For any processing of personal data, there must be a legal basis for the processing given in Article 10, paragraph (1) of the Law on Protection of Personal Data.
Identify the legal basis for the processing, document it and inform individuals about it within your privacy policy/notice/statement.
It should be borne in mind that if you rely on the consent of natural persons as a legal basis for the processing of personal data, then you should ensure that all conditions prescribed by law are met.
Also, if the processing involves special categories of personal data (e.g., biometric data, genetic data, health-related data), you should refer to the legal basis for the processing given in Article 10, paragraph (1) of the Law for the protection of personal data, and to one of the exceptions for the processing of such data given in Article 13 of the Law on the Protection of Personal Data.
Example:
A company introduces an electronic fingerprint scanning system to enter its premises. This system represents processing of biometric data for identification of working hours of employees. The company should fulfill the appropriate conditions for processing the special category of personal data (legal basis given in Article 10, one of the exceptions for processing such personal data given in Article 13, plus fulfillment of the conditions prescribed in Article 84 of the Law on the Protection of personal data).
