A company uses facial recognition on me without consent. Is this legal under GDPR?
Generally, no. Facial recognition used to identify you is processing of biometric data, which Article 9 of the GDPR prohibits unless the company has your explicit consent or can rely on one of the other narrow exceptions in Article 9(2), and even then it must meet the GDPR's general conditions for lawful processing.
What the Law Says
The General Data Protection Regulation (GDPR) treats facial images as 'biometric data' once they are processed through technical means that allow a person to be uniquely identified (Recital 51). Biometric data is a 'special category of personal data', which triggers strict protections.
Under Article 9(1) of the GDPR, processing biometric data for the purpose of uniquely identifying a natural person is prohibited unless one of the specific exceptions in Article 9(2) applies.
Even if an Article 9(2) exception applies, the controller must still have a lawful basis under Article 6(1), such as consent, performance of a contract, or a task carried out in the public interest. It must also conduct a Data Protection Impact Assessment (DPIA) under Article 35, since large-scale processing of special-category data (Article 35(3)(b)) and systematic monitoring of publicly accessible areas (Article 35(3)(c)) are listed as high-risk processing that requires one.
Consent, if relied upon, must be 'freely given, specific, informed and unambiguous' (Article 4(11)) and, for biometric data, 'explicit' (Article 9(2)(a)). Recital 32 requires a clear affirmative act, such as an opt-in checkbox, so pre-ticked boxes, silence or implied acceptance do not count. Recital 43 adds that consent is not freely given where there is a clear imbalance between the data subject and the controller, for example between an employee and an employer.
Statutory text: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person… shall be prohibited.
— Regulation (EU) 2016/679, Art. 9(1) — Prohibition of processing special categories of personal data
Statutory text: Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes…
— Regulation (EU) 2016/679, Art. 6(1)(a) — Lawfulness of processing
Statutory text: Member States may maintain or introduce further conditions, including limitations, with regard to the processing of… biometric data…
— Regulation (EU) 2016/679, Art. 9(4) — Member State derogations
What Courts Have Said
EU courts and data protection authorities have repeatedly found that non-consensual facial recognition, in public or private spaces, breaches GDPR principles, especially where it is deployed without transparency, a demonstrated necessity, or proportionality.
States that real-time remote biometric identification in publicly accessible spaces is 'high-risk' and generally unlawful under GDPR unless strictly necessary for substantial public interest and authorised by EU or Member State law — and even then, requires prior judicial authorisation in most cases.
Confirmed that biometric data processed via facial recognition constitutes 'personal data' under GDPR and that its collection without valid legal basis infringes Articles 5(1)(a), 6(1), and 9(1); emphasised that consent cannot be inferred from silence or inactivity.
What to Do
Check if the company published a privacy notice explaining why and how they use facial recognition — and whether they named a lawful basis under GDPR Articles 6 and 9.
Withdraw any previously given consent (if applicable) in writing. Under Article 7(3), withdrawing consent must be as easy as giving it.
File a complaint with a Data Protection Authority under Article 77. You may complain to the DPA of the Member State where you live, where you work, or where the alleged infringement took place (for example, CNIL in France). If you are in the UK, the ICO handles complaints under the UK GDPR, which retains the same rules for biometric data.
Request access to your biometric data under Article 15. The company must tell you what was collected, how long it is stored, and who it was shared with. Where the processing had no lawful basis, you can also request erasure under Article 17(1)(d).
If harm occurred (e.g., denial of service, profiling, discrimination), consider seeking a judicial remedy in the national courts under Article 79; compensation for material or non-material damage is available under Article 82.
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.