On Taking Biometric Photographs and Using ID Photos Pro Software in the Light of the GDPR
Expertise drawn by Katarzyna Orzeł, Legal Counsel, Owner of a Legal Counsel Office in Cracow
1. WHAT IS GDPR?
EU General Data Protection Regulation* was adopted by the European Parliament and the EU Council in April 2016, and its provisions are effective as from 25 May 2018. Since then, all businesses operating on the territory of the European Union are obliged to comply with the new rules regarding transfer and processing of personal data of natural persons. In practice, this provides a better protection to individuals, and limits the possibilities of trading and sharing data to other entities without their knowledge.
*Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2. MY COMPANY IS LOCATED OUTSIDE THE EUROPEAN UNION – DOES GDPR APPLY TO ME?
GDPR applies to all entities that process the data of natural persons from the EEA area, if these entities provide services in the territory of the EU (i.e. if the recipient of the service is located in the EU and uses the service there). This means that by providing services to such natural persons under the stated conditions, you are required to apply EU regulations regarding the protection of personal data. Non-EU entities do not have to adhere to GDPR regulations during interactions with EU citizens if they provide the services outside of its borders (e.g. providing services to Polish citizens, but only during their visit to Turkey, and only on Turkish territory).
3. DOES GDPR APPLY TO PHOTOGRAPHERS?
Absolutely YES. New regulations apply directly (are binding to every entrepreneur) and apply to every company that delivers its products or services to private (natural) persons within the whole European Union.
Photographers process personal data within the scope of several processing activities. First of all, they process data of their customers. Additionally, they also process images of other persons taking part in photo sessions conducted by the photographers. Such images are also personal data and should be processed according to the GDPR.
Moreover, according to the GDPR, in some circumstances, processing of photographs may be also considered processing of biometric data, and as such is subject to separate restrictions.
4. IS EVERY PHOTO A BIOMETRIC DATA?
According to the GDPR, a photograph itself is not a biometric data. However, the way it is processed (used) may be biometric data processing. This results from the fact, that according to the GDPR, use of photographs is processing of biometric data only if they are processed by means of special technical methods that allow unambiguous identification of a natural person or confirmation of that person’s identity. This means that biometric data processing takes place only if we use images with special software designed for biometric identification.
Article 4(14): ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
Therefore, if a person uses a photograph for the purposes of biometric identification — he or she processes biometric data. GDPR imposes stricter responsibilities on such GDPR administrators than on administrators of “ordinary” data As a result, a photographer who only takes photographs that can be later used for biometric purposes does not process biometric data — as he or she does not use these photographs for identification by means of special technical means.
5. ID PHOTOS PRO AND GDPR
ID Photos Pro is a tool to “process” personal data, namely images. Data processed using this software are prepared to be used as biometric data. They are not biometric data themselves but they can be very easily used for this purpose (are taken in a way that allows to use them for identification purposes).
Therefore, these data should be particularly protected.
However, information about the principles of operation of ID Photos Pro indicate that this software does not process images for identification purposes (it does not record biometric points). Thank to that, there is no obligation to obtain customers’ consent to use ID Photos Pro for processing their photographs.
However, photos taken to be used as biometric data should be particularly protected from unauthorized access. Thus, is it particularly important that they are processed while keeping the highest safety standards.
6. IS ID PHOTOS PRO COMPLIANT WITH GDPR?
Analysis of ID Photos Pro operations and modifications used indicate the system may support meeting data processing requirements in compliance with the GDPR. The analyzed modifications and add-ons are to help fulfill obligations under the GDPR i facilitate choosing the right settings compliant with the new regulations.
Comment from Pixel-Tech:
As from version 8.3, the software has been featuring various functions allowing meeting the GDPR criteria, including a dedicated GDPR Assistant that regularly controls and recommends optimal program security settings.
An important element here are ongoing updates resulting from Subscription, as only the most recent version of the software ensures secure personal data processing.
7. DOES ID PHOTOS PRO HAVE TO BE CONSTANTLY UPDATED?
According to good practices in personal data processing, it should always be done using the means that guarantee the highest security level. The basic principle is to process data with the hardware with only updated and legal versions of installed software.
In this case, it refers both to ID Photos Pro and the operating system or other software used to process photographs.
Article 24(1): Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Availability of Subscription and automatic update notifications surely help to exercise this obligation.
8. WHAT EASY STEPS CAN BE TAKEN TO COMPLY WITH THE GDPR WHEN TAKING ID PHOTOS?
A photograph shop that processed biometric data should ensure legal compliance of their processing process in the first place. For this purpose, a necessary step is to prepare a register of the processing operations and conduct the initial analysis of risks associated with personal data processing. Depending on the results, it may be necessary to conduct an assessment of the consequences processing may have for the rights and freedoms of the data subjects.
Reports from the analyses should be stored together with personal data processing documentation.
Regardless of the above, it is recommended to introduce personal data processing policy describing the rules of processing personal data in a unit. Such policy should include document templates (such as: obtained consents, information sent to persons whose data are processed, authorizations) and principles of acting in case of requests or questions raised by persons whose data are processed. In our Office, we are currently developing solutions dedicated to different industries, including photography sector. According to the GDPR, solutions applied should be adapted to the specifics of certain operations.
Regardless of the above, it must be ensured that processing operations were performed according to safety principles. Therefore, changes in work organization might be necessary (securing cabinets where documents are kept, securing other data carriers).
Of course, such agreements may take the form of approved contractual models and terms of service.
9. DO I HAVE TO OBTAIN CONSENT FROM EVERY CUSTOMER?
A consent must be obtained from a customer only when we want to use his or her data for the purposes other than the performance of the agreement. For example, consents are necessary to use photographs in a portfolio or a publication.
In addition, always when we want to communicate with a customer via his or her e-mail address, we must obtain his or her consent for this method of communication. The only exception is when sending e-mail message is necessary to perform the agreement — in such case, the e-mail address may be used for this purpose only.
10. WHAT ARE THE CONSEQUENCES OF FAILURE TO COMPLY WITH GDPR?
Save for being beneficial to individuals, the GDPR also supports enforcement of laws by Polish data protection body. Once the GDPR enters into force (25 May 2018), a new entity — the President of the Office for Personal Data Protection — will be established that will take over the competencies of the General Data Protection Inspector.
Within the scope of supervisory competencies, the President will be entitled to impose a wide range of penalties for the breach of personal data processing rules.
Mild penalties include warning or reprimand. A more severe sanction may be an order to comply with the request of the data subject or adopting data processing rules to the applicable regulations. An even more severe penalty may be temporary or permanent prohibition of personal data processing by certain administrator. of course, this sanction should apply only as a last resort. In particular, it is possible to apply a temporary prohibition of processing data until organization adapts its procedures to the GDPR requirements.
The supervisory body is also eligible to impose pecuniary penalties with each sanction, up to 4% of the company’s annual turnover for the preceding year.
11. IS ID PHOTOS PRO A SAFE SOLUTION IN THE CONTEXT OF PERSONAL DATA PROCESSING?
In general, we can state that ID Photos Pro allows to process data according to the GDPR. In general, yes. It is a secure software, installed locally and it never independently process or sends any personal data outside the computer is it installed in. In this regard, you can be ensured that Pixel-Tech does not process personal data of your customers with ID Photos Pro.
However, in the context of the GDPR, some available solutions or functionalities of the software should be evaluated separately. These functionalities are not obligatory in the photo processing, and their use depends on a sole discretion of the administrator. The functionalities are described in sections 11 to 17.
12. “SECURE CLOUD STORAGE” SERVICE
Comment from Pixel-Tech:
This is a new service by Pixel-Tech designed for ID Photos Pro to ensure secure and GDPR-compliant delivery of digital biometric photographs to individuals.
Secure Cloud Storage provides secure, coded transfer of photographs to a server localized in the European Union. Customers have access to their photographs thanks to special Code valid for a certain number of days, and they decide to remove the photographs from the server themselves.
It is a very good solution in the light of the GDPR provisions. First of all, it allows to avoid the transfer of personal data via e-mail which by principle increases the risk of leakage. This is particularly because free/public domains apply lower levels of security than private ones. It may also be dangerous to transfer data to carriers provided by customers — this may entail the risk of infecting the photographers’ hardware with viruses and malware “brought” by the customer.
At the same time, according to provided information, data shared in the Secure Cloud Storage service are stored in secured servers in the territory of the European Union, what guarantees their safety.
Additionally, when using this solution, the Photographer is not responsible for personal data — they are transferred to another Administrator, that is, PIXEL-TECH which is now responsible for data security before the customer.
13. SENDING PHOTOGRAPHS BY E-MAIL
According to the GDPR, this is not a good idea. Personal data (a photograph) may be accessed by third parties due to, e.g. unauthorized access to the mailbox or providing the wrong e-mail address by individual. It will also require additional Personal data processing outsourcing agreements with each of the e-mail service providers.
Comment from Pixel-Tech:
Into the context of the GDPR, the problem of e-mails is even greater as most photographers and their clients use free mailboxes that do not guarantee the satisfactory level of security. We need to be aware, that when we send a photograph via a free mailbox, we do not really know and have no control over what the operator would do with it and how long this data will be stored.
The functionality is available in the software so its previous functioning is not limited. The GDPR Assistant introduced from the 8.3 version informs that in the light of the GDPR, this is not an optimal solution.
14. EXPORTING PHOTOGRAPHS TO CUSTOMER’S PENDRIVE
The very fact of copying photograph on customer’s carrier is acceptable. However, security of the photographer shop should be considered. Introducing external carriers to computer memory in the shop brings the risk of infecting it by viruses and spyware and, consequently, personal data theft and data theft in general. This is definitely against the GDPR that imposes general care for the safety of hardware and software used to process personal data. If such solution is applied, some additional security measures, such as anti-virus scanning of carriers) must be introduced.
Comment from Pixel-Tech:
The functionality is left available in the software so its previous functioning is not limited. The GDPR Assistant introduced from the 8.3 version informs that in the light of the GDPR, this is not an optimal solution.
15. CD BURNING
This is acceptable solution given that you possess a device to destroy such data carrier (in case of theoretical CD burning failure there is a risk that already burned personal data will remain in the disk).
Comment from Pixel-Tech:
This functionality is left available due to the low degree of risk.
However, remember that most modern computers do not have a CD drive at all, so customers may have problems with accessing their photos.
16. RECENT PHOTOGRAPHS REPOSITORY
Comment from Pixel-Tech:
The software has a built-in option of removing files from data carriers, therefore, for the technical purposes it is necessary to use Photo repository. Repository allows to retrieve recently taken photographs if the original print was incorrect, for example due to a failure of printing equipment. Repository features the option of setting the number of days after which the photograph is automatically removed from this location. For GDPR settings, we recommend the period of 3 days.
For technical purposes associated with the execution of agreement (in this case, taking an ID photograph), the photograph can be stored for a short period. The GDPR does not define the term “short period”, but 3 days are surely a safe option. However, we do not recommend extending this period.
17. PHOTO ARCHIVE
Biometric photos are valid for 6 months from the day they were taken and an individual has the right to make a complaint regarding his or her photograph during this period (e.g. if it has not been accepted by the appropriate Office). The photographer must be able to retrieve such photograph in the program, correct it and print it again. This functionality is enabled by the optional Archive which removes the photographs 7 months after they were taken, thus allowing time for submitting complaints and process claims.
For statistical and control purposes, the work done may be collected based on a separate agreement or when other grounds for processing occur — for example, to process data when executing an archiving agreement or to secure data for debt recovery purposes.
Katarzyna Orzeł, Legal Counsel
Katarzyna Orzeł, Legal Counsel — expert on personal data protection, intellectual property protection and telecommunications law. She has been providing legal services for entrepreneurs for 10 years, specializing in the TMT sector. She works with business organizations, including the National Chamber of Ethernet Communications (Krajowa Izba Komunikacji Ethernetowej), Our Vision Foundation (Fundacja Nasza Wizja), where she designs, among others, regulations for personal data protection for businesses and service providers. She has been exploring the issues of personal data for years, training entrepreneurs how to use data during conferences and developing data management and protection policies. She is has also authored many articles in industry magazines focusing on legal use of personal data.