Stephanie Reinders Folmer and Richard van Schaik of DLA Piper write:
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) issued a fine of EUR 725,000 for a company unlawfully processing fingerprints of its employees for attendance and time registration purposes.
Under the GDPR, biometric data (e.g. fingerprints) processed for the purpose of identifying a natural person are considered a special category of personal data. Consequently, processing of such data is prohibited under article 9 of the GDPR, unless an exception applies. There are two exceptions that can – in principle – be relied upon with respect to the processing of biometric data: 1) explicit consent, or 2) the processing is necessary for authentication or security purposes. The latter is an exception provided for in the Dutch Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, “UAVG”).
Read more on Privacy Matters.