Processing of biometric data (“données biométriques”) pursuant to French law
Biometric data are personal data resulting from specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm his or her unique identification, such as facial images or fingerprint data (Reg. (EU) 2016/679 of Apr. 27, 2016, art. 4, § 14).
What principle governs the processing of biometric data in France?
The processing of biometric data in France is prohibited in principle because such data is a category of sensitive data, but exceptions are provided for by Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and Directive (EU) 2016/680.
To be authorized, the processing must be based on one of these exceptions and be necessary and proportionate.
Special obligations also apply, such as keeping a register of processing activities, carrying out a data protection impact assessment and appointing a data protection officer if the processing is carried out on a large scale.
Automated individual decisions may not be based on the processing of biometric data without appropriate measures to protect the rights and freedoms of the data subjects and their explicit consent or important public interest reasons.
In what areas is processing of biometric data authorized in France?
Article 9, § 4 of Regulation (EU) 2016/679 gives Member States the freedom to maintain or impose additional conditions for the processing of biometric data.
French Law No. 78-17 authorizes the processing of biometric data necessary to control access to work premises and to professional computer equipment and applications, subject to standard regulations drawn up in consultation with public and private bodies. The processing of biometric data justified by the public interest must be authorized by a decree of the French Council of State (“Conseil d’Etat”), issued after consultation with the French authority on data protection (“CNIL”).
They must be proportionate to the objective pursued.
Processing operations based on the exception of the explicit consent of the data subject must comply with the conditions applicable to consent set forth in Article 7 of the General Data Protection Regulation. Processing carried out in the context of a strictly personal or domestic activity is excluded from the scope of Regulation (EU) 2016/679.
For mobile biometric authentication devices, the CNIL states that the domestic exemption applies if the user uses the device privately, stores the biometric template in the device in an encrypted manner, and only transmits data indicating the success or failure of recognition of the biometric presented.
French legal texts governing biometrics:
- Reg. (EU) 2016/679 of 27 Apr. 2016, art. 4 § 14.- C. personal data
- Reg. (EU) 2016/679 of 27 Apr. 2016, art. 9.- C. personal data
- Dir. (EU) 2016/680 of 27 Apr. 2016, art. 10.- C. personal data
- L. n° 78-17 of Jan. 6, 1978, art. 6.- C. personal data
Main French Court Decisions:
- TA Marseille, Feb. 27, 2020, No. 1901249
- CNIL, deliber. N° 2019-001, Jan. 10, 2019