Regarding the information published by several media, which assure that hundreds of people, including minors, accept the scanning of their irises in exchange for cryptocurrencies at various commercial establishments in Catalonia, the Catalan Data Protection Authority ( APDCAT) wants to highlight the following:
• This action involves the communication of personal data considered to be a particularly sensitive category. It is a biometric data that allows the unequivocal identification of the person through a physical characteristic that cannot be varied throughout life.
• This category of data has special protection by data protection regulations, given the high risk that its treatment entails for the rights and freedoms of people and the numerous damages that could result from a bad use.
• The processing of personal data requires a legal basis to carry it out, and, in the case of biometric data, it may be explicit consent. It must be free, informed, specific and unequivocal. This requires that the person granting it must be fully aware of the consequences that may arise from the processing of their information.
• In the case of children under 14, consent must be given by parents or legal guardians.
• Consent is not enough to process biometric data, but the organization that carries out the treatment must inform people about aspects such as:
• Who processes the data (identity and contact details) and for what purpose
• Contact details of the Data Protection Officer.
• What is the legal basis that allows you to treat them.
• The time it will keep them
• If you transfer them to third parties
• If international data transfers will be made outside the European Union
• Before whom and how the rights of access, rectification, deletion or opposition and limitation of treatment can be exercised
• The right to submit a claim to the data protection control authority.
• This information to the person affected by the processing of their data must be clear, concise and adapted to each group, especially in the case of minors. Therefore, this informed consent requires that the person also understands and is aware of what the processing of their personal data actually entails.
• Various bodies and authorities of the European Union are currently investigating whether this initiative conforms to the principles and obligations established by the General Data Protection Regulation, and it is necessary to be cautious until its real impacts are determined.
• The use of biometric data with technologies such as facial recognition is limited to very specific cases of data protection regulations, given the high impact it can have on the rights and freedoms of people. The proportionality of this type of system must be well justified, and the principle of data minimization must be guaranteed (use the minimum data for the intended purpose).
• The APDCAT recalls the need to be aware of the value of personal data and the risks associated with sharing and transferring it without control. Thus, disseminating information about geolocation, physical and health status, etc. that serves to identify a certain person can contribute to suffering undesirable situations such as impersonation, cybercrime, cyberharassment, or condition the present and future professional, among others.
• The APDCAT makes its reporting and complaint channels available to citizens in the event of breaches of data protection regulations.