Biometric data in video material are a special category of personal data if they are processed using specific technical means for the purpose of uniquely identifying a natural person. This follows from Article 4(14) and Article 9(1) of Regulation (EU) 2016/679, i.e. the GDPR. In practice, this means that a recording of a face is not always biometric data in itself, but it may become biometric data when the facial image is analyzed algorithmically in order to recognize or verify the identity of a specific person.
Biometric Data Under GDPR Article 9 (Video) – Definition
The GDPR defines biometric data as personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person. In the context of video, this most often includes a facial image, facial geometry, distinctive anatomical points, gait pattern, or other characteristics that can be extracted from a recording.
Two conditions are key here. First, there must be technical processing that goes beyond simply recording or playing back an image. Second, the purpose of the processing must be the unique identification of a person. For this reason, a standard CCTV recording will not always involve biometric data. However, if the system extracts a facial feature vector, compares it against a reference database, or enables a specific person to be searched by face, then the processing falls within the scope of GDPR Article 9.
The European Data Protection Board has indicated that a facial image is not automatically special category data. Classification depends on the context and purpose of the processing. This distinction is highly relevant for photo anonymization and video anonymization. A system used solely to detect a face in order to blur it does not necessarily identify a person. A system used for facial recognition does.
Prohibition on Processing Biometric Data in Video
Article 9(1) GDPR establishes a general prohibition on processing special categories of personal data, including biometric data used for the purpose of uniquely identifying a natural person. For a controller handling video material, this means that facial recognition, matching faces against a database, or any other biometric processing leading to unique identification requires a specific legal basis. A general reference to security or operational convenience is not enough.
In practice, three situations should be clearly distinguished:
- ordinary image recording – this does not always mean biometric data processing,
- face detection for anonymization – as a rule, this is used to locate an object in the image rather than identify a person,
- facial recognition – as a rule, this falls under GDPR Article 9 if it leads to unique identification.
This distinction is especially important when assessing anonymization tools. A deep learning model may be necessary to automatically detect faces or license plates in photos and videos, but the use of a neural network alone does not automatically mean biometric data processing within the meaning of Article 9. What matters is the purpose of the system and how the analysis results are used.
Exceptions to the Prohibition – When Processing May Be Lawful
The prohibition in Article 9(1) GDPR is not absolute. Article 9(2) provides an exhaustive list of exceptions. In the context of video recordings, several legal grounds are commonly considered, but each must be interpreted strictly and properly documented.
| Exception under Article 9(2) GDPR | Practical relevance for video | Compliance notes |
|---|---|---|
| Explicit consent of the data subject | May legalize facial recognition | Must be freely given, specific, informed, and capable of being withdrawn |
| Substantial public interest under EU or Member State law | Possible in regulated sectors | Requires a specific statutory basis and safeguards |
| Establishment, exercise, or defense of legal claims | May be relevant incidentally in evidentiary material | Does not justify permanent deployment of a facial recognition system |
| Important public interest laid down by law | Possible only with a clear legal basis | Cannot result solely from the controller’s own decision |
In standard processes involving publication of recordings, training materials, incident documentation, or sharing video with third parties, the safest approach is to avoid biometric processing and anonymize faces in advance.
Importance for Photo and Video Anonymization
In the field of privacy protection, the purpose of anonymization is to limit or eliminate the possibility of identifying a person visible in the material. In practice, this usually involves face blurring, face masking, and license plate blurring. This process reduces the risk of GDPR violations during further use of the recording, for example in publication, transfer to a contractor, training use, or working archive storage.
Technically, automatic face blurring usually relies on machine learning models, most often deep learning. The model is first trained to detect regions corresponding to a face based on a training dataset, and then locates the face in the frame and passes the coordinates to a masking module. This is an object detection process, not necessarily person identification. From a compliance perspective, that distinction matters.
In the Gallio PRO environment, automation covers faces and license plates. The software does not perform real-time anonymization and is not intended for anonymizing live video streams. It does not blur full body silhouettes. It does not automatically detect logos, tattoos, name badges, documents, or images displayed on monitor screens. Such elements can be masked manually in the editor. This is important for risk assessment, because the controller should evaluate whether the material contains identifiers other than faces and license plates.
Controller Obligations When Processing Video
If video material can lead to the identification of individuals, the controller must implement the principles set out in Articles 5 and 25 GDPR. In practice, this means applying privacy by design and privacy by default. Where potentially biometric processing is involved, the obligations are more extensive.
- define the purpose of processing and the legal basis before launching the process,
- assess whether facial analysis serves only detection for anonymization or also identification,
- minimize the scope of data and the retention period for recordings,
- implement technical and organizational measures appropriate to the risk,
- carry out a DPIA where the processing is likely to result in a high risk to the rights and freedoms of individuals,
- control access to non-anonymized materials,
- ensure accountability, including documentation of decisions and anonymization process settings.
For on-premise tools, an additional advantage is the ability to keep files within the organization’s own infrastructure. This reduces exposure associated with transferring data to external services. However, the deployment model itself does not remove GDPR obligations.
Key Parameters and Metrics in the Video Anonymization Process
The effectiveness of video anonymization should not be assessed only descriptively. In practice, it is worth measuring detection quality and the risk of leaving identifiable frames unmasked. These parameters should be documented for the specific type of material, such as CCTV, body cam footage, mobile recordings, or press photography.
| Parameter | Meaning | Compliance relevance |
|---|---|---|
| Detection recall | The percentage of actual faces detected by the system | Low recall increases the risk of leaving faces non-anonymized |
| Detection precision | The percentage of correct detections among all detections | Low precision reduces material quality, but usually affects privacy less than low recall |
| False Negative Rate | The percentage of missed faces | A key risk indicator for disclosure of personal data |
| IoU – Intersection over Union | Accuracy of the detection box placement relative to the object | If IoU is too low, parts of the face may remain outside the mask |
| Processing time per file | Performance of the batch process | Affects operational planning, but does not determine legal compliance |
If an organization uses automatic anonymization, it is advisable to adopt a post-processing quality control procedure. In practice, this means manual sampling, escalation rules, and additional masking of elements that were not detected automatically.
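The metrics in the table above can be computed from a manually annotated sample and used to select frames for manual review. The following is an added example, not code from the page or from any anonymization product. The box format `(x1, y1, x2, y2)`, the 0.5 IoU threshold, the function names, and the sample frames are all assumptions constructed for illustration.

```python
# Added example: box format (x1, y1, x2, y2) and the 0.5 IoU threshold are assumptions.

def iou(a, b):
    """Intersection over Union of two axis-aligned boxes (x1, y1, x2, y2)."""
    ix1, iy1 = max(a[0], b[0]), max(a[1], b[1])
    ix2, iy2 = min(a[2], b[2]), min(a[3], b[3])
    inter = max(0, ix2 - ix1) * max(0, iy2 - iy1)
    union = (a[2] - a[0]) * (a[3] - a[1]) + (b[2] - b[0]) * (b[3] - b[1]) - inter
    return inter / union if union else 0.0

def match_frame(truth, detected, thr=0.5):
    """Greedy one-to-one matching by descending IoU; returns (tp, fp, fn)."""
    pairs = sorted(((iou(t, d), ti, di)
                    for ti, t in enumerate(truth)
                    for di, d in enumerate(detected)), reverse=True)
    used_t, used_d = set(), set()
    for score, ti, di in pairs:
        if score < thr:
            break  # remaining pairs overlap too little to count as a masked face
        if ti in used_t or di in used_d:
            continue
        used_t.add(ti)
        used_d.add(di)
    tp = len(used_t)
    return tp, len(detected) - tp, len(truth) - tp

def evaluate(frames, thr=0.5):
    """Aggregate recall, precision and FNR; list frames that need manual masking."""
    tp = fp = fn = 0
    review = []
    for frame_id, truth, detected in frames:
        t, p, n = match_frame(truth, detected, thr)
        tp, fp, fn = tp + t, fp + p, fn + n
        if n:  # at least one annotated face was missed or poorly covered
            review.append(frame_id)
    return {"recall": tp / (tp + fn) if tp + fn else 1.0,
            "precision": tp / (tp + fp) if tp + fp else 1.0,
            "fnr": fn / (tp + fn) if tp + fn else 0.0,
            "review_frames": review}

# Constructed sample: (frame id, annotated faces, detector output)
SAMPLE = [
    (1, [(10, 10, 50, 50), (100, 20, 140, 60)], [(12, 11, 52, 49), (101, 22, 139, 61)]),
    (2, [(200, 200, 240, 240)], []),                      # face missed entirely
    (3, [(10, 10, 50, 50)], [(30, 30, 70, 70)]),          # box offset, IoU too low
    (4, [(60, 60, 100, 100)], [(60, 60, 100, 100), (300, 300, 320, 320)]),  # false alarm
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Frame 3 shows why IoU matters separately from detection counts: the detector fired, but the mask would leave most of the face uncovered, so the frame is treated as a miss and escalated.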
Legal and Interpretive References
When assessing biometric data in video, the primary sources should be legislation and guidance issued by European authorities. The most important reference points are as follows:
- Regulation (EU) 2016/679 – Article 4(14), Article 9, Article 25, Article 35,
- EDPB – Guidelines 3/2019 on processing of personal data through video devices, version adopted after consultation in 2020,
- CJEU case law on the broad interpretation of personal data and identifiability,
- national guidance issued by supervisory authorities, including the Polish DPA (UODO), regarding publication of image and data minimization.
On a practical level, it should also be remembered that the obligation to anonymize faces before publishing or sharing material may arise not only from the GDPR, but also from laws protecting personality rights and image rights. Exceptions usually concern public figures, an image forming only a detail of a larger whole such as a public gathering, landscape, or public event, and situations where the person has received agreed payment for posing. However, each of these cases requires a separate legal assessment.