Access control using biometrics
Do you, as an organisation, want to use biometrics, such as a fingerprint, for giving people access? For example, to a building, an area or a system? This is almost always prohibited. Here you can read when this is allowed and what you have to pay attention to in that case.
Exceptions to the prohibition on the use of biometrics
As an organisation, you are only allowed to use biometrics for access control if a statutory exception to the prohibition on the use of biometrics for the purpose of identification applies in your situation. These are the 2 most common exceptions that may apply:
- The data subjects have given their explicit consent. This is one of the exceptions from the GDPR to the prohibition on processing special categories of personal data.
- Processing is necessary for purposes of authentication or security. This exception can be found in the GDPR Implementation Act. However, such a necessity does not arise easily. It must concern a substantial public interest. For example, the security of a nuclear power plant or of information that constitutes a state secret.
Tip: Also view the other common exceptions to the prohibition on processing special categories of personal data.
Access control at work
As an employer, you can use one of the exceptions to the prohibition on processing biometric data.
Exception: security or authentication
If you want to use biometric data for access control, this is only allowed if it is necessary. To determine whether there is a necessity in your case, you must consider whether your building, area or system must be secured to such an extent that you have no option other than using biometrics.
Exception: (explicit) consent
The exception of explicit consent will hardly ever apply in the relationship between employer and employee. As your employees are dependent on you, they are not in a position to refuse. This means that you are unable to meet the requirement that consent must have been given freely.
Access control with consent
Do you, as an organisation, want to process biometric data of your customers for the purpose of access control? And is there no unequal relationship, such as the relationship between employer and employee? Then you can ask your customers for explicit consent for the use of, for example, their fingerprint.
Your customers are not obliged to give consent. Therefore, you must actively offer your customers the option to gain access in another way. For example, by showing their identity document or using an access pass.
DPIA in the case of access control
Before you can start using biometric data for access control, you must carry out a data protection impact assessment (DPIA) first.
Security of biometric data
If you are going to process biometric data for access control, make sure that you meet the requirements for security of biometric data.