LEGAL← BACK TO PARIAH.DEV

Legal Basis Guidance

Version 1.0 · Effective date: 21 June 2026

As a Pariah customer you are the data controller for the facial recognition you operate. You must identify and document both:

  1. a lawful basis under UK GDPR Article 6; and
  2. a separate condition under UK GDPR Article 9 (because facial templates are special‑category biometric data used for unique identification).

You cannot process biometric data on Article 6 alone.

1. Article 6 — lawful basis

For commercial premises security, controllers most commonly consider:

2. Article 9 — special‑category condition

You must also satisfy an Article 9 condition. The realistic candidates for private security are narrow:

If you cannot meet an Article 9 condition, you must not process biometric data through the Platform.

3. Necessity, proportionality, and the DPIA

Even with a basis and a condition, processing must be necessary and proportionate. A DPIA is mandatory for facial recognition (see /legal/dpia). Consider whether a less intrusive measure would achieve your aim, minimise the people enrolled, set short retention, and provide strong notice.

4. Practical checklist

5. How Pariah helps

Pariah is your processor. Architecture choices that support proportionality include on‑premises (local) continuous processing, configurable retention, role‑based access, and audit logging. These help, but the lawful basis, DPIA, and notices are your responsibility.


This guidance references the ICO's published materials on facial recognition, live facial recognition, and biometric recognition. The Data (Use and Access) Act 2025 (in force from 19 June 2025) amends UK data protection law and the ICO's biometric guidance is under review — always check the current guidance at ico.org.uk and consult your own adviser. Questions: dpo@pariah.dev