GDPR Obligations | Updated: 7 April 2026 | 4 min read

Fingerprint Scans for Attendance Tracking: Is It Allowed Under the GDPR?

More businesses are considering biometric systems for time tracking. But fingerprints are special category data under the GDPR. Is it permitted, and if so, under what conditions?

Key Takeaways
  • Fingerprints are biometric data and fall under the strictest category of the GDPR
  • Processing biometric data is prohibited by default, unless a specific exception applies
  • Employee consent is rarely considered 'freely given' in an employment relationship, making it an invalid legal basis
  • Less intrusive alternatives such as badges or PIN codes are almost always available

Biometric data: the strictest category

Fingerprints are biometric data. Under the GDPR, biometric data falls into the category of “special categories of personal data”, alongside health data, religious beliefs, and ethnic origin. Processing this category of data is prohibited unless a specific exception applies.

This makes the threshold for using fingerprint scans for something as routine as attendance tracking extremely high.

The most obvious exception is “explicit consent”. But in an employment relationship, consent is problematic. The GDPR requires consent to be freely given, meaning the data subject must be able to refuse without negative consequences.

In an employer-employee relationship, that freedom rarely exists. An employee who refuses to provide their fingerprint may fear consequences for their position. Supervisory authorities in multiple EU countries have ruled that consent in an employment context is not a valid basis for biometric processing.

Case law

In the Netherlands, the Amsterdam court ruled in 2019 that an employer could not mandate a fingerprint system for time tracking. The court found that less intrusive alternatives were available (badges, PIN codes) and that biometric processing was not proportionate.

This ruling sets a clear direction: if an alternative achieves the same goal without biometric data, a fingerprint scan is not permitted.

When it may be allowed

There are situations where biometric access control can be justified:

  • High-security environments - data centres, laboratories, military facilities
  • Legal requirements - where legislation mandates biometric identification
  • Essential security - where no alternative provides a comparable level of security

Even in these cases, a Data Protection Impact Assessment (DPIA) is mandatory, and you must demonstrate that the processing is necessary and proportionate.

Alternatives that work

For the vast majority of businesses, sufficient alternatives exist:

  • Badges or access cards - simple, affordable, and privacy-friendly
  • PIN codes - no biometric data involved
  • Digital clock systems - logging in via an app or computer
  • Combinations - badge plus PIN code for added security

These alternatives achieve the same goal without the legal risks of biometric processing.

What if you already use a fingerprint system?

If you already use a biometric system for time tracking, assess whether you have a valid legal basis. If not, switch to an alternative. Delete the stored biometric data and document the change.

Document your processing activities correctly

GDPRWise helps you document all processing activities, including the legal basis and a necessity assessment.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.