Netherlands: Adopted Dutch Data Protection Authority guidance on facial recognition

On 2 May 2024, the Data Protection Authority (DPA) published guidance on the legal framework for facial recognition. The DPA states that facial recognition is generally prohibited, with a few exceptions. First, the GDPR does not apply to the use of facial recognition by natural persons for activities with a personal or domestic purpose. Certain criteria apply for making use of this exception for unlocking devices. Second, the DPA defines biometric data in the context of the GDPR, considering the nature of the data, the means and methods of processing, and the purpose of the processing. Third, processing biometric data with the goal of confirming someone's identity is covered by the prohibition of processing of special categories of personal data. Fourth, the DPA outlines possible exceptions to the prohibition for processing data to identify someone, those include explicit consent of the data subjects or an important public interest.