How biometric identification can revolutionize the UX by complying with the norm

The collection of biometric information is a sensitive topic. Therefore, the existing regulation in Europe is very strict. B-FY guarantees its clients adequate compliance with current regulations.

Biometrics is becoming the technology of choice for the authentic identification of persons in various industries. The main reason for this is that it uses biological patterns, unique to each person, to ensure that you are who you say you are.

In addition, because it is a technology that offers greater guarantees than systems such as the use of passwords, it is the safest to prevent the violation of user data.

However, we must remember that the collection of biometric information is a sensitive issue. Therefore, the existing regulation is very strict as to when and how this information can be collected, and for how long a company can keep this data.

In Europe, the rule that governs the collection of biometric data, as well as other types of personal and biographical data –date of birth, marital status, gender, name or address– is the General Data Protection Regulation, which came into force in 2016.

The GDPR is mandatory in all 27 EU member states and protects around 500 million people, including EU citizens and long-term residents.

In the case of biometric data, the RGPD establishes that "its treatment to uniquely identify a natural person is prohibited". This rule defines biometric data as "special categories of personal data" and establishes a series of exceptions for its collection and treatment.


One of the first ideas on which this company is based is to protect people against fraud and protect their identity.

By using the B-FY system to identify their users, our clients integrate our bookstore service into their application. To verify the user's identity, we only need their email and phone number, so that the device is associated with a single person.

Unlike other applications where the person accesses the service with a password, and then associates a biometric pattern such as their fingerprint or face with that password, in the case of B-FY there are no passwords that can be stolen or hacked.

When a password associated with the biometric pattern is used, anyone who has access to that password can associate their own biometric pattern on any device and access the service.

With B-FY, the biometric pattern of a person is associated with the device that they have registered as theirs, and their data always remains in the hands of the user. Thus, no one will be able to access a service protected with B-FY by entering the password on a phone other than the one registered as theirs and associating a different biometric pattern, because such password does not exist as part of the identification protocol.

The GDPR is mandatory in all 27 EU member states and protects around 500 million people, including EU citizens and long-term residents.
The GDPR is mandatory in all 27 EU member states and protects around 500 million people, including EU citizens and long-term residents.


The registration data (phone and email) are stored in a database, which is in a sealed network that is only accessible from the B-FY platform itself.

The client company must integrate the B-FY solution in the places where it wishes to make an identification, whether online (web, support systems, or any relevant application depending on the sector), and also physically, in a control system of access to buildings, events or where it is considered appropriate.

They will show a QR code that the user will read from the application installed on their phone device, and that will implicitly have the service they want to access. With this, geolocated access controls can also be applied, without activating the geolocation of mobiles, removing something else that generates a lot of friction regarding the privacy of people's movements.

This procedure will start a communication process between the smartphone and the website during which the user will identify himself with the biometric parameter of the website. This way we guarantee the identity of the user.


Through a Data Processing Contract (DPA) it is established that the client is the owner of the collected data (email and telephone of the user), while B-FY oversees the treatment of those data that it uses for the identification process.

B-FY is always in charge of managing the data, since their treatment is not subcontracted, nor is it delegated to third parties. In the same DPA that establishes the ownership and management of the data, it is specified that, as soon as the provision of services between B-FY and its client ends, the data will be deleted.

In compliance with the law, our clients must specify in their Privacy Policy addressed to the end user that there is a transfer of data to B-FY to identify them. This is indicated by the GDPR regulations.

Do you want to know more? Request a free demo here.