Biometrics and law

Biometric data and their regulation

You probably already know that we are a security systems integrator company. Our activities include authorized access systems, which in turn include electronic biometric devices and systems. According to a certain part of the society (significant majority), it contradicts the law that regulates this issue. There are many sayings and differences of opinion regarding this.

Let’s try to figure it out together

What is biometric data:

“Biometric data is a physical, mental or behavioral characteristic that is unique and permanent to each individual

for a person and by which this person can be identified (fingerprint, foot print, eye color

membrane, retinal membrane (retinal image), facial feature)’.

It should also be taken into account that according to the Law of Georgia “On Personal Data Protection”, biometric data is a special category of data only when it enables the identification of a natural person by means of a special category of data, such as racial or ethnic affiliation, state of health, conviction and others. Therefore, during their processing, it is necessary to have at least one of the grounds provided for in Article 6 of the law – for example, the written consent of the data subject. (it is specifically defined in which case the written consent of the data subject is necessary).

(According to Article 2, subsection “c” of the Law of Georgia “On Personal Data Protection”)

რას ნიშნავს ბიომეტრიული მონაცემების დამუშავება:

What does the processing of biometric data mean:

Biometric data processing methods:

In world practice, two main methods of processing biometric data are used, namely verification and identification, the difference between them is essential. Most often, these two methods are used to process biometric data in order to control access to both physical and virtual space (access to a specific server or system).

The method of identification involves checking the authenticity of biometric data against the information in the database and is often referred to as one-to-many, which means that the biometric system determines whether a particular biometric data (fingerprint, voice, handwriting, etc.) belongs to a particular person. Accordingly, the system compares the specific biometric data with all samples in the database.

During the identification method, the existence of a database itself represents a relatively low level of security, because there is a risk of using the data in an illegal way.

The verification method involves checking the authenticity of biometric data without using a database. In particular, the system compares the biometric data entered on the carrier containing biometric data (for example, a service card, which is made for a specific person and contains the biometric data of the mentioned person) with the biometric data of the owner of this card in the database.

This method is referred to as one-to-one. It is believed that the verification method is more secure, because the database through which the system functions does not allow access to specific data, each data in it is encrypted and activated only when the data subject uses the aforementioned carrier. Biometric data processing with this method is more expensive than with the identification method, although it provides a higher level of security and requires appropriate software support. In addition, during verification, the person himself owns the device containing his biometric data (work card, ID card or other), which reduces the risk of unauthorized access to it.

How does the product we offer to the customer respond to the requirements of the regulation:

First of all, we will say, and we think no one will be surprised, that regulation of personal data security law is not invented and developed by the legislation of our country. Trying to implement the experience and standards of others is in our case. Here we will say that all our products are GDPR certified and comply with the Euro regulation:

General Data Protection Regulation – The European Data Protection Regulation applies to all member states from 25 May 2018 to harmonize data privacy laws across Europe. If you find the page useful, feel free to support us by sharing the project.

In addition, we explain to those for whom the products regulated and certified by European legislation are not sufficiently reliable and acceptable, that the hardware and software solutions offered by us for storing biometric information do not use a database to which the user will have access and, if desired, will be able to extract the data for further use. Devices store biometric information in the internal memory in an encrypted form and it is practically impossible to extract it. Accordingly, the devices we offer use the verification method, with the main nuance that they cannot be removed from the device and used further. Please note that the devices mentioned above, biometric or other types of authorized access devices are used by users to implement other regulations. In particular, to record the attendance of employees.

Based on all of the above, we declare that the use of our devices for sanctioned access or hourly recording of visitor attendance does not require a legal basis and the written permission of employees regarding the use of personal data, since the data is not used by any entity. The data is used by the “machine”, an electronic device, for verification on the subject’s device, and it is practically impossible to transfer personal data to any other entity.