The GDPR (General Data Protection Regulation) has been in force since 2018, and this has not gone unnoticed. Many organisations still struggle with its interpretation. In our own field, biometric access control, the GDPR also has a considerable impact.
The court ruled in that case that the shoe store chain should not have required employees to provide their fingerprints for biometric access to the checkout system. Manfield’s case raises the question: what is actually allowed and what is not allowed under the GDPR? In this article, we outline the legal framework to be taken into account by organisations using or considering introducing biometric access control.
Taking account of the GDPR
By now, the GDPR is a familiar acronym. It is the European General Data Protection Regulation. Slightly less known, but certainly no less relevant when talking about biometric access control and privacy, is the GDPR Implementation Act, or GDPRIA.
Where the GDPR leaves room for national choices, these have been incorporated into the GDPRIA where appropriate. The use of biometric access systems is not discussed within the GDPR, which applies to all European member states. The GDPRIA, which applies exclusively in the Netherlands, does address this.
GDPR: processing biometric data only with explicit consent and freedom of choice
The GDPR provides that use of biometrics is prohibited (Article 9(1)) “…unless the data subject has given explicit consent to the processing of those personal data for one or more specified purposes…”.
Thus, only when someone gives explicit consent may their biometric data be processed. Note that there must also be genuine freedom of choice: consent is not valid if the person has no alternative. So, as an organisation, you should always offer another method of identifying the person in question.
Data Protection Impact Assessment (DPIA)
Want to use biometric access control yourself? If so, a Data Protection Impact Assessment (DPIA) must always be carried out beforehand. A DPIA is a tool that allows organisations to identify the privacy risks involved in processing biometric data. In addition, the DPIA may describe measures to mitigate those risks.
The DPIA must include at least the following components:
A systematic description of the data processing
The purpose of the processing
An assessment of the necessity of the processing, in relation to the invasion of privacy
Description of the privacy risks
Measures to mitigate these risks
Interesting option: biometric access control without database processing
Many of the privacy concerns around biometric access control stem from the processing of personal data in a central database: what if unauthorised persons gain access to such a database? With this in mind, it is worth noting that there are now also solutions in which a person’s biometric data is not stored and processed in a database, but is instead held on a card carried by that person.
Incidentally, even within this type of solution, not all systems are equal, for example when it comes to the encryption technology used. So whatever solutions you compare, always assess them from a GDPR perspective. Only in this way will you ensure that both biometric access control and the privacy of your employees are properly managed, as the law requires.