Formal warning to supermarket about facial recognition Summary Our remarks A Dutch supermarket received a formal warning from • As facial recognition processes biometric data, the Dutch Data Protection Authority due to the use of one needs to be able to use one of the exceptions facial recognition technology. Although the system in GDPR, Article 9(2). Pursuant to GDPR, Article was turned off in December 2019, the supermarket 9(2)(a), explicit consent can be an exception to expressed interest in turning it back on. the prohibition of processing sensitive personal data. Walking into a store cannot count as explicit The supermarket used the technology to protect consent itself, as there is no active action from the its customers and staff from potential shoplifting data subject regarding the consent. by comparing the faces of those entering the store to a database of banned individuals. The system • In the opinion of the Dutch DPA, facial recognition automatically scanned everyone who entered the can also be used for ensuring authentication or store’s face to do this. security. But there is a high threshold for when the need for it is serious enough. In their opinion, it is The decision of the Dutch DPA appropriate to use facial recognition for ensuring • The Dutch DPA issued a warning to the security at nuclear power plants, but the purpose supermarket, prohibiting the use of facial of avoiding shoplifting is not enough to justify facial recognition in the stores. recognition. • This is a bit of a strict interpretation. For example, in Denmark, it has been accepted to use facial recognition for identifying banned football fans outside football stadiums. • Nevertheless, if one wants to use facial recognition one must carefully assess the processing before taking the system into use. This can be done by doing a risk assessment, where it should be evaluated which other purposes the data collected can be used for, for example, profiling, surveillance, etc. Published: 15-12-2020, Journal number: N/A Tags: 01 Legal basis and principles of processing 32