What should you pay attention to when performing remote biometric verification of customers and business partners?

With the adoption of the new Personal Data Protection Act ZVOP-2, Slovenian organizations have also gained the possibility to use biometric technologies in their business processes. Biometric data are considered personal data because of their unique characteristics and their constancy for each individual, on the basis of which the person is identified or identifiable.

The law distinguishes two methods of recognizing an individual when it comes to biometric measures: identification and authentication. Identification involves determining the characteristics of an individual in order to establish who they are, while authentication involves comparing the characteristics of an individual against a reference in order to verify their claimed identity. In our case, we will deal with biometric authentication, i.e. verification of individuals, for the purpose of using digital services for end customers and organizations. As far as personal data is concerned, the law does not distinguish between these two kinds of business relationship, as both involve individuals with personal data in the procedures.

Why is biometric authentication even relevant?

Biometric authentication is useful for obtaining the right to use a commercial digital service where personal and other sensitive data is stored and processed. Examples of such digital services include opening a bank or trading account, electronic wallets, online gambling, obtaining a credit card, concluding a remote credit or life insurance contract, trading in stocks and securities, accessing audit data, remote notary services, and the like. In practice, these are digital services arising in activities regulated by the Prevention of Money Laundering and Terrorist Financing Act, as well as in public administration and public institutions. These services require the highest level of trust, for which, until recently, identity could only be verified in person at a branch office.

A high level of trust is increasingly demanded by partners in supply chains. Companies want to know who they are doing business with and, at the same time, reduce operational risks in their ongoing organizational operations. They offer their partners various digital services, such as web applications for configuring and ordering products, remote signing of contracts, downloading technical documentation for production, or services such as e-auctions.

The basic legal requirements for biometrics

In Slovenia, biometric measures are regulated by the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, no. 163/22; ZVOP-2), in Articles 81 to 84. It should be emphasized that the processing of biometric personal data is expressly prohibited by the provisions of this chapter of ZVOP-2. Furthermore, ZVOP-2 also sets conditions for the processing of biometric data under other laws, with the possibility of restricting the use of biometric personal data. In general, such processing must be necessary for carrying out the activity, for the safety of people or property, or for the protection of confidential information or business secrets.

Biometrics in the private sector

The use of biometric measures in business operations, such as remote biometric verification based on a facial photograph, is further defined in Article 83 of the ZVOP-2. In general, the processing of biometric personal data in the private sector can only be carried out if it is necessary for the performance of the activity, for the safety of people or property, or for the protection of classified information or trade secrets. In relation to identities, however, the law states that a private sector entity may process biometric personal data for the purpose of ensuring the accuracy of its customers’ identities. The law allows such processing in cases where another law specifies it for the purpose of protecting the interests mentioned above, if a contract specifically provides for it, or if the parties have given their consent. When biometric personal data is processed on the basis of a contract with a consumer, the controller must also provide the individual to whom the personal data relates with a means of identification that does not involve processing biometric personal data.

Permission for processing

Processing of biometric personal data may also be carried out provided that the processing actions of such data are under the exclusive control or authority of the data subject and confirmed in accordance with the powers of the Information Commissioner. In addition, individuals must be allowed to expressly authorize the processing of such data by other processors and controllers for the purpose of proving the accuracy of their identity. Individuals must be informed about the processing of biometric personal data before processing begins. When it comes to employees, for example for the purpose of recording working hours, access control, or using their own business information services, the controller must consult with them in advance on the proportionality of the processing.

Verification and confirmation of processing of biometric data

All actions related to the processing of biometric personal data must be confirmed in accordance with Article 52 of this law. In Slovenia, the list of validation mechanisms is managed by the Information Commissioner. Validated solutions for biometric authentication will be available in Slovenia in 2024, but companies now have a one-year transitional period in which they can already use uncertified solutions.

The operation and use of these solutions are verified by the supervisory authority of the Information Commissioner’s Office, with the inspection procedures differing depending on whether it involves processing of biometric data that is under the individual’s exclusive control or authority or whether it involves storing biometric data in records. The first process involves the authentication of a person, as enabled by the service Verified by Photko. This service carries out a guided process of capturing and verifying biometric data from a video recording and a biometric ID document, using the user’s smart mobile phone. The service only stores biometric data for the purposes of the verification process and automatically deletes them upon completion of the process. For the use of a service such as Verified by Photko, confirmation of compliance by the Information Commissioner is sufficient during the transitional period, which this service has already obtained.

To store and process biometric data, the organization must obtain permission from the Information Commissioner in addition to the compliance certificate. For violations, fines are imposed as specified in the General Data Protection Regulation, and they can be astronomically high.

Linking collections of biometric personal data

It is already prohibited by the General Data Protection Regulation (GDPR) to link collections of biometric personal data with other collections and to enable the portability of such data. ZVOP-2 allows for some exceptions: this is possible in cases where the linking or portability is determined by another law or if the individual to whom the biometric data relates expressly consents to such activities.

At first glance, it may seem that the legal framework for the use of remote biometric authentication makes the use of biometric measures more difficult. However, in practice, it is confirmed that such limitations are meaningful and welcome, as they relate to the use of personal data of such a type that people mostly do not want to share. On the other hand, digital service users expect providers to handle their biometric personal data safely and responsibly, which the latter can only demonstrate by obtaining the appropriate certificates and permits. Thus, the legal framework has set the rules of the game and enabled the game to begin - to the mutual benefit of digital service providers and their users.

© E-RASTA 2023