Implementation of Privacy by Design in face-recognition software

A non-EU software company supplies software to corporate clients, which are located in the EU. Many products are designed to work with biometric personal data. One of these clients needs the identification of large number of their visitors at the same time for the additional sale of services. Obtaining written consent for the processing of sensitive data (facial recognition) will be difficult and expensive, but other reasons are inappropriate.
Goals and objectives of the project
Project goals and objectives
  • To define the responsibilities of the controller and processor regarding the processing and providing access to biometric data.
  • To audit software for compliance with the rules of the GDPR.
  • To assess the possibility of implementing Privacy by Design.
  • To protect the company from the risk of a fine or complaint for violation of the GDPR.
  • Brief description of the project
    Project summary
    There are only a few exceptions in article 9 of the GDPR, which prohibits the processing of biometric data. The DPO consultant analysed the objectives, scope and nature of the planned processing, the organizational and technical capabilities of the customer and came to the conclusion that client can use the exceptions mentioned in paragraph 2 (a) of article 9 of the GDPR. Then an individual solution was developed that guarantees the privacy of visitors, taking into account Privacy by Default. Among other things, the possibilities of anonymizing data and using other categories of personal data, ways of transferring the processing to the devices of the visitors were considered.
    Results of the project
    Project results
    A solution that allows obtaining explicit consent to the processing of sensitive data of 100+ thousand customers in one day was developed. This solution does not require large financial cost and consists in organizational change. Visitors express their consent by acting without filling out any documents, but at the same time it meets all the requirements of the GDPR (voluntary and not a precondition for the provision of services, easily revoked, informed).


    Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
    MBA, Certified Information Privacy Professional (CIPP/E), Certified Information Privacy Manager (CIPM). Siarhei has been working with GDPR from 2015 (draft version) in Munich and defended his MBA thesis about Regulation in Bremen in 2016

    Siarhei delivered hundreds of consultations on GDPR issues to companies around the world. He helped to implement the GDPR program as an external project manager in over 50 companies.

    Recommended services

    We can audit your compliance with GDPR. External and internal audits of projects, processes or instances of processing.
    Data protection SaaS products, recommended by our company.