The AEPD publishes its Guide to Implementing Biometric Data in Attendance and Access Control

 

The Spanish Data Protection Agency (AEPD) has recently published the “Guide on the Treatment of Presence Control through Biometric Systems,” a document that establishes criteria for the application of biometrics in access control, both in work and non-work environments. This report details the necessary measures to ensure that the processing of personal data through this technology complies with the General Data Protection Regulation (RGPD) and other relevant regulations.

The AEPD considers the processing of biometric data, whether for identification or authentication purposes, as a high-risk process that involves special categories of data. According to RGPD, the processing of these categories requires the existence of circumstances that lift the prohibition on their handling, as well as conditions that legitimize it.

In the context of timekeeping and access control in work environments, lifting the prohibition based on Article 9.2.b) of the RGPD requires the responsible party to have a specific legal norm authorizing the use of biometric data for these purposes. The Guide emphasizes that, in these cases, consent cannot override the prohibition or be the basis for determining the lawfulness of the processing, due to an imbalance between the affected person and the data controller.

In situations outside the work scope, consent also cannot lift the prohibition, as it involves high-risk processing and does not meet the necessity requirement (Article 35.7.b).

The Guide also establishes restrictions for biometric treatments involving automated decision-making without human intervention, with legal or significant impact on the affected person.

In all cases, before initiating the processing of biometric data, a Data Protection Impact Assessment is required. This assessment must demonstrate the successful completion of the suitability, necessity, and proportionality analysis of the treatment.

Finally, the AEPD provides a set of measures to follow once all the requirements are met in accordance with the principles of the RGPD. These include providing adequate information to the affected individuals, the possibility of revoking biometric identification, using encryption to protect information, deleting data not linked to the original purpose, implementing data protection from the design phase, and applying data minimization practices.

If you would like to expand your knowledge, you can contact addwill‘s labor department by phone at +34 487 52 00 or by email at laboral@addwill.eu. Alternatively, you can contact us through our form by clicking here.