Why firms using tools like fingerprint scanners could soon be in a legal minefield

New EU data protection rules mean companies have to reassess how they handle biometric info.

By Lynda Nyhan Associate, Mason Hayes & Curran

COMPANIES DEPLOYING SECURITY systems that require employee biometric data, such as fingerprints, must consider how they process this data to be compliant with new EU data protection rules when they come into force in May.

In order to be legally compliant with the General Data Protection Regulation (GDPR), an employer must have a “lawful basis” or justifiable reason to process an employee’s personal data.

As required under the current data protection regime, and in the GDPR, these reasons could include:

  • Employee consent;
  • Where the processing is necessary for the performance of a contract to which the data subject has agreed;
  • For compliance with an employer’s legal obligation;
  • Where the processing is necessary for the purposes of legitimate interests pursued by the employer;
  • In the public interest.

No consent

Even under current data protection law, consent has not been a reliable basis on which to legally legitimise data processing in the context of employment.

According to recent guidance, employees are rarely in a position to freely give, refuse or revoke consent. This is because of the imbalance of power between employee and employer.

Employees can only give ‘free’ consent in rare circumstances, those being when no consequences at all are connected to an acceptance or rejection of an offer.

For this reason, an employer may be on unstable legal ground if relying on general employee consent.

If an employer were to offer a biometric system as an option for access rather than requiring the employee to use it, consent might be considered as being freely given.

However, allowing employees to ‘opt out’ of the use of the biometric system goes against the practical reasons for secure access in the first place.

Legitimate interests

Under the current data protection regime, an employer’s legitimate interests can be cited as a legal ground to process an employee’s biometric data.

In this situation, an employer must conduct a proportionality test prior to deploying any monitoring tool. As part of the test, the employer should consider:

  • If all data is necessary;
  • Whether this processing outweighs the general privacy rights that employees also have in the workplace;
  • What measures must be taken to ensure that infringements on the right to private life and the right to secrecy of communications are limited to the minimum necessary;
  • What is acceptable in one case may not be in another and an employer seeking to rely upon this ground must always take into account the potential effect on employee privacy rights.

Limited scope under GDPR

Unlike under the current data protection regime, biometric data is considered to be a special category of personal data under the GDPR. Processing of special categories of personal data is prohibited unless an ‘exception’ applies.

Explicit consent given by the data subject to process their biometric data is one of these exceptions. Legitimate interests are not available as an exception to this prohibition.

However, in light of the stricter consent obligations under the GDPR and recent guidance discussed above, an employer should seek alternative bases to explicit consent to process its employees’ biometric data.

Once the GDPR is implemented, employers will be unable to rely upon legitimate interests to process biometric data of employees.

Accordingly, employers must rely upon another legal basis in order to use biometric data for secure access to their place of employment.


Unless an employer can make a legitimate argument that it is processing biometric data for the vital interests of its employee, or is doing so in the public interest, no other alternative basis is currently available.

The Irish legislation, as currently drafted, allows for the processing of biometric data for identification and security purposes, subject to appropriate safeguards.

The GDPR also provides scope for Ireland to introduce more specific rules regarding the processing of personal data in the employment context. Legislators will continue to flesh these sections out and issue further interpretative guidance in 2018.

For now, employers should exercise caution when deploying these systems. They will need to consider other, less invasive methods of ensuring secure employee access to their place of employment come May.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Lynda Nyhan is an associate on the employment and benefits team at Mason Hayes & Curran. This article was co-authored by Emily Mahoney.
