LOGBOOK

HELP

Quiz Entry - updated: 2026.05.25

What three legal requirements must private organisations meet to use face recognition under data-protection law (e.g. GDPR)?

A clear legal basis (usually explicit consent or an overriding legitimate interest), purpose binding to a specific legitimate aim, and proportionality (least-invasive means, benefit must outweigh the privacy intrusion).

Private actors face especially strict requirements when processing biometric data:

  1. Legal basis required: a clear legal basis for processing biometric data — usually explicit consent, unless an overriding legitimate interest exists.
  2. Purpose binding: use must serve a specific, legitimate purpose (e.g. access control, theft prevention); changing the purpose later is allowed only under strict conditions.
  3. Proportionality: the measure must be appropriate — less invasive alternatives must be considered, and the benefit must outweigh the intrusion into privacy.

Private actors bear the burden of proof for the lawfulness of their processing; documentation and transparency are essential.

Tip: "Proportionality" is the recurring legal hurdle for surveillance tech — even with consent and a purpose, you must show no gentler method would have worked.

From Quiz: PRIVACY / Device Tracking: Biometrics, RFID/NFC & E-Passports | Updated: May 25, 2026