GDPR and biometrics

Privacy compliance of our products to protect users' personal data

Under GDPR, the use of biometrics in the workplace for physical access control is allowed.

To be compliant with the regulation, the employer shall:

  • Define a dedicated Privacy Impact Assessment document (DPIA),
  • Get the consent of users and offer an alternative for people not willing to use biometrics (e.g. badge + PIN)
    • In some cases, the consent of users can be replaced by legitimate interest (e.g. a very sensitive or classified site)

To support you and your partners, a set of documents for GDPR compliance is available upon request.

Our biometric readers have been designed in compliance with the ‘Privacy by design & by default’ principles required by GDPR:

  • Fingerprint and face images are NOT stored, and the encrypted templates cannot be reverse engineered
  • An explicit gesture from the user is needed to show her/his intention:
    • VisionPass starts facial acquisition as soon as the user enters the intention area and looks at the reader. In addition, a deliberate trigger can be used (e.g. card, PIN…)
    • MorphoWave Compact: the user waves her/his hand in the reader
  • All personal user data is hosted and controlled ONLY by the end customer
  • As mandated by GDPR, the “right to be forgotten or consent withdrawal” for a user can be performed easily
  • Templates can be stored either in the user's badge or in the biometric reader

Protected storage of Biometric templates