According to Article 13 of the ZZLP, biometric data are a special category of personal data.
The condition for legal processing is the legal basis from Article 10, paragraph (1) of the ZZLP and the existence of one of the exceptions given in Article 13, paragraph (2) of the ZZLP.
For example, the legal basis for processing biometric data for entry into official premises may be express consent.
However, since this represents a relationship between employer and employee (unequal relationship, relationship of dependence), the question should be raised whether the employee voluntarily gives his consent (voluntariness is one of the conditions for consent).
For those reasons, the employer must ensure that the consent is voluntary and must provide the employee with an alternative for a different entrance to the office premises (via card, code, etc.)
In case of approval, the processing of biometric data can be carried out only after prior approval by the AZLP in accordance with Article 84 of the ZZLP, although the processing is carried out after the express consent given by the subject of personal data.
Approval is not required in the event that the processing of personal data is determined by a law that contains security and other measures to protect the rights and freedom of the subjects of personal data.
In such cases, the Agency makes a decision within 90 days from the receipt of the request for approval.