Poland: UODO publishes guidance on use of biometric data
The Polish data protection authority ('UODO') published, on 3 March 2021, guidance on the use of biometric data. In particular, the guidance notes that the use of biometric data strongly interferes with the privacy of individuals and risks revealing data of specific categories or leading to discrimination. For this reason, the guidance highlights that the use of biometric data may only be used in exceptional circumstances, as outlined under Article 9(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), preceded by a Data Protection Impact Assessment ('DPIA'), and by taking into account the basic principles of data protection, such as necessity, proportionality, and data minimisation.
Furthermore, the guidance states that various entities in Poland use biometric data without properly conducting a risk assessment or analysing whether the same goal can be achieved by using a less privacy-intrusive method. In this regard, the guidance provides the UODO's recent enforcement action against a school processing the biometric data of children in an excessive manner, as an example, which indicated that the use of biometric data also resulted in discrimination. Lastly, the guidance provides that the Provincial Administrative Court in Warsaw overturned the case above, resulting in UODO filing an appeal to the Supreme Administrative Court.
You can read the guidance, only available in Polish, here.