Subscriber Discussion

GDPR For Access Control Guide

Charles Rollet
Jun 10, 2018
Piotr Powazka
Mar 03, 2020
ERATRUST.PL

Hi, I would like to point out a certain clarification that should be added to the paragraph:

"For example, S2 Security says in its public GDPR guide that it may not be considered a data processor in some cases because “on-premises deployments of access monitoring and video management systems often do not involve a Data Processor because the Data Controller handles all personal data.” S2 is correct when it comes to on-premise deployments." It is partially true when it comes to on-premise deployments. Still, companies providing a full service agreement, even for an on-site solution, will have access to stored data. The same applies in cases of one-off access due to database/software problems with an on-site deployment. If so, the service/provider company is processing data (they do database backups, check records, sort out database records, etc.). Therefore, when we look at the definition in Art. 4(2) GDPR: "‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction", the data controller should have a data entrustment agreement in place with the service/solution provider company. They are simply instructed to perform activities on data and should be considered processors anyway. If the nature of the work/agreement involves processing activity on data on behalf of the data controller, we can be almost certain that someone is a processor there, whether they like it or not.

Charles Rollet
Mar 04, 2020

Hi Piotr,

Thanks for your comment. Yes, you are correct. As soon as personal data is accessed by the access control provider - even for routine maintenance - the GDPR kicks in, and this also applies to on-premise deployments. I've updated the article to reflect that.

Piotr Powazka
Mar 04, 2020
ERATRUST.PL

Hi Charles,

You're welcome.

Piotr Powazka
Mar 03, 2020
ERATRUST.PL

Further comment regarding this section: "This means if a consulting firm is installing access control for its employees which includes iris scans, it needs to obtain informed, clear, and freely-given consent from them." Please note that the European Data Protection Board as well as member states' Supervisory Authorities emphasize a significant imbalance between employees and employers with regard to consent given. The Guidelines on Consent under Regulation 2016/679 (wp259rev.01), referring to the elements of valid consent under Article 4(11) of the GDPR, stipulate that consent of the data subject means any:

- freely given,
- specific,
- informed and
- unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

"An imbalance of power also occurs in the employment context. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera-observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent. Therefore, WP29 deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1)(a)) due to the nature of the relationship between employer and employee."

Unless there is a legitimate basis for biometrics use in the workplace, such as local law on national security or critical infrastructure (cybersecurity) where RFID cards alone are not enough, the use of consent is not the right choice for an employer.

Charles Rollet
Mar 04, 2020

That's a good point too. We've seen Data Protection Authorities take into account imbalances of power when considering consent for biometric systems, e.g. when the Swedish DPA banned face rec at a school because students could not give freely-given consent since:

it is clear that the student is in a dependent position to the school in terms of grades, funding, education, and thus future work or study opportunities.

I've updated the article.

Piotr Powazka
Mar 04, 2020
ERATRUST.PL

Absolutely, they do look at it. The same applies to a recent case in a Dutch court where a shopping mall installed fingerprint readers in order to unlock tills and monitor the working time of its employees. An alternative solution must be considered first, or at least an option which does not "force" a person to use it. In terms of CCTV, the stance of a regulatory body like the European Data Protection Board is that private CCTV monitoring a public area, e.g. close to our property, is subject to GDPR too. There is a lot of discussion about it and some doubts, but that is how they perceive it. I wrote an article about it and how to minimize the impact of video surveillance during the design, though not in English.
