Czech Republic and EU: Biometric data processing under the GDPR

On 25 May 2018, the General Data Protection Regulation, shortly GDPR, will come into effect, which sets the rules for collecting, processing and storing personal data.

The Regulation also extends the definition of personal and sensitive data, taking into consideration the development of information and communication technologies. At present, the Act on the Protection of Personal Data considers a part of the biometric data to be sensitive data. Interpretative Opinion No. 3/2009 of the Office for the Personal Data Protection divides systems with biometric data into common systems and systems requiring special protection.

According to Article 9 of the GDPR, biometric data, as well as the ethnic or racial origin of a data subject, belong to a specific category of personal data. Inclusion into this category brings about the need for their increased protection and an emphasis on their stricter safekeeping when handling them. An important aspect is also the determination of special legal grounds for their processing – otherwise their processing is, in general, prohibited. Such exceptions include, for example, a situation where the data subject has given explicit consent to such processing, or where such processing is necessary to protect the public interests. Member States may retain the conditions or restrictions set out by the GDPR, or introduce additional ones.

With the effectiveness of the GDPR, the relevant provisions of the Act on the Protection of Personal Data and the Interpretative Opinion of the Office for the Personal Data Protection will be replaced. During the inspections that will very likely take place in the subsequent period and focus on personal data processing, the regulation under the GDPR will probably be applied; based on the results of such inspections, the Office will publish a new interpretative opinion on this issue.