Is fingerprint personal data?
Good day to all.
Is fingerprint personal data?
If not, what is the minimum information that can be added to it to make it all personal data?
If I have a user's fingerprint, with which, upon request to an open api, I can make a request and get some last user actions, do I need to take consent from the user for data processing?
If a fingerprint is enough to identify a person, then this is uniquely personal data.
In your case, fingerprint only identifies a specific device, not a person. That is, it is impossible to say what kind of person he is and even what gender he is. Similarly, you can say about the user's login on your site - this is not personal data, although it can quite accurately determine the devices from which a person uses your site.
So the answer is no, it is not personal data.
However, the wording of the law is so vague that no one can accurately interpret it. In a particular case, the court will decide what is PD and what is not. The specifics are drawn from judgments already handed down. In particular, it is precisely known that the full name is a PD. So if the user specifies his full name as the User Agent (of course, you need to try, but technically it is possible), and you just use the User Agent to generate a fingerprint, then the fingerprint will be personal data. It's not certain, but it most likely will be. Similarly, a user can upload his own photo as an avatar - this is also a PD.
In general, everything that can identify a person, including full name, address, passport, phone number, etc. (any of) is a PD.
To insure against the court, simply take consent to processing from everyone from whom you want to take a fingerprint. For example, in Europe it is already the norm to ask on the site whether it is possible for the user to slip cookies. And if it is problematic to take such consent, then most likely there will be no one to complain about you.
And one more nuance. If you hash all the received data (and it doesn’t matter if there is a full name or not), then this will already be anonymized personal data. They are not personal data. The main thing is to choose such an algorithm that it is irreversible, that is, that it is impossible to restore the original data.
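Whether a digest can be turned back into its input depends on how guessable the input is, not only on the hash function. The following is an added example, not part of the answer above: it compares an unkeyed SHA-256 of fingerprint attributes with an HMAC-SHA256 under a server-side secret, and runs a reversibility check against a short candidate list. All function names, attribute names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

def canonical(attrs: dict) -> bytes:
    """Serialize attributes deterministically so equal inputs give equal digests."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode("utf-8")

def plain_digest(attrs: dict) -> str:
    """Unkeyed SHA-256: anyone who can guess the input can recompute the digest."""
    return hashlib.sha256(canonical(attrs)).hexdigest()

def keyed_digest(attrs: dict, key: bytes) -> str:
    """HMAC-SHA256 with a server-side secret: guesses cannot be checked without the key."""
    return hmac.new(key, canonical(attrs), hashlib.sha256).hexdigest()

def recoverable(digest: str, candidates: list, digest_fn: Callable[[dict], str]) -> Optional[dict]:
    """Reversibility check: return the candidate input that reproduces the digest, if any."""
    for attrs in candidates:
        if hmac.compare_digest(digest_fn(attrs), digest):
            return attrs
    return None

# Constructed sample data: a visitor whose User-Agent carries a full name (the case from the answer).
VISITOR = {"user_agent": "Ivan Ivanov", "screen": "1920x1080", "tz": "UTC+3"}
CANDIDATES = [
    {"user_agent": name, "screen": "1920x1080", "tz": "UTC+3"}
    for name in ("Anna Petrova", "Ivan Ivanov", "Oleg Sidorov")
]
SERVER_KEY = secrets.token_bytes(32)  # assumption: kept only on the server, never stored with the digests

def demo():
    stored_plain = plain_digest(VISITOR)
    stored_keyed = keyed_digest(VISITOR, SERVER_KEY)
    # Plain hash: a party holding only the stored digest can confirm a guessed input.
    hit_plain = recoverable(stored_plain, CANDIDATES, plain_digest)
    # Keyed hash: the same guesses, hashed without the real key, match nothing.
    other_key = secrets.token_bytes(32)
    hit_keyed = recoverable(stored_keyed, CANDIDATES, lambda a: keyed_digest(a, other_key))
    return hit_plain, hit_keyed

if __name__ == "__main__":
    print(demo())
```

The keyed digest stays stable for the same visitor, so it still works as a lookup key; anyone who obtains the secret can run the same check as with the plain hash.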