European Union
General Data Protection Regulation (GDPR) and EU Artificial Intelligence Act
The EU has the world's most comprehensive framework for biometric data protection. Under GDPR, biometric data used for identification is classified as "special category data" under Article 9, requiring explicit consent or another specific legal basis for processing. The EU AI Act further restricts real-time biometric identification in public spaces, classifying most facial recognition systems as high-risk AI requiring conformity assessments, transparency, and human oversight.
Key Provisions
- Biometric data for identification is special category data under GDPR Article 9
- Processing requires explicit consent or limited exceptions (employment law, vital interests)
- Data subjects have the right to erasure (right to be forgotten) under Article 17
- EU AI Act bans real-time remote biometric identification in public spaces (with narrow law enforcement exceptions)
- High-risk AI systems must undergo conformity assessments and maintain transparency
- Cross-border data transfers of biometric data face strict adequacy requirements
Your Biometric Rights
- Right to explicit consent before biometric processing (Article 9)
- Right to erasure / right to be forgotten (Article 17)
- Right to data portability (Article 20)
- Right to object to processing (Article 21)
- Right to not be subject to automated decision-making (Article 22)
- Right to lodge a complaint with a supervisory authority
Penalties for Non-Compliance
Up to €20 million or 4% of annual global turnover, whichever is higher. Notable fines: Clearview AI fined €20M by France (CNIL), €9M by UK ICO, €20M by Italy, €20M by Greece.
Our Removal Process
We submit GDPR erasure requests (Article 17) on your behalf to each database operator. EU-based databases must respond within 30 days. For non-EU operators processing EU residents' data, GDPR still applies under its extraterritorial scope.
Get Protected