“The use of biometric data in the workplace is permitted only if explicitly provided by specific legal provisions that protect employees’ rights. Such processing must serve a public interest and meet the criteria of necessity and proportionality with respect to the pursued objective”. This was reaffirmed by the Italian Data Protection Authority (i.e. “Garante Privacy”) in its provision No. 167 of March 27, 2025, published in the official newsletter on June 25, 2025.
First, it is important to recall that biometric data are defined by Regulation (EU) 2016/679 (the “GDPR”) as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data” (Art. 4, point 14). When used to uniquely identify individuals, they fall within the “special categories” of personal data under Article 9 due to their sensitivity, stemming from their close and stable connection with a person’s identity.
The general rule is that the processing of biometric data is prohibited, with exceptions listed under Article 9, paragraph 2, of the GDPR. In the employment context, such processing is lawful only when it is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”, provided it is authorized by Union or member State law or a collective agreement under member State law, with appropriate safeguards in place to protect the fundamental rights and interests of the data subject.
In other words, processing biometric data in the workplace is lawful only when based on a valid legal provision that serves as an appropriate legal basis. Currently, there are no specific Italian laws authorizing the use of biometric data for the purpose of tracking employee attendance, nor do such provisions define the necessary safeguards.
This lack of a legal basis cannot be overcome by obtaining employee consent. In the words of the Authority: “Given the power imbalance inherent in the employment relationship and the resulting need to verify, in each case, the employee’s genuine freedom of consent, such consent does not, as a rule, constitute a valid lawful basis for the processing of personal data in the workplace, regardless of whether the employer is a public or private entity”.
Other related insights:
