
FysioDanmark: Use of facial recognition system

Summary

The Danish DPA initiated an investigation into FysioDanmark Hillerød ApS ("FysioDanmark") concerning its proposed implementation of a biometric identification system. This system, which utilized facial recognition technology, was intended to regulate access to the company's fitness center by both customers and employees. The system would collect direct and derived data for the purpose of optimizing business operations.

According to FysioDanmark, the system would only be used with the prior consent of customers and employees. To regulate access, users' photos would be uploaded to an underlying database, and a camera at the entrance would scan faces to determine whether they matched any of the photos uploaded in the database. However, the system would scan a person's face regardless of whether they had given consent and were registered in the user database.

Through the intended use of the system, FysioDanmark would process biometric data for the purpose of uniquely identifying individuals, which is in general prohibited, cf. GDPR, Article 9(1), unless an exception to this prohibition can be identified in paragraph 2 of the article.

The Danish DPA stated that the only possible legal basis for the intended processing would be consent, cf. GDPR, Article 9(2)(a). It should be noted that in the decision, the Danish DPA only considered whether GDPR, Article 6 or 9 could form the basis for the proposed processing, and not any other data protection law issues.

The Danish Data Protection Agency's decision

The Danish DPA issued a warning to FysioDanmark that it would probably violate the GDPR if FysioDanmark:

• for statistical and business optimization purposes, processes biometric data for the purpose of uniquely identifying a data subject without obtaining consent from the data subject in accordance with GDPR, Article 9(2)(a), and
• uses the facial recognition system in the manner envisaged, as this would involve processing biometric data, for the purpose of uniquely identifying a natural person, on individuals who have not consented to the processing, which is prohibited, as no exception can be identified in GDPR, Article 9(2).

Published: 17-03-2022
Journal number: 2021-431-0145
Tags: 01 Legal basis for processing and principles of processing
