Facial Recognition for Surveillance and Security and the Digital Personal Data Protection Act 2023 in India

Scenario

A Sports Club wants to implement facial recognition technology for the purposes of security, access control, surveillance and accounting.  

Will the DPDP Act 2023 (Digital Personal Data Protection Act 2023) be applicable to facial recognition?

Yes. The DPDP Act 2023 will be applicable.

Does Facial Data fall under the purview of the DPDPA?

Yes. Facial data is classified as “personal data” and often qualifies as “sensitive personal data” due to its biometric nature.

This means that when facial data is stored digitally along with the name or any other identifying details of the person, it will fall under sections 2(t) and 2(n) of the DPDP Act. This applies to a member / employee / guest / vendor / contractor / visitor etc.

Though the DPDP Act does not differentiate between sensitive and non-sensitive personal data, a related statute, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, defines biometrics as:

2(b) “Biometrics” means the technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘voice patterns’, ‘facial patterns’, ‘hand measurements’ and ‘DNA’ for authentication purposes;

2(i) “Personal information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

  1. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to:—
    (i) password;
    (ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
    (iii) physical, physiological and mental health condition;
    (iv) sexual orientation;
    (v) medical records and history;
    (vi) Biometric information;
    (vii) any detail relating to the above clauses as provided to body corporate for providing service; and
    (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

    provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

Who will be the Data Principal as per the DPDPA?

Data Principal = member / employee / guest / vendor / contractor / visitor etc.

In this case the member / employee / guest / vendor / contractor / visitor etc. will be the Data Principal, as their facial data is being captured / stored along with other identifiable information such as their name / Aadhaar number / mobile number etc.

Who will be the Data Fiduciary?

Data Fiduciary = Sports Club

In this case the club will be the Data Fiduciary, as the club management determines the purpose and means of processing the data and will also process the data.

What will be the obligations of the Sports Club as a Data Fiduciary?

  • Security and access control are lawful purposes. However, the consent of the Data Principal, i.e. the member / employee / guest / vendor / contractor / visitor etc., must be taken.
  • When collecting the information, the club needs to show a Notice to the member / employee / guest / vendor / contractor / visitor etc. and must collect their consent.
  • The club needs to appoint certain officers as per the DPDP Act, including a Grievance Redressal Officer.
  • The club needs to have a system that allows the person to withdraw their consent easily.

Does the club need to enable a system for withdrawal of consent to process Personal Data?

Yes. This means there will have to be a sign-out option which allows the guest to remove their data through the same system.

Which officers does the club need to appoint?

As a Data Fiduciary the club must:

  • Appoint a Data Protection Officer (DPO), because the club processes data of children and also to answer queries and inform people as to what data of theirs is stored or captured by the club.
  • Conduct Data Protection Impact Assessments (DPIAs) if the processing poses a high risk (biometrics typically do).
  • Appoint a Grievance Redressal Officer (GRO).

Can the DPO be an outsourced resource or agency, or can it be an add-on responsibility for one of the existing managers, such as an HR Manager or Legal Manager?

Yes. The officers can be existing officers who take on the additional role of DPO / GRO, or they can be outsourced consultants / staff who can also handle grievances and complaints.

Similarly, the club can appoint a third-party Consent Manager / Data Processor to manage the consent / data, although in this case, for facial recognition alone, it may not be suitable.

How will the facial recognition system impact members’ children / minor guests etc.?

There are some added safeguards for the protection of children’s data.

  • Parental consent is required.
  • No tracking, profiling, or targeted advertising is allowed for children.

Retention of Facial Data

If the club has a rule allowing a certain guest entry only 4 times in a month, the data will be retained for at least a month and then be auto-deleted. However, the club also has to provide for the guest to get their data manually deleted before that time; in that case the club will no longer be able to track the guest’s monthly number of entries and may have to impose some conditions on re-entry.
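As an added illustration of the retention rule described above (this is not code from the original page), the following Python sketch keeps each enrolled face record only for the calendar month in which it was captured, counts that month's entries against the 4-visit cap, erases a record immediately when consent is withdrawn, and purges earlier months' records in a job run on the 1st. The principal identifiers and template bytes are constructed placeholders; once a record is erased, the club can no longer count that guest's visits.

```python
from dataclasses import dataclass, field
from datetime import datetime

MAX_GUEST_ENTRIES_PER_MONTH = 4  # the club rule stated on the page


@dataclass
class FacialRecord:
    template: bytes        # biometric template (placeholder bytes in this example)
    captured_at: datetime  # when consent was given and the face was enrolled
    entries: list = field(default_factory=list)


class RetentionLedger:
    def __init__(self):
        self.records: dict[str, FacialRecord] = {}

    def enrol(self, principal_id, template, now):
        self.records[principal_id] = FacialRecord(template, now)

    def entries_this_month(self, principal_id, now):
        rec = self.records.get(principal_id)
        if rec is None:
            return 0  # erased or never enrolled: nothing left to count
        return sum(1 for t in rec.entries if (t.year, t.month) == (now.year, now.month))

    def record_entry(self, principal_id, now):
        """Admit a recognised guest only while under the monthly cap."""
        rec = self.records.get(principal_id)
        if rec is None or self.entries_this_month(principal_id, now) >= MAX_GUEST_ENTRIES_PER_MONTH:
            return False  # unknown / erased, or already at the cap
        rec.entries.append(now)
        return True

    def withdraw_consent(self, principal_id):
        """Manual erasure on request: template and entry log are deleted together."""
        return self.records.pop(principal_id, None) is not None

    def purge_expired(self, now):
        """Scheduled job for the 1st of each month: drop records captured in earlier months."""
        expired = [pid for pid, r in self.records.items()
                   if (r.captured_at.year, r.captured_at.month) < (now.year, now.month)]
        for pid in expired:
            del self.records[pid]
        return len(expired)
```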

What will the Notice to member / employee / guest / vendor / contractor / visitor etc. look like?

SAMPLE NOTICE UNDER SECTION — of the DPDP Act 2024.

(An option for other languages also needs to be given.)

We, at XYZ Club, use facial recognition technology to:

    Authenticate and manage member access to the club premises
    Enhance security for members, guests, and staff
    Maintain attendance and entry logs

What data is being collected?
We will collect and process your facial image using secure biometric recognition systems, together with your photograph, name, mobile number, etc.

Who is collecting the data?
(Sports Club Name)
Full Address / Contact Details
The club may share data with a third-party vendor.

For what purpose will your data be used?
Your facial data will be used only for the purposes stated above: security, accounting, access control and collecting statistics. We will not use your data for marketing, profiling, or unrelated purposes without your explicit consent.

How can you withdraw consent once given?
Your data will be automatically erased on or before the 1st day of the next calendar month, as the club has a policy of allowing a guest only up to 4 times a month. If you wish to have the data removed before that date, you can send an email to the DPO.

How can you record a grievance with the club under the DPDP Act?
Call / Email / WhatsApp

Details of the Data Protection Officer of the club
Mr. / Ms.
Email:

Appeal to the Board
If your query is not addressed by the grievance officer of the club, you can appeal to the Data Protection Board of India.

I hereby agree and give free, specific, informed, unconditional and unambiguous consent to the club (Data Fiduciary) for the processing of my personal data for the purpose of (security…….) and all actions which are necessary for such specified purpose.

I AGREE

In the case of a minor: parent’s / guardian’s consent.

Note: The rules under the DPDP Act are still in draft and have not been notified. The above note is subject to change once the rules are finalised. The Act itself, however, has been notified and is in force.

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 will also apply to facial recognition systems and will require additional action, such as setting up a privacy policy and publishing various other information on the website of the club (which should already have been done).
