-

Both facial imagery and heart-rate signals raise critical concerns around surveillance, autonomy, and data misuse. Under GDPR Article 9, facial data used for identification and heart-rate data used to infer health states can be considered special category personal data, requiring explicit consent, DPIAs, and strict access controls.

Special category data (facial + heart rate) • Requires risk assessment, transparency, accuracy, human oversight, post-market monitoring

Yes

If passengers are unintentionally captured, privacy and consent issues arise. Operators must minimize incidental recording and clearly inform passengers. Safeguards are needed to prevent unnecessary data collection.

Facial images and heart-rate signals are special-category data under GDPR Article 9. Using them for drowsiness detection makes IRIS a high-risk AI system under the EU AI Act, raising key ethical and legal issues around consent, data minimization, accuracy, transparency, security, and liability.

Unlawful processing without a valid Article 9 condition • Overreach beyond safety monitoring into health assessment

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

States can limit the data processed like heart rate signal

Under the EU AI Act, the collection and processing of biometric data for a safety-critical system like IRIS raises critical ethical and legal concerns related to fundamental rights, proportionality, and discrimination. High-risk AI systems are expected to minimise risks to privacy, ensure fairness, and implement strong governance mechanisms. Under GDPR Article 9, both facial imagery (when used for facial analysis or identification) and heart-rate signals fall under special categories of personal data: Facial imagery qualifies as biometric data. Heart-rate signals qualify as health data. Processing this data is prohibited unless a specific exception applies (e.g. explicit consent, substantial public interest, or safety-related necessity combined with safeguards). This significantly raises the compliance threshold for IRIS and increases the importance of documentation, consent management, and technical safeguards.

Yes, they are special category of personal data under GDPR 9. They race ethical and legal issues around consent, privacy, bias, security, and high-risk AI compliance under the EU AI Act.

Heart rate signal and it falls under prohibited facial recognition

Yes they do in GDPR Article 9 number 1

Biometric and physiological data are high-risk AI inputs. Facial images - biometric identifiers; heart-rate - health data. Both are special categories under GDPR Article 9 - require explicit consent and lawful processing. Must demonstrate risk mitigation, fairness, transparency, and accountability.

Yes, the collection and processing of biometric data like facial imagery and heart rate signals fall under the special categories of personal data in GDPR Article 9.

Yes

Yes, it falls under personal data and that infringes on privacy.