Data Protection Commission finds Department of Social Protection infringed GDPR in use of facial matching technology (dataprotection.ie)
- DPC found DSP's facial matching lacked clear lawful basis under GDPR
- Biometric template retention of up to 7 years deemed excessive
- DSP failed to conduct a mandatory Data Protection Impact Assessment
"The DPC concluded an own-volition inquiry into the Department of Social Protection's (DSP) use of facial matching technology for identity verification in public services. The Commission found that the DSP violated multiple GDPR provisions: processing of biometric facial templates lacked a clear, precise, and foreseeable lawful basis; retention of templates for up to 7 years was excessive; the DSP failed to provide adequate transparency; and it did not conduct a required Data Protection Impact Assessment. The DPC issued an order to cease processing, a reprimand, and an administrative fine."