Image as Special Category Data – Definition
An image captured in a photo or video recording is not automatically special category data within the meaning of Article 9(1) of the GDPR. As a rule, it is personal data if it makes it possible to identify a person directly or indirectly under Article 4(1) of the GDPR, but not every facial photograph qualifies as biometric data. The threshold is higher.
Under Article 4(14) of the GDPR, biometric data means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or fingerprint data. In practice, three conditions must be met together: specific technical processing, a link to the person’s characteristics, and an outcome consisting of unique identification or authentication.
From a compliance perspective, this means that simply storing CCTV footage, publishing a photograph, or manually reviewing video material does not necessarily amount to processing special category personal data. An image taken from a recording becomes biometric data under Article 9 GDPR only when the controller uses techniques to extract and compare facial features in a way that enables the unique identification or authentication of a person. This position follows from the GDPR, Recital 51, and the guidance of the European Data Protection Board on biometric data processing and facial recognition technologies.
The Article 9 GDPR Threshold for Photos and Video
In practice, the assessment does not depend solely on the fact that a face is visible in the material. What matters is whether the system or process converts the facial image into a set of features used to distinguish one specific person from others. That is why it is important to distinguish between image processing for anonymisation and image processing for identification.
The table below shows the basic qualification thresholds.
Scenario | Is it biometric data under Article 9 GDPR? | Reasoning
|
|---|---|---|
Standard CCTV footage without facial analysis | Generally no | It is personal data, but without specific technical processing aimed at unique identification |
Automatic face detection solely for blurring | Generally no | Face detection is used to locate an image area, not to confirm the identity of a specific person |
Extraction of a facial embedding and comparison against a reference database | Yes | There is specific technical processing and an outcome in the form of unique identification or authentication |
1:1 face verification during login or access control | Yes | The processing is used to confirm the identity of a specific person |
1:N face recognition across a set of recordings | Yes | The processing is used to find and identify a person among many records |
The key distinction concerns the relationship between face detection and facial identification. Detection answers the question of whether a face appears in a frame and where it is located. Identification answers the question of whose face it is. These are not the same operations, either technically or legally.
Why This Matters for Photo and Video Anonymisation
Photo and video anonymisation processes typically use deep learning detection models. These are necessary to automatically locate faces or licence plates in an image and then apply masking, blurring, or pixelation. However, such an AI model does not necessarily involve the processing of biometric data under Article 9 GDPR if it is not used to identify a person.
In the context of Gallio PRO, this means that the automatic blurring of faces and licence plates is, as a rule, a protective measure rather than an identification tool. The software is not designed to recognise people’s identities, does not perform facial recognition in video streams, and does not blur entire body silhouettes. It automatically detects only faces and licence plates. Other elements, such as documents, ID badges, tattoos, logos, or on-screen content, can be masked manually in the editor.
From the perspective of a Data Protection Officer, it is important to document that the processing pipeline does not include the creation of biometric templates, comparison of facial features against a database, or functions for identifying an individual. This helps reduce the risk of falling within the scope of Article 9 GDPR.
Technical Criteria for Assessing the Processing Operation
A compliance assessment should not stop at the system’s marketing description. It is necessary to verify which technical operations are actually performed on the image and which data artefacts are stored. In audit practice, the following questions are particularly useful.
- Does the system create facial feature vectors, for example a 128D, 512D, or similar embedding?
- Are these vectors stored, cached, or transmitted to other services?
- Does the system perform 1:1 matching or 1:N search?
- Is the output of the process “face detected in area X,Y,W,H”, or rather “this is person A with probability P”?
- Do logs, metadata, or telemetry contain information that would make it possible to reconstruct an identification?
If the answer to the first three questions is yes, there are usually strong grounds for concluding that biometric data processing is taking place. If the system stops at detecting and masking the facial area, the legal classification may be different.
Key Parameters and Metrics in Face Blurring Systems
In anonymisation projects, detection effectiveness must be measured because it determines the level of risk that a person’s image will be disclosed. Technical parameters do not in themselves define the legal status of the data, but they do affect the assessment of whether safeguards are appropriate under Article 5(1)(c) and Article 32 GDPR.
Parameter | Practical significance | Typical interpretation
|
|---|---|---|
Detection recall | The percentage of actual faces detected by the model | Low recall increases the risk of leaving faces unblurred |
Detection precision | The percentage of correct detections among all detections | Low precision increases the number of unnecessary masks |
False Negative Rate | The percentage of missed faces | A critical metric from a privacy perspective |
IoU – Intersection over Union | The overlap between the detected area and the reference area | A box that is too small may fail to cover the entire face |
Processing time per file or frame | Affects process planning and environment capacity | Important in on-premises environments and high-volume workflows |
For anonymisation functions, a low false negative rate is more important than classification accuracy. In practice, this means preferring model settings that detect more faces, even at the cost of some false positives, as long as the material can be reviewed before publication or disclosure.
Normative References and Differences in Interpretation
The assessment should be based on primary legal sources. The most important is the GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable from 25 May 2018, in particular Article 4(1) and 4(14), Article 9, and Recital 51. In addition, EDPB guidelines and the positions of supervisory authorities on facial recognition are relevant.
In legal literature and regulatory practice, there is general agreement that not every facial image is special category data. Differences in interpretation arise in borderline systems that analyse a face in great detail but formally do not include an identification module. In such cases, the real purpose of the processing, the system architecture, the logs, the scope of metadata, and the possibility of secondary use of facial features must all be examined.
Where recordings are shared externally, for example in response to requests, for publication, or for evidential purposes, a prudent approach is to blur the faces of all individuals who do not fall within legal exceptions permitting the publication of a person’s image. This reduces the risk of privacy infringements and limits the secondary use of the material for biometric identification.