
The Personal Data Authority (AP) has concluded after an investigation that the company should not have processed employees' fingerprints and is therefore imposing a fine of €725,000. This is the first time the AP has issued a fine for using a fingerprint scan. It is also the highest fine the regulator has ever issued.
Stricter rules apply to biometric personal data as they are special personal data.
The AVG (25-05-2018) provides that the processing of biometric personal data is a processing of special personal data. According to the AVG, processing biometric data to identify a person is in principle prohibited. The Netherlands has laid down additional conditions on this in the UAVG. The ban on processing biometric data does not apply in the Netherlands if the processing is necessary for authentication or security purposes. But the question here is: do the security purposes outweigh the privacy laws? The company can initiate the 'prior consultation process' with the Personal Data Authority, which will then determine whether or not the processing is permissible.
The AVG still has a lot of open standards because it is a new law. Future case law will shape the law further. Safety (security) versus invasion of privacy will be the consideration here. The data controller has to weigh the two or look at alternatives. For example, access tags, codes or passes are much less of an invasion of privacy and could be used by many companies. However, these are more susceptible to fraud.
