Legislation on Biometric Data
In the Netherlands, the rules for access control using biometric data, such as fingerprints, facial recognition, or iris scans, are strictly regulated to protect individuals’ privacy.
Parliamentary Debate on April 15, 2025: Biometric Data Now Permitted on Construction Sites
On Tuesday, April 15, 2025, the Dutch House of Representatives held a debate with State Secretary Struycken (Legal Protection) regarding the streamlining of legislation on personal data. The aim of the proposed legislation is to reduce administrative burden by improving and clarifying privacy laws. You can watch the full debate here.
Conclusion: Biometric identification is permitted on construction sites, provided that a number of core rules and legal requirements are met. SaverIT offers both hardware and software solutions that are fully compliant with this legislation.
Employee Consent Required in the Absence of Overriding Public Interest
The explanatory memorandum to the Dutch GDPR Implementation Act (UAVG) highlights the strict conditions under which biometric data may be used for access control in the Netherlands. Article 29 of the UAVG applies only when biometric data processing is necessary for reasons of overriding public interest.
When such an overriding public interest does not apply, as is the case for employees on construction sites, employee consent is required. This consent must be given actively and freely, and it can be withdrawn at any time.
At SaverIT, active consent means that an employee digitally signs a consent form within the Portal. The date and time of the consent are automatically logged by the system.
Furthermore, a non-biometric alternative must always be provided, such as an RFID chip. All SaverIT hardware includes both biometric and non-biometric clocking options: employees can clock in and out using fingerprint, facial recognition, or iris scan, as well as via RFID chip.
This gives employees a voluntary choice in how they register their attendance.
[Images: before signing; after signing]

Key Rules and Requirements for Use of Biometric Data
- Consent: If the legal basis for using biometrics is consent, this consent must be voluntary, specific, informed, and unambiguous. This means that employees or visitors must be free to choose whether or not to provide their biometric data without negative consequences. SaverIT meets these requirements and logs consent with a signature and timestamp in the Portal.
- Security Measures: The data controller must take appropriate technical and organizational measures to ensure the security of biometric data. This may include encryption, pseudonymization, and restricting access to this data. SaverIT meets these requirements through data encryption and administrator authorization.
- Data Protection Impact Assessment (DPIA): Processing biometric data often requires a DPIA. This is a risk assessment to determine whether the rights of individuals are adequately safeguarded.
- Data Breach Notification Obligation: In the event of a data breach involving biometric data, it must be reported immediately to the Dutch Data Protection Authority, and if there is a high risk to the rights and freedoms of the individuals concerned, also to the affected individuals. SaverIT has a protocol for data breaches.
- Rights of Individuals: People whose biometric data is processed have rights such as access, correction, and deletion of their data. They can also object to the processing of their data. SaverIT meets these requirements; the previously given consent with a signature and timestamp in the Portal can be withdrawn at any time. SaverIT always offers an alternative method of clocking in with an RFID chip.
Supervision and Enforcement
The Dutch Data Protection Authority supervises compliance with these rules and can impose fines for GDPR violations.
Data Protection Impact Assessment (DPIA)
The Explanatory Memorandum reiterates the importance of conducting a DPIA when biometric data is used. This assessment must map potential privacy risks and propose appropriate measures to mitigate those risks. The requirement to conduct a DPIA is particularly relevant when processing is likely to pose a high risk to the rights and freedoms of individuals.
Roles and Responsibilities in a DPIA
SaverIT provides technical input—such as security measures, data flows, and more—for the DPIA. The construction company using our software is responsible for determining whether a DPIA is required and for carrying it out.
Enforcement and Sanctions for Use of Biometric Data
The Explanatory Memorandum states that the Dutch Data Protection Authority is responsible for supervising and enforcing the rules regarding the processing of biometric data. In case of violations, the Dutch Data Protection Authority can impose sanctions, such as fines, depending on the severity of the infringement.