Why it is almost never allowed to use biometrics

You can forget your passwords and your cards, but your fingers are always to hand. Would it not be handy to use physical characteristics – biometrics – to secure your business? The rules for biometric security are very strict in the Netherlands. Yet there are opportunities for SMEs.


The action hero runs down the corridor. She has just dodged a thousand lasers and is now arriving at the door to the vault. Unfortunately, it opens only with a fingerprint and an iris scan. So now what? We have all seen this scene in a film at some point. This kind of biometric security also permeates our own lives. For example, DigiD added additional login capabilities (in Dutch) with facial recognition and fingerprints by the end of 2024.

Handy for businesses 

Biometric security can be useful, not only for individual users, but also for businesses. Perhaps you are a contractor, and workers and subcontractors come onto and leave your construction site. Or perhaps you are a shop owner dealing with fraud at your point-of-sale system. In such cases, facial recognition or fingerprint locking can help: you record who is on site at what time, or who has opened the till.

Strict rules 

So biometrics can be useful for your company’s security, but you are not allowed to use it just like that in the Netherlands. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is quite strict. In 2024, 8 holiday parks received a warning (in Dutch). This was because they were using facial recognition at the entrance to swimming pools and playgrounds. The holiday parks had to change this practice quickly or they would be fined heavily.

Highly sensitive 

Why are the rules so strict? That is because of the European privacy law, the GDPR (General Data Protection Regulation). If you want to recognise your employee's fingerprint, you need to store it. And that is not allowed without further ado, because a fingerprint falls into the category of special personal data. Examples of special personal data are medical data, biometric data, and data revealing your race, religion, or sexual orientation. Such data is so sensitive that you have to follow strict rules if you want to keep it.

Consent 

Still, there is opportunity for SMEs to use biometrics. If people give you explicit permission to store their body characteristics, it is allowed. Think of your customers or suppliers. Asking your employees for permission is more complicated. Employees may feel pressured to agree if, for instance, a good evaluation depends on it. Then there is no free consent.

But if you give your employees a suitable alternative to biometrics, you can indeed speak of free consent. If your employee enjoys logging in with biometrics, that is allowed. But as an employer, you must also offer alternatives, such as logging in with a card or PIN code. In such a case, your goal is not primarily security, but convenience for your employees.

Necessary 

If biometric security is really necessary for the security of your company, your employees, or third parties, the law also allows you to use it without permission. A nuclear power plant processes such dangerous material that you can plausibly argue that facial recognition or an iris scan is needed for security. If you have a warehouse, you cannot. After all, there are non-biometric alternatives with which you can adequately secure a warehouse, such as cards, PINs or passwords.

Appropriate security 

The more sensitive the data you process, the better you need to secure it. Think carefully before processing biometric data as an organisation, as this also involves hefty and costly security measures. The GDPR does not prescribe specifically what those measures are. But a simple password is not enough. So, always discuss that form of security with a security specialist. 

Video: GDPR: privacy and personal details

Ask for advice 

In summary, using biometrics to secure your business is not allowed just like that in the Netherlands. But if you follow strict rules, there are opportunities for SMEs. Seek advice from GDPR experts, and make sure you always involve your employees. Because you should not just put an iris scanner in front of the door, like in the film.