Duyurular

Irish Data Protection Commission Imposes €550,000 Administrative Fine on the Department of Social Protection for the Use of Facial Recognition Technology

The Irish Data Protection Commission (“DPC”) has imposed an administrative fine of €550,000 on the Department of Social Protection (“DSP”) following an investigation into the processing of biometric data and the use of facial recognition technology in the application process for Public Services Cards.

In this context:

  • In July 2021, the DPC launched an investigation into the use of facial recognition technology and the processing of biometric facial templates during Public Services Card (“PSC”) applications.
  • The DSP refers to its processing of biometric facial templates and the use of related facial recognition technologies as the “SAFE 2 registration” process.
  • SAFE 2 registration was made mandatory for all individuals seeking to access public services. Under this system, biometric data was collected, stored, and processed on a large scale and on an ongoing basis.
  • As of 2021, biometric facial templates of approximately 70% of the population were held by the relevant public authority.
  • The investigation found that there was no adequate, clear, and foreseeable legal basis for the processing of biometric data generated through facial recognition technology.
  • The DPC examined the following aspects of the data processing activities:
    • Whether there was a valid legal basis for the collection of biometric data,
    • The validity of the legal basis for storing such data,
    • Whether transparency obligations toward data subjects were fulfilled,
    • Whether a comprehensive Data Protection Impact Assessment (DPIA) had been conducted.
  • The following violations were identified as a result of the investigation:
    • No valid legal basis had been established for the collection of biometric data,
    • Retention of biometric data was found to be in breach of Article 5(1)(e) of the GDPR,
    • Transparency obligations toward data subjects had not been adequately fulfilled,
    • The DPIA lacked the necessary level of detail required under data protection law.
  • As a result, the DPC imposed the following measures on the Department of Social Protection:
    • A formal reprimand and an administrative fine of €550,000,
    • An order to cease the processing of biometric data under the SAFE 2 process within nine months unless a valid legal basis is established.

You can access the full text of the decision here.  

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr

All information and documents on our website have been prepared by Zumbul Attorneys at Law for general informational purposes only, in accordance with the Attorneyship Law, other relevant legislation and the Professional Rules of Attorneyship of the Union of Turkish Bar Associations. These publications are not intended for advertising or commercial purposes. The information and documents provided are of a general nature and under no circumstances, do they guarantee or warrant that the content is complete, accurate, up-to-date, or reliable. You should not rely on the information and documents on this website without first consulting a lawyer or expert. The links included in our website’s publications are sourced from publicly available materials and are provided solely for the convenience of visitors in accessing additional information. These links do not constitute any form of recommendation or endorsement of the linked persons, institutions or organizations. The information on this website does not in any way constitute legal advice or establish an attorney-client relationship with visitors to the site. All content on this website is the property of by Zumbul Attorneys at Law, and no content may be copied, reproduced, or used without prior written permission.