Implementation of Privacy by Design in face-recognition software

A non-EU company supplies software to corporate clients located in the EU. Many of its products are designed to work with biometric personal data. One of these clients needs to identify a large number of its visitors at the same time in order to sell additional services. Obtaining written consent for the processing of sensitive data (facial recognition) would be difficult and expensive, while the other exceptions in Article 9 of the GDPR were not applicable.
Project goals and objectives
  • Defining the responsibilities of the controller and processor in terms of processing and providing access to biometric data.
  • Auditing software for compliance with the GDPR rules.
  • Assessing the possibility of implementing Privacy by Design.
  • Protecting the company from the risk of a fine or a complaint for violation of the GDPR.
Project summary
There are only a few exceptions to Article 9 of the GDPR, which prohibits the processing of biometric data. The DPO consultant analyzed the purpose, scope and nature of the planned processing, as well as the organizational and technical capabilities of the customer, and concluded that the client can rely on the exception in Article 9(2)(a) of the GDPR. An individual solution was developed that guarantees the privacy of visitors and takes Privacy by Default into account. Among other things, the possibility of anonymizing the data, using other categories of personal data, and ways to move the processing onto the visitors' own devices were considered.
Project results
A solution was developed that allows explicit consent to the processing of the sensitive data of 100+ thousand customers to be obtained in a single day. The solution does not involve large financial cost; it consists of an organizational change. Visitors express their consent without filling out any documents, and at the same time the consent meets all the requirements of the GDPR (freely given, not a condition of providing the service, easily withdrawn, informed).


Siarhei Varankevich CIPP/E, CIPM, MBA, FIP
Founder of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
MBA, Certified Information Privacy Professional (CIPP/E), Certified Information Privacy Manager (CIPM). Started working with the draft version of the GDPR in Munich in 2015. Defended his MBA thesis on the Regulation in Bremen in 2016. In 2020, he was awarded the title of IAPP Fellow of Information Privacy (FIP) on the recommendation of respected experts.

Siarhei has delivered hundreds of consultations on GDPR issues to companies around the world. He has helped to implement GDPR programs as an external project manager in over 50 companies.


Recommended services

GDPR Audit
We can audit your compliance with the GDPR: external and internal audits of projects, processes or individual processing operations.
GDPR Implementation
GDPR Roadmap+ Implementation Program: training and consulting support for the working group on GDPR implementation, and ad hoc consultations on problematic areas.