New rules on the usage of biometric data issued by the Italian data protection authority (the “Garante” or “DPA“) are meant to clarify the applicable obligations with the purpose to ease the adoption of technologies relying on them in connection for instance to mobile devices and therefore also of wearable technologies part of the Internet of Things. However, such rules, that are now subject to an open consultation, set stringent obligations in their processing that might require improvements to avoid they reppresent a barrier for the launch of new products.
On the basis of the guidelines just issued, the DPA required for the processing of biometric data (e.g. finger prints, facial recognition or retina scan technologies, techniques of recognition of vocal emissions etc.) among others:
- The provision to individuals (i.e. the data subject) of a privacy information notice that not only shall list all the information prescribed by Italian law, but shall also inform them on whether there are technologies alternative to the collection of biometric data, shall mention specific instructions regarding the usage of the device held by the user and shall include signs or warnings where such data are collected for instance in case of access to specific areas;
- The prior consent from the individuals;
- The prior notification of the data processing to the DPA, save for some exceptions such as the processing performed by medical practitioners;
- The implementation of stringent security measures in terms, among others, of
- obligations of deletion of raw data collected during the biometric capture,
- usage of encryption technologies for their storage and transfer and
- usage of mobile device auditing technologies;
- The storage of such data for no longer than the term required which varies depending on the type of processed biometric data;
- The notification to the DPA through a dedicated email address of data breaches; and
- The prior approval by the DPA which will prescribe the measures to be implemented in the data processing whose application shall list specific information.
However, with an order just issued by the DPA together with the guidelines listed above, the DPA prescribed that the usage of technologies of recognition of finger prints, of the topography of the palm of the hand and of hand signatures does not require its prior approval when biometric data collected through these technologies are processed for:
- Electronic authentication,
- Access to dangerous areas,
- Circumstances where fingerprints and the topography of the palm of the hand are used to facilitate the usage of some functioning, and
- The execution of electronic documents through the so called advanced electronic signature.
The order in any case sets out very stringent obligations in the data processing necessary for the applicability of the exemption especially with reference to the security measures to be implemented, the term and place of storage of data etc. Additionally, in such exempted cases the technology shall still comply with the obligations listed in points 1 to 6 above.
Given the sensitivity of the matter the guidelines and the order are now subject to a 30 days consultation and this will be a great opportunity for companies planning to invest in this type of technologies or to use them in their devices to recommend the changes to the guidelines and the order necessary to enable (or more easily enable) the usage of their technologies.