Last update: August 2025
Why Biometrics Raise Legal Concerns (And Why They Shouldn’t)
Many digital onboarding projects using biometrics face the same roadblock: legal concerns. Arguments like “this involves biometric data, so it’s not legal” halt implementations that were already technically and commercially validated.
But in reality, using facial biometrics with consent and appropriate safeguards is lawful both in the EU and in Spain. The rules are clear: Article 9 of the GDPR prohibits processing biometric data for the purpose of uniquely identifying a person by default, but lifts that prohibition when one of its exceptions applies (explicit consent among them) and appropriate guarantees are in place. To move forward with confidence, rely on a Data Protection Impact Assessment (DPIA): a structured tool to analyse risks, define the necessary measures, and document the lawfulness of the processing under the GDPR.
Why a Photo of the National ID (or Other Authentication Methods) Isn’t Enough
In remote processes, simply presenting an image of an ID doesn’t ensure the person presenting it is the rightful owner. The same applies to possession-based (like a token) or knowledge-based methods (like a password). They can all be easily shared, stolen, or used by third parties.
What makes the difference is the inherence factor: who you are. A possession or knowledge factor proves that a device or a secret is present; a face match with liveness detection binds the session to a living person who is present at that moment, which neither of the other factors can do on its own. The National Cryptologic Center (CCN) highlighted that Renewable Biometric References (RBRs) “make forgery more difficult compared to other authentication methods,” providing an “additional layer of security.”
The Spanish Data Protection Agency (AEPD) has also recently emphasized that “biometric processing enables more reliable verification of who accesses protected spaces, preventing identity false‑pretences and unauthorized access.”
Moreover, many fraud cases arise from manipulation or falsification of the document itself. The most secure and effective approach is therefore not to choose one method over another but to combine them: document verification plus biometrics with liveness detection. Each layer covers a failure mode of the other (a forged document is caught by document checks, a stolen genuine document by the face match, a photo or replay of the legitimate holder by liveness detection), and the combination aligns with the highest data protection and identity standards.
Is Biometric Authentication Legal in Onboarding or Age Verification?
Yes. The GDPR treats biometric data processed to uniquely identify a person as a special category of data (Article 9). Its processing is prohibited by default, but permitted when one of the Article 9(2) exceptions applies, the most common one in onboarding being the user’s explicit consent, and when the rest of the Regulation is complied with. In Spain, Organic Law 3/2018 (LOPDGDD) confirms that consent is a valid legal basis for this processing.
The European Artificial Intelligence Regulation (AI Act), published in July 2024, excludes biometric verification systems whose sole purpose is to confirm that a specific person is who they claim to be, with that person’s active participation (for example a selfie with liveness detection), from the “remote biometric identification” category it treats as high-risk. Such one-to-one verification falls into the residual tier the Act does not regulate specifically, commonly described as low or no risk.
The Critical Role of a Data Protection Impact Assessment (DPIA)
Article 35 of the GDPR requires a DPIA when processing is likely to result in a high risk to individuals, and it names large-scale processing of special-category data, biometrics included, as a case that triggers it (Article 35(3)(b)); the AEPD’s list of processing operations that require a DPIA also covers biometric identification and authentication. In practice, a biometric onboarding flow should be treated as one that needs a DPIA. But rather than being a barrier, the DPIA is a strategic tool that enables legal justification and lets the project progress.
Without biometrics, an organization cannot be certain who is on the other side of the screen. A national ID card alone is easy to misuse: it can be stolen, tampered with, or presented by a minor. Biometrics introduce the inherence factor, assuring real identity and shielding organizations from severe risks such as identity fraud and regulatory penalties, particularly in regulated sectors such as banking, insurance, online gambling, or e-commerce.
A strong DPIA enables you to:
- Evaluate and demonstrate the necessity of biometric processing versus other alternatives.
- Ensure proportionality and legitimacy.
- Identify potential risks during processing.
- Document the technical and organizational measures applied to mitigate those risks.
- Provide evidence for audits, legal departments, or data protection authorities.
Elements a Complete DPIA Should Include
A robust Data Protection Impact Assessment doesn’t have to be an obstacle. Instead, it serves as a structured guide so that legal teams can identify real risks, apply appropriate guarantees, and document compliance effectively. It should clearly cover seven essential aspects:
- What processing will be conducted and why.
- What risks may exist and how they will be mitigated.
- Why the processing is necessary and proportionate compared to other options.
- What legal basis supports it (e.g., consent or public interest).
- How the GDPR principles are complied with (minimization, purpose limitation, transparency, etc.).
- What security measures are applied (technical and organizational).
- Evidence to demonstrate compliance and risk management.
Veridas assists data controllers by providing technical and functional details of the solution and implemented security measures, making it easier to address each point without added complexity.
Evolving Technologies, Reduced Risks: The Value of Privacy by Design
Legacy biometric technologies had significant limitations in terms of reversibility, revocability, and effective data control. These limitations shaped cautious legal and regulatory attitudes.
Nowadays, those risks can be addressed with technologies developed from the ground up to meet privacy and security-by-default principles. Renewable Biometric References (RBRs) enable a more granular, secure, and controlled approach to processing. Their architecture includes features like non‑interoperability, regeneration upon suspicion of compromise, and an inability to reconstruct the original physical trait.
Not all biometric processing has the same impact or demands identical protective measures. The system’s proportionality must be assessed based on its specific purpose, the measures in place, and the absence of less intrusive alternatives of equal effectiveness. This is precisely where a DPIA becomes a vital tool.
A strong DPIA not only demonstrates the necessity and lawfulness of processing but also transparently reflects technological improvements over previous options, along with the technical and organizational guarantees implemented. This level of detail is critical for obtaining a favorable evaluation from legal teams or regulatory authorities.
In highly sensitive contexts, such as protecting critical infrastructure or controlling access to restricted areas, the ability to justify, compare, and document biometric processing becomes even more significant. The Spanish Data Protection Agency (AEPD) has acknowledged this in its assessment of a biometric authentication system for secure facilities. It points out that well‑designed technologies can be more proportionate and less intrusive—if they’re properly argued in the DPIA and supported by privacy-by-design measures.
Technological evolution not only mitigates risks: it also gives data controllers the tools to demonstrate compliance, as the GDPR’s accountability principle (Article 5(2), “responsabilidad proactiva” in Spanish law) requires.
RBRs: Biometric Technology That Complies by Design
Veridas has developed authentication technology based on Renewable Biometric References (RBRs), conceived in alignment with the GDPR and the AI Act:
- Irreversible: cannot be used to reconstruct the face.
- Revocable: can be regenerated if compromised.
- Non-interoperable: only works in the system where it was generated.
- Multiple: allow generating a unique reference for each use.
These features are recognized by the National Cryptologic Center as key for security and privacy.
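The four properties above can be illustrated with a toy cancelable-biometrics scheme in the BioHashing style (a keyed random projection of the face embedding followed by sign quantisation). The Python below is an added example written for this page; it is not Veridas’s implementation, and the 64-dimensional embedding, the key names and the 20 % matching threshold are constructed assumptions. A real RBR scheme follows ISO/IEC 24745 (biometric information protection), which defines renewable biometric references and demands stronger template protection than this; the point here is only to show how a keyed transform yields references that are many-to-one, change completely under a new key, and cannot be compared across systems that hold different keys.

```python
import hashlib
import hmac
import random
import struct
from typing import Dict, List, Sequence

# Toy cancelable-biometrics scheme in the BioHashing style: a keyed random
# projection of the feature vector followed by sign quantisation. Added here to
# illustrate the RBR properties listed in the text (irreversible, revocable,
# non-interoperable, multiple). It is NOT Veridas's implementation and is not
# production-grade template protection.

DIM = 64      # length of the face embedding (constructed assumption)
N_BITS = 256  # length of the protected reference in bits


def _prf_float(key: bytes, i: int, j: int) -> float:
    """Keyed pseudo-random float in [-1, 1) derived from HMAC-SHA256(key, i||j)."""
    digest = hmac.new(key, struct.pack(">II", i, j), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") / 2**63 - 1.0


def protect(features: Sequence[float], key: bytes, n_bits: int = N_BITS) -> bytes:
    """Turn an embedding into a renewable reference.

    Each output bit is the sign of the dot product between the embedding and a
    pseudo-random direction derived from ``key``. Sign quantisation is many-to-one
    and the directions depend on the key, so the reference does not reveal the
    embedding while the key is kept separate (irreversible); a fresh key gives an
    unrelated reference (revocable, multiple); and references produced under
    different keys cannot be compared (non-interoperable).
    """
    bits = 0
    for i in range(n_bits):
        dot = sum(f * _prf_float(key, i, j) for j, f in enumerate(features))
        bits = (bits << 1) | (1 if dot > 0 else 0)
    return bits.to_bytes((n_bits + 7) // 8, "big")


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length references."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify(reference: bytes, probe: Sequence[float], key: bytes,
           threshold: float = 0.20) -> bool:
    """Fuzzy 1:1 match: accept when the normalised Hamming distance is below threshold.

    The 20 % threshold is a constructed value for this toy; a real system tunes it
    against measured genuine and impostor score distributions.
    """
    n_bits = len(reference) * 8
    candidate = protect(probe, key, n_bits)
    return hamming(reference, candidate) / n_bits < threshold


def make_embedding(seed: int, dim: int = DIM) -> List[float]:
    """Stand-in for a face-recognition embedding (constructed, deterministic)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]


def recapture(features: Sequence[float], seed: int, sigma: float = 0.15) -> List[float]:
    """Simulate a new capture of the same person: the embedding plus small noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


def demo() -> Dict[str, bool]:
    """Exercise the four properties; the keys are per-deployment secrets (constructed names)."""
    key_bank_a = b"bank-A/enrolment-key-v1"     # assumed per-application key
    key_bank_a_v2 = b"bank-A/enrolment-key-v2"  # key issued after a revocation
    key_bank_b = b"bank-B/enrolment-key-v1"     # a different deployment

    alice = make_embedding(1)
    mallory = make_embedding(2)
    ref_a = protect(alice, key_bank_a)
    return {
        # same person, new capture, same key -> accepted
        "genuine_match": verify(ref_a, recapture(alice, 3), key_bank_a),
        # different person, same key -> rejected
        "impostor_rejected": not verify(ref_a, mallory, key_bank_a),
        # same person, but reference and probe protected under different keys -> no match
        "non_interoperable": not verify(ref_a, recapture(alice, 3), key_bank_b),
        # revocation: re-enrol under a new key; the old reference is useless
        "revoked_reference_unrelated": not verify(ref_a, alice, key_bank_a_v2)
        and verify(protect(alice, key_bank_a_v2), recapture(alice, 4), key_bank_a_v2),
        # multiple: one person, one system, several unlinkable references
        "multiple_unlinkable": protect(alice, key_bank_a) != protect(alice, key_bank_a_v2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The practitioner’s check is the key handling: the reference and the key must live in different places, because schemes of this family are only as irreversible as the key is secret. Revocation in this model is simply re-enrolment under a new key, after which the old reference matches nothing, which is what the “revocable” and “multiple” properties in the list amount to.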
How Veridas Supports You Through This Process
From the very start of your project:
- We provide technical and legal documentation for the DPIA.
- We design the solution with privacy by design in mind.
The challenge isn’t legal—it’s technical, interpretive, and about trust. And that’s where Veridas stands out.
Frequently Asked Questions (FAQ)
Is a DPIA mandatory for using biometrics?
Yes, in practice. Article 35(3)(b) of the GDPR requires a DPIA for large-scale processing of special-category data such as biometrics, and the AEPD’s list of processing operations that require a DPIA includes biometric identification and authentication. A digital onboarding or age-verification flow that processes faces should therefore always have one.
Can biometric processing rely solely on user consent?
Yes, as long as the conditions of the GDPR, the Spanish LOPDGDD, and the AI Act are met. Consent must be freely given, specific, informed and unambiguous, and for biometric data it must be explicit (Article 9(2)(a) GDPR); the controller must also be able to demonstrate that it was given (Article 7). Where there is a clear imbalance of power, as between employer and employee, consent is generally not considered freely given, so another legal basis is needed in those contexts.
What’s the difference between traditional biometrics and RBRs?
RBRs do not store a recognizable image or trait and cannot be inverted to recover the original face. Unlike a traditional template, they can also be revoked and reissued if compromised, and a reference generated for one system cannot be reused in another, which makes them considerably more secure and privacy-friendly.
What documentation should be submitted to the legal or data protection department?
Veridas offers technical datasheets, compliance matrices, and system descriptions to include directly in the DPIA.
Want to move forward with your digital identity project without legal roadblocks?
Talk to our legal and solutions team and let us guide you in designing a biometric verification process that’s legal, secure, and effective.