Biometric access control and privacy: what does the GDPR say?

The GDPR (General Data Protection Regulation) has been in force since 2018, and this has not gone unnoticed. Many organisations still struggle with its interpretation. In our own field, biometric access control, the GDPR also has a considerable impact.

In the Manfield case, the court ruled that the shoe store chain should not have required employees to provide their fingerprints for biometric access to the checkout system. The case raises the question: what is and is not allowed under the GDPR? In this article, we outline the legal framework that organisations using, or considering introducing, biometric access control must take into account.

Taking account of the GDPR

By now, the GDPR is a familiar acronym. It is the European General Data Protection Regulation. Slightly less known, but certainly no less relevant when talking about biometric access control and privacy, is the GDPR Implementation Act, or GDPRIA.

Where the GDPR leaves room for national choices, these have been incorporated into the GDPRIA where appropriate. Biometric access control is not specifically addressed in the GDPR itself, which applies to all European member states; the GDPRIA, which applies only in the Netherlands, does address it.

GDPR: processing biometric data only with explicit consent and freedom of choice

The GDPR provides that use of biometrics is prohibited (Article 9(1)) “…unless the data subject has given explicit consent to the processing of those personal data for one or more specified purposes…”.

Thus, biometric data may only be processed when the person concerned has given explicit consent. Note that consent also requires freedom of choice: as an organisation, you must therefore always offer an alternative method of identifying the person in question.

Data Protection Impact Assessment (DPIA)

Want to use biometric access control yourself? Then a Data Protection Impact Assessment (DPIA) must always be carried out beforehand. A DPIA is a tool that lets organisations identify the privacy risks involved in processing biometric data, and it can also describe measures to mitigate those risks.

The DPIA must include at least the following components:

  • A systematic description of the data processing

  • The purpose of the processing

  • An assessment of the necessity of the processing, in relation to the invasion of privacy

  • Description of the privacy risks

  • Measures to mitigate these risks

DPIA: where to begin?

Many of the DPIA components relate to how the biometric product you intend to use actually works, so the supplier of your system is a logical starting point. For our own systems, in any case, we have documented all the relevant information in detail.

Interesting option: biometric access control without database processing

Many of the privacy concerns around biometric access control stem from the processing of personal data in a central database: what happens if unauthorised persons gain access to such a database? It is therefore worth noting that there are now also solutions in which a person’s biometric data is not stored and processed in a database, but stored on a card instead.

Even for this type of solution, however, not all systems are alike, for example in the encryption technology used. So whatever solutions you compare, always assess them from a GDPR perspective. Only then can you be sure that both biometric access control and the privacy of your employees are properly managed, as the law requires.
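To make the difference between the two designs concrete, here is an added illustration (not code from this article or from any product) that models a central-database design next to a template-on-card design and shows what each leaves on the server for a breach to expose. It assumes a bit-string template matched by Hamming distance with a constructed 25% tolerance, a reader-held key from which encryption and MAC subkeys are derived, and an HMAC-SHA256 counter-mode stream cipher standing in for whatever encryption a real card product uses.

```python
import hashlib
import hmac
import secrets

THRESHOLD = 0.25   # assumed: accept when at most 25% of template bits differ

def bit_mismatch_fraction(a: bytes, b: bytes) -> float:
    """Hamming distance between two equal-length bit-string templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

class CentralDatabaseDesign:
    """Templates live in a server database; a breach exposes all of them."""
    def __init__(self):
        self.templates: dict[str, bytes] = {}
    def enroll(self, person_id: str, template: bytes) -> None:
        self.templates[person_id] = template
    def verify(self, person_id: str, live_sample: bytes) -> bool:
        return bit_mismatch_fraction(self.templates[person_id], live_sample) <= THRESHOLD
    def data_exposed_on_breach(self) -> dict:
        return dict(self.templates)   # every enrolled template

class TemplateOnCardDesign:
    """The sealed template is carried on the holder's card; the server keeps only
    a register of issued card ids, and the sealing key lives in the readers."""
    def __init__(self, reader_key: bytes):
        self.enc_key = hmac.new(reader_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(reader_key, b"mac", hashlib.sha256).digest()
        self.issued: set[bytes] = set()
    def _xor_stream(self, card_id: bytes, data: bytes) -> bytes:
        # Constructed stream cipher: HMAC-SHA256 in counter mode, card id as nonce.
        blocks = (hmac.new(self.enc_key, card_id + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
        return bytes(d ^ k for d, k in zip(data, b"".join(blocks)))
    def enroll(self, template: bytes) -> dict:
        card_id = secrets.token_bytes(8)   # fresh random id doubles as the nonce
        ct = self._xor_stream(card_id, template)
        tag = hmac.new(self.mac_key, card_id + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        self.issued.add(card_id)
        return {"card_id": card_id, "ct": ct, "tag": tag}   # contents written to the card
    def verify(self, card: dict, live_sample: bytes) -> bool:
        tag = hmac.new(self.mac_key, card["card_id"] + card["ct"], hashlib.sha256).digest()
        if card["card_id"] not in self.issued or not hmac.compare_digest(tag, card["tag"]):
            return False   # revoked or tampered card: never decrypt or match it
        return bit_mismatch_fraction(self._xor_stream(card["card_id"], card["ct"]), live_sample) <= THRESHOLD
    def data_exposed_on_breach(self) -> dict:
        return {"issued_card_ids": set(self.issued)}   # no biometric data held server-side
```

The point to compare is the two `data_exposed_on_breach` results: the database design hands over every template, while the card design can only reveal which card ids exist, and a card whose contents were altered fails the tag check before any matching takes place.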
