Facial Recognition at the Fitness Center Under the General Data Protection Regulation Article 9(1) and 9(2)(a)

Facial Recognition at the Fitness Center Under the General Data Protection Regulation Article 9(1) and 9(2)(a)

There are significant concerns regarding the legitimacy of biometric data processing within the European Union. Therefore, it is imperative that facial data processing adheres to the criteria and standards outlined in the General Data Protection Regulation (GDPR).
According to GDPR Article 9(1), the processing of biometric data is prohibited. In high-incursion situations that involve the private sphere, obtaining consent becomes crucial. It requires further justification and confirmation about the lawfulness of the process, as specified in GDPR Article 6. Hence, the European Union relies on Data Protection Authorities in Member States to assure obedience to GDPR in practice. Regardless above mentioned, the authors aim to investigate compliance with the GDPR Article 9(1) and 9(2)(a) through the case study about facial recognition technology with biometric involvement at a fitness center in Denmark.
The research focuses on analyzing the Danish Data Protection Agency’s investigation of FysioDanmark concerning the facial biometric recognition of customers’and employees’faces at the entrance to a fitness center for membership control checks and business optimization. The authors have made the following findings. The Agency warned the entity in question about the use of a system in fitness centers to uniquely identify customers without obtaining their consent. Furthermore, the research has shown that the application of consent as a legal ground to avoid prohibition to uniquely identify employees can’t be granted as an appropriate argument due to an imbalance of employment relationships meaning the consent is not freely given.
Based on the given outcomes, the authors propose measures to prevent noncompliance with biometric facial technology and advocate respect for individuals’right to personal data protection by mandating consent for facial recognition, specifically for the purpose of unique identification, prior to the performance of facial biometric scans. And, the authors’advice is not to regard the GDPR Article 9(2)(a) in terms of biometric facial employees’data processing because it is not a legal ground to exempt from Article 9(1) at the fitness workplace center.