Legal aspects have to be handled when acquiring, storing and exchanging biometric data, because biometric data are considered sensitive data and fall within the scope of personal data protection. The first convention to lay down data protection rules is Convention 108 of the European council of 28 January 1981 [1]; the second is the 1995 European Directive [2]. More recently, the new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was published. This regulation intends to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments. For the BioSecure Database the 1995 European procedure [2] applies.
Therefore the distribution of BioSecure databases is subject to certain formalities and procedures. More precisely, a license agreement and data protection documents have to be signed by an authorized person of your institution. Upon receipt of these documents (for non-EU institutions), the association will submit a file to the French data protection authority to obtain its formal authorization. This step is not necessary for EU institutions.
Please note that we are strictly forbidden from transferring personal biometric data before their acceptance. The establishment of a personal data processing operation is subject to certain formalities and procedures. A complete document describing the rules at the time of the registration of the BioSecure database can be found here.
Last modified 8 February 2019