decision-making guidelines for non‑special-category information
- Acknowledging “recognised reliable pursuits” for sure processing
- Eradicating obligatory DPIAs and DPO necessities in some instances
These reforms mirror a shift towards flexibility and innovation—but in addition current compliance dangers. Organisations should monitor the UK legislation intently to remain aligned with each UK and EU requirements, notably as divergence continues.
A wider sample in GDPR enforcement?
This isn’t the primary time the Irish DPC has taken concern with the Division of Social Safety. A 2019 investigation additionally discovered critical non-compliance in how Public Providers Playing cards had been issued. Though the division initially appealed, it later withdrew and got here to phrases with the regulator.
However this newest fantastic is a part of one thing greater. Throughout Europe, together with within the UK, GDPR enforcement is shifting. Regulators are more and more concentrating on not simply organisations, but in addition people. Accountability is turning into private, and using rising applied sciences like facial recognition and AI is below intense scrutiny.
For companies, the message is obvious: utilizing biometric or AI-driven information and not using a watertight authorized foundation isn’t a gray space—it’s a quick monitor to enforcement.
How can VinciWorks assist?
- As well as, our GDPR programs embody an in-browser enhancing software that permits you to customise the programs to mirror your info safety challenges and greatest practices.
- Omnitrack’s GDPR Workflows, developed with high legislation companies, streamline compliance by automating information assortment and administration. This ensures completeness, reduces administrative burden, and simplifies regulatory proof.
