The CNIL, the French privacy regulator, has adopted regulations requiring companies that wish to collect and process employees’ biometric data to justify the need for a biometrics-based system, implement significant data protection safeguards, and perform data protection impact assessments. These regulations were adopted pursuant to Article 9 of the GDPR, which gives each EU member state latitude to promulgate local rules on processing biometric, genetic or health data.

According to the rules, French employers seeking to use biometric systems will have to demonstrate that less privacy-invasive solutions that do not process biometric data are unable to achieve the imperative purposes for which the biometric system is needed. Employers that meet all these conditions will be able to process biometric data of employees without having to obtain their consent. The rules also favor biometric solutions that do not store the biometric data in a centralized database.

This article was published in the Internet, Cyber and Copyright Group’s April 2019 Newsletter.