The use of biometric data by employers
A new draft recommendation of the Belgian Data Protection Authority (DPA).
Biometric data (such as fingerprints and facial recognition) benefit from special protection under the GDPR due to their sensitive nature. The Belgian Data Protection Authority (DPA) has recently published a draft recommendation that data controllers can use as a guide when processing such data. Below we take a closer look at this recommendation, and in particular at the use of employees' biometric data for access control by their employer.
The use of biometric control systems (e.g. to control access to company premises, computers, workplace applications, etc.) is on the rise. This is, however, not without risk from a data protection point of view.
Indeed, biometric data are considered a special category of personal data under the GDPR given their sensitive nature: they are unique and irreplaceable, unlike e.g. a password. Increased protection is therefore necessary. The processing of these data is in principle prohibited, unless the company can invoke one of the legal exceptions listed in Article 9(2) of the GDPR.
Two possible exceptions are "explicit consent" and "substantial public interest".
Consent was previously accepted by the DPA as the legal basis and exception for processing biometric data for access control in an employment relationship, notwithstanding the general point of view of both the Belgian DPA and the European Data Protection Board (EDPB) that employees cannot in principle freely give their consent given the hierarchical relationship with the employer. For this reason, consent as a legal basis for data processing in an employment relationship should be avoided as much as possible. However, for certain specific data, such as biometric data and images, consent could be the only possibility.
With regard to biometric data, in order to guarantee as much as possible the free nature of the consent, the DPA advised providing an alternative for employees who do not consent (e.g. a classic access badge). However, the DPA now seems to take a different view, again insisting on the strict conditions for the validity of consent (i.e. freely given, specific, informed, and unambiguous/explicit) and stating that it is unlikely that employees can freely give their consent to the processing of biometric data.
Additionally, one should keep in mind that the employee can withdraw his or her consent at any time. Consent therefore cannot in any case be considered a "solid" basis for processing.
The exception of "substantial public interest" is also addressed by the DPA in its recommendation.
Questioning the exception of "consent", especially in the relationship between employer and employee, indeed implies invoking "substantial public interest" as the exception for processing biometric data instead. However, this exception can only be invoked in specific cases provided for by law. The only law that currently explicitly provides for the processing of biometric data is the Act of 19 July 1991 on population registers, identity cards, foreigners' cards and residence documents.
Unlike some of our neighbouring countries, such as the Netherlands, the Belgian legislator did not provide a general legal basis authorizing the processing of biometric data in the context of the unique identification or authentication of a person for security purposes.
With the exception of processing of biometric data in the context of the eID (electronic identity card) and passport, the DPA underlines that there is a gap in Belgian law such that any other processing of biometric data in the context of authentication of persons is currently without legal basis.
The DPA therefore concludes that although the processing of biometric data in the framework of the identification or authentication of persons can be justified in certain cases (i.e. authentication of persons for security purposes, etc.), basing a processing on the legal basis of substantial public interest without any legal provision to that effect seems incompatible with Article 9(2)(g) of the GDPR.
However, the DPA recognizes that these new requirements break with the regime that applied before the entry into force of the GDPR, when the processing of biometric data was not prohibited in principle.
Therefore, taking into account the principles of good governance, as soon as its final recommendation is published, the DPA wants to provide a transition period of one year during which the processing of biometric data will be tolerated in accordance with the old standard. During this period, the DPA will not proactively intervene. This one-year period should allow data controllers and the legislator to provide a legal basis to bring the processing of biometric data into compliance with the provisions of the GDPR.
The DPA also recalls that, when dealing with biometric data, the general principles of the GDPR should always be complied with, including:
- Purpose limitation: the DPA emphasizes that even with explicit consent, biometric data may not be used for any other purpose, for example simply because it is convenient for the controller. The processing must be necessary for the intended purpose, and the benefit for the controller must outweigh the disadvantages and risks for the data subject. Furthermore, where biometric data can be processed for a specific purpose (e.g. access control), they cannot be processed for other purposes (e.g. time registration);
- Proportionality: even if the controller has a legal basis for processing personal data, such data must always be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. For example, in order to secure access control, the processing of biometric data must be limited to the areas for which this processing is necessary;
- Security: the controller must use appropriate technical (e.g. encryption, integrity codes, ...) and organizational (access limited on a strict need-to-know and least-privilege basis, training, ...) measures to secure biometric data and limit their storage. The DPA also recalls that a data protection impact assessment (DPIA) is required when processing biometric data;
- Transparency: data subjects (employees) must of course be properly informed about what biometric data are processed, how, and why.
Finally, the DPA confirms that the domestic use of biometric data (e.g. on smartphones or apps) falls outside the scope of the GDPR.
What to do now?
Many employers currently rely on "explicit consent" as the legal basis for processing their employees' biometric data, which seemed to be tolerated by the DPA. However, in its draft recommendation, the DPA now questions the "free" nature of consent in the context of the employer-employee relationship, due to the subordination of the employee to the employer. Pending an appropriate legal ground for an exception, free consent (obtained via a specific consent form) is currently the only possible basis for the processing of biometric data, provided that all conditions are met for such consent to be considered "valid". In addition, the general principles of the GDPR should always be observed and a DPIA should be carried out.
Let's hope that the Belgian legislator intervenes during this transitional period, putting an end to this situation of uncertainty. To be continued ...
Senior Associate at Claeys & Engels