Crossmatch, GDPR and Biometrics

Crossmatch, the General Data Protection Regulation (GDPR) and Biometric Data

What is Crossmatch’s approach to GDPR and biometric data?

Crossmatch does not collect or store any of our customers’ data (including biometric data) gathered through the use of our products or software. Crossmatch does not have a hosted cloud platform and does not remotely access customer databases where this information is stored. Simply put, Crossmatch does not access, store or process our customers’ personal or biometric data through the solutions we offer.

Crossmatch manufactures biometric identity and advanced authentication hardware and develops software, both of which work within larger biometric collection systems. How these systems are deployed, implemented and used; how they are accessed; the security controls around them; and how users’ biometrics are enrolled are the responsibility of the individual customer. We encourage all customers to become familiar with the GDPR and best practices around processing and protection of biometric data.

For further information, please see the Crossmatch Privacy Policy.

What does the GDPR say about biometric data?

The GDPR calls out biometric data as a ‘special type’ of personal information.

According to GDPR Article 4 No. 14, biometric data are “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

Simply put, biometric data is any information that can uniquely identify an individual and is obtained through a variety of digitally based techniques. The GDPR calls for this type of information to be handled more carefully than standard personal information. According to the GDPR, the processing of biometric data for the purpose of “uniquely identifying a natural person” is prohibited.

However, there are exceptions.

What are the exceptions for processing of biometric data under the GDPR?

Article 9 (2) does contain some exceptions:

  • If consent has been given explicitly for one or more specified purposes
  • If biometric information is necessary for carrying out obligations of the controller or the data subject in the field of employment, social security and social protection law
  • If it’s necessary to protect the vital interests of the individual and he/she is incapable of giving consent
  • If processing relates to personal data which are manifestly made public by the data subject
  • If it’s vital for any legal claims
  • If it’s necessary for reasons of public interest in the area of public health.

It’s important to note that individual Member States may decide to further regulate biometric data with their own individual mandates.

How is Crossmatch innovating to help customers who store biometric data?

Crossmatch has a patented technology called Biometric Tokenization.

Biometric Tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. Biometric tokenization is available in DigitalPersona 2.3 and higher. We encourage customers to learn more by visiting our website or contacting a Crossmatch authorized reseller.

Still have questions regarding Crossmatch, GDPR and biometric data?

Questions can be directed to the Crossmatch Data Protection Officer at DataProtectionOfficer@crossmatch.com. Crossmatch strongly recommends that parties consult legal counsel prior to initiating any biometric deployment.