BIOMETRICS for Attendance Tracking

Top privacy, s.r.o. | Author: Top privacy, s.r.o.

Biometric data are personal data of a natural person that can be used to identify that person uniquely and unambiguously (e.g., fingerprints, facial biometrics). Under the GDPR and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts, biometric data fall into a special category of personal data and are therefore considered sensitive personal data.

Pursuant to Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the processing of special categories of personal data is prohibited. Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

According to Article 9(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the prohibition on the processing of sensitive personal data does not apply if one of the following conditions applies:

(a) the data subject has given explicit consent to the processing of such personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject;

(b) processing is necessary for the purposes of fulfilling the obligations and exercising the specific rights of the controller or the data subject in the field of employment law, social security law, and social protection law, provided that this is permitted by Union law or the law of a Member State or by a collective agreement under the law of a Member State providing appropriate safeguards for the protection of the fundamental rights and interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, or any other non-profit entity with political, philosophical, religious, or trade union focus, provided that the processing relates exclusively to members or former members of the entity or to persons who have regular contact with it in connection with its objectives, and that personal data will not be disclosed outside this entity without the consent of the data subject;

(e) the processing relates to personal data which the data subject has demonstrably made public;

(f) the processing is necessary for the establishment, exercise, or defense of legal claims, or whenever courts are exercising their judicial authority;

(g) processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection, and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, the assessment of an employee’s fitness for work, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, based on Union or Member State law or pursuant to a contract with a health professional, and is subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring a high level of quality and safety of healthcare and medicines or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1), based on Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection, and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

It is clear from the above exceptions in the GDPR that the processing of biometric data is permitted only in exceptional cases. Legitimate processing of personal data using biometrics includes, for example, processing by companies or organizations that operate scientific research laboratories or handle information classified at the highest level of secrecy, and so on. Processing an employee’s biometric data for the purpose of maintaining an attendance system for the payroll and HR information system is therefore not considered proportionate to achieving the purpose. Methods that intrude less on an employee’s privacy can also be found (e.g., photographing the employee’s face or using a PIN).

Any intention to deploy biometric technology should be consulted in advance with the responsible person (if the controller has appointed one), and the controller should respect their advice and guidance aimed at legalizing the practical use and deployment of biometric technology or at replacing it with an alternative option that has a lesser impact on the privacy of data subjects. The intention must also be subject to a data protection impact assessment (a so-called DPIA), in which it is essential to focus on the risks to the rights and freedoms of data subjects.

