Current situation regarding the use of biometric data

It is evident that technology is advancing at a much faster pace than legal regulations, especially in highly sensitive areas such as biometric data processing, artificial intelligence, and automated surveillance. This regulatory gap creates significant legal uncertainty and challenges in the protection of fundamental rights, as technological solutions are often implemented without a clear regulatory framework to ensure their ethical, proportional, and lawful use in line with principles of transparency and legality.

Gap between technological advancement and current regulation

The current situation regarding the use of biometric data in Spain is marked by significant legal and technological tension. Although the General Data Protection Regulation (GDPR) allows for the processing of biometric data under strict conditions, the reality is that many companies have adopted facial recognition, fingerprint, or iris scanning systems for access control and time tracking without always complying with requirements of proportionality, necessity, or appropriate legal basis.

This scenario becomes even more complex with the rise of artificial intelligence, which enhances the scope and sensitivity of biometric processing, increasing the risks to fundamental rights, particularly privacy. Simultaneously, the recent reform by the Ministry of Labor — which strengthens employers’ duty to ensure a reliable, objective, and accessible digital timekeeping system — may encourage the use of invasive technologies in the absence of clear regulatory guidance on which tools comply with the law.

In this context, the mismatch between technological progress and existing regulation becomes evident, creating legal uncertainty for both businesses and workers and posing an urgent challenge for legislators and supervisory authorities. The key will lie in establishing precise limits and effective oversight mechanisms that allow for a balance between innovation, labor compliance, and data protection.

Recommendations for the use of biometric data in companies

The use of biometric data in companies — such as fingerprint or facial recognition for access control or time management — involves the processing of a special category of personal data under the GDPR. Therefore, before implementing such systems, it is essential to conduct a Data Protection Impact Assessment (DPIA). This assessment is not only a legal requirement when the processing may pose a high risk to individuals’ rights and freedoms, but also a crucial preventive tool to ensure the technology used is proportionate, necessary, and compliant with the current legal framework.

The DPIA is a structured process that enables the identification and analysis of the risks associated with personal data processing, particularly when sensitive data such as biometrics are involved. Its purpose is to anticipate potential negative effects on the data subjects’ privacy and to establish measures to mitigate them.

The DPIA must include, among other elements, a detailed description of the intended processing, its purpose, the legal basis used, an assessment of the necessity and proportionality of the processing, and a risk analysis along with the security measures applied to reduce them. In some cases, if significant risks remain, prior consultation with the Spanish Data Protection Agency (AEPD) will be necessary. In short, the impact assessment not only protects workers but also provides companies with a solid roadmap for responsible and transparent regulatory compliance.

In conclusion, although the use of biometric data in the corporate sector has been significantly restricted following the AEPD’s 2023 publication of the Guidelines on the Use of Biometric Systems for Timekeeping, which set very strict criteria regarding legality and proportionality, it is clear that the technological landscape is evolving rapidly. New solutions allow for safer, less intrusive, and more technically optimized processing, highlighting the need to reassess the current restrictive approach. In this context, it is crucial that the AEPD updates its position and issues a new statement that takes into account technological advances and the real needs of businesses, enabling a proportionate and rights-compliant use of biometric systems within the framework of the GDPR. A coherent and flexible regulatory revision would not only provide legal certainty, but also make it possible to reconcile innovation with the protection of fundamental rights.
