Limitations and Safeguards Applying to Taking of Fingerprints and Image
Acquisition by Banks
Provision of 27 October 2005, published in the Official Journal of the Italian Republic no. 68 of 22
March 2006
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, with the participation of Prof. Francesco Pizzetti, President, Mr. Giuseppe
Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr.
Giovanni Buttarelli, Secretary General;
Having regard to international and Community legislation concerning personal data protection
(Directive no. 95/46/EC);
Having regard to the Personal Data Protection Code (legislative decree no. 196 of 30 June 2003), in
particular to Section 17 thereof;
Having regard to the provisions taken by the Garante on 29 April 2004, concerning video
surveillance, and 28 September 2001, concerning biometric data acquisition by banks;
Having considered the requests for prior checking lodged by several credit institutions pursuant to
Section 17 of the Code in respect of the processing of biometric personal data as related to security
requirements applying to bank agencies; having regard to the draft guidelines the Italian Banking
Association is about to issue to banks, which were submitted to the Garante for consideration;
Having regard to the considerations made by the Secretary General in pursuance of Section 15 of
the Garante’s Rules of Procedure (no. 1/2000);
Acting on the report submitted by Mr. Giuseppe Fortunato;
WHEREAS
1. Foreword
Some credit institutions lodged requests for prior checking with the Garante, in pursuance of
Section 17 of the Code; the requests concerned the processing of personal data as consisting in
coupling customers’ biometric data – based, in particular, on the taking of fingerprints via scanners
connected and/or integrated with a computerised system – with other personal data concerning
customers to be collected by means of video surveillance systems.
The requests were lodged also in pursuance of the guidelines issued by the Garante in its provision
on video surveillance of 29 April 2004 (see point 3.2.1 thereof) and were aimed at allowing the gathering of
evidence to be possibly used in cases involving criminal conduct.
The Italian Banking Association submitted statistics relating to criminal activities against banks –
with particular regard to bank robberies – and highlighted, in turn, that the need for equipping some
especially at-risk agencies and branches with devices to gather biometric data was supported by
many banking institutions.
Having concluded complex preliminary enquiries, the Garante considers it necessary to adopt a new
general provision to take account of the innovations brought about by the Code that came into force
on 1 January 2004, by having regard to the general principles set out in its provision of 28
September 2001. This applies, in particular, to the requirements contained in Sections 17, 24(1),
letter g), and 154(1), letter c), of the said Code. Indeed, the Garante is in charge of laying down
measures and precautions addressing “specific categories of processing and data controller” within
the framework of a check to be carried out prior to start of the relevant processing (as per Section
17 of the Code), whenever the processing concerns personal data other than sensitive and/or judicial
data that entail specific risks for the data subjects’ fundamental rights, freedoms, and dignity.
In the case at issue, as already highlighted in point 3.2.1 of the 2004 provision, the specific risks
result from the deployment of “video surveillance systems entailing image collection either in
connection and/or matched and/or compared with other specific personal data” as well as from the
specific features of some of the data to be processed – namely, those based on the taking of
fingerprints.
Therefore, this provision is aimed at setting out the measures and precautions to safeguard data
subjects that will have to be implemented by all credit institutions operating in the national territory,
where they plan to avail themselves of the systems in question, if the preconditions mentioned
below are fulfilled and providing they comply with the principles laid down in the Code.
2. Lawfulness, Purpose Specification, Data Minimisation, and Proportionality
The blanket, undifferentiated use of systems allowing data subjects to be identified by means of a
mix of different data acquisition mechanisms is not permitted as it is in breach of the data
minimisation principle – whereby information systems and software should be configured in such a
manner as to rule out the processing of personal data (here, the biometric data) that are unnecessary
for the purposes to be achieved (see Section 3 of the DP Code).
The blanket collection of highly significant data – such as those related to fingerprints – in respect
of all bank customers is to be regarded as unlawful, especially if it is only accounted for by unspecific security requirements.
Failing specific proof of the concrete existence of a considerable risk, this would disproportionately
impinge on the data subjects’ freedom and dignity and would expose them to the risk that highly
sensitive personal data such as fingerprints data may be misused.
The personal data at issue may only be processed in compliance with adequate safeguards and
exclusively in view of enhancing the security of property and individuals – namely, bank employees
and customers. To that end, it is necessary for specific circumstances to apply as related to objective
situations such as to give rise to a concrete, considerable risk, which each bank is required to assess
with special care (see the Garante’s provisions of 11 December 2000 and 7 March 2001).
The specific circumstances in question, possibly supported by the findings of the competent law
enforcement and public policy bodies, may be related, in particular, to the location of a bank agency
– e.g. where the latter is placed in high-crime-rate areas, isolated, or close to “escape routes” for
criminals. Account may also be taken of the circumstance that a given bank agency, maybe like
other agencies located in the same area, was the subject of robberies. Other specific circumstances
may also be considered, where they may give rise to a real danger in respect of one or more bank
agencies – such was the case, in the past, in connection with the increased amount of cash available
in banks at the time the Euro was introduced.
The existence of the said circumstances should also be reviewed on a regular basis by having regard
to any factor that is liable to affect the risk exposure level – e.g. the establishment of a police station
nearby, or the enhancement of manned surveillance inside a bank agency. Based on the outcome of
this review, any data processing operation that is found not to be justified any longer must be
terminated or suspended.
3. Information Notices
Data subjects must be adequately informed both of the presence of fingerprint acquisition systems
and of the association between fingerprints and images (as per Section 13 of the DP Code). The
information must be provided prior to data collection and anyway before a person accesses a
double-door / revolving door entrance, if any.
The information notice must contain the items referred to in the DP Code (Section 13), and may be
worded concisely on condition the information is clear and unambiguous. It must highlight that the
person is free to access the bank without having his/her fingerprints taken, in which case an
alternative procedure should be applied also based, if necessary, on customer identification.
The Garante has developed a model “minimum” information notice data controllers might want to
use at the entrance(s) to banks; this notice must be supplemented by a more detailed notice to be
posted inside the bank. Both models are annexed to this provision.
4. Measures and Precautions to Be Taken
The use of fingerprinting systems jointly with video surveillance equipment must take place in
compliance with the additional precautions and measures listed below to safeguard data subjects:
a) Alternative options to access the bank
The taking of fingerprints should not entail a restriction of the bank customers’ freedom and
dignity. If access to the bank is envisaged by way of the systems in question, it should be ensured
that, if the customer objects to or is unable to undergo fingerprinting because of his/her personal
circumstances, access to the bank is enabled in any case by means of an alternative entrance – and
anyway without the customer’s being obliged to provide his/her personal data – and, if necessary,
by taking certain precautions that are left to the bank manager’s discretion (e.g. the request for
producing an ID document). As already pointed out in the Garante’s provision of 2001, any
arrangements that are burdensome to a customer or else suitable for dodging the obligation to allow
entrance without taking the customer’s fingerprints are prohibited.
b) Data collection mechanisms
The deployed video surveillance systems must be oriented exclusively towards the entrance area of
the bank and not film any other buildings or, in particular, the entrances thereof.
As for the biometric data to be collected, it is sufficient to take one fingerprint of the person
concerned.
c) Security measures
The systems deployed for collecting images, whether fixed or moving, and taking fingerprints must
ensure that the data are immediately encrypted before being recorded in a database – irrespective of
the relevant configuration – in compliance with high security standards.
It must be ensured that images and fingerprints are matched unambiguously to prevent
identification errors.
Special attention should be paid to the encryption techniques applied to both images and
fingerprints.
The data must be processed via “robust” encryption systems using either symmetric or asymmetric
encryption algorithms, or else both types of algorithm.
In particular, if the data are encrypted by means of symmetric encryption techniques and the
symmetric keys relating to each data and/or each data portion are encrypted by means of
asymmetric or public key encryption techniques, the whole encryption process must be guaranteed
by an escrow agent – namely, the person in charge of an internal independent auditing function, or
another independent entity to be nominated by the latter – acting as the custodian of the encryption
keys that can allow decrypting the information kept by the bank.
It must be ensured that the acquired information cannot be decrypted without the said escrow
agent’s involvement.
Access to decrypted information, either on judicial grounds or following exercise of the data
subject’s rights (pursuant to Section 7 of the DP Code), must only take place by the agency of the
said escrow agent.
The obligation to take such minimum security measures as are compliant with the benchmarks set
out in the DP Code (see Section 31 thereof and Annex B to the Code) is hereby left unprejudiced.
This applies, in particular, to access by persons in charge of the processing and/or system
administrators in charge of specific tasks related to operation or maintenance of the systems in
question.
Finally, the systems deployed must meet stringent data reliability and integrity requirements in
pursuance of such certifications and/or authorisations as may have been granted to them. In this
context, the banks where the systems are deployed must obtain and keep the certificate to be issued
by the installer as per Rule no. 25 in the Technical Specifications concerning minimum security
measures (Annex B to the DP Code).
d) Data retention
The encrypted data relating to fingerprints and images, if any, must be retained for no longer than
one week and stored in chronological sequence so as to allow them to be retrieved promptly, also by
organising them as appropriate by date of recording.
Mechanisms must be in place to automatically erase all the information upon expiry of the said
term. It must also be prevented that the retention period is increased surreptitiously by creating
backup copies.
This is without prejudice to the possibility for the bank to make the data available by preventing
them from being automatically erased upon expiry of the relevant data retention term, if the data
subject lodges a data access request, criminal events have taken place, or a request is lodged by
judicial authorities.
Finally, no interlinking is allowed between the acquired data and other data held by the bank and/or
third parties, nor may additional databases be set up or facial recognition systems deployed.
e) Data access
The information gathered by means of the data acquisition systems in question may only be
decrypted and accessed by judicial and police authorities in connection with specific investigations
related to detection or prevention of offences as carried out pursuant to the Criminal Procedure
Code. To that end, the co-operation of the aforementioned escrow agent may be sought, who may
lawfully access the data if this is necessary in discharging his/her tasks – also whenever a data
subject exercises his/her right to access the personal data concerning him/her.
Conversely, the staff – including external staff – that are specifically in charge of operating and
maintaining the equipment may in no way be enabled to access the “plain-text” version of the
encrypted data (whether images or fingerprints).
5. Balancing of Interests
If the prerequisites and conditions referred to above are fulfilled, the processing of personal data
shall be regarded as lawful also in the absence of the data subjects’ consent under the terms of
Section 24(1), letter g), of the DP Code.
This finding is based on the specific purposes sought as well as on the consideration both of the
mechanisms applying to the processing, which is of a provisional nature and must be compliant
with the measures and precautions set out herein, and of the further purposes aimed at by the other
data controllers that may receive the data (i.e. judicial and police authorities).
The data subject’s consent must be considered to be also unnecessary with regard to decryption of
the processed data by the escrow agent, whose additional processing operations must not go beyond
the communication of the “plain-text” version of the data either to the aforementioned entities or to
the data subject requesting access to his/her data as per Section 7 of the DP Code.
6. Specific Requirements
It is to be recalled, first and foremost, that the processing operations in question must be notified to
the Garante pursuant to Section 37(1), letter a), of the DP Code.
Additionally, each credit institution is required to provide the Garante – by May 31st, 2006 – with
the list of all the respective agencies/branches where the devices at issue had been deployed prior to
issuance of this provision.
Where a credit institution plans to install new equipment, or modify the existing equipment, an ad hoc
prior checking application will have to be lodged with the Garante by means of the forms
annexed hereto. The said prior checking will be performed once only prior to start of the processing,
as per Section 17 of the DP Code. To that end, it is permitted to provide a single list including all
the relevant agencies/branches where the said equipment is to be deployed by specifying the
concrete risks that account for such deployment, as assessed by having regard to other available
measures.
In addition to the above requirements, each bank agency/branch will have to keep and update the
following documents also in view of possible inspections by the Garante:
a) a copy of the prior checking application lodged with the Garante;
b) documents pointing to the existence of concrete risks to the relevant bank agency/branch;
c) technical documents concerning installation of the deployed biometric and video surveillance
systems, showing their compliance with the conditions set out herein. The said documents must also
include:
- the features of the video equipment (e.g. location of camera(s) and respective technical
features);
- the features of the biometric data collection device(s);
- the features of the information systems used for processing images and biometric data with
particular regard to the encryption process;
- the maximum data retention period;
d) a copy of the information notice provided to customers;
e) such documents as can allow outlining the alternative access mechanisms to the bank
agency/branch in question.
Based on the above premises, the Garante
1. Orders all data controllers, under section 154(1), letter c), of the DP Code, to take the necessary
measures laid down herein in order to bring their processing operations into line with the legislation
in force;
2. Specifies, in pursuance of section 24(1), letter g), of the DP Code, the cases in which personal
data may be processed by credit institutions in connection with the information systems referred to
herein without the data subjects’ consent in order to pursue legitimate interests, under the terms
detailed in the Premises and in compliance with the limitations and conditions specified herein;
3. Orders that a copy of this provision be forwarded to the Ministry of Justice – Publishing
Department in order for it to be published in the Official Journal of the Italian Republic as per
section 143(2) of the DP Code.
Done in Rome, this 27th day of October 2005
THE CHAIRMAN
Pizzetti
THE RAPPORTEUR
Fortunato
THE SECRETARY GENERAL
Buttarelli
Fac-simile information notices to be posted by data controllers: