Is consent always a valid legal basis? The example of biometrics

Published on 19 September 2025 at 15:20

Consent, a legal basis… but not always sufficient

The GDPR recognizes consent as one of the six legal bases for processing personal data (Art. 6).
In theory, it might seem sufficient: if a person agrees to the use of their biometric data (e.g., fingerprints, facial recognition), why should that be a problem?

In practice, the answer is more nuanced. Biometric data fall within the category of sensitive data (Art. 9 GDPR), which benefit from enhanced protection. Their processing is, in principle, prohibited — except in strictly regulated cases.


The example of employees and fingerprint-based access control

Let’s imagine a company wishing to secure its premises through an access control system based on employees’ fingerprints.
Even if all employees stated their agreement, this consent would not be considered free and valid within the meaning of the GDPR.

Why? Because the employer/employee relationship is a relationship of subordination: the employee is not in a position to refuse without fearing negative consequences. Consent is therefore presumed to be constrained.


The CNIL’s position: a restrictive approach

The CNIL emphasizes that biometrics must remain an exceptional measure. They may only be used when no less intrusive solution is available to achieve the same security objective.

The CNIL specifically regulates, among other things:

  • biometric access control systems in workplaces,

  • biometric time-tracking devices,

  • facial recognition in public spaces.

In most cases, the CNIL favors alternative solutions: badges, stronger passwords, multi-factor authentication.


A mandatory step: the Data Protection Impact Assessment (DPIA)

Before implementing any biometric system, a Data Protection Impact Assessment (DPIA) is mandatory.
It serves to assess:

  • the necessity and proportionality of the system,

  • the risks to individuals’ rights and freedoms,

  • the possible security and minimization measures.

Only after such an assessment can an organization determine whether the processing is legally and ethically justifiable.


Conclusion

Consent alone does not legitimize the use of biometrics, particularly in the workplace.
Between the general prohibition under the GDPR and the strict limitations set by the CNIL, any organization considering biometrics must anticipate a demanding process: strict justification, exploration of alternatives, and a completed DPIA.

Biometrics can be a powerful security tool, but their use must remain the exception rather than the rule.