What Is a Biometric Data Breach?

Biometric Data Breach Definition

A biometric data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to biometric data processed as personal data. The definition combines two GDPR provisions: Article 4(12) GDPR, which defines a personal data breach, and Article 4(14) GDPR, which defines biometric data. Under the GDPR, biometric data means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm that person's unique identification, such as facial images or fingerprint (dactyloscopic) data.

In the context of photos and video recordings, this concept primarily covers materials that can be used to recognize a person based on their face, as well as technical derivatives such as a face embedding, feature vector, landmark map, or comparison template used by a recognition system. A facial image alone is not always biometric data within the meaning of Article 9 GDPR; Recital 51 GDPR states this explicitly for photographs, which are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. This distinction matters when classifying an incident, assessing risk, and determining notification obligations.

In the practical context of photo and video anonymization, a breach may concern both the source material before face blurring and the intermediate data generated by computer vision algorithms. If an organization trains or uses a deep learning model to detect faces, it creates a processing pipeline that may include video frames, detections, bounding box coordinates, object identifiers, and timestamps. If that pipeline serves only to detect and blur faces rather than recognize identity, not every operation will amount to processing special category data. However, a leak of non-anonymized recordings containing faces may still qualify as a personal data breach involving a high risk to data subjects.

How to Classify a Breach in Photo and Video Material

Classifying an incident requires separating three layers: input data, intermediate data, and the purpose of processing. This distinction determines whether we are dealing with a breach of ordinary personal data or a biometric data breach involving special category data under Article 9 GDPR.

In photo and video materials, the following scenarios are most commonly assessed:

| Scenario | Nature of the Data | Compliance Notes |
|---|---|---|
| Leak of a non-anonymized recording with visible faces | Personal data, not always biometric data | Assessment depends on the purpose and technical method of processing |
| Leak of a database of facial embeddings used for identification | Biometric data | High likelihood of high risk |
| Unauthorized access to a model matching faces to identities | May involve biometric data and system confidentiality | The possibility of reconstructing or misusing templates must be assessed |
| Accidental publication of material before faces or license plates were blurred | Personal data, sometimes biometric data | Especially relevant for CCTV footage and photos taken in public spaces |

The European Data Protection Board, in Guidelines 01/2022 on the right of access, notes that a photograph alone is not always biometric data, but it may become biometric data depending on how it is used. In Guidelines 05/2022 on the use of facial recognition technology in law enforcement, the EDPB describes this area as requiring a strict assessment of purpose, proportionality, and legal basis. For a Data Protection Officer, this means that the incident should not be described only by asking, “Did a facial image leak?” but also, “Did the organization create or store templates used for unique identification?”

Why It Matters for Photo and Video Anonymization

In the process of photo and video anonymization, the goal is to reduce the risk of identifying a person by irreversibly, or at least practically irreversibly, removing identifying features. In practice, Gallio PRO automatically blurs faces and license plates in stored materials rather than in live streams. This reduces the attack surface, but it does not eliminate risks during the import, processing, export, and archiving of source files.

Automatic face blurring typically relies on deep learning models for object detection or segmentation. The model is first trained on datasets in which faces have been annotated, then locates faces in each frame and passes their coordinates to a blur or masking module. If the system does not link a detected face to a specific person's identity and does not compare it against a template database, its function is detection rather than identification, and the bounding boxes it produces are not biometric templates. Even so, the input material still contains personal data, and a leak of it may still require data breach notification.

A practical problem is that even a short time window between acquiring a file and anonymizing it is a period of heightened risk. A breach may occur due to misconfigured network shares, excessive operator permissions, export of an intermediate file, an unencrypted backup, or accidental publication of the pre-anonymized version.

Notification Obligations After a Biometric Data Breach

The GDPR imposes obligations based on the level of risk to the rights and freedoms of natural persons. The controller must assess the likelihood and severity of the consequences of the incident, not merely the technical fact that a breach occurred. For biometric data the assessed severity is usually higher, because a compromised biometric template cannot be revoked and reissued the way a password can: the data subject keeps the same face for life.

The main obligations are as follows:

  • Article 33 GDPR – notify the supervisory authority of the breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons,
  • Article 34 GDPR – inform the data subject when the personal data breach is likely to result in a high risk to their rights and freedoms,
  • Article 33(5) GDPR – document all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken.

When assessing high risk, the WP29 Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01, later endorsed by the EDPB, remain particularly useful. For biometric data, especially relevant consequences include identity theft, secondary profiling, unauthorized tracking of a person across systems, and long-term loss of control over a unique biometric identifier.

Key Parameters for Incident Assessment

In an image-processing environment, a file list alone is not enough to assess a data breach. Measurable technical and operational parameters are needed. These help evaluate the scale of exposure and the effectiveness of remedial measures.

| Parameter | Meaning | Example Use |
|---|---|---|
| Number of records / files | Scale of the incident | 12,400 photos, 380 recordings |
| Number of identifiable individuals | Actual impact on data subjects | Estimate based on a sample or metadata |
| Face detection recall | Share of labelled faces the model detected | Undetected faces remain visible after blurring and increase the risk of personal data exposure |
| False negative rate | Share of labelled faces the model missed (1 minus recall, so the same information expressed as a failure rate) | Critical for anonymization QA; report it together with the specific missed frames |
| MTTD / MTTR | Mean time to detect and mean time to remediate the incident | Operational security metrics |
| Exposure time | How long the data was accessible | For example, 9 hours of public access |
| Encryption status | Whether the data was cryptographically protected | Relevant to Article 34(3)(a) GDPR, which waives notification of data subjects when the data was rendered unintelligible to unauthorized persons, for example by encryption whose keys were not also exposed |

For technical teams, a simple operational exposure metric can be useful:

Risk Exposure Index = number of individuals x exposure time x identification reversibility factor

This is not a legal formula, but it is a practical internal tool for prioritizing incident response. The identification reversibility factor should be higher for raw footage containing faces than for material that has been effectively blurred.
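Recall, the false negative rate and the Risk Exposure Index are the parts of this section a technical team can actually compute, so here is an added example in Python that is not code from the article or from Gallio PRO. It matches detector output against a hand-labelled control sample of frames using intersection over union (IoU), reports recall, the false negative rate and the specific faces the blur would have left visible, and then feeds the result into the index defined above. The box coordinates are constructed sample data; the IoU threshold of 0.5, the 0.05 floor, and the choice to use the false negative rate as the reversibility factor for blurred material are assumptions made for this illustration.

```python
"""Anonymization QA and exposure triage for a face-blurring pipeline.

Added example, not code from the original article or from Gallio PRO. The
box coordinates are constructed sample data; the IoU threshold, the 0.05
floor and the use of the false negative rate as reversibility factor for
blurred material are assumptions made for illustration.
"""
from typing import Optional

Box = tuple[int, int, int, int]      # x1, y1, x2, y2 in pixels
Frames = dict[int, list[Box]]        # frame index -> boxes found in that frame


def box_area(b: Box) -> int:
    return max(0, b[2] - b[0]) * max(0, b[3] - b[1])


def iou(a: Box, b: Box) -> float:
    """Intersection over union of two axis-aligned boxes (0.0 when disjoint)."""
    ix1, iy1 = max(a[0], b[0]), max(a[1], b[1])
    ix2, iy2 = min(a[2], b[2]), min(a[3], b[3])
    inter = max(0, ix2 - ix1) * max(0, iy2 - iy1)
    union = box_area(a) + box_area(b) - inter
    return inter / union if union else 0.0


def detection_metrics(ground_truth: Frames, detections: Frames,
                      iou_threshold: float = 0.5) -> dict:
    """Match detections to labelled faces frame by frame, greedily, one-to-one.

    A labelled face counts as detected when an unused detection in the same
    frame overlaps it with IoU >= iou_threshold. Unmatched faces are exactly
    the ones that stay visible after blurring, so they are listed, not just
    counted.
    """
    total = matched = false_positives = 0
    missed: list[tuple[int, Box]] = []
    for frame in sorted(set(ground_truth) | set(detections)):
        gts, dets = ground_truth.get(frame, []), detections.get(frame, [])
        total += len(gts)
        used = [False] * len(dets)
        for gt in gts:
            best, best_iou = -1, iou_threshold
            for i, det in enumerate(dets):
                score = iou(gt, det)
                if not used[i] and score >= best_iou:
                    best, best_iou = i, score
            if best >= 0:
                used[best] = True
                matched += 1
            else:
                missed.append((frame, gt))
        false_positives += used.count(False)   # over-blurring: quality, not exposure
    recall = matched / total if total else 1.0
    return {
        "labelled_faces": total,
        "detected_faces": matched,
        "recall": recall,
        "false_negative_rate": 1.0 - recall,   # same information as recall
        "false_positives": false_positives,
        "missed_faces": missed,
    }


def reversibility_factor(metrics: Optional[dict]) -> float:
    """Raw footage: 1.0. Blurred footage: the fraction of faces the blur missed,
    floored at 0.05 because blurring is practically, not provably, irreversible."""
    if metrics is None:
        return 1.0
    return max(0.05, metrics["false_negative_rate"])


def risk_exposure_index(individuals: int, exposure_hours: float,
                        metrics: Optional[dict] = None) -> float:
    """The article's internal triage score: individuals x hours x reversibility."""
    return individuals * exposure_hours * reversibility_factor(metrics)


# Constructed control sample: 3 frames, 5 labelled faces, 5 detections.
GROUND_TRUTH: Frames = {
    1: [(100, 100, 160, 160), (300, 120, 350, 170)],
    2: [(50, 40, 110, 100)],
    3: [(200, 200, 260, 260), (400, 210, 440, 250)],
}
DETECTIONS: Frames = {
    1: [(102, 98, 162, 160), (300, 120, 350, 170)],   # both faces found
    2: [(60, 50, 120, 110)],                           # shifted box, IoU ~0.53, still a hit
    3: [(200, 200, 260, 260), (600, 300, 640, 340)],  # one face missed, one false positive
}


def triage_example() -> dict:
    """Score the same 9-hour exposure of 120 people for raw and for blurred footage."""
    m = detection_metrics(GROUND_TRUTH, DETECTIONS)
    return {"metrics": m,
            "rei_raw": risk_exposure_index(120, 9.0),
            "rei_blurred": risk_exposure_index(120, 9.0, m)}


if __name__ == "__main__":
    r = triage_example()
    m = r["metrics"]
    print(f"recall={m['recall']:.2f}  fnr={m['false_negative_rate']:.2f}  "
          f"missed={m['missed_faces']}  false_positives={m['false_positives']}")
    print(f"REI raw={r['rei_raw']:.0f}  blurred={r['rei_blurred']:.0f}")
```

On this sample the detector finds 4 of 5 labelled faces (recall 0.80, false negative rate 0.20) and the script names the one it missed, in frame 3, which is what the QA team needs to reprocess. The index drops from 1080 for the raw footage to 216 for the blurred version, but not to zero: a measured miss rate, not the mere fact that blurring ran, is what justifies treating the published file as lower risk.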

Remedial and Preventive Measures

After an incident, it is not enough just to cut off access. It is also necessary to reduce the risk of re-identification from photo and video material. Measures should cover both the information security layer and the anonymization process itself.

The following measures are commonly used:

  • immediate withdrawal or blocking of access to non-anonymized files,
  • verification that the correct version of the file was published after faces and license plates were blurred,
  • reprocessing the material with quality control for face and license plate detection,
  • encryption of data at rest and in transit in line with the security policy,
  • segregation of training, testing, and production environments,
  • minimization of retention periods for source files before anonymization,
  • event-based access logging without logging the personal data itself,
  • testing the effectiveness of the anonymization process on a control sample.

In an on-premises environment, controlling local repositories, backups, and administrator permissions is especially important. If the organization uses Gallio PRO, it should be noted that the software automatically blurs only faces and license plates. Other elements, such as documents, tattoos, logos, or images displayed on a monitor, may require manual action in the editor. This limitation should be reflected in the risk analysis and the publication procedure for materials.

The definition and obligations should be based on primary legal sources and official guidance from European authorities. For photos and video, the most important references are the legal acts and interpretive guidelines relating to biometric data, data breaches, and facial recognition.

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – GDPR, Article 4(12), Article 4(14), Article 9, Article 33, Article 34
  • WP29, Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01, 6 February 2018, endorsed by the EDPB
  • EDPB, Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement, adopted version of 26 April 2023 – important for understanding facial recognition techniques
  • EDPB, Guidelines 01/2022 on data subject rights – Right of access, adopted version of 28 March 2023 – clarifications regarding photographs and biometric data
  • ENISA, Personal Data Breach Notification Tool and materials on incident classification – practical support for risk assessment
  • ISO/IEC 2382-37:2022 – biometrics vocabulary
  • ISO/IEC 24745:2022 – biometric information protection