When Biometric Data Meets the Workplace

The relatively recent findings of the National Supervisory Authority for Personal Data Processing (ANSPDCP) highlight a reality many organizations underestimate: regulators intervene not only when a system is deployed, but also when it is merely planned.

In other words, when you explore new technologies, precaution is not optional; it is a compliance requirement.

The Romanian authority investigated a company planning to introduce facial‑recognition access control for employees. Interestingly, the system was not implemented, no biometric data had been processed, and yet the authority still opened a case.

Why did this happen? Because the moment you step into the world of biometric data, you enter one of the most protected zones of the GDPR.

Under the GDPR, biometric data used for identification is classified as a special category of personal data (Art. 9 GDPR). Put simply: you only process biometric data when every other alternative has been exhausted, and you can prove it.

Since, in the case presented by the authority, a functioning card‑based access system was already in place, ANSPDCP concluded that facial recognition did not meet the GDPR requirements of lawfulness, necessity, and proportionality.

In this context, the operator was advised to use less intrusive means to achieve the intended purpose of the processing, methods that would not involve the processing of biometric data.

Ultimately, the authority concluded that the intended processing did not meet GDPR requirements for: (i) lawfulness (Art. 6), (ii) data minimization (Art. 5(1)(c)), and (iii) necessity and proportionality (Art. 5(1)(a)).

  • Lawfulness (Art. 6 + Art. 9 GDPR)

For biometric data, lawfulness requires more than a standard legal basis. The operator would have needed to show a valid Art. 9(2) exception (e.g., substantial public interest, which clearly did not apply), that consent was freely given (unlikely in an employment context), and that the processing was essential for a legitimate, non‑negotiable security need.

  • Data Minimization (Art. 5(1)(c))

To comply, the operator should have proven that biometric data were strictly necessary, no alternative (cards, PINs, badges) could achieve the same result, and that the system was configured to collect the minimum biometric data possible.

  • Lawfulness, Fairness and Transparency (Art. 5(1)(a))

The operator would have needed to justify why existing controls were insufficient, why biometrics were lawfully and strictly necessary, and how the resulting impact on employees (who are in a structurally imbalanced relationship with the employer) was fair, transparent, and proportionate.

Why Do Regulators React Early?

Even though no biometric data had been collected, the authority issued a warning. It did so not because the company acted in bad faith, but because the proposed system introduced disproportionate risks, lacked a solid legal basis, and could have led to unlawful processing down the line.

This is a reminder that GDPR compliance isn’t only about what you do - it’s also about what you plan to do.

The content of this article is general information, not tailored legal advice for your specific situation. It has a strictly informative and general purpose; the information contained does not constitute legal advice.

Every business is different. For personalized consultancy, schedule a consultation call or write to us directly at 📧 anamaria@legallyremote.online.
