PRAIVON

Your face is special category data. Here's what GDPR Article 9 means for you

April 2026·7 min read

Most personal data under GDPR — your name, email, address, browsing history — is governed by general rules. Biometric data is different. Under Article 9, it's classified as 'special category' data, alongside health information, political opinions, and religious beliefs. The protections are significantly stronger, and the obligations on companies that process it are correspondingly higher.

What counts as biometric data

Article 9 specifically protects 'biometric data for the purpose of uniquely identifying a natural person.' That includes faceprints, voice prints, fingerprints, iris scans, and any technical processing that turns physical characteristics into a unique identifier.

Note the qualifier: 'for the purpose of uniquely identifying.' A casual photo on social media isn't biometric data under Article 9. The same photo run through facial recognition to create an identifier — that's biometric data.

Your rights

  • Right to explicit consent. Companies cannot process your biometric data based on legitimate interest. They need your explicit, specific, informed consent — and you can withdraw it at any time.
  • Right to erasure. You can demand deletion of your biometric data, and companies must comply without undue delay (typically within 30 days).
  • Right to access. You can request a copy of all biometric data a company holds about you.
  • Right to data portability. You can request your data in a structured, machine-readable format.
  • Right to restriction. You can demand a company stop processing your data while a dispute is resolved.

What companies must do

Companies processing biometric data have heightened obligations: a Data Protection Impact Assessment (DPIA) before processing begins, appointment of a Data Protection Officer (DPO) for most cases, stricter security measures, and 72-hour breach notification to authorities and affected individuals.

Storage location matters. EU-based processing keeps your data under GDPR's strongest protections. Transfer to non-EU countries requires specific safeguards (Standard Contractual Clauses, adequacy decisions) and has been the subject of repeated court challenges (Schrems I, Schrems II).

How to exercise your rights

Any company processing your biometric data should provide a clear way to exercise these rights — typically through privacy@ or a dedicated dashboard. If they don't respond within 30 days, you can lodge a complaint with your national data protection authority. In Romania, that's ANSPDCP. In France, CNIL. In Germany, BfDI.

The bottom line

Your face is not just data. Under European law, it's protected with the same gravity as your medical history. Companies that treat it casually are violating the law — and you have specific, enforceable rights to make them stop.
