Biometric data is the personal data of any natural person by which the person can be uniquely and unmistakably identified, for example: fingerprint, face biometry. Pursuant to the GDPR Regulation and Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain laws, biometric data are classified in a specific category of personal data as sensitive personal data.
Pursuant to Article 9 (1) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) processing of specific categories of personal data shall be prohibited. Specific categories of personal data are data that reveal racial or ethnic origin, political views, religious beliefs, philosophical beliefs, trade union membership, genetic data, biometric data, health data or data relating to a person’s sexual life or sexual orientation .
Pursuant to Article 9 (2) REGULATIONS (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Protection Regulation) data), the prohibition on processing sensitive personal data does not apply if one of the following conditions is true:
(a) the data subject has expressly consented to the processing of such personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject;
(b) processing is necessary for the purposes of fulfilling the duties and exercising the special rights of the operator or of the person concerned in the field of labor law and social security and social protection law where permitted by Union or Member State law or by collective agreement under the law of a Member State providing adequate safeguards the fundamental rights and interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is not physically or legally capable of expressing his consent;
(d) processing is carried out within the framework of its lawful activity with reasonable assurance by the foundation, association or any other non-profit making entity with a political, philosophical, religious or trade union orientation in condition, and that processing relates exclusively to members or former members of the with regard to its objectives and that personal data will not be disclosed outside the data subject without the consent of the data subject;
(e) the processing relates to personal data demonstrably disclosed by the data subject;
(f) processing is necessary to establish, enforce or defend legal claims or whenever the courts exercise their jurisdiction;
(g) processing is necessary for reasons of substantial public interest, based on Union law or the law of a Member State, which are proportionate to the objective pursued, respect the substance of the right to data protection
and establish appropriate and concrete measures to safeguard the fundamental rights and interests of the data subject;
(h) the processing is necessary for the purpose of preventive or occupational medicine, the assessment of the occupational competence, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services under Union or Member State law or under a health contract workers, and subject to the conditions and guarantees referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health threats or ensuring a high level of quality and safety of healthcare and medicines or medical devices, under Union law or Member State law establishing appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, or for the purposes of scientific or historical research or for statistical purposes pursuant to Article 89 (2). Article 4 (1) on the basis of Union law or the law of a Member State, be proportionate to the objective pursued, respect the essence of the right to data protection and lay down appropriate and concrete measures to safeguard the data subject’s fundamental rights and interests.
It is clear from the above exceptions to the GDPR that biometric data processing is only possible in exceptional cases. For example, companies / organizations that operate scientific research laboratories, information with the highest level of confidentiality and the like are considered to be eligible for biometric processing of personal data. The processing of an employee’s biometric data for the purposes of maintaining the commuting system for the wages and human resources information system is therefore not considered adequate to achieve the purpose. It is also possible to find less vigorous ways to interfere with employee privacy (for example, take pictures of the employee’s face or PIN).
Any intention to deploy biometric technologies should be consulted beforehand by the responsible person (if assigned by the controller), and the controller should respect its advice and guidelines to legalize the intent associated with the practical use and deployment of biometric technology or replace it with an alternative option with less impact on the protection of the privacy of data subjects and must also be subject to a data protection impact assessment (DPIA), where it is essential to address the risks affecting the rights and freedoms of data subjects.