This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
The change in criteria by the AEPD regarding the use of access control systems that collect and store biometric patterns such as fingerprints or facial recognition has led companies to consider new methods for employee identification and timekeeping.
Until November 2023, the AEPD accepted explicit consent from the employee as the basis for legitimizing the use of their biometric data. From now on, companies must offer an alternative method, and the AEPD will only allow the use of biometric data if its necessity is objectively demonstrated through a risk analysis, impact assessment, and BIA (Business Impact Analysis) to verify suitability, adequacy, and proportionality.
In this scenario, B-FY's decentralized biometric solution offers companies a system that integrates into their existing architectures, swiftly and simply, and aligns with the new requirements of the AEPD.
Unlike centralized biometric systems that store user data on servers, B-FY's solution does not collect or store any biometric data or patterns. Instead, it utilizes the biometric solution of the user's mobile device for authentication.
Thus, data always remains in the hands of the user, ensuring their privacy and compliance with security standards and requirements established by the AEPD.
In Europe, the regulation governing the collection of biometric data, as well as other types of personal and biographical data - such as date of birth, marital status, gender, name, or address - is the General Data Protection Regulation (GDPR), which came into force in 2016 and has been applicable since May 25, 2018.
The GDPR is mandatory across the EU's 27 member states and protects around 500 million people, including EU citizens and long-term residents. Regarding biometric data, the GDPR defines it as "special categories of personal data" and establishes a general prohibition on processing especially protected data in Article 9.1 unless there is a legitimate basis for its use outlined in Article 9.2.
Following the decision of the European Data Protection Board to consider biometric data as especially protected data for use in authentication and identification, the AEPD has decided to restrict and monitor the use of access control systems that collect and store biometric patterns such as fingerprints or facial recognition. This new provision has brought about a significant change in how companies record their employees' working hours.
This change implies a reassessment of methods for recording working hours in search of alternatives that comply with the privacy and security standards established by European regulations.
The public interest or security requirements established by the AEPD imply that centralized biometric systems for controlling presence must be justified by fundamental security reasons and cannot disproportionately interfere with the protection of personal data.
These requirements seek to balance the need for access control with respect for individuals' privacy.
The AEPD's Guide on attendance control treatments through biometric systems provides clear guidelines for attendance control treatment using biometric systems, in line with the General Data Protection Regulation (GDPR). It emphasizes the importance of minimizing the collection of biometric data and ensuring that individuals' rights, including the right to privacy and data protection, are respected.
B-FY offers a decentralized biometric solution that complies with the AEPD's new regulations. Our system does not store any biometric data or patterns on servers.
By using B-FY's system to identify its users, our clients integrate our library service into their application. To verify the user's identity, we only need their email and phone number, so the device is associated with a single person.
Unlike other applications where the person accesses the service with a password and then associates a biometric pattern such as a fingerprint or face with that password, in the case of B-FY, there are no passwords that can be stolen or hacked.
With B-FY, a person's biometric pattern is associated with the device they have registered as their own, and their data always remains in the hands of the user. Thus, no one can access a service protected with B-FY by entering the password on a phone other than the one registered as theirs and associating a different biometric pattern because there is no such password as part of the identification protocol.
The regulatory evolution in the field of biometric registration has created the need to find alternatives that comply with the privacy and security standards established by European legislation.
With the restriction on the use of traditional biometric systems, solutions like B-FY offer a secure and efficient option for recording working hours, ensuring the protection of users' personal data.
Want to learn more? Request a free demo here.