Legal Basis Guidance
Version 1.0 · Effective date: 21 June 2026
As a Pariah customer you are the data controller for the facial recognition you operate. You must identify and document both:
- a lawful basis under UK GDPR Article 6; and
- a separate condition under UK GDPR Article 9 (because facial templates are special‑category biometric data used for unique identification).
You cannot process biometric data on Article 6 alone.
1. Article 6 — lawful basis
For commercial premises security, controllers most commonly consider:
- Legitimate interests (Art. 6(1)(f)) — often the most realistic basis, requiring a documented Legitimate Interests Assessment (LIA) showing your security purpose, necessity, and that it is not overridden by individuals' rights. Facial recognition is intrusive, so the balancing test is demanding.
- Consent (Art. 6(1)(a)) — rarely workable for indiscriminate public‑space capture (consent must be freely given, specific, informed, unambiguous), but may suit access‑control scenarios.
- Legal obligation / public task — generally only relevant to specific regulated or public bodies.
2. Article 9 — special‑category condition
You must also satisfy an Article 9 condition. The realistic candidates for private security are narrow:
- Substantial public interest (Art. 9(2)(g)) with a basis in the Data Protection Act 2018, Schedule 1 — e.g. the preventing or detecting unlawful acts condition — which carries its own appropriate policy document requirement.
- Explicit consent (Art. 9(2)(a)) — high bar; usually impractical for general surveillance.
If you cannot meet an Article 9 condition, you must not process biometric data through the Platform.
3. Necessity, proportionality, and the DPIA
Even with a basis and a condition, processing must be necessary and proportionate. A DPIA is mandatory for facial recognition (see /legal/dpia). Consider whether a less intrusive measure would achieve your aim, minimise the people enrolled, set short retention, and provide strong notice.
4. Practical checklist
- [ ] Documented Article 6 basis (+ LIA if legitimate interests).
- [ ] Documented Article 9 condition (+ DPA 2018 Sch.1 appropriate policy document where required).
- [ ] Completed DPIA, kept under review.
- [ ] Signage and privacy notice in place.
- [ ] Watchlist entries individually justified and proportionate.
- [ ] Retention periods set and enforced.
- [ ] Process for data‑subject rights, including erasure for listed individuals.
- [ ] Human review before significant decisions.
5. How Pariah helps
Pariah is your processor. Architecture choices that support proportionality include on‑premises (local) continuous processing, configurable retention, role‑based access, and audit logging. These help, but the lawful basis, DPIA, and notices are your responsibility.
This guidance references the ICO's published materials on facial recognition, live facial recognition, and biometric recognition. The Data (Use and Access) Act 2025 (in force from 19 June 2025) amends UK data protection law and the ICO's biometric guidance is under review — always check the current guidance at ico.org.uk and consult your own adviser. Questions: dpo@pariah.dev