Access control using biometrics

Do you, as an organisation, want to use biometrics, such as a fingerprint, for giving people access? For example, to a building, an area or a system? This is almost always prohibited. Here you can read when this is allowed and what you have to pay attention to in that case.

Exceptions to the prohibition on the use of biometrics

As an organisation, you are only allowed to use biometrics for access control if a statutory exception to the prohibition on the use of biometrics for the purpose of identification applies in your situation. These are the 2 most common exceptions that may apply:

  • The data subjects have given their explicit consent. This is one of the exceptions in the GDPR to the prohibition on processing special categories of personal data.
  • Processing is necessary for purposes of authentication or security. This exception can be found in the GDPR Implementation Act. However, such necessity will not readily exist. It must concern a substantial public interest. For example, the security of a nuclear power plant or of information that constitutes a state secret.

Access control at work

As an employer, you can use one of the exceptions to the prohibition on processing biometric data.

Exception: security or authentication

If you want to use biometric data for access control, this is only allowed if it is necessary. To determine whether there is a necessity in your case, you must consider whether your building, area or system must be secured to such an extent that you have no option other than using biometrics.

Exception: (explicit) consent

The exception of explicit consent will hardly ever apply in the relationship between employer and employee. As your employees are dependent on you, they are not in a position to refuse. This means that you are unable to meet the requirement that consent must have been given freely.

Access control with consent

Do you, as an organisation, want to process biometric data of your customers for the purpose of access control? And is there no unequal relationship, such as the relationship between employer and employee? Then you can ask your customers for explicit consent for the use of, for example, their fingerprint.

Your customers are not obliged to give consent. Therefore, you must actively offer your customers the option to gain access in another way. For example, by showing their identity document or using an access pass.

DPIA in the case of access control

Before you can start using biometric data for access control, you must carry out a data protection impact assessment (DPIA) first.

Security of biometric data

If you are going to process biometric data for access control, make sure that you meet the requirements for security of biometric data.

Privacystory

Doris (22) takes a firm stand now that she can only get access to the stockroom using a finger scan. "It's not just about the access, you can derive a lot more from it."