fbpx

Recent Developments in the Protection of Biometric Data

The use of biometric recognition systems has become widespread in recent years across a wide range of sectors, from workplaces to gyms, and from public institutions to digital services. Technologies such as fingerprint recognition, facial recognition and iris scanning are used for purposes such as identity verification, access control and time and attendance tracking. However, the fact that biometric data is unique to the individual, immutable and, in the event of a breach, often impossible to restore or replace, has led to this data occupying a special position under data protection law.

Whilst technological advancements are expanding the scope of biometric data usage, data protection authorities are increasingly emphasising the principles of necessity, proportionality and data minimisation in relation to the processing of such data. In particular, the legal basis and necessity of using biometric data are being scrutinised more closely in situations where the same objective can be achieved through less intrusive methods.

International Approaches to the Protection of Biometric Data

There is a strict approach to the processing of biometric data worldwide. In many countries, particularly within the European Union, data protection authorities and courts, acting on the premise that biometric data constitutes sensitive data requiring special protection, consider the processing of such data permissible only under specific conditions. In particular, the principles of necessity, proportionality and data minimisation stand out as key criteria in the assessment of biometric data processing activities.

Biometric Data in European Union Data Protection Law

Indeed, Article 4(14) of the GDPR defines biometric data as “data resulting from specific technical processing methods relating to the physical, physiological or behavioural characteristics of a natural person, which allow for the unique identification or authentication of that person”. Biometric data processed for the purpose of uniquely identifying an individual is classified as “special categories of personal data” under Article 9 of the GDPR, and its processing is, as a general rule, prohibited. In the context of employment relationships, the processing of biometric data is only permissible where one of the exceptions set out in Article 9(2) of the GDPR applies; in particular, Article 9(2)(b) may be applicable where data processing is necessary for the fulfilment of rights and obligations in the fields of employment law, social security and social protection. However, for the processing of biometric data to be considered lawful, the mere existence of a legal basis is not sufficient. The processing must also comply with the fundamental principles of the GDPR, namely lawfulness, purpose limitation, data minimisation, necessity and proportionality. Consequently, under European Union law, it is accepted that the use of biometric data is not necessary—and would be incompatible with the principle of data minimisation—where the same objective can be achieved using less intrusive means, such as card-based access systems, password authentication methods or similar alternatives.

United Kingdom: High Standard of Necessity for Biometric Data

The UK Information Commissioner’s Office (ICO) also emphasises that biometric data constitutes a special category of personal data and that employers must carry out a data protection impact assessment (DPIA) before commencing the processing of such data. According to the ICO, employers must assess whether biometric systems are genuinely necessary and should avoid processing biometric data where the same outcome can be achieved using card-based access systems or other identity verification methods. In particular, it is noted that employees’ explicit consent may not always constitute a valid legal basis due to the imbalance of power in employment relationships.

Germany: A Restricted Approach to the Use of Fingerprints for Time and Attendance

One notable example of this approach can be seen in Germany. In its ruling on a fingerprint system used for time and attendance tracking, the Berlin-Brandenburg Regional Labour Court held that the processing of biometric data can only be deemed lawful if it is necessary and proportionate; furthermore, it concluded that the processing of biometric data cannot be considered necessary where the same result can be achieved using less intrusive methods, such as staff ID cards. Consequently, the court concluded that employees cannot be compelled to provide their fingerprints for the purpose of working time monitoring.

France: Biometric Systems May Only Be Used in Exceptional Circumstances

Similarly, the French Data Protection Authority (CNIL) restricts the use of biometric systems in the workplace – such as fingerprint, vein or iris scanning – to situations where there is a high security need and where the same objective cannot be achieved by alternative means. The CNIL also requires that a data protection impact assessment be carried out in relation to biometric data processing activities and that robust technical and organisational measures be implemented.

China: Alternatives to Facial Recognition Systems Must Be Provided

A similar approach has been adopted in China. In a judicial interpretation published by the Supreme People’s Court of China in 2021, it was emphasised that facial data obtained through facial recognition systems is of a sensitive nature; it was stated that individuals cannot be compelled to share their facial data and that alternative verification methods must be offered to those who refuse facial recognition.

Developments in Türkiye

The Personal Data Protection Board Publishes a Principle Decision on the Use of Biometric Data

The Personal Data Protection Board (“the Board”) has shared its assessments regarding the processing of biometric data for the purpose of monitoring working hours with the public under Principle Decision No. 2026/921, published in the Official Gazette on 2 June 2026. The Decision is significant in that it establishes that biometric systems such as fingerprint and facial recognition, used by employers, cannot be justified solely on the basis of a single data processing condition; they must also be assessed in terms of the principles of necessity, proportionality and data minimisation. The Board has adopted a highly restrictive approach to the use of biometric data for working time monitoring, placing particular emphasis on the imbalance of power in the employer-employee relationship.

The Foundations of the Principle Decision: The Gym Cases

The Board’s approach to the use of biometric data for working time monitoring is not new. Indeed, one of the Board's first significant assessments regarding biometric data regarding the processing of biometric data was set out in its 2019 decisions concerning the use of hand and palm prints for entry and exit control of members at gyms. In these decisions, the Board noted that access control for gym members could also be achieved without the processing of biometric data, using alternative methods such as card-based access, RFID tags or similar, and concluded that the use of biometric data was not compatible with the principle of proportionality. Furthermore, it was assessed that making the use of the service conditional upon the provision of explicit consent to the processing of biometric data made it difficult to accept that such consent had been given of one’s own free will. In this context, the Board decided that the processing of biometric data should be suspended and that the biometric data already processed permanently deleted.

 

The 2026 Principles Decision also maintains the same approach, reiterating that the use of biometric data may only be considered in cases where it is genuinely necessary and where no less intrusive methods are available.

 

The Concept of Biometric Data

By explicitly referring to the definition of biometric data set out in the GDPR, the Board has not limited its assessment of biometric data solely to fingerprint or facial recognition data. In this context, it has been stated that, alongside traditional biometric data such as fingerprints, facial recognition, retinal and iris data, data derived from behavioural characteristics—such as voice data, signature dynamics, keyboard usage habits, handwriting style and similar features—may also qualify as biometric data provided they enable the unique identification of an individual. It is thus evident that the Board’s approach to the concept of biometric data has expanded in line with technological developments.

Data Classified as Biometric Data in the Decision

The scope of the concept of biometric data has also been clarified in the Principle Decision. The Board has stated that biometric data is not limited solely to fingerprint or facial recognition systems; it has indicated that data derived from physical, physiological and behavioural characteristics that enable the unique identification of an individual may also be classified as biometric data. In this context, fingerprints, facial geometry, retinal and iris data, and voice data were cited as examples of biometric data; it was also noted that data derived from behavioural characteristics, such as signature dynamics and keyboard usage habits, may also qualify as biometric data.

Does Explicit Consent Constitute a Valid Legal Basis for Time and Attendance Monitoring?

One of the notable aspects of the decision concerns the assessment of whether explicit consent constitutes a sufficient legal basis for the processing of biometric data for the purpose of working time monitoring. The Board has stated that, by the very nature of the relationship between the employee and the employer, there is no equality of position between the parties; that the employee may reasonably anticipate adverse consequences should they refuse to give consent; and that, for this reason, it is debatable whether the consent given is always based on free will. Within this framework, it has been concluded that basing time and attendance tracking on explicit consent carries significant legal risks.

Assessments from the Employers’ Perspective

The Board’s approach, as set out in its decisions from 2019 onwards, that explicit consent may not be valid in relation to biometric data has been reinforced by Principle Decision No. 2026/921, indicating that the legal compliance of biometric systems used by employers for working time monitoring and access control will continue to be subject to rigorous scrutiny in the future . In accordance with the decision, it is not considered sufficient for the processing of biometric data to be based solely on a single condition for data processing; the processing in question is also assessed to determine whether it is necessary, proportionate and in accordance with the principle of data minimisation. It is therefore important for employers to consider whether the same objective can be achieved using alternative methods, such as card-based access control or PIN verification, before continuing to use biometric systems such as fingerprint or facial recognition. Particularly in cases where the processing of biometric data is based on explicit consent, the risks regarding the validity of such consent—owing to the imbalance of power between the employee and the employer—must also be taken into account. In this context, the ruling indicates that employers must reassess their current biometric data processing activities and, where necessary, turn to alternative solutions.

Case-by-Case Assessment in Biometric Data Processing

However, the Principle Decision should not be interpreted as imposing an absolute ban on all biometric data processing activities. The lawfulness of biometric data processing activities will continue to be assessed within the framework of the specific circumstances of each individual case. In particular, the necessity and proportionality of biometric authentication systems may be assessed differently in situations such as national security, public safety, the protection of critical infrastructure, defence industry facilities, or certain work environments requiring high security. However, the Board’s latest Decision on Principles clearly sets out that the use of biometric data in routine workplace practices will now be subject to a much stricter scrutiny of necessity and proportionality.

Stay Informed

Subscribe to stay up to date on the latest legal insights and events of your choice.

×

Marking four decades defined by excellence, integrity, and a globally respected presence in the legal profession. Discover our story.