Hi all,
Due to professional reasons, I will have to insert some kind of biometrics to enter the facilities of the company.
I pushed back but I can’t avoid this. I don’t want to, but it has a legal basis (it “respects” the GDPR because it’s “legitimate interest”).
However, they proposed a “workaround”:
It can be either Facial Recognition or Fingerprinting.
What would you recommend in my situation?
My thoughts:
Currently, we are being “recorded” without any consent everywhere. In shops, in the street, social media, etc. I guess that I will opt for facial recognition because of that, but I would like to hear your points (if you have any).
You’re already not anonymous at your work campus/job site anyway.
And although the place has cameras, it is likely separate from whatever access control system is in use, so I’d say go with the fingerprints. Less likely to be sold/matched to other parties, at least for now imo.
But if it is a combined singular unit with camera+fp reader I guarantee you it takes a picture regardless.
Like @SkewedZeppelin I’d probably opt for the fingerprint. Between the two options you are given, Fingerprint seems like the option that is less likely to be abused without your knowledge.
But apart from the decision between the two options, where my focus would be is asking your employer how they protect this information, who can potentially access it, what safeguards are in place.
Hum… so wouldn’t it be better to give out only one method (in this case, if the picture is being taken, I would try to protect the fingerprint)?
Already did. They say it’s strictly confidential, only X persons will have access and that kind of stuff. But it uses the cloud. Besides, I believe that everything online is available for robbery or access by 3rd parties.
I’m really uncomfortable.
Legitimate interest of biometrics is very questionable here but that’s probably not going to help you unless you go to court. And you are right that this seems to be a generally accepted thing, which in itself is also quite wrong as biometric security is arguably worse.
Anyhow, what you should do is ask for the Data Processing Impact Assessment or DPIA for short. They are required to make such a document, in which all risks are addressed. Hopefully this will also give you some more confidence on the implementation.
Probably good to add is that it’s not required for the company to give you access to the DPIA. It is not required to publish this to the data subjects. However, if they do not want to share this information, that gives you a good argument for the system not being transparent.
True, but I’d just be uncomfortable having my biometrics stored anywhere by anyone, especially in this instance where the information is stored on a cloud provider. This kind of info gets hacked all the time.