Scenario
A Sports Club wants to implement facial recognition technology for the purposes of security, access control, surveillance and accounting.
Will the DPDP Act be applicable to facial recognition?
Yes. DPDP Act 2023 will be applicable.
Does Facial Data fall under the purview of the DPDPA?
Yes. Facial data is classified as “personal data” and often qualifies as “sensitive personal data” due to its biometric nature.
This means that when the facial data is stored digitally along with the name or any identifying details of the person it will fall under section 2(t) and 2(n) of the DPDP Act. This will apply to a member / employee / guest / vendor / contractor / visitor etc.
Who will be the Data Principal as per the DPDPA?
Data Principal = member / employee / guest / vendor / contractor / visitor etc.
In this case the member / employee / guest / vendor / contractor / visitor etc. will be the Data Principal as their facial data is being captured / stored along with some other identifiable information like their name / aadhaar number / mobile number etc.
Who will be the Data Fiduciary?
Data Fiduciary = Sports Club
In this case the club will be the Data Fiduciary as the club management will determine the purpose and means of processing the data and will also process the data.
What will be the obligations of the Sports Club as a Data Fiduciary?
- Security and access control is a lawful purpose. However, consent of the Data Principal i.e. the member / employee / guest / vendor / contractor / visitor etc. must be taken.
- Upon collecting the information the club needs to show a Notice to the member / employee / guest / vendor / contractor / visitor etc. and must collect their consent.
- The club needs to appoint certain officers as per the DPDP Act, including a Grievance Redressal Officer.
- The club needs to have a system that allows the person to withdraw their consent easily.
Does the club need to enable a system for withdrawal of consent to process Personal Data?
Yes. This means there will have to be a sign-out option which will allow the guest to remove their data through the same system.
Which officers does the club need to appoint?
As a Data Fiduciary the club must:
- Appoint a Data Protection Officer (DPO), due to processing data of children and also to answer queries and inform people what data of theirs is stored or captured by the club.
- Conduct Data Protection Impact Assessments (DPIAs) if the processing poses high risk (biometrics typically do).
- Appoint a Grievance Redressal Officer.
Can the DPO be an outsourced resource or agency or can it be an addon responsibility to one of the existing Managers like an HR Manager or Legal Manager etc.?
Yes, the officers can be existing officers who take on an additional role of DPO / GRO, or they can be outsourced consultants / staff who can also handle grievances and complaints.
Similarly, the club can appoint a third party Consent Manager / Data Processor to manage the consent / data, although in this case, just for facial recognition, it may not be suitable.
How will the facial recognition system impact member’s children / minor guests etc.?
There are some added safeguards for data protection of children.
- Parental consent is required.
- No tracking, profiling, or targeted advertising is allowed for children.
Retention of Facial Data
If the club has a rule to allow a certain guest only 4 times in a month, the data will be retained for at least a month and then be auto-deleted. However, we can have the provision of allowing the guest to get their data manually deleted before that time frame, but we will have to have a policy on that, as we will then not be able to track their monthly number of entries to the club. For room guests etc. we will need to have special policies.
What will the Notice to member / employee / guest / vendor / contractor / visitor etc. look like?
SAMPLE NOTICE UNDER SECTION — of the DPDP Act 2024.
(Option for other languages also needs to be given)
We, at XYZ Club, use facial recognition technology to:
- Authenticate and manage member access to the club premises
- Enhance security for members, guests, and staff
- Maintain attendance and entry logs
What data is being collected? | We will collect and process your facial image using secure biometric recognition systems. Photograph, Name, Mobile Number etc. |
Who is collecting the data? | Sports Club, Full Address / Contact Details. The club may share data with a third party vendor. |
For what purpose will your data be used? | Your facial data will be used only for the purposes stated above. We will not use your data for marketing, profiling, or unrelated purposes without your explicit consent. Security, Accounting, Access Control and collecting statistics. |
How can you withdraw consent once given? | Your data will be automatically erased on or before the 1st date of the next calendar month, as the club has a policy of allowing a guest only up to 4 times a month. If you wish to have the data removed before that date, you can send an email to the DPO. |
How can you record a grievance with the club under the DPDP Act? | Call / Email / WhatsApp |
Details of Data Protection Officer of the club | Mr. / Ms. Email: |
Appeal to the Board | If your query is not addressed by the grievance officer of the club you can make an appeal to the Data Protection Board of India. |
I hereby agree and give free, specific, informed, unconditional and unambiguous consent to the club (Data Principal) for the purpose of processing of my personal data for the purpose of (security…….) and all actions which are necessary for such specified purpose.
I AGREE
In case of a minor (parent's / guardian's consent)
Note: The rules under the DPDP Act are still in a draft state and have not been notified. The above note is subject to changes in the rules. The Act, however, has been notified and is in force.
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 will also be applicable to Facial recognition systems and will require additional action like setting up a privacy policy and publishing of various other information on the website of the club (as it should already have been done).