Biometrica Compliance with European Union & EEA Privacy Framework

(GDPR | Law Enforcement Directive | EU AI Act | March 2025)

Overview

Biometrica’s public safety systems are built on a foundation of privacy by design, human oversight, and strict data minimization. Our systems are fully compatible with the major European regulatory frameworks governing data protection, law enforcement use of personal data, and AI deployment:

  1. General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  2. Law Enforcement Directive (LED) (Directive (EU) 2016/680)
  3. EU Artificial Intelligence Act (AI Act) (Adopted March 2024)

GDPR Applicability

The GDPR governs the collection, use, and processing of personal data across the EU and EEA, including sensitive data categories such as biometrics. Biometrica does not operate as a general-purpose controller of biometric data within the meaning of GDPR Article 9, as:

  • Biometrica does not collect, transmit, store, or retain biometric identifiers, biometric templates, faceprints, or any other biometric markers.
  • The biometric comparison process is conducted solely by an independent, NIST-approved third-party provider operating in an isolated, auditable black box environment.
  • Biometrica’s systems only process publicly available law enforcement-sourced data (arrest records, warrants, missing persons, etc.), typically excluded from GDPR’s definition of “personal data” under Article 2(2)(d) when used for law enforcement purposes.

Law Enforcement Directive (LED) Applicability

The Law Enforcement Directive regulates personal data processing for the prevention, investigation, detection, or prosecution of criminal offences.

Biometrica Compliance under the LED:

  • Biometrica systems are designed specifically for public safety and investigative purposes and are only available to:
    • Certified law enforcement agencies.
    • Authorized security partners operating under applicable law.
  • Biometrica acts strictly as a data processor for law enforcement-authorized use cases.
  • Every event within Biometrica’s systems is auditable, with immutable chain-of-custody records.
  • UMbRA (Biometrica’s law enforcement-sourced dataset) is accessible only to authorized, credentialed law enforcement personnel.

AI Act Applicability

The EU Artificial Intelligence Act imposes obligations on high-risk AI systems, including real-time remote biometric identification (RBI).

Biometrica is compliant because:

  • Biometrica does not perform real-time RBI against the general public or conduct mass surveillance.
  • The system triggers alerts only when a human-verifiable, legally relevant match occurs.
  • All biometric comparisons are externalized and isolated via a secure third-party black box system.
  • All alerts are subject to mandatory human-in-the-loop validation.
  • Biometrica maintains no biometric galleries or datasets.

Compliance Highlights:

  • Data Minimization: Biometrica deletes unmatched images instantly and stores no biometric identifiers.
  • Purpose Limitation: Biometrica processes information only for public safety, law enforcement, and authorized security functions.
  • Proportionality: Alerts are relevance-based and limited to legitimate, justified use cases.
  • Transparency: Every alert, query, and match result is recorded and auditable.
  • No Mass Surveillance: Biometrica systems are incapable of indiscriminate monitoring.
  • No Commercial Exploitation: No Biometrica system is used for advertising, profiling, or commercial purposes.