News & Media

DPC announces conclusion of investigation into use of facial matching technology in connection with the Public Services Card by the Department of Social Protection

12th June 2025

The Data Protection Commission (DPC) has today announced its final decision following the conclusion of an inquiry into the Department of Social Protection (DSP). This inquiry, which commenced in July 2021, examined the DSP’s processing of biometric facial templates, and usage of associated facial matching technologies, as part of the registration process for the Public Services Card. This process is known as “SAFE 2 registration”.

 

Background

This inquiry followed on from a separate inquiry previously carried out by the DPC into certain aspects of the DSP’s processing of personal data in connection with the issuing of Public Services Cards, which concluded in 2019. The DSP initially brought legal proceedings against the decision of the DPC in that inquiry by way of an appeal to the Circuit Court. This appeal was ultimately withdrawn and a joint agreement between the DPC and the DSP, as well as the final investigation report from that inquiry, were published in December 2021.

That final investigation report stated that processing of personal data, including biometric data, by the DSP in respect of SAFE 2 registration was to be addressed separately by the DPC. Today’s decision is the culmination of that separate inquiry process.

 

Rationale for the inquiry

SAFE 2 registration is mandatory for anyone who wishes to apply for a Public Services Card. Persons who do not submit to such processing cannot access DSP services, including welfare payments. The rollout of Safe 2 registration has resulted in the ongoing collection, storage and processing of highly sensitive personal data, including biometric data consisting of facial templates, on a large scale by the DSP. Under the GDPR, biometric data is categorised as special category data to which higher protections and safeguards must be applied. In 2021, the DSP held biometric facial templates relating to 70% of the population of the State.

The facial matching technology used by the DSP involves the creation of biometric data relating to a very substantial proportion of the population. The scale and intrusive nature of the processing requires precise legal justification. In such circumstances, it is established European case law that legislation which is precise and foreseeable is necessary to ensure protection against arbitrary interferences with the rights of individuals. 

In light of the above, it is vital that SAFE 2 registration rests on a suitably clear and precise legal foundation providing for concrete rules and safeguards governing the nature and specific arrangements for the underlying processing of biometric data, irrespective of the public policy objectives and benefits it is intended to achieve.

 

Scope of the inquiry

The scope of the inquiry concerned an examination and assessment of the following:

  1. Whether the DSP had a lawful basis for collecting biometric data for the purposes of conducting facial matching as part of SAFE 2 registration;
  2. Whether the DSP had a lawful basis for retaining biometric data collected as part of SAFE 2 registration;
  3. Whether the DSP complied with its transparency obligations in respect of data subjects undergoing SAFE 2 registration; and
  4. Whether the DSP had carried out an adequate Data Protection Impact Assessment as part of SAFE 2 registration.

 

Findings

The DPC’s decision, which was made by Commissioner Dale Sunderland, and was notified to the DSP this week, finds that the DSP:

  • Infringed Articles 5(1)(a), 6(1), and 9(1) GDPR by failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration at the time of the inquiry;
  • Having regard to the preceding finding, infringed Article 5(1)(e) GDPR by retaining biometric data collected as part of SAFE 2 registration;
  • Infringed Articles 13(1)(c) and 13(2)(a) GDPR by failing to put in place suitably transparent information to data subjects as regards SAFE 2 registration; and
  • Infringed Articles 35(7)(b) and (c) GDPR by failing to include certain details in the Data Protection Impact Assessment that it carried out in relation to SAFE 2 registration.

 

Corrective Powers Exercised

In light of the infringements identified above, the DPC has (1) reprimanded the DSP, (2) issued administrative fines totalling €550,000, and (3) issued an order to the DSP requiring it to cease processing of biometric data in connection with SAFE 2 registration within 9 months of this decision if the DSP cannot identify a valid lawful basis.

 

Deputy Commissioner, Graham Doyle commented:

“It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle. The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry.

This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard.”

 

The DPC will publish the full decision and further related information in due course.