Irish SA announces conclusion of investigation into use of facial matching technology in connection with the Public Services Card by the Irish Department of Social Protection
Background information
- Date of final decision: 12 June 2025
- National case
- Controller: Department of Social Protection’s (DSP)
- Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data are collected from the data subject), Article 35 (Data protection impact assessment)
- Decision: Administrative fine, Compliance order and Reprimand
- Key words: Lawfulness of processing, Sensitive data, Biometrics
Summary of the Decision
Origin of the case
This inquiry, which commenced in July 2021, examined the Department of Social Protection’s (DSP) processing of biometric facial templates, and usage of associated facial matching technologies, as part of the registration process for the Public Services Card. This process is known as “SAFE 2 registration”.
Key Findings
The Irish Supervisory Authority (SA) found that the DSP:
- infringed Articles 5(1)(a), 6(1), and 9(1) GDPR by failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration at the time of the inquiry;
- having regard to the preceding finding, infringed Article 5(1)(e) GDPR by retaining biometric data collected as part of SAFE 2 registration;
- infringed Articles 13(1)(c) and 13(2)(a) GDPR by failing to put in place suitably transparent information to data subjects as regards SAFE 2 registration; and
- infringed Articles 35(7)(b) and (c) GDPR by failing to include certain details in the Data Protection Impact Assessment that it carried out in relation to SAFE 2 registration.
Decision
In light of the infringements identified above, the Irish SA has (1) reprimanded the DSP, (2) issued administrative fines totalling €550,000, and (3) issued an order to the DSP requiring it to cease processing of biometric data in connection with SAFE 2 registration within 9 months of this decision if the DSP cannot identify a valid lawful basis.
For further information: