United States: Privacy & Information Security Law Blog: CNIL Publishes Binding Rules On Processing Biometric Data As Workplace Access Control

On March 28, 2019, the French data protection authority ("CNIL") published a "Model Regulation" addressing the use of biometric systems to control access to premises, devices and apps at work. The Model Regulation lays down binding rules for data controllers who are subject to French data protection law and process employee biometric data for such purposes. The CNIL also released a related set of questions and answers ("FAQs").

Background

Article 9(4) of the EU General Data Protection Regulation ("GDPR") allows EU Member States to maintain or introduce specific national rules regarding the processing of genetic, biometric or health data. French law No. 2018-493 of June 20, 2018, amended the French Data Protection Act to authorize the CNIL to adopt such rules via Model Regulations.

This Model Regulation—on the processing of employee biometric data for purposes of controlling access to premises, devices and apps at work—is the CNIL's first Model Regulation, and was adopted following a public consultation held in September of 2018. Employers intending to implement a biometric system within the Model Regulation's scope must comply with its rules when processing the data.

The Model Regulation on Biometrics

The CNIL's Model Regulation delineates how employee biometric data may be processed for workplace access control purposes. Specifically, the Model Regulation (1) gives an exhaustive list of the types of personal data that may be collected and further processed for those purposes; (2) defines the data retention periods; and (3) specifies technical and organizational measures that must be implemented to ensure the security of the personal data. The Model Regulation also requires that data controllers who process the employee biometric data at issue carry out a DPIA and regularly update that DPIA at least every three years.

That said, compliance with the CNIL's Model Regulation does not exempt data controllers from carrying out a DPIA and more generally from complying with all the other provisions of the GDPR, such as those relating to basic data protection principles, data subjects' rights with respect to their personal data and cross-border data transfer restrictions. The CNIL's Model Regulations are intended only to complement the GDPR or further specify some of its provisions. View the full Model Regulation and the FAQs on biometrics (both in French).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.