DSP Fined €550,000 for Unlawful Biometric Facial Template Processing Under SAFE 2 Registration
Summary
The DPC completed Inquiry IN-21-7-3 concerning the Department of Social Protection's processing of biometric facial templates under SAFE 2 registration for the Public Services Card. The inquiry found the DSP failed to establish a valid lawful basis for collecting special-category biometric data, unlawfully retained such data, violated transparency obligations, and produced an inadequate Data Protection Impact Assessment. The DPC imposed administrative fines totalling €550,000, issued a formal reprimand, and ordered the DSP to cease processing biometric data within nine months unless a valid lawful basis is established.
Public-sector bodies operating mandatory biometric identification systems should treat this as a benchmark enforcement: the absence of a documented lawful basis for special-category data processing is itself a standalone violation. The €550,000 penalty and mandatory cessation order within nine months signal that scale of processing does not substitute for legal basis. DPIAs for biometric systems must specifically address all Article 35(7)(b) and (c) requirements.
About this source
GovPing monitors Ireland DPC Decisions for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 3 changes logged to date.
What changed
The DPC found the DSP infringed Articles 5(1)(a), 6(1), and 9(1) GDPR by failing to identify a valid lawful basis for collecting biometric facial templates; unlawfully retained biometric data in breach of Article 5(1)(e) GDPR; violated transparency obligations under Articles 13(1)(c) and 13(2)(a) GDPR; and breached Articles 35(7)(b) and (c) GDPR by omitting required details from its Data Protection Impact Assessment.
Public authorities and entities processing biometric data at scale should review their lawful basis documentation, retention schedules, transparency notices, and DPIA completeness. The nine-month cessation order creates an urgent compliance deadline for any similar mandatory biometric processing programmes. The DPC explicitly noted the findings do not challenge the technical or organisational security measures implemented by the DSP.
What to do next
- Contact the Data Protection Commission to confirm compliance requirements
- Identify a valid lawful basis for biometric data processing within nine months
Penalties
Administrative fines totalling €550,000 imposed on the Department of Social Protection
Archived snapshot
Apr 23, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Inquiry concerning the Department of Social Protection
IN-21-7-3
Date of Decision: 9 June 2025
The Data Protection Commission (DPC) has completed an inquiry into the Department of Social Protection’s (DSP) processing of biometric facial templates and the use of associated facial matching technologies as part of the Public Services Card (PSC) registration process, referred to as “SAFE 2 registration”.
Background
This own-volition inquiry, which commended in July 2021, follows a prior DPC investigation into certain aspects of the DSP’s processing of personal data in connection with the issuance of PSCs. That investigation resulted in legal proceedings, in which the DSP appealed an Enforcement Notice issued by the DPC, which were subsequently withdrawn. A joint agreement between the DPC and the DSP as well as the final investigation report from that inquiry were published in December 2021. The final investigation report stated that processing of personal data, including biometric data, by the DSP in respect of SAFE 2 registration was to be addressed separately by the DPC. The current inquiry was established to separately examine the processing of biometric data under SAFE 2 registration, as highlighted in the final investigation report.
Rationale for the Inquiry
SAFE 2 registration is mandatory for applicants seeking a PSC, which is required to access a range of DSP services, including welfare payments. Individuals who do not undergo SAFE 2 registration are unable to access these services. The process involves the collection, storage, and processing of biometric data, specifically facial templates, in relation to a substantial proportion of the population of the State. As biometric data is classified as special category data under the GDPR, it attracts enhanced protections and safeguards.
Given the nature and scale of the processing, the DPC considered that it was essential for the DSP to have a clear and precise legal basis for this processing, accompanied by appropriate safeguards to protect personal data and the fundamental rights of individuals.
Scope of the Inquiry
The inquiry focused on assessing whether:
- the DSP had a valid lawful basis for collecting biometric data as part of SAFE 2 registration;
- the DSP’s retention of biometric data collected as part of SAFE 2 registration was lawful;
- the DSP had complied with its transparency obligations to data subjects; and
- the Data Protection Impact Assessment conducted by the DSP for SAFE 2 registration was adequate.
Findings
The DPC’s decision found that the DSP:
- Failed to identify a valid lawful basis for the collection of biometric data, thus infringing Articles 5(1)(a), 6(1), and 9(1) of the GDPR;
- Consequently, unlawfully retained biometric data in breach of Article 5(1)(e) GDPR;
- Did not provide data subjects with sufficiently transparent information about SAFE 2 registration, violating Articles 13(1)(c) and 13(2)(a) GDPR; and
- Did not include required details in the Data Protection Impact Assessment, breaching Articles 35(7)(b) and (c) GDPR.
Corrective Powers Exercised
The DPC imposed the following sanctions:
- A formal reprimand was issued to the DSP;
- Administrative fines totalling €550,000 were imposed; and
- An order was issued requiring the DSP to cease processing of biometric data related to SAFE 2 registration within nine months unless a valid lawful basis can be identified.
Additional Observations
The DPC noted that the findings and corrective measures do not challenge the principle or policy of SAFE 2 registration itself. Furthermore, the inquiry found no evidence of inadequate technical or organisational security measures implemented by the DSP in relation to biometric data processing.
The full decision [1] can be downloaded at this link: Inquiry into Department of Social Protection June 2025 (17MB, PDF).
[1] For completeness, the DSP has noted that the facial matching software provider referenced in the Decision is no longer the current provider in respect of the processing of biometric data that was the subject of the inquiry.
Named provisions
Related changes
Get daily alerts for Ireland DPC Decisions
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from DPC.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when Ireland DPC Decisions publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.