FDPIC concludes investigation into voice recognition at PostFinance
The Federal Data Protection and Information Commissioner (FDPIC) has examined whether PostFinance AG is violating data protection regulations when using voice recognition as a means of authentication. It concluded the investigation on 16 May 2025 with a ruling instructing PostFinance to obtain the express consent of the person concerned when creating voiceprints for voice recognition and to delete voice prints for which no consent has been explicitly been given.
Voiceprints are a type of biometric data. Under data protection law, they are considered sensitive personal data if they enable the identification of an individual. Voice recognition and other biometric identification systems can benefit both operators and data subjects. However, in view of increasing technological development, these systems also pose risks with regard to the protection of fundamental rights and freedoms. A person's voice is a unique aspect of their identity and inextricably and irrevocably linked to their personality. Unlike a password, it cannot be recreated in case of misuse.
In its investigation, the FDPIC found that PostFinance's processing of biometric data for authentication purposes violates the principle of proportionality. In addition, voiceprints are being created without customers explicitly providing their consent. This means that customers who do not wish to use voice recognition must actively choose to opt out.
The FDPIC considers this procedure a violation of data protection law and has ordered PostFinance to obtain an explicitly given consent of data subjects when creating voiceprints for use in voice recognition. The company must also delete voiceprints for which no consent has been explicitly given. PostFinance has appealed the FDPIC ruling to the Federal Administrative Court. The ruling has therefore not yet taken full legal effect.