Our remarks • The decision emphasizes that biometric data • Consent given by employees is not normally within the meaning of GDPR, Article 4(14) includes considered voluntary, given the unequal nature the processing of individuals’ facial images or of the relationship between the employer and fingerprint data. the employee. However, in this specific case, the • The Danish DPA clarifies that the data subject’s employee’s consent was considered voluntary for consent pursuant to GDPR, Article 9(2) is the only two reasons. Firstly, because employees had the possible legal basis for processing biometric data option of using an access card and code instead of the nature in question. However, if the data are of the facial recognition system, and secondly, to be used for different purposes, the data subject because the system only registered information is required to be able to give granular consent, i.e., about the employees in connection with his or to give separate consent for different processing her access to the center, and not about their purposes. This requirement can be met, for movements in the center in general. example, by allowing the data subject to specify • Use of the system would also require that the purposes for which he or she agrees to the customers and employees who did not wish to processing of data in a consent form. use the facial recognition system could avoid the processing in question by accessing the center. According to the Danish DPA, this can be accommodated by organizing the system in such a way that the system is only ’activated’ when a customer or employee who wishes to perform a face scan activates the system - e.g., by pressing a key. 128