We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.


DPC fines department over Public Services Card
Pic: RollingNews.ie
12 Jun 2025 data law Print

Watchdog fines DSP over use of facial data

The data-protection watchdog has reprimanded the Department of Social Protection (DSP) and fined it €550,000 for breaches of the GDPR linked to the use of biometric data.

The Data Protection Commission (DPC) inquiry covered the department’s processing of biometric facial templates as part of the registration process for the Public Services Card.

The DPC pointed out that this process, known as SAFE 2 registration, was mandatory for anyone who wanted to apply for a Public Services Card.

“Persons who do not submit to such processing cannot access DSP services – including welfare payments,” it said, adding that the department held biometric facial templates on 70% of the population by 2021.

GDPR breaches

Under the GDPR, biometric data is special-category data, to which higher protections and safeguards must be applied.

The DPC found that the department had infringed the GDPR by:

  • Failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration,
  • Retaining biometric data collected as part of SAFE 2 registration,
  • Failing to put in place suitably transparent information on SAFE 2 registration to data subjects, and
  • Failing to include certain details in the Data Protection Impact Assessment that it carried out in relation to SAFE 2 registration.

It has ordered the DSP to halt the processing of biometric data in connection with SAFE 2 registration within nine months of this decision “if the DSP cannot identify a valid lawful basis”.

‘Concrete rules and safeguards’

The watchdog said that the scale and intrusive nature of this processing needed “precise legal justification” to protect people against arbitrary interferences with their rights.

It added that “concrete rules and safeguards” governing the processing of such data were vital, “irrespective of the public policy objectives and benefits it is intended to achieve”.

DPC deputy commissioner Graham Doyle stressed that none of its findings were linked to the roll-out of SAFE 2 in principle, adding that the inquiry did not find any evidence of inadequate technical and organisational security measures deployed by the DSP.

“This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data-protection law and whether the DSP operates SAFE 2 registration in a data-protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard,” he concluded.

In 2019, a separate DPC inquiry into certain aspects of the processing of data linked to Public Services Cards led to a legal challenge by the DSP, which was settled by an agreement reached between the two organisations in December 2021.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland
Copyright © 2025 Law Society Gazette. The Law Society is not responsible for the content of external sites – see our Privacy Policy.