Ireland’s DPC Fines Department of Social Protection Over Facial Recognition Practices

On 12 June 2025, Ireland’s Data Protection Commission (DPC) published the findings of its investigation into the Department of Social Protection’s (DSP) use of facial matching technology as part of the SAFE 2 registration process for issuing Public Services Cards (PSC).

The DPC found that the DSP lacked a valid legal basis under the GDPR for processing biometric data, including facial images.

This decision represents a notable example of GDPR enforcement in Ireland, particularly concerning biometric technologies used in the public sector.

Key findings included:

  • Infringed Articles 5(1)(a), 6(1), and 9(1) GDPR by failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration at the time of the inquiry;
  • Having regard to the preceding finding, infringed Article 5(1)(e) GDPR by retaining biometric data collected as part of SAFE 2 registration;
  • Infringed Articles 13(1)(c) and 13(2)(a) GDPR by failing to put in place suitably transparent information to data subjects as regards SAFE 2 registration; and
  • Infringed Articles 35(7)(b) and (c) GDPR by failing to include certain details in the Data Protection Impact Assessment that it carried out in relation to SAFE 2 registration.

As a result, the DPC issued:

  • A €550,000 administrative fine
  • A formal reprimand
  • An order requiring the cessation of biometric data processing within nine months, unless a lawful basis is identified

While acknowledging that technical and security safeguards were in place, the DPC underscored the importance of legal clarity and foreseeability when processing sensitive biometric data, especially in public-sector services where individuals may have limited choices.

What This Means for Organisations

This case highlights the need for public and private sector organisations to:

  • Establish a lawful basis before processing biometric or other special category data
  • Ensure full transparency towards data subjects
  • Conduct comprehensive DPIAs that consider necessity, proportionality, and risks
  • Leverage tools like DPO365 to manage compliance tasks efficiently

As GDPR enforcement in Ireland continues to evolve, it’s increasingly important for organisations to align with regulatory expectations and uphold data protection by design, particularly when deploying biometric technologies.

Reference
You can read the full press release from the Data Protection Commission on their official website.