ETD-HUB

14: How to Comply with GDPR Data Minimization?

Asked: 3 months, 1 week ago By: Catalink Views: 120 Catalink Case Study: IRIS

To comply with data minimization and purpose limitation (GDPR/EU AI Act), what are the required steps when collecting and processing sensitive biometric data (imagery and heart-rate signals) for driver fatigue detection?

17 Answers

Answered: 1 month, 2 weeks ago By: Chiamakaokorie
-
Answered: 1 month, 2 weeks ago By: Tundefasina
IRIS must:
• Collect only data strictly necessary for drowsiness detection
• Clearly define and document processing purposes
• Limit data retention periods
• Restrict secondary uses (e.g., no emotion or health profiling)
• Conduct a DPIA before deployment
Answered: 1 month, 2 weeks ago By: Zainabodogwu2
• Collect only necessary data
• Define explicit purpose, limit retention
• Secure storage, encryption, audits
Answered: 1 month, 2 weeks ago By: Oliverharrow
Ensure it is collected appropriately and stored properly.
Answered: 1 month, 2 weeks ago By: Ngozioshoba
Only data necessary for fatigue detection should be collected and stored for limited periods. Users must understand why their data is processed. Regular checks ensure the data is not reused beyond its purpose.
Answered: 1 month, 2 weeks ago By: Efeadelaja
• Define clear purpose
• Collect only necessary data
• Limit retention
• Pseudonymize/anonymize data
Answered: 1 month, 2 weeks ago By: Meilincai
To comply with data minimisation and purpose limitation under the GDPR and Article 5 of the EU AI Act, the collection and processing of biometric data for driver fatigue detection must be strictly limited to what is necessary for real-time safety purposes. The purpose of processing should be clearly defined and documented as the estimation of driver fatigue to support immediate safety alerts, with no secondary use such as identity recognition, emotional analysis, health diagnosis, or performance monitoring. Only the least intrusive data required to achieve this purpose should be collected, meaning facial imagery should be restricted to the minimum facial features necessary to infer alertness (for example eye-related indicators) and heart-rate processing should focus on short-term, fatigue-relevant metrics rather than raw physiological signals. Wherever possible, data should be processed in real time or on-device, with raw images and heart-rate signals neither stored nor reused beyond the immediate detection task. Retention periods must be minimal and clearly justified, and any data that is no longer required should be immediately deleted or irreversibly anonymised. Access to biometric data should be tightly controlled, and technical and organisational safeguards should be in place to prevent function creep or unauthorised reuse. Finally, these limitations must be transparently communicated to users through clear notices and reflected consistently across the system’s DPIA, technical documentation, and governance controls.
Answered: 1 month, 2 weeks ago By: Kelechinwosu
processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
Answered: 1 month, 2 weeks ago By: Beatricelorne
• Being able to prove you are using the data for the stated purpose
• Not selling data to third parties or making sensitive data public
Answered: 1 month, 2 weeks ago By: Zainabodogwu32
To comply with GDPR principles and EU AI Act Article 5, IRIS must implement the following steps:
• Clearly define the specific purpose of data collection (fatigue detection only).
• Collect only the minimum data necessary (e.g. facial landmarks instead of raw video where possible).
• Limit data retention to what is strictly required for training, validation, and safety monitoring.
• Prohibit secondary use without renewed legal basis and transparency.
• Regularly review whether collected data remains necessary as models improve.
These steps ensure proportionality and prevent the expansion of surveillance beyond the system’s original safety objective.
Answered: 1 month, 2 weeks ago By: Miles_Hatcher
Collect only data strictly necessary for fatigue detection
Answered: 1 month, 2 weeks ago By: Aminaolorun
Collects data that is strictly necessary for fatigue detection
Answered: 1 month, 2 weeks ago By: Clarawhitby
Biometric data must be collected with a clear purpose, processed transparently and fairly, limited to what is necessary, and never reused in a way that is incompatible with the original purpose.
Answered: 1 month, 2 weeks ago By: Ifeanyiakare
Collect only data strictly needed for fatigue detection. Define and document the explicit purpose for each data type. Limit retention periods and delete data after purpose is fulfilled. Ensure access controls and security to prevent secondary use. Regularly review datasets to remove unnecessary or outdated data.
Answered: 1 month, 2 weeks ago By: Kunleekwueme
To comply with data minimization and purpose limitation under GDPR/EU AI Act Article 5 for biometric data collection in driver fatigue detection, the required steps involve strictly limiting data collection to what is necessary for the specific purpose, ensuring data is not used for other purposes, and implementing robust security and retention policies.
Answered: 1 month, 2 weeks ago By: Sadeogunlana
A "closed-loop" architecture that processes biometric data locally on the vehicle, converts raw imagery and heart-rate signals into anonymized metadata in real time, and immediately deletes the original raw files once the drowsiness assessment is complete.
Answered: 1 month, 2 weeks ago By: Tomashbrook
The reason for collecting the data must be disclosed and should be used for no other reason. No further data should be collected as well.
