Tertiary biometrics: fingerprint and facial recognition
GDPR article 9 and the 2019 CNIL model regulation restrict biometrics to 3 legitimate cases
Biometrics is a security tool for critical areas, not a tertiary access control system. GDPR article 9 and the CNIL model regulation, deliberation no. 2019-001 of 10 January 2019, restrict its use to three legitimate cases (data center, trading floor, R&D under IGI 1300): only a minority of the access control projects delivered by Kytom include a biometric component, always on 1 to 3 doors maximum. Fingerprint and facial recognition concentrate the most demanding legal constraints in tertiary access control, with CNIL penalties ranging from 20,000 to 200,000 EUR for improper generalisation (public deliberations 2019-2023, case law available on cnil.fr). This article sets out the legal conditions for authorisation, the 5-step Kytom method over 12 to 16 weeks, the comparison between fingerprint on badge and 3D facial recognition, and the post-delivery obligations that apply throughout the entire lifespan of the system.
GDPR (EU regulation 2016/679, article 9-1) classifies biometric data used for unique identification purposes among sensitive data, prohibited as a matter of principle except in strictly framed cases. The CNIL model regulation on biometrics in the workplace, deliberation no. 2019-001 published in the Journal officiel on 28 March 2019, imposes three cumulative conditions:
- justification of a specific context (documented high-security area),
- a DPIA (Data Protection Impact Assessment) documented according to the CNIL methodology published in 2018 (CNIL DPIA guide, February 2018 edition),
- preference for systems without centralised storage (template on an individual medium held by the employee).
The model regulation cites three legitimate cases: protection of persons (P3-P4 laboratories according to the INRS ND 2105 classification), protection of high-value assets (vaults, trading floors), protection of strategic information (R&D under defence secrecy within the meaning of IGI 1300, centralised health data). Conventional access control using a 13.56 MHz Mifare DESFire EV2 RFID badge covers the vast majority of tertiary needs without any GDPR article 9 issue. The CNIL processing time in the event of a prior referral can reach several months, which must be factored into the project schedule.
For the IT department: biometrics is not an IAM building block. Contrary to a widespread practice among certain security integrators, biometrics does not replace an identity directory or an IAM policy. Our practical reading of delivered projects shows that biometrics is a physical authentication factor on a critical area, added to the badge + AD/LDAP chain, never a substitute for it. Industry conventional wisdom underestimates the cost of IT integration: OSDP v2 interface to the security SCADA, SIEM logging (GDPR article 30), revocation procedure when an employee leaves, alignment with the ISSP. At a standard tertiary headquarters with no specifically identified sensitive asset, the additional biometric investment cost (typically several thousand euros per door) is not justified compared to an encrypted DESFire EV2 badge, whose unit cost remains significantly lower: the return on investment typically exceeds several years. Our default recommendation remains the encrypted badge: biometrics is only worth discussing from the point of a specific, specifically identified asset.
The 5-step Kytom method deploys biometrics in 12 to 16 weeks
Compliant biometric deployment is organised in five sequential steps, with no possible shortcut:
- Needs qualification with the DPO and the security management: mapping of areas, inventory of industrial and financial risks, written justification of the necessity (week 1-2).
- DPIA drafted according to the CNIL methodology in the February 2018 guide, incorporating the 9 G29 criteria (WP248 guidelines of 4 April 2017 endorsed by the EDPB) and consultation of staff representatives via the CSE with a minimum legal period of 1 month (Labour Code article L.2312-15) (week 3-7).
- Technology choice: fingerprint with template on an individual badge (decentralised architecture favoured by the 2019 CNIL model regulation), or 3D infrared facial recognition on 1 to 2 doors (week 8).
- Integration with the existing access control system via OSDP v2 protocol encrypted with AES-128 (SIA OSDP v2.2 specification), with a mandatory badge + code degraded mode in the event of reader failure (week 9-13).
- Final documentation: GDPR article 30 record of processing activities, written individual notice (GDPR articles 13 and 14), withdrawal procedure, retention period capped at employment contract + 3 months (week 14-16).
For the DPO and the CISO: CSE consultation weighs more than the technical side. The 12 to 16 week schedule includes a significant margin for the social phase (CSE consultation), which systematically constitutes the critical path of the deployment. The DPIA and CSE consultation phase commonly accounts for 5 to 7 weeks, compared with 4 to 6 weeks of actual technical implementation: it is the DPO and the HR department who determine the critical path, not the integrator. Any schedule announced under 8 weeks by a security supplier generally conceals a rushed DPIA or a sidestepped CSE consultation, which the CNIL penalises directly (deliberation SAN-2021-013, 200,000 EUR for an insufficient DPIA). Kytom has coordinated the client’s DPO, the security integrator and the landlord across all sensitive projects since 2006.
Fingerprint on badge or 3D facial: 3,000 to 8,000 EUR per door depending on the architecture
The 2019 CNIL model regulation (deliberation no. 2019-001) favours architectures without a centralised database. Fingerprint with a template stored on the individual badge keeps the employee in control of their biometric data: it is the most compliant option and the fastest to deploy (8 to 10 weeks versus 14 to 16). 3D infrared facial recognition by design requires a centralised database of templates, which calls for enhanced justification.
| Criterion | Fingerprint on badge | 3D infrared facial |
|---|---|---|
| CNIL architecture | Decentralised (preferred) | Centralised (enhanced justification) |
| Project duration | 8 to 10 weeks | 14 to 16 weeks |
| Investment per door | 3,000 to 5,000 EUR | 5,000 to 8,000 EUR |
Throughput times and adoption rates vary depending on the equipment and usage contexts; our teams can share feedback from comparable projects. User adoption at 6 months is generally better with fingerprint on badge, whose ergonomics are perceived as less intrusive than facial recognition. The investment ranges per door are drawn from our experience on recent tertiary projects, excluding DPIA and change management costs.
Limits of the biometric choice. Fingerprint on badge loses its operational value on high-traffic access points with hands occupied (laboratories, cleanrooms, production floors): the gesture of presenting a finger on the reader slows the flow and causes a non-negligible first-read failure rate according to our observations. 3D facial then becomes technically preferable, at the cost of a heavier DPIA.
Frequently asked questions
Is biometrics authorised in a standard tertiary headquarters?
Not by default. The standard CNIL 2019 framework (deliberation no. 2019-001) restricts biometrics to 3 cases: protecting people in P3-P4 laboratories, safeguarding high-value assets (vaults, trading floors), and protecting strategic information under IGI 1300. For the vast majority of tertiary headquarters, with no specifically identified sensitive asset, the encrypted DESFire EV2 badge meets the need without falling under Article 9.