The General Data Protection Regulation (GDPR) applicable since 25 May 2018 , modifies the legal rules on the use of biometric data. The processing of biometric data for the purpose of "uniquely identifying a natural person" is, as a matter of principle, prohibited under Article 9 GDPR . Amongst the authorised exceptions is the processing "necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment [...] in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject "

To adapt the national law to this evolution of the European rules, the French legislator modified the French Data Protection Act in June 2018 . The new provisions provide that biometric access control devices using biometric data may be implemented by employers provided that they comply with a standard norm published by the CNIL. The norm has to be is established by the CNIL “in consultation with the public and stakeholder representatives”.

The CNIL has thus launched on 3 September a public consultation on draft regulation on “work biometrics”.

The consultation period will run until 1 October 2018. The amended draft, taking into account the comments received, will then be submitted for consideration by the plenary meeting of the CNIL.

The draft regulation and the consultation may be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.