How do we ensure our processing of biometric data is transparent?

At a glance

• To comply with the transparency principle, there is certain information that you must share.
• There is not a fixed way in which you must share this information.
• In deciding how you are going to share this information, you should consider several factors.

In detail

• What information do we have to share to comply with the transparency people?
• How should we provide transparency information?

People have a right to know how and why you’re processing their information. If you are using any biometric system that processes personal information, you must explain how in a way which is clear, concise, and easy to access.

What information do we have to share to comply with the transparency principle?

You must provide the following information:

• your retention periods for that personal information, and who you will share it with;
• all relevant contact information (eg the name and contact details of your organisation) (and your representative, if applicable) and the DPO’s contact details;
• the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing);
• details of all personal information that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations;
• retention periods for the personal information, or if that is not possible, the criteria used to determine the period;
• details about people’s rights including, if applicable, the right to withdraw consent and the right to make a complaint; and
• whether people are under a statutory or contractual obligation to provide the personal information (if applicable, and if you collect the personal information from the person it relates to).

You must provide privacy information to people at the time you collect their personal information from them, or ahead of time. This is because people have the right to be informed about the collection and use of their personal information.

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people. But getting it wrong can leave you open to fines and lead to reputational damage.

How should we provide transparency information?

The best way to provide this information may differ depending on:

• your relationship to the people whose information you are processing;
• what your processing involves; and
• what your use case is.

You should consider how people will interact with the technology or the wider context of how you are using it when deciding how to provide this information. This will help you work out the most effective way of informing people.

You should also consider the potential impacts of any decisions biometric recognition systems will make and what people should know about these. It might be appropriate to provide information in different formats or levels of detail for different people, depending on their level of pre-existing knowledge.

For example, you could make information available in the following ways:

• using leaflets or digital techniques (eg QR codes and other local media), in advance where possible;
• members of staff on hand to discuss the processing;
• visual or audio signals; and
• making information available online and through social media, and otherwise using digital spaces that visitors are likely to use in advance of visiting the premises.

You should also consider who someone should ask if they have questions about the processing.

Once you have put in place mechanisms for providing transparency information, you could do user testing and surveys to assess whether the information is sufficiently clear and accessible.