Using biometrics as a means of access control is almost always prohibited.

You may use biometrics only if your situation is covered by a legal exception to the prohibition on using biometric data for identification.

The two most common exceptions are:

  • The use of biometrics is necessary for authentication or security.
  • You have obtained explicit consent from the people concerned. This exception does not apply in the relationship between employer and employee, because that relationship is not an equal one.

As an employer, you should only use biometrics for access control if it is necessary. This requires you to make a trade-off: does your building or area really need to be so well secured that there is no other way to do it than by using biometrics? That necessity is not easily established. There must be a compelling public interest, for example the security of a nuclear power plant or of state-secret information.

Before you are allowed to start using biometric data for access control, you should first carry out a data protection impact assessment (DPIA).

If you are going to process biometric data for access control, make sure you comply with biometric data security requirements.

The General Data Protection Regulation (GDPR) stipulates that processing biometric personal data to uniquely identify a person constitutes processing of special personal data. This means that strict rules apply to the use of biometric data, as it is in principle forbidden to process special personal data unless a statutory exception applies.

Biometric data poses high privacy risks because it is unique, which is why biometric data used for identification is given extra protection in privacy legislation. A privacy risk comes into play, for example, in case of data theft. A facial image or fingerprint cannot be changed, whereas a PIN or password can.

Furthermore, biometric data often contains more information than is strictly necessary for the purpose of the processing, such as identification. For example, certain body characteristics also reveal a person's health condition or ethnicity.

Source:
https://www.autoriteitpersoonsgegevens.nl/themas/identificatie/biometrie/toegangscontrole-met-biometrie
https://www.autoriteitpersoonsgegevens.nl/themas/identificatie/biometrie/regels-voor-gebruik-biometrie#beveiligen-biometrische-gegevens

Access control and the Personal Data Act