With the application of the GDPR, biometric data is considered sensitive. However, biometric access solutions are developing within companies. The CNIL has been mandated by law to propose a model regulation on these devices. The General Data Protection Regulation (GDPR) will soon mark the first anniversary of its entry into force, and work around this text continues. The CNIL has just published a model regulation on the use of biometrics in the workplace. The law on the protection of personal data has given the Commission the task of publishing, in consultation with the public and private bodies representing the actors concerned, “model regulations to ensure the security of data processing systems of a person and to regulate the processing of biometric, genetic and health data.”

Concretely, biometrics is often used for access to certain sites and applications. It is an alternative to the traditional password. Biometrics in information systems means the process of verifying the identity of an individual and authenticating them by using characteristics inherent to their person (e.g. their face, their gait, their fingerprint, etc.). The generated data is considered sensitive according to the GDPR. In its model regulation, the CNIL incorporates several provisions. These include a framework for the use of biometrics for purposes of controlling access to premises, equipment or work applications, and the obligation of the organization to justify the use of biometrics by specific considerations (context, issues, specific technical and regulatory constraints, etc.) that are particularly detailed for the types of biometrics presenting the highest risk.

In addition, the model regulation requires data controllers to carry out a ‘data protection impact assessment’. Frequently asked questions that explore the various provisions of the model regulation in more depth are available on the CNIL website. The parties concerned will find information there on the type of storage that is relevant for the biometric data, the template, whether or not employees’ consent is required, etc.