Introduction
Face photos at reception. Fingerprint scanners at the turnstile. Liveness detection before a visitor badge prints. Facial recognition that automatically identifies a repeat visitor.
Biometric data processing is increasingly common in Indian offices, factories, and facilities – and for understandable reasons. It is fast, accurate, and difficult to forge. A face photo is harder to fake than a signature. A fingerprint cannot be borrowed or forgotten like a PIN.
But biometric data is fundamentally different from a name, a phone number, or even an address. Unlike those data points, biometric identifiers cannot be changed if they are compromised. Your password can be reset. Your face cannot.
Under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules notified in November 2025, the processing of biometric data – whether for visitor management, employee attendance, or building access – carries some of the highest compliance obligations in the entire framework. Missteps here are not just regulatory risks. They are fundamental violations of individuals’ most permanent personal identifiers.
This article explains exactly what the DPDP Act requires for biometric data processing in the workplace, what the risks are, and what every organisation must do before the May 2027 compliance deadline.
What Counts as Biometric Data Under DPDP?
The DPDP Act does not define biometric data in the same way as GDPR’s Article 9, which explicitly lists biometric data as a “special category.” India’s law takes a principles-based approach: data that identifies or could identify an individual – including through unique physical or biological characteristics – is personal data subject to the Act’s full requirements.
In practice, these categories qualify as biometric-adjacent personal data under the DPDP framework:
- Facial images used for identification: A face photo taken specifically for the purpose of identifying a visitor or employee – not merely a photo for a printed badge that is immediately discarded, but any image stored and used for verification purposes
- Facial recognition data: Numerical facial embeddings or templates derived from a face photo through algorithmic processing – these are more sensitive than raw images because they are the machine-readable representation of a person’s unique face
- Fingerprint data: Fingerprint scans used for attendance, access control, or identity verification
- Iris scans: Used in high-security access control systems
- Voice prints: Used in phone-based authentication or entry systems
- Liveness detection data: The underlying biometric analysis used to confirm that a face photo is of a living, present person
The key test is not the technology used but the purpose and function: is this data being used to uniquely identify or verify the identity of an individual based on their physical characteristics? If yes, it is biometric data and deserves the highest level of care in your compliance programme.
Why the DPDP Act Treats Biometric Data With Extra Care
Although the DPDP Act does not create a formal “sensitive data” category like GDPR, biometric data triggers heightened regulatory attention for several reasons embedded in the law’s structure:
1. The Puttaswamy Judgment Foundation
The Supreme Court’s 2017 Puttaswamy ruling – the constitutional foundation for the DPDP Act – specifically identified biometric data as one of the most sensitive categories of information impacting the fundamental right to privacy. The Court’s observations about biometric data in the context of Aadhaar set a clear precedent: biometric identifiers carry constitutional weight.
2. SDF Designation Trigger
Organisations processing biometric data at scale are explicitly identified in the DPDP framework as likely candidates for Significant Data Fiduciary (SDF) designation. SDF status triggers enhanced obligations: an India-based Data Protection Officer, annual independent audits, annual Data Protection Impact Assessments, and algorithmic due diligence. For a manufacturing plant with 5,000 employees using fingerprint attendance, or a large corporate office with facial recognition at turnstiles, SDF designation is a real risk that needs preparation.
3. The Irrevocability Problem
Personal data can be minimised, deleted, and forgotten when its purpose is served. Biometric data – once compromised, leaked, or used for an unauthorised purpose – creates a permanent, irreversible privacy harm. You can issue a new password. You cannot issue a new face. This irreversibility is why biometric breaches are treated with particular severity internationally, and why the DPDP Act’s breach notification obligations (all breaches, without threshold) are especially significant for biometric data processors.
4. High Harm Potential
Compromised biometric data can be used for identity theft, fraudulent access to secure systems, deepfake creation, and other serious harms. The potential for significant harm to Data Principals – one of the key criteria for SDF designation and penalty determination – is inherently higher for biometric data than for most other categories.
The Three Contexts of Biometric Data in Indian Workplaces
Context 1: Visitor Management (Face Photo at Check-In)
The most common form of biometric data processing in workplace visitor management is the face photo capture at reception or entry kiosks. In many systems (including Onfra), this includes liveness detection: confirming that a real, live person is present (not a printed photo being held up to the camera).
What this typically involves:
- Camera captures visitor’s face at check-in
- Liveness check confirms real person
- Photo is printed on visitor badge
- Photo may be retained in the visitor record in the cloud platform
The DPDP compliance questions:
- Is the photo retained after the badge is printed, or deleted immediately? If retained, for how long?
- Is the visitor told their photo is being taken and retained?
- Is explicit consent obtained for the photo capture and storage?
- If the photo is used for any purpose beyond the immediate badge print (e.g., repeat visitor recognition, security audit), is that purpose disclosed and separately consented to?
The compliance requirement:
- Explicit, standalone consent for face photo capture – not bundled with general visit consent
- Purpose limitation – state specifically what the photo is used for; do not use it for unstated purposes (facial recognition for analytics, for example)
- Retention clarity – tell the visitor how long their photo is kept and delete it at the end of that period
- Data minimisation – if the purpose of the photo is solely to print a badge, delete the photo after printing; do not retain it “just in case”
Context 2: Employee Attendance (Biometric Clock-In)
Biometric attendance – fingerprint or face-recognition-based time and attendance systems – is widespread in Indian manufacturing, retail, and even corporate environments. This is one of the highest-risk biometric processing activities under DPDP.
The legal basis question:
The DPDP Act’s “legitimate use for employment purposes” (Section 7) covers processing necessary for the employment relationship – payroll, statutory filings, attendance for salary calculation. Whether biometric attendance falls within this exemption depends on whether it is genuinely necessary for the employment purpose, or whether a less intrusive alternative (swipe card, PIN, manual register) could serve the same purpose adequately.
The UK Information Commissioner’s Office issued an enforcement notice in 2024 ordering a major organisation to stop using biometric attendance for 2,000+ workers, finding it unlawfully processed biometric data. Indian regulators are likely to draw on this precedent.
The DPDP-compliant approach to biometric attendance:
- Assess whether biometric attendance is genuinely necessary for your payroll and attendance purpose, or whether a less intrusive alternative exists
- If biometric attendance is justified, issue a clear privacy notice explaining what biometric data is collected, how it is stored, who has access, and how long it is retained
- Provide an alternative – employees who decline to provide biometric data must have an alternative attendance method available; making biometric attendance mandatory when an alternative exists is problematic
- Store biometric templates locally where possible – on-device biometric matching (the template is stored on the reader, not centrally in the cloud) significantly reduces breach exposure
- If centrally stored: encrypt with the highest available standards; restrict access; define and enforce a retention period tied to the employment relationship; delete upon termination
- SDF assessment: Large-scale biometric attendance processing is a strong indicator of potential SDF designation; conduct a voluntary DPIA
Context 3: Building Access Control (Turnstile / Gate Biometrics)
Many high-security facilities, data centres, and large corporate campuses use biometric verification for building entry, replacing or supplementing access cards with fingerprint or facial recognition at turnstiles and secure doors.
This context shares the same obligations as biometric attendance, with additional considerations:
- Visitors vs. employees: Different legal bases apply – employees may be covered under employment legitimate use; visitors require explicit consent
- Purpose documentation: The purpose (“verify identity for access to a secure area”) must be documented and specific
- Retention of access logs vs. biometric data: Access logs (person X entered at time Y) can be retained for security audit purposes under legitimate use; the biometric template itself should be deleted when access privileges are revoked
- Contractors and temporary staff: Each enrolment of a biometric into the system is a new data processing event; consent must be obtained before enrolment; once access is revoked, the biometric data must be deleted
The Specific Compliance Requirements for Biometric Data
Based on the DPDP Act, the DPDP Rules 2025, and the broader principles they establish, here is the complete compliance framework for biometric data in workplaces:
1. Explicit, Standalone Consent
Biometric data collection requires explicit consent, not bundled with a general privacy agreement. The consent must be:
- A separate, clear affirmative action specifically for biometric data
- Preceded by a notice explaining exactly what biometric data is collected and for what specific purpose
- Informed – the individual must understand what “face photo used for liveness verification and badge printing” means in practice
- Able to be withdrawn – if an employee or visitor withdraws consent, processing must cease and the biometric data must be deleted
Example consent language:
“I consent to my facial image being captured and processed for [specific purpose: visitor identity verification / badge printing / building access control]. My facial image will be [retained for X days / deleted immediately after badge printing / stored on the access control reader]. I understand I can withdraw this consent by contacting [data contact].”
2. Purpose Limitation – The Most Commonly Violated Principle
Face photos and fingerprint data collected for one purpose – attendance, badge printing, building access – must not be used for any other purpose without separate consent and disclosure. Common violations:
- Using visitor face photos collected for badge printing to build a returning visitor recognition database without separate consent
- Using employee attendance biometrics to profile work patterns, punctuality for performance reviews, or movement analytics, beyond the attendance purpose
- Using facial recognition data from building access logs for security threat profiling beyond the stated access control purpose
Each of these is a purpose limitation violation. Each creates DPBI investigation risk.
3. Data Minimisation – Collect What You Actually Need
- If you need a face photo only to print a badge, do not store it after printing
- If facial recognition for repeat visitor identification is not a documented security necessity, do not retain facial data for that purpose
- Fingerprint templates should be stored at the minimum fidelity required for authentication, not at maximum resolution that would enable secondary uses
- Delete enrollment data when the purpose ends: when the visitor leaves, when the employee leaves, when the contractor’s engagement ends
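The consent-withdrawal, purpose-limitation and deletion rules from sections 1 to 3 can be enforced by a scheduled deletion job. The sketch below is an added Python example, not Onfra's code and not anything prescribed by the DPDP Act; the purpose names, retention limits and record fields are hypothetical assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical purposes and retention limits (assumptions; the article fixes none).
RETENTION = {
    "badge_print": timedelta(minutes=15),
    "visitor_verification": timedelta(days=7),
    "building_access": None,  # no time limit: kept until access is revoked
}

@dataclass
class BiometricRecord:
    subject_id: str
    purpose: str  # the one purpose consented to at capture
    captured_at: datetime
    consent_withdrawn: bool = False
    purpose_ended_at: Optional[datetime] = None  # badge printed, access revoked

def may_use(rec, requested_purpose):
    """Purpose limitation: only the consented purpose, only while consent stands."""
    return not rec.consent_withdrawn and requested_purpose == rec.purpose

def deletion_reason(rec, now):
    """Return why the record must be deleted now, or None if it may be kept."""
    if rec.consent_withdrawn:
        return "consent_withdrawn"
    if rec.purpose not in RETENTION:
        return "undocumented_purpose"
    if rec.purpose_ended_at is not None and rec.purpose_ended_at <= now:
        return "purpose_ended"
    limit = RETENTION[rec.purpose]
    if limit is not None and now >= rec.captured_at + limit:
        return "retention_expired"
    return None

def sweep(records, now):
    """Map subject_id -> deletion reason for every record that must go."""
    reasons = {r.subject_id: deletion_reason(r, now) for r in records}
    return {sid: why for sid, why in reasons.items() if why is not None}

# Constructed sample records, not real data.
NOW = datetime(2026, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    BiometricRecord("v1", "badge_print", NOW - timedelta(minutes=5),
                    purpose_ended_at=NOW - timedelta(minutes=4)),
    BiometricRecord("v2", "visitor_verification", NOW - timedelta(days=8)),
    BiometricRecord("v3", "visitor_verification", NOW - timedelta(days=1)),
    BiometricRecord("e1", "building_access", NOW - timedelta(days=400)),
]
print(sweep(SAMPLE, NOW))
```

Recording the reason for each deletion gives the audit trail a DPIA or independent audit would ask for, without retaining the biometric itself.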
4. Security Safeguards – The Highest Standard
For biometric data specifically:
- Encryption: AES-256 or stronger for any biometric data stored centrally
- Local storage preference: Where technically feasible, store biometric templates on the reader device, not in a central cloud database. A breach of a central database with 10,000 employees’ facial templates is catastrophically worse than a breach of a single reader
- Access restriction: Only system administrators with a documented operational need should be able to access stored biometric data. Security staff in general should not have biometric data access beyond operational necessity
- Transmission security: Any transmission of biometric data between devices or to cloud must use TLS 1.3 or equivalent
- Breach response: A breach involving biometric data must be treated as highest severity, immediately activating the 72-hour DPBI notification protocol
5. Conduct a DPIA Before Deploying Biometric Systems
Before deploying any new biometric capability – face capture with liveness detection at reception, fingerprint attendance, facial recognition for access control – conduct a Data Protection Impact Assessment:
- What biometric data is collected?
- What is the specific, justified purpose?
- Is the processing necessary and proportionate to that purpose?
- What is the risk to individuals if the data is breached or misused?
- What technical and organisational safeguards mitigate that risk?
- Are there less intrusive alternatives that could serve the same purpose?
If the DPIA identifies a high residual risk that cannot be adequately mitigated, reconsider whether the biometric capability is justified.
6. Provide Alternatives for Those Who Decline
Biometric data collection should, wherever possible, be opt-in with a viable alternative:
- Employees who decline fingerprint or facial attendance must be offered a card or PIN alternative
- Visitors who decline face capture for the badge must be offered a non-biometric check-in process (manual badge, printed name tag)
- Making biometric participation mandatory with no alternative creates coercion, which violates the “free” consent standard
Biometric Data Compliance Checklist
The Bottom Line
Biometric data in the workplace is not going away, and for good reason. Liveness detection prevents identity fraud at check-in. Fingerprint attendance eliminates buddy punching. Facial recognition speeds up building access for thousands of employees.
But each of these capabilities comes with a compliance obligation that matches its power. The DPDP Act’s requirements for biometric data – explicit consent, strict purpose limitation, data minimisation, highest security standards, and deletion when the purpose is served – are not excessive. They reflect the permanent, irrevocable nature of the data involved.
Every organisation that captures a face at reception, scans a fingerprint at a time clock, or stores a facial template in a cloud access control system needs to answer one question clearly: do the people whose biometric data you hold know about it, agree to it, and trust you with it?
If the answer is not “yes” to all three, your DPDP compliance programme for biometric data needs to start today.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection professional for specific compliance guidance.
Onfra’s visitor management platform includes face capture with liveness detection. Our DPDP compliance framework provides explicit consent flows for biometric capture, configurable retention policies, and deletion workflows that ensure biometric visitor data is handled responsibly.