The CNIL has published rules on the processing of biometric data that employers use to control access to the workplace and the use of devices and applications by employees, agents, interns or contractors. Here, we explain what this means and what will change for employers.
In January 2019, the French data protection regulator, the Commission nationale de l'informatique et des libertés (CNIL), issued its first set of rules following the entry into force of the 2018 French Data Protection Act. The Act updates French data protection legislation in light of the 2016 EU General Data Protection Regulation (GDPR) and gives the CNIL the responsibility to define and publish rules on the processing of biometric, health and genetic data, which the GDPR regards as constituting sensitive data.
Employers, including international organisations with operations in France, will need to assess their use of biometric information for access to the workplace (for example, by means of fingerprints or finger veins) in accordance with the rules' test described below.
The rules define the requirements in respect of:
The GDPR defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data".
The CNIL also considers that the result of recording raw biometric data and processing it by means of algorithms in a way that makes it impossible to reconstitute the raw data (the "output") constitutes secondary biometric data.
Some of the key points in the rules are:
Prohibited biometric data: the authentication by means of biological samples, such as saliva or blood, is strictly prohibited.
Choice of biometric data: employers must justify and document why they have chosen one means of biometric authentication over another (iris, fingerprints, finger veins etc.).
Levels of control of the biometric data: the CNIL identifies three levels (Types) of control of the output, between the employer and the data subject.
For all those levels of control, the data controller must be able to justify its use of the data.
In addition, special circumstances must justify the use of an output other than a Type 1 output:
Type 2 output: the data controller must be able to show that the equipment storing the data dedicated only to Type 1 output is not adapted to the system architecture and the context of use;
Type 3 output: the data controller must be able to show that the equipment storing Type 1 or Type 2 output is not adapted to the system architecture and the context of use. It is worth noting that a Privacy Impact Assessment is required.
Retention period:
Journaling of access: journaling data can be retained on an active database no longer than six rolling months from the date of registration. The data can be archived on databases with restricted access when retention is required by law or is needed in the event of a dispute.
Notice to data subjects: the employer must inform, in writing and on an individual basis, each data subject prior to processing the data.
Data security: The rules impose enhanced security measures, including encryption of the biometric data, use of integrity codes (hashing or signature).
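The integrity-code requirement above (hashing or signature over the stored biometric data) is illustrated by the following added example; it is not code from the original article or from the CNIL. It assumes a keyed HMAC-SHA256 tag is computed over each stored template together with the subject identifier and a key identifier, so that both a modified template and a template moved from one subject's record to another's are rejected before any matching takes place. Encryption at rest (an AEAD cipher such as AES-GCM applied by the storage layer) is assumed to be handled separately and is not shown, since the example is standard-library only. All names, the record layout and the sample templates are constructed for the illustration.

```python
"""Integrity protection for stored biometric templates (constructed example).

The template store keeps, for each enrolled subject, the template bytes plus an
HMAC-SHA256 tag. The tag covers the subject id and the key id as well as the
template, so tampering with the template or swapping records between subjects
is detected on load. Encryption at rest is assumed to be applied separately.
"""
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class TemplateRecord:
    subject_id: str      # the enrolled employee / contractor / intern
    key_id: str          # identifies the integrity key in use (supports rotation)
    template_b64: str    # the (assumed already encrypted) template, base64
    tag_hex: str         # HMAC-SHA256 integrity code over the fields above


def _integrity_tag(key: bytes, subject_id: str, key_id: str, template: bytes) -> bytes:
    # Canonical encoding of everything the tag must bind: subject, key id, template.
    message = json.dumps(
        {"subject": subject_id, "key_id": key_id,
         "template": base64.b64encode(template).decode("ascii")},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).digest()


def enroll(key: bytes, key_id: str, subject_id: str, template: bytes) -> TemplateRecord:
    """Create the stored record for a newly enrolled subject."""
    tag = _integrity_tag(key, subject_id, key_id, template)
    return TemplateRecord(subject_id, key_id,
                          base64.b64encode(template).decode("ascii"), tag.hex())


def load_verified(key: bytes, key_id: str, record: TemplateRecord) -> Optional[bytes]:
    """Return the template only if its integrity code verifies; otherwise None."""
    if record.key_id != key_id:
        # Record was tagged under a different key: refuse rather than guess.
        return None
    template = base64.b64decode(record.template_b64)
    expected = _integrity_tag(key, record.subject_id, key_id, template)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, bytes.fromhex(record.tag_hex)):
        return None
    return template


# Constructed sample templates; real ones would be vendor-specific feature vectors.
ALICE_TEMPLATE = bytes(range(0, 32))
BOB_TEMPLATE = bytes(range(32, 64))


def demo() -> dict:
    """Exercise the happy path and the three failure modes the tag is meant to catch."""
    key = os.urandom(32)
    key_id = "integrity-key-1"
    alice = enroll(key, key_id, "alice", ALICE_TEMPLATE)
    bob = enroll(key, key_id, "bob", BOB_TEMPLATE)

    # 1. Template bytes modified in storage: flip one byte and re-encode.
    raw = bytearray(base64.b64decode(alice.template_b64))
    raw[0] ^= 0x01
    tampered = replace(alice, template_b64=base64.b64encode(bytes(raw)).decode("ascii"))

    # 2. Alice's template and tag copied into Bob's record (record swap).
    swapped = replace(bob, template_b64=alice.template_b64, tag_hex=alice.tag_hex)

    # 3. Record presented after the integrity key has been rotated.
    rotated_key = os.urandom(32)

    return {
        "valid": load_verified(key, key_id, alice) == ALICE_TEMPLATE,
        "tampered": load_verified(key, key_id, tampered),
        "swapped": load_verified(key, key_id, swapped),
        "rotated": load_verified(rotated_key, key_id, alice),
    }


if __name__ == "__main__":
    print(demo())  # {'valid': True, 'tampered': None, 'swapped': None, 'rotated': None}
```

Binding the subject id into the tag is the part that matters for an access-control system: a tag over the template alone would still verify after an attacker copied one subject's record onto another, which is exactly the substitution a workplace access system must refuse.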
Employers should be aware of the new CNIL rules and reassess their need to use biometric information in order to control the physical or electronic access to the workplace by data subjects.
Employers should also note that the data subjects referred to in the CNIL rules are not only employees, but are also third parties having access to the workplace, such as interns, trainees, agents and contractors.
Employment contracts tend to be the primary means of informing employees about data processing, supplemented by notices sent to employees individually or collectively, including through employee representatives. When dealing with non-employees, data controllers will therefore need to ensure that those third parties are also duly informed.
Biometric equipment can be seen as an appropriate solution for organisations wishing to reinforce security, including data security as prescribed in the GDPR.
However, even when security is the reason behind the use of biometric equipment at the workplace, such use must be balanced against the rights of the data subjects.
It is important that procurement decisions to purchase biometric tools for or on behalf of a French-based organisation are preceded by a careful assessment of the lawfulness of such use, otherwise the data controller could be exposed to CNIL sanctions in addition to having invested time and resources in (possibly costly) material that turned out to be unusable.
Please contact us if you have any questions on the CNIL rules or if you would like to know what steps your organisation needs to take to ensure compliance.
Authored by Aissatou Sylla