This paper integrates and cuts across the domains of privacy law and biometrics. Specifically, this paper presents a legal analysis of the use of Automated Facial Recognition Systems (the AFRS) in commercial (retail store) settings within the European Union data protection framework. The AFRS is a typical instance of biometric technologies, where a distributed system of dozens of low-cost cameras uses psychological states, sociodemographic characteristics, and identity recognition algorithms on thousands of passers-by and customers. Current use cases and theoretical possibilities are discussed due to the technology's potential to become a substantial privacy issue. First, this paper introduces the AFRS and EU data protection law. This is followed by an analysis of European data protection law and its application in relation to the use of the AFRS, including requirements concerning data quality and legitimate processing of personal data, which, finally, leads to an overview of measures that traders can take to comply with data protection law, including by means of information, consent, and anonymization.