On April 18, 2018, CNIL outlined its policy on biometric data (source document in French). According to the policy, the following conditions are required: (i) the processing of such data must be necessary for the purposes of the process; (ii) the data subject must be free to choose between biometric technology and an alternative authentication process; and (iii) biometric data must remain under the exclusive control of the data subject.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.