Fingerprint enrolment (biometric data) of staff for any workplace access is not something that can be done ad hoc. Data-protection legislation (GDPR)[1] classes biometric data processed to uniquely identify a person as a special category of personal data, subject to specific processing conditions; the EU institutions themselves are bound by the parallel rules of Regulation (EU) 2018/1725, which contains equivalent provisions. The European Data Protection Supervisor (EDPS) raised this very same issue with the European Parliament in 2023[2].
Any decision to push ahead with such a scheme requires a legal basis covering both the collection and the use of this data, and that basis needs to set out how compliance with the applicable data-protection rules will be ensured. This would include all of the following.
- The grounds for lawfulness: a demonstration that the processing satisfies the Article 5(1) principles (‘lawfulness, fairness and transparency’, ‘purpose limitation’, ‘data minimisation’, ‘storage limitation’ and ‘integrity and confidentiality’) together with the applicable internal rules, so that these can be relied on as the legal basis for processing biometric data as the means of access to the premises.
- The exception under Article 9 of the Regulation on which the data controller would rely for processing special categories of personal data (for example Article 9(2)(g), substantial public interest), with a detailed substantiation of why that exception applies.
- An alternative building-access procedure to ensure that staff whose fingerprints are not recognised, or cannot be enrolled, can still enter.
- Documentation of the feasibility of other available options that would not require the use of sensitive data, comparing all options and recording the conclusions.
- Documentation confirming suitable measures to safeguard the data subjects’ rights and freedoms and legitimate interests (Article 23(2)(b) of the Regulation).
- An evaluation of the system showing that it effectively minimises the personal data used, for example by storing only a derived template rather than a fingerprint image, and by keeping that template on a token held by the staff member rather than in a central database where the design allows it.
- An updated data-protection notice on building access, with all staff specifically informed about the new system and all its modalities before the processing starts. If the processing involves automated decision-making, the notice must include meaningful information about the logic involved, as well as the significance and the envisaged consequences of the processing.
Generation 2004 requests that any entity intending to use fingerprint access address all of the issues listed above. The standards apply to the EU as a whole, and the public institutions are treaty-bound to live up to the highest standards. A failure to meet these responsibilities might bring not only reputational damage but also EDPS fines [3].
As always, we would love to hear from you. Please do not hesitate to get in touch with us or leave a comment below.
If you appreciate our work, please consider becoming a member of Generation 2004.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 9, Processing of special categories of personal data.
[2] EDPS, Supervisory Opinion on the MEP biometric attendance register, 11 May 2023.
