Can employers process employees’ fingerprints?

Well, that’s a tricky question; actually, there is no one-size-fits-all answer.

According to the European General Data Protection Regulation (GDPR), the processing of biometric data, i.e. “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person”, such as fingerprints, is prohibited, except for the terms and conditions provided for in Article 9 (2) of the GDPR.

In its recent draft Recommendation on the processing of biometric data, the Belgian Data Protection Authority (DPA) finds that, generally speaking, an employer may not rely on the employees’ consent to processing their fingerprint models mainly due to the inherent imbalance of power between the parties: “it is unlikely that this consent is freely given” (p. 21).

So, are there any other options an employer should consider?

Unfortunately, unlike several of its neighboring countries (footnote 16), Belgium has not chosen (yet) to provide a general legal basis for the processing of biometric data for identification or authentication of an individual for security purposes (p. 27).

That being said, the DPA is aware of the current problematic use of a large amount of biometric data and therefore urges the Belgian legislator to enact a clear legal framework, inviting the sectors concerned to mobilize on this issue as soon as possible. Meanwhile, taking into account the good governance principles, upon publication of its Recommendation, a transitional period of one year would be foreseen during which the current processing of biometric data would be “tolerated” in accordance with the former rules and the DPA would not intervene “proactively” (p. 28 and 29).

In any case, the employer concerned must demonstrate the necessity and the proportionality of processing biometric data (p. 27 and 35), while transparency to employees is key (p. 39).

Finally, the DPA has pointed out the need to carry out a Data Protection Impact Assessment (DPIA) as required under Article 35 of the GDPR whenever processing is likely to result in a high risk to the rights and freedoms of individuals (p. 40).

Until 1st September 2021, everyone can give their opinion on this draft Recommendation which can be found here: