Electronic access control is common in businesses, and organizations are increasingly considering biometrics for access control. With GDPR coming into force this Spring, it is important to understand how this will impact these systems.
IPVM has already published an extensive guide about the GDPR’s effect on video surveillance. This new 13-page guide covers GDPR’s effect on the access control industry since much of the data collected for access control purposes – e.g., names, addresses, fingerprints – are personal data whose processing is clearly regulated by the GDPR.
The guide has the following core sections:
Where Access Control Providers Fit into GDPR categories of controllers and processors
Why Processors Aim To Keep Distance
Legal Basis for Processing Access Control
Impact of Biometrics on Access Control GDPR Requirements
Dealing With Employees Who Refuse Biometrics Consent
Access Control Systems Excluded From Biometrics Claim
Guidelines for Storing Access Control data
Handling Right to be forgotten/Right to information requests for access control systems
Encrypting / Anonymizing access control information
Concerns with AD / LDAP integrations
Data breach response for access control
Data Protection Impact Assessments for access control systems
Dealing with Data Specific to Access Control, e.g. Physical Activity Log
The GDPR creates two distinct categories – data controllers and data processors. Controllers are the firms which gather and control the use of peoples’ personal data, and processors are the ones who process that data on behalf of controllers.
The distinction is important as data controllers typically have more responsibilities under the GDPR; for example, only controllers have a duty to report data breaches to authorities.
Access Control GDPR Category Examples
As in video surveillance, access control end users would typically be considered “data controllers.” For example, if a pharmaceutical company buys an access control system for a new building and its employees, the pharma company is the data controller.
Data processors are the companies which handle the personal data collected by end users. For access control, in most cases this means firms like Genetec, Lenel, Software House, S2 Security, etc.
Access control integrators/installers could also be considered data processors depending on whether they handle their end users’ personal data or not. For example, an integrator with temporary access to employees’ personal addresses for maintenance purposes would be considered a data processor in this instance.
Processors Keep Distance
Many data processors in the access control industry emphasize that they can only provide the means to comply with the GDPR’s provisions, rather than assuring compliance in and of themselves.
Because access control involves data which is very easy to immediately identify people with (unlike video surveillance), processors are keen to distance themselves from end users/data controllers in case those end users mishandle the data.
For example, S2 Security says in its public GDPR guide that it may not be considered a data processor in some cases because “on-premises deployments of access monitoring and video management systems often do not involve a Data Processor because the Data Controller handles all personal data.” S2 is correct when it comes to on-premise deployments. UPDATE: as pointed out by a commenter, even on-premise deployments could see themselves as processors under the GDPR if they access personal data for maintenance or other reasons.
However, it is worth remembering that firms providing cloud-connected access control solutions would be considered data processors under the GDPR. Moreover, as more systems are moving to the cloud, either for hosting, management or access, access control providers are more likely to fall under the data processor category.
Hi, I would like to point out a certain clarification that should be added to the paragraph:
"For example, S2 Security says in its public GDPR guide that it may not be considered a data processor in some cases because “on-premises deployments of access monitoring and video management systems often do not involve a Data Processor because the Data Controller handles all personal data.” S2 is correct when it comes to on-premise deployments." It is partially true when it comes to on-premise deployments. Still, companies providing a full service agreement even for an on-site solution will have access to stored data. The same applies in cases of one-off access due to some database/software problems with an on-site deployment. If so, the service/provider company is processing data (they do database backups, check records, sort out database records, etc.). Therefore, when we look at the definition in art. 4(2) GDPR: "‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction", the data controller should have a data entrustment agreement in place with the service/solution provider company. They are simply instructed to perform activities on data and should be considered as processors anyway. If the nature of the work/agreement involves processing activity on data on behalf of the data controller, we can almost be certain that someone is a processor there, whether they like it or not.
Thanks for your comment. Yes, you are correct. As soon as personal data is accessed by the access control provider - even for routine maintenance - the GDPR kicks in, and this also applies to on-premise deployments. I've updated the article to reflect that.
Further comment regarding this section: "This means if a consulting firm is installing access control for its employees which includes iris scans, it needs to obtain informed, clear, and freely-given consent from them." Please note that the European Data Protection Board as well as member states' Supervisory Authorities emphasize a significant imbalance between employees and employers with regard to consent given. The Guidelines on Consent under Regulation 2016/679 (wp259rev.01) refer to the elements of valid consent under Article 4(11) of the GDPR, which stipulates that consent of the data subject means any:
- freely given,
- specific,
- informed and
- unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
"An imbalance of power also occurs in the employment context. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera-observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent. Therefore, WP29 deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1)(a)) due to the nature of the relationship between employer and employee."
Unless there is a legitimate basis for biometrics use in the workplace, such as local law due to national security or critical infrastructure (cybersecurity) where RFID cards alone are not enough, the use of consent is not the right choice for an employer.
That's a good point too. We've seen Data Protection Authorities take into account imbalances of power when considering consent for biometric systems, e.g. when the Swedish DPA banned face rec at a school because students could not give freely-given consent since:
it is clear that the student is in a dependent position to the school in terms of grades, funding, education, and thus future work or study opportunities.
Absolutely they do look at it. The same applies to a recent case in a Dutch court where a shopping mall installed fingerprint readers in order to unlock tills and monitor the work time of their employees. There must be an alternative solution considered first, or at least an option which does not "force" a person to use it. In terms of CCTV, the stance of a regulatory body like the European Data Protection Board is that private CCTV monitoring a public area, e.g. close to our property, is subject to GDPR too. There is a lot of discussion about it and some doubts, but it is how they perceive it. I wrote an article about it and how to minimize the impact of video surveillance during the design, though not in English.