Mandating that companies use fingerprint or facial recognition as a login method or time control can count. The Spanish Data Protection Agency (AEPD) has changed the criteria regarding the use of biometric systems for access control, both for work and non-work purposes (such as in gyms or private clubs). From now on, the Agency will treat them as prohibited systems unless there are exceptional circumstances that justify their use over methods that do not use “high risk” data.
Agency published This change in criteria in its recent “Guidance on the treatment of presence control through biometric systems”, which details the interpretation that will be carried out from now on to assess whether these methods comply with data protection regulations. An update that justifies the rapid evolution of this technology, which now “even allows us to collect information without the cooperation of people” or their knowledge, as well as the use of artificial intelligence “can be used to infer additional information about people.”
Source: El Diario