GDPR For Access Control Guide

By: IPVM Team, Published on Jul 03, 2018

Electronic access control is common in businesses plus organizations are increasingly considering biometrics for access control. With GDPR coming into force this Spring, it is important to understand how this will impact these systems.

IPVM has already published an extensive guide about the GDPR’s effect on video surveillance. This new 13-page guide covers GDPR’s effect on the access control industry since much of the data collected for access control purposes – e.g., names, addresses, fingerprints – are personal data whose processing is clearly regulated by the GDPR.

The guide has the following core sections:

  • Where Access Control Providers Fit into GDPR categories of controllers and processors
  • Why Processors Aim To Keep Distance
  • Legal Basis for Processing Access Control
  • Impact of Biometrics on Access Control GDPR Requirements
  • Dealing With Employees Who Refuse Biometrics Consent
  • Access Control Systems Excluded From Biometrics Claim
  • Guidelines for Storing Access Control data
  • Handling Right to be forgotten/Right to information requests for access control systems
  • Encrypting / Anonymizing access control information
  • Concerns with AD / LDAP integrations
  • Data breach response for access control
  • Data Protection Impact Assessments for access control systems
  • Dealing with Data Specific to Access Control, e.g. Physical Activity Log
  • Manufacturer GDPR guides including Avigilon, Brivo, Genetec, Lenel, Paxton, RS2, S2, Tyco

Introduction

To start, it’s important to realize that the GDPR is a broad set of regulations which do not mention particular industries, including access control or its products.

Therefore, anyone claiming to provide “GDPR certification” for particular products in access control or any other industry is wrong. (See IPVM’s previous report: Dahua Products Are Not GDPR Compliant, No Products Can Be.)

Data Controller and Data Processors

The GDPR creates two distinct categories – data controllers and data processors. Controllers are the firms which gather and control the use of peoples’ personal data, and processors are the ones who process that data on behalf of controllers.

The distinction is important as data controllers typically have more responsibilities under the GDPR; for example, only controllers have a duty to report data breaches to authorities.

Access Control GDPR Category Examples

As in video surveillance, access control end users would typically be considered “data controllers.” For example, if a pharmaceutical company buys an access control system for a new building and its employees, the pharma company is the data controller.

Data processors are the companies which handle the personal data collected by end users. For access control, in most cases this means firms like Genetec, Lenel, Software House, S2 Security, etc..

Access control integrators/installers could also be considered data processors depending on whether they handle their end users’ personal data or not. For example, an integrator with temporary access to employees’ personal addresses for maintenance purposes would be considered a data processor in this instance.

Processors Keep Distance

Many data processors in the access control industry emphasize that they can only provide the means to comply with the GDPR’s provisions, rather than assuring compliance in and of themselves.

Because access control involves data which is very easy to immediately identify people with (unlike video surveillance), processors are keen to distance themselves from end users/data controllers in case those end users mishandle the data.

For example, S2 Security says in its public GDPR guide that it may not be considered a data processor in some cases because “on-premises deployments of access monitoring and video management systems often do not involve a Data Processor because the Data Controller handles all personal data.” S2 is correct when it comes to on-premise deployments. UPDATE: as pointed out by a commenter, even on-premise deployments could see themselves as processors under the GDPR if they access personal data for maintenance or other reasons.

However, it is worth remembering that firms providing cloud-connected access control solutions would be considered data processors under the GDPR. Moreover, as more systems are moving to the cloud, either for hosting, management or access, access control providers are more likely to fall under the data processor category.

Main Points of Compliance for Access Control

Legal Basis of Processing

*** ****’******** ******* ******* ***** ***** for **** **********, ** which *** ** *** following ***** ** ****** control:

  • *** **** ******* *** given********* *** ********** ** his ** *** ******** data *** *** ** more ******** ********
  • ********** **necessary *** *** *********** ** * ********** ***** *** **** subject ** *****
  • ********** ** ********* *** the *********** ** * task ******* ***in *** ****** ********** ** *** ******** of ******** ********* ****** in *** **********
  • ********** ** ********* *** thepurposes ** *** ********** ********* ******* ** *** ********** ** ** * ***** *****, ****** ***** **** interests *** ********** ** the ********* ** *********** rights *** ******** ** the **** ******* ***** require ********** ** ******** data, ** ********** ***** the **** ******* ** a *****.

Biometrics *** *******

********** (************, **** *****, facial ***********, ***) *** an **** **** **** likely **** ****** ******* firms ******* ** ****** with *** ****’* ********* consent ************.

********** ********* ** ********** under *** **** **** several **********. *** **** that ***** ***** ** access ******* *** “*********** public ********” *** “******** consent.”(******* *).

*********, ****** ** ****** control **** *** *********** their ********** ********* *** a “*********** ****** ********,” it ***** **** ** make *****, ******-*****, *** informed ******* * ********. That *****:

  • ******* ***** **** ** written** * *******, ***********, intelligible *** ****** ********** form, ***** ***** *** plain ********(******* *)
  • **** ******** *** ******* and ***“******** *** ** *** consent ** *** ****” with ****(******* *)
  • ** ****** ********* *, *** ******* ***** must ******* **** **** of ********** *** ***** used *** ***
  • ******* **** ** “****** given”, *.*. “******* ****** *** ** regarded ** ****** ***** if *** **** ******* has ** ******* ** free ****** ** ** unable ** ****** ** withdraw ******* ******* *********.” (******* **.)

**** ***** ** * consulting **** ** ********** access ******* *** *** employees ***** ******** **** scans, ** ***** ** obtain ********, *****, *** freely-given ******* **** ****.

******: ********* ***** * *********, "****** given" ******* **** ***** there ** **** ** no ********* ** *****, and *** ******** ********** has******* ********** "** ********* ** power **** ****** ** the ********** *******". **** means **'* ******** * European *** ***** ******* iris ** ****-***** ****** control *** ** ******** unless **** ** ******** by *** *** * specific ********* ******.

Refusing ******* *** **********

************* *** **** * problem **** ********* ** people ** ***** *********-***** access ******* ****** ********* ********:

******* ****** *** ** regarded ** ****** ***** if *** **** ******* has ** ******* ** free ****** ** ** unable ** ****** **withdraw ******* ******* *********. [emphasis added]

** **** ***, ** is ******** **** ** organization *** **** ** punish ***** *** ** not **** ******* *** their ********* *********** ** be ****. ** *********** may ******* ***-********* ***** access ******* *** ***** who **** *******.

**** *****, ** **** of ** ***** *** contesting **** *** ** will ****** ******* ******* challenging **** ******** *** clear ******** ** **** application. *******, ************* ****** carefully ******** *** ************ of ******* ** **** using ********** *** ****** control.

Access ******* ******* ******** **** **********?

**** ****** ******* ****** providers ******* **** ***** systems ** *** **** under **** ******* ******* they **** ***** **** that ****** ** **** to ******** ****** – unlike ******* * **** image ** * **** or ***********, *** *******. This *** ** ****** as * **** ** anonymization.*** **** ***** ********* applications, *** **** ********* and ****** ** *** reader ** ******** ** the ****** ******* ****** entirely, *** *** **** data ******** ** *** access ****** ** * Wiegand ** **** **** string *********** * **********.******, **** ********* ******* (like ***** **** ** ‘verification’ *****) *** *** store ********* **** ** the ****** ****** ** all, *** ****** ********* and **** *** ****** on ********** ***** ** inside ******-***** *********.

**** ** * ***** and ******** ******** ** the **** ****** **** not **** *** ********** to **** ** ********* to ** ********* ****, as **** ** ** is “********* **** *** the ******* ** ******** identifying * ******* ******” (******* *) - ******* **’* anonymized ** ***.

****** ******* ********* ****** err ** *** **** of ******* **** ******* with *** ********** ***** its “******* ******** ** personal ****” ****** ** the ****. ** *** take * **** *********/******* to ***** ******* ******* things **** **** **** strings *** ********** ********** under *** **** ** not.

Storage ****** ******* ***********

*** **** *** ** precise ********** ** *******, but******* ****** ** ***** **** personal **** ****** *** be ****** *** "****** than ** ********* *** the ******** *** ***** the ******** **** *** processed".

** ****** *******, **** would **** ****** ***** policies ***** ******* *** making **** **'* *** kept ****** **** ** indefinitely ****** *** *** prove **'* *** “****** interest, **********, ** ********** research ********”. **** ***** employees *** ***** * firm ****** **** ***** data ******* ********.

**** ******* ** *** personally ************ ***********, **** as ****** **** ********* when * ******** ****** goes ******* * **********. However, ** **** ****** data ** *** **** to * ******** ******, it ***** ****** *** fall ***** *** **** and **** ** ******** storage **********. (*** **** on ****, *** “***** ** **** ******** to ****** *******.” *****)

Right ** ** *********/***** ** *********** ********

*** **** ***** ***** rights *** ****** ** access *** ****** ***** personal **** ********** *******, ** ****** ******* firms **** ** **** established ********** ** ******* these ******** *** *** users **** ** ***** of *** ** *** them.

***** *** **** ******** to ****** ******** **** require **** ************** **** simply ********* *** ****, and **** ******* ** least *** ***********, **** whether *** **** ** “no ****** ********* ** relation ** *** ******** for ***** **** **** collected” (******* **.)

*** ****** ******* **** told **** **** **** struggling **** *** ** implement *** ****’* ****** and ******** ************. ** would ********* **** ****** end ***** *** ***** within ***** ****** ******* software ** ***** **** subjects ** *******, ****, and ****** ***** *** data. *** *******, ******** from **** ******* ****’* identity ********** **** ****** individual ********* ******** ***** “****** **” requests.

*** ****** ******* *******, most ********* ** ****** allow *** ******** ** all **** *********** *** activity, ******** *** ***** needed ** ** **** are ***** ****** ****** ‘user *******’ ********* ****** operators *** ***** ** management *******.

*** ****** ** ‘*********** destroy’ *** ******* ** a ****** *** ******* a ***** ****, *************, or ******* ********** ****** simple ******** ** ****** records, *** ** ***** records *** ****** **** other ***********, **** ** ‘Time & **********’ ** ‘Visitor **********’****, **** ******** record ******** *** ******* interaction **** ******** *******.

***** ********* **** *** right ** ** ********* and *** ***** ** their ******** ****. *** that ******* ** **** the **** ******** *** data, *** *** **** subject’s ********** ******. *******, this ***** *** ** possible ** *** ********’* personal **** *** **** deleted ********* *** ** her ********* **** * firm – ** ****** be **** ** ********** with *** ****’* ******* recommendations (*** “*******.”)

*******, **** ** **** that ***** ***** ** need ** ******* ** information ********, **** **** 1 ***** ** ** so, ***** *** ** extended ** ********** * months. **** **** ** not **** ** ******* them ** **** *** “manifestly ********* ** *********.” (******* **.)

Encryption *** *************

******* ****** ******* ********* handle *********** ******* ** sensitive *** ******* ******** data, ****** ********** ** key. *** **** ********** encourages ****** ********** ********* **** ****** *******’ ******** data ** *********, ** it’s ****** ********* *** access ******* ********* *** users ** **** **** they *** ******** ***** passwords *** ******** ****-**** practices **** ******* ****** Sign **.******* **** ********** ***** two-factor **************, ********* ***** Security, ** ******* *********, etc.

*******, **** ****** ******* systems ******* ************ **** Microsoft ****** ********* ** LDAP ** ******** ***** processes, *** ***** ******* utilities *** *** ** Article ** **********. ** proxy, ****** ******* *******, especially ***** **** ** large ********** *** *****-******** deployments **** *****, ******** House, *******, **, *** Avigilon *** *** ** at ****.

*************/**************** ** **** ********** by *** ****. ***** these **********, ***** ****** leaked **** ***’* ** immediately **** ** ****** people, ** ****** ** it ******* ********* ************ in **** ** * breach. *** *******,******* *********** **** ********** **** subjects *** *** **** to ** ********* ** appropriate ************* ********** *** used.

****** ******* ********* ***** anonymize/blur *********** **** ** lessen *** ****** ** a ******, *** ********. Names *** **** ** anonymized ** ********* **** person * ****** *** instead ** ********* ** them ******** ** ***** full ****.

Data ******** – ********** ***** *** ******* ******

****** **** ** ****** control, *** ***** *** most ****** ** ** considered **** ***********, ***** larger ****** ******* ***** like ******* *** **** likely ** ** ********** data **********.

***** *** ****, *********** have ** ***** ** inform *********** ** *** case ** * ******. Controllers **** *********** **** inform ********** **** ******** as **** ** **** the ****** ***** “* **** **** ** the ****** *** ******** of ******* *******”(******** **&**.)

**** *********** **** ****** in * *** ************ communication **** ****** ********** or ****** **** *** exist ** *******. ************* of **** ******** *** non ********, ********, ** highly ********** **** ******* distributions, *** **** **** introduce ********* *** ******* breach ************ ************.

****** ******* ********* ***** biometrics ****** **** *** special ********* ** ****** reporting ************, ** *** EU’s ******* ** ******* Party, ** ******** ** advisory ****,*** ********* ****** ********* ********** ** particularly **** ****, **** requiring ************ ** ********** data ******** ***** **** authorities:** ******* ********** ** personal **** [**********] *** disclosed ******, *** ********** should *** ******* ***** delay ** ******* *** breach *** ** *********** it ** *** *********** concerned.”

**** ********** **** **** responsibility ** *** ***** that **** *** **** obliged ** ******* **** controllers, ****** **** *********** and **** ********, ****** 72 ***** ** ******* to * ****** ***** discloses ******** **** **** controllers.

Data ********** ********

***** ** ** *** mandatory *** *** ****** control ***** ** ******* a *** (******* ****** with ********** **** **********), an ****** ******* **** using ********** *** **** to ** **.

*** **** **** *** 3 ********* ********* ****** **** **** ** be *********, ********* **** *** **** ********** ** the ********** ** *** processor ******* ** ********** on * ***** ***** of ******* ********** ** data [**** ******** **********]”.

***** **** ****** ******* providers’ ********** *** ** biometric ***********, ********** * DPO ***** ** ****. This **** *** ** especially **********, ** *** GDPR ****** **** * DPO *** ** ********** or ** ** ******** employee ****** **** *** more ****.

Data ********** ****** ***********

******* ******** **** ***** *** required ** ***** “****** ** ****** ** a **** **** ** the ****** *** ******** of ******* *******”, ********** **** "********** on * ***** ***** of ******* ********** ** data [*.*. **********]" ***** place.

*******, ***** **** *** GDPR *****’* ****** “***** scale” *** **** ********** based ** ******* ** “legitimate ********” – **** access ******* – ** not ****** ** ****** in * **** ** people’s ********, ** ***** unlikely ***** ***** ** required ** ***** ******** of ****** *******.

******* ** ***** **** yet ** *** *** EU ********* **** ***** these **** ************ ** practice, **** ***** ******. So *** **** *** seen ** ******** ** access ******* ***** ********* for ********* *****.

Data ******** ** ****** *******, *.*. ******** ******** ***

*** **** ********* ******** data, ** "*********** ******** to ** ********** ** identifiable ******* ******". (******* *). *******, ***** *** types ** **** ** access ******* ***** **** under * **** ****, specifically *** **** ** physical ******** **** ****** every **** ******* **** a ********* ** ***** a ********, *** *******.

****** ******* ***** ********* by **** **** **** did *** ******** **** sort ** **** ** be ******** ** ********* data, ***** ** *** exist ************* ** * specific ****** *** ***** not ** **** ** identify *******. **** ***, if *** ******* ** employee ****** * *******, the **** ********** ***** delete *** ******** *********** but **** *** *********** anonymous ******** *** (** is ******* *** ******** for **** *****).

***** *** ********** ** personal **** ***** ** the ****, **** ******** makes *****. *******, ** remains *** **** ********* realize **** *** **** they ******* ***** *** be **** ** ******** a ******** ****** ***** under *** ****** ******* of *** ****.

GDPR ********** ** ****** ******* *****

**** ****** ******* ******** providers **** ********* **** statements, ****** ********* **** are ***** ** *** specifics ** ****'* ****** on ****** ******* *******. Below *** ***** ** ****** **** statements ** ****** ******* firms, **** ******** **** commentary:

******** **** *********: [**** no ****** *********]******** ********** (**** ** Avigilon ******* ****** (***) video ********** ********) ****** itself ** **** *********, all ********** ********* **** consider *** ***** ******** and ********* *** ****** enterprises ** ********* *** operating * **** ********* system. ******** *** ***** care ** ****** **** its ***** ******** ********* include ******** *** ************* that **** ******* **** compliance.”

**** *******: ******** ********* states **** *** **** is ** ******* *** means ** **** ********** rather **** *** ********** itself.

***** **** *********:“*********** **** **** ****** in ***** ***** ** individuals ***** ***** ************ are ********** **** ********. Brivo ***-***** *** ** some ***** ***** ********* are ********** **** ***********. Brivo ** * **** Processor.”

**** *******: **** *** **** *********** ** the **** ***** ******* to ****** *******. **** that ***** ** *** statement, ***** ********* ** has ********* * *** and ***** ** ***** to ******* **** **** GDPR *******.

******* ****** **** *****:“**** ******* *** ***** requirements *** ********* ***** to ********* *** ****** data ******** **** ****** PII. ****** **** *** data *** ******* ** protected ******* ************ ****** is *** ***** **** in ********* *** ****. Our ********* ******* *** the ***** *** **** to ****** **** *** PII ******** *** ****** by *** ******** ******* is ***** *******.”

“**** ****, *********** *** now ******* ****** ** a **** ** *** data ** ************ *** collected ***** ****. ********** *********™ ******* ******** ********** platform ***** **** *** are ***** ** ******* to ***** ********. ** provides * ****** ***-***** portal ***** *** *** easily *** *********** ***** private ****. ** **** you ******* *********** ****** to ***** ******** *********** in * ********** *** common ******.”

**** *******: * ******** of *******’* ***** ** its ******* ***** ************ rather **** ****** ******* solutions, ******* ** ******** identifies *** ********** ** strong ************* ********* *** offering ******** ** **** GDPR ********** ******.

***** **** *****: “***** *** ******** *** products ** ***** ********* to *** **** ** GDPR-compliant ****. ***** ******* offers ******* ****** ** security ** ******* *** Personal **** ** ********* and ********. ********* ******** standards *** ***-********* ********** methods *** ** ********** in *** ***** ******* system **** ** ******* between **** *** ******, OSDP ******* ****** *** controller, ****.* ******* ********** and ******, *** ***** for * ****** ******** experience. ********, ***** ******* supports ************* ****** ************ to ***** ****** ** authorised ********* *** ******** the *********** ** ******* data ******, ** **** which ** ********* ******** for *** ****** ** function.”

**** *******: *****'* ***** was *** ** *** most ******** *** ******** about ****'* ****** ** access *******.

****** **** *********: “** **** **** **** that *** ******** **** provide *** ***** ******** to ***** ********** ** used *********, *******, ****** is *** *********** *** a ****’* ********** **** GDPR *** ** *** offer ****** ** *** to ** *********.”

**** *******: ****** **** correctly ***** **** ***** it *** **** *** means ** ****** **** GDPR, *** ******** ****** automatically ****** **.

*** **** *********: “** *** **** ** access ** ***** *** other ******** **** ** hold ***** ***, ** to ******* **** ** delete *** *********** ***** you, *** *** ******* us ** ******** ***@***.***. We **** *********** **** request ****** *******-*** (**) hours *** ****** ** promptly. *** ******** *.*.*. will ******* ** ***** requests ****** * *****, with * *********** ** extend **** ****** *** particularly ******* ******** ** accordance **** ********** ***. We **** ****** **** information *** ** **** as **** ******* ** active, ** ****** ** provide *** ********, ** to ****** **** *** legal ***********, ******* ******** and ******* *** **********.”

**** *******: **’* *** actually ********* *** *********** or ********** ** ******* to ***** ******** ****** 72 *****, ***** ** the **** ******** ** report ********. *** **** gives *********** *** ********** up ** * ****** to ******* ** ***** requests.

** **** *****: “*** ******** ********** ****** falls ** *** **** Controller, *** ****** **** decides ***** ******** **** to ******* *** *** the ******** ************** *** safeguarding **.”

“********* **** ****** ***** regarding ******** **** *** prevent ****** ******. ****** the ***** ****** ** personal **** *** **** for ******** **********. ****** that *********** *** *** shortest ****** ** **** necessary. ***, ******* **** importantly, ** *********** ***** your ******** **** *********.”

**** *******: ***** *** all ******* ********** *** underline *** ******* ********** burden *** ****** ******* end *****/***********.

*** / **** ************ Kantech *** ******** ***** offer *** **** **** guides (*.*.*****) *** ***** ****** control ***** ****** ***** it ** *** ***** surveillance:“** ** ********* ** note **** ******* ***/** product ********* *** *** by ********** **** *********. Any ******* **** ** subject ** *** **** will **** ** ****** what ******** *** ********** are ******** ** ****** with ***** **************** ***** the **********, *** ** procure, ********* *** *** products ***/** ******* ********* in * ****** **** is *********.”

“******* ********’ ***** ******* portfolio ******** * ****** of ******** *** ********* that *** **** **** aspects ** **** ********** ************ *** ************ for ******** *** ********** of **** *********. **** features *** ******* **********, role-based ****** ******* ** limit ***** ***** *** access ****, *** **** to ***** ******* ***** trails *** **** ****** and *********. *******, ********** with *** **** *** only ** ******** ******* deployment ******* *** ******** policies ******* ************ ** meet *** *********** ***** of **** ********** ********. Therefore, **** ********** ****** be ****** ** * product’s ******* ***. ***** the *******’* ******* *** can **** **** ********** easier ** *******, ***** will ********** ** ********** specific *** ******** ******** actions ******** ** ****** compliance **** *** ****. GDPR ******* **** **** contain ************ ***** ***** data ** ******, **** information ** ****** *** user ******* ************ **** product ******** ****** *******.”

**** *******: **** ******* and ******** *****, **** owned ** ******* ********, offer *** ******* ******* of ****** ******* ***** distancing ********** **** *** users **** ** ***** to **** **********, ****** that ******* ******** ***** cannot ****** **********.

Future *******

**** **** ******* ******* updates ** *** **** related ****** ******* *********** arises *** ** ***** impacting **** *** ****** control *** *******.

Comments (6)

Avatar

Piotr Powazka

ERATRUST.PL
03/03/20 11:51am

Hi, I would like to point certain clarification that should be added to the paragraph:

"For example, S2 Security says in its public GDPR guide that it may not be considered a data processor in some cases because “on-premises deployments of access monitoring and video management systems often do not involve a Data Processor because the Data Controller handles all personal data.” S2 is correct when it comes to on-premise deployments" It is partially true when it comes to on-premise deployments. Still companies providing full service agreement even for on-site solution will have access to stored data. The same applies in cases of one off access due to some database/software problems with on-site deployment. If so the service/provider company is processing data (they do database backup, check records, sort out database records etc.) Therefore, when we look at a definition of art. 4(2) GDPR: "‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction", the data controller should have a data entrustment agreement in place with a service/solution provider company. They are simply instructed to perform activities on data and should be considered as processors anyway. If the nature of the work/agreement involves processing activity on data on behalf of the data controller we can almost be certain that someone is processor there, whether they like it or not.

Avatar

Charles Rollet

In reply to Piotr Powazka | 03/04/20 08:11am

Hi Piotr,

Thanks for your comment. Yes, you are correct. As soon as personal data is accessed by the access control provider - even for routine maintenance - the GDPR kicks in, and this also applies to on-premise deployments. I've updated the article to reflect that.

Avatar

Piotr Powazka

ERATRUST.PL
In reply to Charles Rollet | 03/04/20 08:17am

Hi Charles,

Your welcome.

Avatar

Piotr Powazka

ERATRUST.PL
03/03/20 12:58pm

Further comment regarding this section: "This means if a consulting firm is installing access control for its employees which includes iris scans, it needs to obtain informed, clear, and freely-given consent from them." Please note that European Data Protection Board as well member states' Supervisory Authorities emphasize a significant imbalance between employees and employers with regards to consent given. The Guidelines on Consent under Regulation 2016/679 (wp259rev.01) refer to Elements of valid consent under Article 4(11) of the GDPR stipulates that consent of the data subject means any:

- freely given,
- specific,
- informed and
- unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

"An imbalance of power also occurs in the employment context. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera-observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent. Therefore, WP29 deems it problematic for employers to process personal data of current
or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1)(a)) due to the nature of the relationship between employer and employee."

Unless there is a legitimate basis for biometrics use in the workplace such as local law due to national security critical infrastructure (cybersecurity) where just RFID cards are not enough the use of consent is not the right choice for an employer.

Avatar

Charles Rollet

In reply to Piotr Powazka | 03/04/20 08:15am

That's a good point too. We've seen Data Protection Authorities take into account imbalances of power when considering consent for biometric systems, e.g. when the Swedish DPA banned face rec at a school because students could not give freely-given consent since:

it is clear that the student is in a dependent position to the school in terms of grades, funding, education, and thus future work or study opportunities.

I've updated the article.

Avatar

Piotr Powazka

ERATRUST.PL
In reply to Charles Rollet | 03/04/20 09:05am

Absolutely they do look at it. The same applies to recent case in Dutch court where a shopping mall installed fingerprints in order to unlock tills and monitor work time of their employees. There must be an alternative solution first considered or at least an option which does not "force" a person to use it. In terms of CCTV the stance of regulatory body like European Data Protection Board is the fact, that private CCTV monitoring public area, eg. close to our property, is subject to GDPR to. There is a lot of discussion about it and some doubts but it is how they perceive it. I wrote an article about it and how to minimize the impact of video surveillance during the design thus not in English.

Read this IPVM report for free.

This article is part of IPVM's 6,538 reports, 881 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Exit Devices For Access Control Tutorial on Aug 25, 2020
Exit Devices, also called 'Panic Bars' or 'Crash Bars' are required by safety...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Door Fundamentals For Access Control Guide on Aug 24, 2020
Doors vary greatly in how difficult and costly it is to add electronic access...
Startup Solink $17 Million USD Fund Raise Expands To Mass Market on Jun 24, 2020
Solink has raised ~$17 million USD, a sizeable round for the company that...
HID Presents Mercury Security & Aero Access Controllers on Aug 25, 2020
HID presented Mercury Security & Aero Access Controllers at the 2020 IPVM...
Network Cable Usage Statistics 2020 (Cat 5e vs Cat 6 vs Cat 6a) on Sep 02, 2020
Integrators are split between using Cat 5e, 6, and 6a but 2 of them have...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
U.S. Government Accountability Office Urges Facial Recognition Regulation on Aug 27, 2020
The US Government Accountability Office (GAO) is urging facial recognition...
Dedicated Vs Converged Access Control Networks Statistics 2020 on Sep 10, 2020
Access control is a crucial system where the network used can impact life...
IPVM Editorial Staff on Aug 01, 2020
IPVM has the largest and most experienced editorial team covering video...
Idemia Presents AI Facial Recognition Access Reader on May 18, 2020
Idemia presented its VisionPass AI Facial Recognition Access Reader at the...

Recent Reports

Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
New Products Show Fall 2020 Starts Tomorrow! on Sep 27, 2020
Tomorrow, IPVM's sixth online show will feature New Products from over 25...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
This is a unique installation course in a market where little practical...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...