- Why did the CNIL adopt a specific regulation for the use of biometric data processing in the workplace?
Article 9(4) of the General Data Protection Regulation (GDPR) provides that “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health”. On that basis, the revised French data protection act 78-17 of 6 January 1978 (FDPA) grants the French Supervisory Authority (CNIL) the power to issue “standard regulations to ensure the security of personal data processing systems and to regulate the processing of genetic data, biometric data and health data”.
Using that power, and following a sectoral consultation with public bodies and private organisations, the CNIL adopted on 10 January 2019 its first standard regulation laying down legally binding rules for data controllers subject to French law who use biometric systems to control access to premises, devices and applications at work (the “Regulation”).
The Regulation was published by the CNIL on 28 March 2019 and is accompanied by a FAQ that gives companies practical guidance on how to comply with its requirements.
- What is the exact scope of such Regulation?
The Regulation prescribes specific requirements for the processing, by a public or private employer, of biometric data to control access to work premises, information systems or applications used in the context of the business tasks entrusted to data subjects (i.e., employees, agents, interns and contractors).
The provisions of the Regulation are in line with the CNIL’s previous guidelines on the processing of biometric data in the workplace.
The CNIL points out that the rules laid down in the Regulation do not displace the general obligations under the GDPR, notably compliance with the general principles for processing personal data, data subject rights and international transfers. The Regulation merely supplements the GDPR, and compliance with it is compulsory whenever an organisation wishes to implement a processing of personal data that falls within its scope.
- What are the requirements set forth by the Regulation?
Given the particular sensitivity of biometric data, the Regulation imposes stringent obligations on data controllers as to the conditions under which such data may be processed in the workplace:
- Limited purposes: the purposes of the processing are strictly limited to controlling access to premises that require restricted access, or to a limited number of devices and professional IT applications, which must be clearly identified by the organisation.
- Proportionality: the organisation must demonstrate that the above purposes cannot be achieved by means other than the processing of biometric data. The data controller must document why such a high level of protection is needed in the context at hand and show why the processing of biometric data is the most appropriate means of ensuring security.
- Data minimisation: an access control system based on biometric data may only rely on the limited categories of personal data listed in the Regulation, for each of the following categories: (i) identification data on the individuals concerned, collected by the employer or its personnel, and (ii) data generated by the system (log files).
- Restrictions applicable to biometric data: only biometric authentication based on the morphological characteristics of data subjects may be used, and the choice of biometric means (e.g., iris recognition rather than fingerprints) must be documented and justified. Biometric authentication based on biological sampling (e.g., saliva or blood) is prohibited for the purposes of the Regulation.
- Types of biometric templates: for the purpose of the Regulation, a template is a set of measurements of an individual’s morphological characteristics. The Regulation defines three template types which correspond to various levels of data subject control over the way their biometric data is processed by the employer:
- “Type 1” template is the most protective of individual rights: it is stored on a medium that remains in the individual’s exclusive possession (e.g., a token or badge).
- “Type 2” template is under shared control between the individual and the employer: there is a centralised template database, which is encrypted and may only be activated under the control of the individual concerned.
- “Type 3” template is under the exclusive control of the employer and creates the highest risk for individual privacy in the event of a data breach, because there is a centralised template database. Unlike a password, a biometric characteristic cannot be revoked or replaced once the template derived from it has leaked.
The Regulation specifies that “Type 1” templates must be used as a matter of principle, whereas “Type 2” and “Type 3” templates may only be used under exceptional and justified circumstances, for critical environments where the loss of a token or badge would have particularly serious consequences (e.g., access to a nuclear plant or a surgical suite).
- Restricted access to the data: internal “authorisation profiles” must be implemented for access to biometric data. Only personnel with a legitimate business need, depending on their function, may access biometric data (access rights differ depending on which personnel collect the biometric data).
- Limited retention: the organisation must comply with mandatory retention periods and retention arrangements: e.g., raw biometric data used to create biometric templates must be destroyed as soon as the template has been created; the biometric template must be deleted once the data subject’s access authorisation has ended or been withdrawn; log data and identification data must be retained for 6 months after they are recorded, but may be kept in archive mode if required by law or for litigation purposes, in compliance with the applicable statute of limitations.
- Data subject information: data subjects must be provided with specific and individual information before their biometric characteristics are enrolled in the system.
- Security measures: the data controller must take all appropriate precautions, taking into account the nature of the data and the risks the processing raises for data subjects and their rights, to preserve the availability, integrity and confidentiality of the data. The data controller is therefore required to implement the list of measures exhaustively described in the Regulation, or to demonstrate that the measures taken are equivalent. These measures must include (i) measures relating to the data, (ii) measures relating to the organisation, (iii) measures relating to the hardware, (iv) measures relating to the software, and (v) measures relating to the IT channels, notably state-of-the-art encryption. All these measures must be audited yearly and revised in line with the CNIL’s recommendations, as updated from time to time.
- Data Protection Impact Assessment (DPIA): in line with the CNIL’s list of processing activities that require a DPIA (see our previous post on the topic), any employer who wishes to implement a processing of biometric data within the scope of the Regulation must conduct a DPIA and update it at least every three years.
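To make the three template types above concrete, here is an added illustrative model (not part of the CNIL Regulation, its FAQ, or the original post) of where the template and the key live in each case. It assumes templates are fixed-size byte strings, that a fresh capture of the same person differs from the enrolled template by a few bits, and that a toy HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag can stand in for a real AEAD such as AES-GCM from a vetted library; the threshold and template size are assumed toy values.

```python
"""Illustrative model of Type 1 / Type 2 / Type 3 template storage (constructed example).

Templates are fixed-size byte strings; a fresh capture of the same person is
assumed to differ from the enrolled template by a few bits. Stdlib only:
HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag stands in for a
real AEAD (use AES-GCM from a vetted library in practice).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TEMPLATE_LEN = 32      # toy template size in bytes (assumed)
MATCH_THRESHOLD = 24   # max differing bits accepted (assumed toy value)
NONCE_LEN, TAG_LEN = 16, 32


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def matches(stored: bytes, probe: bytes) -> bool:
    return len(stored) == len(probe) and hamming(stored, probe) <= MATCH_THRESHOLD


@dataclass
class Badge:
    """What the individual carries. Type 1 keeps the template itself here;
    Type 2 keeps only the key that unlocks the employer's encrypted copy."""
    holder: str
    template: Optional[bytes] = None
    key: Optional[bytes] = None


# --- Type 1: template only on the medium the individual holds -------------
def enrol_type1(holder: str, raw_sample: bytes) -> Badge:
    # The raw sample is consumed here; nothing biometric stays with the employer.
    return Badge(holder, template=bytes(raw_sample))


def verify_type1(badge: Badge, probe: bytes) -> bool:
    return badge.template is not None and matches(badge.template, probe)


# --- Type 2: central encrypted store, unlockable only with the badge key ---
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()   # separate enc/mac keys


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("template blob rejected: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class Type2Server:
    def __init__(self) -> None:
        self.db: Dict[str, bytes] = {}   # holder -> sealed template (ciphertext only)

    def enrol(self, holder: str, raw_sample: bytes) -> Badge:
        key = secrets.token_bytes(32)
        self.db[holder] = seal(key, bytes(raw_sample))
        return Badge(holder, key=key)    # the key leaves with the individual

    def verify(self, badge: Badge, probe: bytes) -> bool:
        if badge.key is None or badge.holder not in self.db:
            return False
        return matches(unseal(badge.key, self.db[badge.holder]), probe)

    def revoke(self, holder: str) -> None:
        self.db.pop(holder, None)        # delete the template when access ends


# --- Type 3: central plaintext store under the employer's sole control -----
class Type3Server:
    def __init__(self) -> None:
        self.db: Dict[str, bytes] = {}   # holder -> template in the clear

    def enrol(self, holder: str, raw_sample: bytes) -> None:
        self.db[holder] = bytes(raw_sample)

    def verify(self, holder: str, probe: bytes) -> bool:
        return holder in self.db and matches(self.db[holder], probe)
```

The point of the split in Type 2 is that a copy of the employer's database alone is useless: `unseal` rejects it without the key held on the badge, whereas a copy of a Type 3 database hands the attacker every template directly, which is why the Regulation reserves Type 2 and Type 3 for exceptional cases.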
To clarify how the Regulation is to be read, the CNIL also provides a FAQ (covering, e.g., the definitions of biometrics, standard regulation and biometric data processing, the legal basis to rely on for such processing, and how to determine controller and processor status). For more information, please read the Regulation and the FAQ.
For more information, please contact Denise Lebeau-Marianna (Partner) and Alexandre Balducci (Associate), DLA Piper France LLP