GDPR and biometrics

With GDPR, the use of Biometry at the work place for Physical Access Control is allowed.

To be compliant with the regulation, the employer shall:

• Define a dedicated Privacy Impact Assessment document (DPIA),
• Get the consent of users and offer an alternative for people not willing to use Biometry (eg Badge + PIN)
  • In some cases, the consent of users can be replaced by the Legitimate interest (eg very sensitive or classified site)
• To support you and your Partners, a set of documents for GDPR compliancy is available upon request

Our Biometric readers have been designed in compliance with ‘Privacy by design & by default’ principles as required by GDPR regulation

• Fingerprint or Face images are NOT stored, and no reverse engineering attempts on encrypted templates are possible
• User explicit gesture is needed to show her/his intention:
  • VisionPass starts facial acquisition as soon as the user enters the intention area and looks at the reader. In addition, a deliberate trigger can be used (eg card, PIN…)
  • MorphoWave compact: The user will wave her/his hand in the reader
• All of the personal user data are hosted and controlled ONLY by the end-customer
• As mandated by GDPR, the “right to be forgotten or consent withdrawal” for a user can be performed easily
• Concerning the Template storage, this is possible to store them in the user badge or in the Biometric Reader