In a decision dated February 20, 2022, the data protection authority addressed the processing of biometric data for the purpose of driver’s license validation via app by a car rental company.
The respondent rents motor vehicles commercially without providing a driver. In fulfillment of his duty under § 103 para. 1 Z 3 KFG to ensure that its customers have a valid driver’s license (driver’s authorization), they shall be requested to present a driver’s license when the contract is first concluded and at regular intervals thereafter. The respondent enables its customers to perform this verification via app by uploading a photo of the driver’s license as well as a self-portrait (selfie). The uploaded images are compared using special technical procedures to clearly identify the customers. The respondent obtains customer consent for this in advance via app. When uploading the recordings, the complainant experienced a technical error in the app, which meant that he was unable to consent to or object to the processing of his biometric data. In the absence of validly given consent, the data protection authority found a violation of the complainant’s right to confidentiality. The data protection authority was unable to identify the alleged violation of the right to information. The decision is legally binding.
Source: DSB Austria