Biometric data is only special-category data when it is used to identify a person — but once it is, GDPR Article 9 prohibits processing unless a specific exception applies. This checker finds the realistic exception for your use, tells you whether a DPIA is mandatory, and lists the safeguards regulators expect.
How it works
The tool applies the Article 9 structure:
Step 1: Is the biometric data used to UNIQUELY IDENTIFY a person?
    No → ordinary personal data, Article 6 lawful basis is enough.
    Yes → special-category data, Article 9 applies — an exception is required.
Step 2: Which Article 9(2) exception fits?
    explicit consent (a) · employment law authorisation (b) · vital interests (c) · substantial public interest with a legal basis (g) · public health (i)…
Step 3: Safeguards — DPIA (usually mandatory), template protection, encryption, access control, minimisation, retention limits.
If no Article 9 exception fits, the processing cannot lawfully proceed in that form.
Notes and tips
Two practical traps dominate. First, workplace consent rarely meets the “freely given” bar because of the employer-employee power imbalance — prefer a clear legal authorisation and always offer a non-biometric fallback (PIN, card). Second, store protected biometric templates, never raw face or fingerprint images: template protection plus encryption is the difference between a defensible system and a breach headline. Biometric identification is on most authorities’ mandatory-DPIA lists, so plan to complete and document one. This is an educational aid, not legal advice.
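The three steps and the two traps above, written as a design-review check. This is an added example, not the checker's own code: the function name, dictionary fields and status strings are assumptions made for illustration, and only the exceptions the page lists are named.

```python
# Added example. Field names and status strings are hypothetical;
# the exception letters are only those listed on this page.
LISTED_EXCEPTIONS = {
    "a": "explicit consent",
    "b": "employment law authorisation",
    "c": "vital interests",
    "g": "substantial public interest with a legal basis",
    "i": "public health",
}
SAFEGUARDS = ["template protection", "encryption", "access control",
              "minimisation", "retention limits"]


def check_biometric_processing(system):
    """Return (status, findings) for a dict describing a planned system."""
    # Step 1: special-category only when used to uniquely identify a person.
    if not system.get("used_to_identify", False):
        return "article6", ["Ordinary personal data: Article 6 lawful basis is enough."]
    # Step 2: an Article 9(2) exception is required.
    exc = system.get("claimed_exception")
    if exc is None:
        return "blocked", ["No Article 9 exception: cannot proceed in this form."]
    label = LISTED_EXCEPTIONS.get(exc, "not listed on this page, review manually")
    findings = [f"Exception claimed: ({exc}) {label}."]
    # Trap 1: workplace consent rarely meets the "freely given" bar.
    workplace = system.get("context") == "workplace"
    if workplace and exc == "a":
        findings.append("WARN: workplace consent is rarely freely given; "
                        "prefer a clear legal authorisation.")
    if workplace and not system.get("non_biometric_fallback", False):
        findings.append("FAIL: no non-biometric fallback (PIN, card).")
    # Trap 2: store protected templates, never raw images.
    if system.get("stores_raw_images", False):
        findings.append("FAIL: raw face or fingerprint images are stored.")
    # Step 3: DPIA plus every safeguard that is not yet in place.
    if not system.get("dpia_done", False):
        findings.append("FAIL: DPIA not completed and documented.")
    in_place = set(system.get("safeguards", []))
    findings += [f"FAIL: missing safeguard: {s}." for s in SAFEGUARDS
                 if s not in in_place]
    flagged = any(f.startswith(("FAIL", "WARN")) for f in findings)
    return ("needs_work" if flagged else "ok"), findings
```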