Personal data protection /

Biometric data processing – court ruling eases restrictive approach of the Polish supervisory body

Last year we reported on the first penalty imposed by the President of UODO for processing biometric data in violation of the GDPR rules by a school that introduced fingerprint verification of students using the canteen ( After the school appealed against the decision, it was overruled by the WSA.

principle of data minimization

In the justification of the verdict, the court presented a different position on the data minimisation principle referred to in Article 5(1)(c) of the GDPR than taken by the President of UODO. According to him, the data minimisation principle means the necessity to limit the scope of collected data only to a necessary minimum, and to process only such data, without which it would be impossible to achieve the objective of the controller.

In the opinion of the court, such a perception of the minimisation principle is too strict, because it does not take into account other principles of personal data processing indicated in Article 5(1) of the RODO, i.e. the principles of adequacy and relevance, which are equally important. Adequacy of data processing manifests itself in the necessity to process only those data which are necessary for the realization of a specific purpose – i.e. data which are adequate and compatible, whose scope is not excessive or disproportionate.

As a result, processing of personal data which are required for a specific purpose (e.g. because they can help to achieve the purpose quicker) does not violate the minimisation principle even if the purpose could be achieved without the data.

UODO does not agree with the verdict of the WSA and announced to file a cassation complaint in this case. According to the office, such an interpretation of the rules of personal data processing allows for processing an unlimited scope of data under the pretext of its usefulness.

Strict approach to biometric data processing

The decision of the President of UODO is in line with the practice of other European supervisory authorities, which are sceptical about the processing of biometric data, especially of entities that are not on an equal footing with the controller (e.g. students, employees) and thus their consent to the processing of such data may not be voluntary. Similar penalties have been imposed by the supervisory bodies in Sweden (for facial recognition system introduced at a school) and Romania (for system of access to premises using fingerprints of employees).

Author team leader DKP Legal anna szymielewicz
Contact our expert
Write an inquiry: [email protected]
check full info of team member: Anna Szymielewicz

Contact us

Młyńska 16
61-730 Poznań
+48 61 853 56 48[email protected]
Rondo ONZ 1
00-124 Warsaw
+48 22 300 16 74[email protected]
Swobodna 1
50-088 Wrocław
+48 61 853 56 48[email protected]
Opolska 110
31-355 Kraków
+48 61 853 56 48[email protected]
Jana Sobieskiego 2/3
65-071 Zielona Góra
+48 61 853 56 48[email protected]