Application for biometric measures
+ -Biometrics in the private sector
The processing of biometric personal data in the private sector may only be carried out in accordance with the provisions of Article 83 of the ZVOP-2 if it is strictly necessary for the performance of the activity, for the safety of persons, the security of property, the protection of classified information or the protection of business secrets. The processing of biometric personal data must be certified in accordance with Article 52 of the ZVOP-2.
A private sector person may also process biometric personal data in order to protect the accuracy of the identity of its customers. Such processing is permissible if, for the permissible purposes, this is provided for by another law, if it is specifically provided for in a contract or if the parties have given their explicit consent. Where biometric personal data are processed on the basis of a contract with a consumer, the controller must provide the data subject with a means of identification without processing the biometric personal data.
The processing of biometric personal data in the private sector may also be carried out provided that the processing operations of the customer are under the customer's exclusive control or authority and certified in accordance with the certification powers of the supervisory authority referred to in Article 52 of the ZVOP-2 and allow the customer to explicitly authorise the processing of these data by other processors and controllers for the purpose of proving the accuracy of his identity (Article 83(3) of the ZVOP-2).
Before the processing of biometric personal data begins, individuals must be informed in writing and, in the case of employees, the controller must carry out prior consultation with the employees on the proportionality of the processing (Article 83(4) of the ZVOP-2).
According to the provision of Article 83(5) of the ZVOP-2, a private sector person intending to process biometric personal data shall, prior to the commencement of the processing, provide the supervisory authority with a description of the intended processing and the reasons for its initiation (see Form for notification of biometric measures to the Information Commissioner). The controller of personal data may only implement biometric measures after receiving the decision of the Information Commissioner authorising the implementation of biometric measures. There is no right of appeal against the decision of the Information Commissioner, but an administrative dispute is allowed.
The ZVOP-2 also provides for a possible exception, i.e., a private sector person does not need to obtain a decision if the biometric measures are carried out in the manner referred to in above mentioned Article 83(3) of the ZVOP-2.
Article 84 of the ZVOP-2 defines the prohibition of obtaining biometric personal data in the context of marketing, namely that in the context of marketing or similar other commercial activities, biometric personal data may not be requested, obtained or further processed in exchange for certain services, even if those services are free of charge to the data subject.
Biometrics in the public sector
Article 82 of the ZVOP-2 provides that the processing of biometric personal data in the public sector may only be provided for by law if it is strictly necessary for the security of persons, the security of property or the protection of classified information, for the identification of missing or deceased individuals or for the protection of business secrets, and if these purposes cannot be achieved by less restrictive means.
The processing of biometric personal data in the public sector may exceptionally also be carried out provided that the processing operations are certified in accordance with the certification powers of the supervisory authority referred to in Article 52 of the ZVOP-2 in a manner that ensures that the processing and use of such data is under the sole control or exclusive authority of the data subject and that the data subject is given the opportunity to explicitly authorise the processing of such data by other processors and controllers for the purpose of proving the accuracy of his identity (Article 82(2) of the ZVOP-2).
The processing of biometric personal data may be provided for by law if it is for the fulfilment of obligations under a binding international treaty or for the identification of individuals when crossing state borders.
The processing of biometric personal data in the public sector may also be provided for by law for the purpose of identification of individuals when issuing electronic means of identification in accordance with the law governing electronic means of identification and if such identification has been requested by the individual (Article 82(4) of the ZVOP-2).
In the public sector, the processing of biometric personal data relating to the entry into a building or parts of a building may exceptionally be introduced by another law, subject to the reasonable application of Article 83(4), (5) and (6) of this Act, if it is strictly necessary for the safety of persons, the security of property, the protection of classified information or the protection of business secrets (Article 82(5) of the ZVOP-2). For these purposes, a decision of the Information Commissioner must be obtained, individuals must be informed in writing and, in the case of employees, the controller must carry out prior consultation with the employees on the proportionality of the processing.