###
20/10/2017
In connection with the General Data Protection Regulation (GDPR) which is to take effect as of 25th May 2018 the Office for Personal Data Protection has revised its previous opinion concerning access systems based on biometric data recognition (such as finger or palm prints) which are becoming increasingly available and usable for a wider range of purposes. Besides access permission, they are also used for employee attendance monitoring, for instance. Biometric data represent sensitive data which may be processed only upon satisfaction of extraordinary requirements, the individual’s express consent not always being sufficient. Pursuant to the current personal data protection law, so far the Office for Personal Data Protection has differentiated between two biometric data processing technologies, one being accepted by the Office for Personal Data Protection as widely applicable (including for employee attendance systems), the other only as an extraordinary tool for ensuring security of special operations (e.g., nuclear power plants). Having regard to the upcoming date of effectiveness of GDPR, the Office for Personal Data Protection refers in its new opinion to the stricter provisions of GDPR relating to the processing of sensitive data as a new, special personal data category. As the Office for Personal Data Protection has concluded, wider use of identification or authentication methods based on biometric data has basically been rendered impossible under the new provisions, irrespective of the two verification technologies as differentiated currently. Even though at the moment the Office for Personal Data Protection does not provide a detailed explanation for its problematic conclusion with a promise to adopt an updated opinion, complications must be expected in using such systems from May 2018.