Biometric Data
Using biometric data?
In the Netherlands, the rules for access control using biometric data, such as fingerprints, facial recognition, or iris scans, are strictly regulated to protect individuals’ privacy.
Access control at work
As an employer, you can use one of the exceptions to the ban on processing biometric data.
Exception 1: security or authentication
If you want to use biometric data for access control, you may only do so if it is necessary. To determine whether that necessity exists, you must consider whether your building, area or system has to be secured so well that this cannot be achieved in any other way than by using biometrics alone.
Exception 2: (explicit) consent
The exception of explicit consent in the relationship between employer and employee will rarely provide a solution. Because your employees are dependent on you, they are not in a position to refuse. This means that you cannot meet the requirement that consent must be given freely.
Employee Consent Required in the Absence of Overriding Public Interest
The explanatory memorandum to the Dutch GDPR Implementation Act (UAVG) highlights the strict conditions under which biometric data may be used for access control in the Netherlands. Article 29 of the UAVG applies only when biometric data processing is necessary for reasons of overriding public interest.
When such an overriding public interest does not apply — as is the case for employees on construction sites — employee consent is required. This consent must be given actively, freely, and can be withdrawn at any time.
At SaverIT, active consent means that an employee digitally signs a consent form within the Portal. The date and time of the consent are automatically logged by the system.
Furthermore, a non-biometric alternative must always be provided, such as an RFID chip. All SaverIT hardware includes both biometric and non-biometric clocking options: employees can clock in and out using fingerprint, facial recognition, or iris scan, as well as via RFID chip.
This gives employees a voluntary choice in how they register their attendance.
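The consent flow described above (a signed consent record with a system-logged timestamp, withdrawable at any time, with a non-biometric alternative that always works) can be expressed as a small consent-gated access check. The code below is an added illustration, not SaverIT's Portal code; the ledger, event names and modality labels are assumptions chosen for the example.

```python
"""Consent-gated biometric clocking (illustrative example, not SaverIT's code).

Two rules from the page are enforced:
  1. A biometric modality may only be used while the employee has active,
     non-withdrawn consent on record.
  2. The non-biometric modality (RFID) is always available.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Modality labels are assumptions for this example.
BIOMETRIC_MODALITIES = {"fingerprint", "face", "iris"}
NON_BIOMETRIC_MODALITIES = {"rfid"}


@dataclass(frozen=True)
class ConsentEvent:
    employee_id: str
    action: str        # "granted" or "withdrawn"
    at: datetime       # set by the system, never supplied by the client


def _parse_time(at_iso):
    """Return an aware UTC datetime; default to 'now' when no timestamp is given."""
    if at_iso is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(at_iso)


class ConsentLedger:
    """Append-only log of consent grants and withdrawals.

    Events are never edited or deleted, so the consent state at any past
    instant can be reconstructed for an audit.
    """

    def __init__(self):
        self._events = []

    def record(self, employee_id, action, at_iso=None):
        """Log a grant or withdrawal; returns the timestamp that was stored."""
        if action not in ("granted", "withdrawn"):
            raise ValueError(f"unknown consent action: {action!r}")
        at = _parse_time(at_iso)
        self._events.append(ConsentEvent(employee_id, action, at))
        return at.isoformat()

    def has_active_consent(self, employee_id, at_iso=None):
        """True if the latest event for the employee up to 'at' is a grant."""
        at = _parse_time(at_iso)
        state = False
        for ev in self._events:            # events are stored in log order
            if ev.employee_id == employee_id and ev.at <= at:
                state = ev.action == "granted"
        return state


def clocking_allowed(ledger, employee_id, modality, at_iso=None):
    """Decide whether an employee may clock in with the given modality.

    RFID is always permitted; a biometric modality requires active consent
    at the moment of the clocking attempt.
    """
    if modality in NON_BIOMETRIC_MODALITIES:
        return True
    if modality in BIOMETRIC_MODALITIES:
        return ledger.has_active_consent(employee_id, at_iso)
    raise ValueError(f"unknown modality: {modality!r}")


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample timeline for one employee.
    print(clocking_allowed(ledger, "emp-1", "fingerprint", "2024-03-01T08:00:00+00:00"))  # False
    print(clocking_allowed(ledger, "emp-1", "rfid", "2024-03-01T08:00:00+00:00"))         # True
    ledger.record("emp-1", "granted", "2024-03-01T08:05:00+00:00")
    print(clocking_allowed(ledger, "emp-1", "fingerprint", "2024-03-01T08:10:00+00:00"))  # True
    ledger.record("emp-1", "withdrawn", "2024-03-02T09:00:00+00:00")
    print(clocking_allowed(ledger, "emp-1", "fingerprint", "2024-03-02T09:30:00+00:00"))  # False
```

The point-in-time check (`at_iso`) matters for audits: because the ledger is append-only, a supervisor can later show that a biometric clocking at a given moment was covered by consent that had been granted before it and not yet withdrawn.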
[Screenshot: consent form before signing]

[Screenshot: consent form after signing]
Supervision and Enforcement
The Dutch Data Protection Authority supervises compliance with these rules and can impose fines for GDPR violations.
Data Protection Impact Assessment (DPIA)
The Explanatory Memorandum reiterates the importance of conducting a DPIA when biometric data is used. This assessment must map potential privacy risks and propose appropriate measures to mitigate those risks. The requirement to conduct a DPIA is particularly relevant when processing is likely to pose a high risk to the rights and freedoms of individuals.
Roles and Responsibilities in a DPIA
SaverIT provides technical input for the DPIA, such as the security measures in place and the data flows through the system. The construction company using our software is responsible for determining whether a DPIA is required and for carrying it out.
Enforcement and Sanctions for Use of Biometric Data
The Explanatory Memorandum states that the Dutch Data Protection Authority is responsible for supervising and enforcing the rules regarding the processing of biometric data. In case of violations, the Dutch Data Protection Authority can impose sanctions, such as fines, depending on the severity of the infringement.