Alain Bensoussan
Can a company legally use biometric devices in France?
YES. Businesses may use a biometric device, subject to obtaining the prior authorization of the French data protection authority, the CNIL (Article 25 of the French Data Protection Act (Loi Informatique et libertés)).
The CNIL has established simplified notification formalities for some biometric devices, such as:
- Hand geometry recognition for access control, working time management and food catering at the workplace;
CNIL Deliberation No. 2006-101 of April 27, 2006
- Fingerprint recognition with fingerprint exclusively recorded on an individual medium held by the data subject, designed to control access to work buildings;
CNIL Deliberation No. 2006-102 of April 27, 2006
- Vein pattern recognition to control access to work buildings;
CNIL Deliberation No. 2009-316 of May 5, 2009
- Fingerprint recognition to control access to professional laptops.
CNIL Deliberation No. 2011-074 of March 10, 2011
The simplified notification process reduces red tape and eases the administrative burden on companies. A business that wants to use a biometric device eligible for a simplified notification process only has to submit a notification of conformity in which it undertakes to comply strictly with the terms laid down in the simplified standard. This notification may be made online on the CNIL’s website. The CNIL may subsequently carry out on-the-spot investigations to check compliance.
If the biometric device is not eligible for a simplified notification process, the company is required to file an application for authorization.
Can the CNIL refuse the installation of a biometric device?
YES. The application for authorization may be denied by the CNIL if key requirements are not met. To be authorized, a device must comply with 4 guidelines set by the CNIL in relation to its (i) purpose, (ii) proportionality, (iii) reliability and (iv) security.
The CNIL’s decision is taken “based on current technology”. (CNIL Communication of 2007)
Should employees be informed of the biometric device?
YES. Individuals concerned by the biometric device must be individually informed of how the device will be used and why.
Individuals must be given information on the purpose of the processing, the recipients or categories of recipients of the data, and how to exercise their rights to access and rectify their data. In assessing an application for authorization, the CNIL always checks whether the employees concerned have been informed and whether the staff representative bodies have been consulted.
Businesses are therefore advised to:
- Send an information memo to the employees concerned;
- Provide the CNIL with the opinion given by the staff representative bodies.