Biometric data is personal data of every natural person that can be used to uniquely and unambiguously identify that person (e.g., fingerprint, facial biometrics). Based on the GDPR and Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain acts, biometric data is classified as a special category of personal data, i.e. sensitive personal data.
Based on Article 9(1) of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the processing of special categories of personal data is prohibited. Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
According to Article 9(2) of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the prohibition on processing sensitive personal data does not apply if one of the following conditions is met:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject;
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law; where permitted by Union or Member State law or by a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject;
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its lawful activities with appropriate safeguards by a foundation, association or any other non-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to members or former members of the body or to persons who are in regular contact with it in connection with its objectives, and that the personal data will not be disclosed outside that entity without the consent of the data subject;
e) the processing relates to personal data which are manifestly made public by the data subject;
f) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
g) processing is necessary for reasons of substantial public interest on the basis of Union law or the law of a Member State which are proportionate to the aim pursued and respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
h) processing is necessary for the purposes of preventive or occupational medicine, assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3;
i) processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring a high level of quality and safety of health care and of medicinal products or medical devices; on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) on the basis of Union or Member State law which are appropriate to the purpose, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
It is clear from the above exceptions to the GDPR that the processing of biometric data is only possible in exceptional cases. Legitimate processing of personal data using biometrics includes, for example, companies/organizations that operate scientific research laboratories or handle information with the highest level of confidentiality, etc. The processing of employee biometric data for the purposes of maintaining an attendance system for payroll and human resources information systems is therefore not considered appropriate for achieving the purpose. Less intrusive ways of interfering with employee privacy can also be found (e.g., using photographs of employees' faces or PINs).
Any intention to use biometric technology should be discussed in advance with the responsible person (if the controller has appointed one), and the controller should respect their advice and guidance on legalizing the intention related to the practical use and deployment of biometric technology or its replacement with an alternative option with less impact on the privacy of the data subjects. The intention must also be subject to a data protection impact assessment (DPIA), where it is essential to focus on the risks to the rights and freedoms of the data subjects.