BIOMETRIC DATA PROCESSING OF EMPLOYEES UNDER FRENCH LAW

Abstract

The General Data Protection Regulation of the European Union, known as GDPR, prohibits unique human identification but provides exemption conditions for specific circumstances, such as employment, in Article 9, paragraph 2 (b). Member-States are also given priority to specify national legislation indications under paragraph 4. However, biometric data processing under this exemption in an employment relationship requires specific legislation, as demonstrated in French Law No. 2018-493 of 20 June 2018 and Délibération n° 2019-001 of 10 January 2019. This poses a challenge for employers, as biometric data is classified as personal data and requires further clarification on its use in the workplace. A manuscript aims to investigate French law on data protection regarding biometrics and assist employers in complying withGDPR. The research evaluates possible solutions after considering criteria in a workplace. It concludes that installing biometric systems should not compromise employee data protection and privacy. While the French approach to fingerprint processing for time management is functional, a risk assessment is necessary to protect employee biometric data and balance parties' interests. The manuscript recommends that employers shall levy the necessity of a valid legal basis, obtain explicit consent for a limited purpose, consider alternatives, respect fundamental rights, and implement appropriate measures to process biometric data in the workplace and comply with GDPR. While deploying a biometric system is usually for all employees, its use should not be limited to a few data subjects and, therefore, shall value overall company policy.