Quiz Entry - updated: 2026.05.25
What three legal requirements must private organisations meet to use face recognition under data-protection law (e.g. GDPR)?
A clear legal basis (usually explicit consent or an overriding legitimate interest), purpose binding to a specific legitimate aim, and proportionality (least-invasive means, benefit must outweigh the privacy intrusion).
Private actors face especially strict requirements when processing biometric data:
- Legal basis required: a clear legal basis for processing biometric data — usually explicit consent, unless an overriding legitimate interest exists.
- Purpose binding: use must serve a specific, legitimate purpose (e.g. access control, theft prevention); changing the purpose later is allowed only under strict conditions.
- Proportionality: the measure must be appropriate — less invasive alternatives must be considered, and the benefit must outweigh the intrusion into privacy.
Private actors bear the burden of proof for the lawfulness of their processing; documentation and transparency are essential.
Tip: "Proportionality" is the recurring legal hurdle for surveillance tech — even with consent and a purpose, you must show no gentler method would have worked.