The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection, hereinafter: Slovenian DPA) has received your inquiry concerning the use of biometric authentication in gyms.
We wish to inform you that the Slovenian DPA has not conducted any inspections reviewing the use of biometrics in gyms after May 25, 2018, so we share our general stand regarding the topic in question.
Our national legislation (Personal Data Protection Act) imposes strict limitations on the use of biometrics (Art. 78-81), and the Slovenian DPA plays an important role in the process. The private sector may implement biometric measures only if they are necessarily required for the performance of activities, for the security of people or property, or to protect secret data or business secrets. Biometric measures may only be used on employees if they were informed in writing thereof in advance.
If the implementation of specific biometric measures in the private sector is not regulated by statute, a data controller intending to implement biometric measures shall, prior to introducing the measures, be obliged to supply the national DPA with a description of the intended measures and the reasons for the introduction thereof. The DPA shall, on receipt of the information, be obliged within two months to decide whether the intended introduction of biometric measures complies with the Personal Data Protection Act.
Biometric measures in the private sector may, as stated above, only be used on employees (if they were informed in writing thereof in advance) and not on other individuals. Therefore, these measures may not be used on customers of the gym, so we could not allow the use of fingerprints in the form of a biometric measure as the only possibility to enter the gym.
Personal Data Protection Adviser
Information Commissioner of the Republic of Slovenia