Facial recognition in Germany under AI Act and GDPR
compliance

Is Facial Recognition Legal in Germany? AI Act & GDPR Rules

Short answer

Facial recognition in Germany is not generally banned, but it is tightly restricted. Real-time biometric identification in public spaces and database scraping are prohibited under Article 5 of the EU AI Act. Most private-sector uses such as access control or identity verification are high-risk and also trigger GDPR Article 9, a DPIA, and often German works council rules.

  • Public-space live identification and biometric database scraping are prohibited under Article 5 AI Act rules already in force.
  • Access control, KYC, and similar deployments are usually high-risk AI and must be ready for the 2 August 2026 compliance deadline.
  • Biometric data is special-category data under GDPR Article 9, so Article 6 alone is not enough.
  • Employee-facing deployments usually need a DPIA, a works agreement, and a real non-biometric alternative.

Facial recognition in Germany is legal only in limited use cases. The short answer is: public-space live identification is prohibited, most commercial use cases are high-risk, and biometric data triggers GDPR Article 9 from the start. If your business wants to use facial recognition for access control, KYC, or workforce purposes, you should assess legality under the EU AI Act, the GDPR, and, where employees are affected, the German Works Constitution Act (BetrVG) before rollout.

The practical first question is not “Which vendor should we buy?” but “Is this use case prohibited, high-risk, or merely difficult?”

Use caseStatus in GermanyWhat matters most
Real-time identification in public spacesProhibitedArticle 5 AI Act; no normal commercial exception
Scraping face images to build a databaseProhibitedArticle 5 AI Act; Clearview-style models are the obvious example
Office or site access controlUsually lawful but high-riskArticle 9 GDPR, DPIA, non-biometric alternative, often works agreement
Customer identity verification / KYCUsually lawful but high-riskArticle 9 GDPR, vendor diligence, conformity work, retention limits
Employee attendance or behaviour trackingHigh-friction and often challengedBetrVG co-determination, proportionality, DPA scrutiny
Age estimation without identificationLegally sensitiveGDPR still applies if personal data is processed

That table is the core answer many searchers want: Germany does not ban all facial recognition, but it bans the most intrusive uses and makes the rest expensive to justify and operate.

What the EU AI Act Prohibits

For most businesses, the most important prohibition layer is Article 5 of the EU AI Act.

The main prohibited facial-recognition uses are:

  • Real-time remote biometric identification in publicly accessible spaces, outside narrow law-enforcement exceptions.
  • Building or expanding biometric databases by scraping images from the internet or CCTV footage.
  • Untargeted biometric surveillance practices that move toward mass tracking rather than a specific, justified use case.

For legal and product teams, this is the first gate. If the project falls into a prohibited category, the right response is not a better policy or stronger contract package. It is to stop the deployment model.

When Facial Recognition Is High-Risk Instead of Prohibited

Many commercial deployments are not banned, but they are still difficult. Access control, identity verification, and similar identification workflows are usually treated as high-risk AI rather than low-risk convenience tools.

That means the business should expect work on:

  • a documented risk-management process
  • technical documentation and logging
  • human oversight and escalation paths
  • testing and review of system performance and bias
  • a realistic conformity and implementation timeline before 2 August 2026

If you are still in procurement, this is why early vendor diligence matters. Our related guides on AI facial recognition compliance, AI biometric identification, and the AI Act August 2026 deadline checklist go deeper on those implementation steps.

GDPR Article 9: Why Biometric Data Changes the Analysis

Facial recognition is not only an AI Act topic. It is also a special-category data topic under Article 9 GDPR.

In practice, a German deployer usually needs:

  1. An Article 6 GDPR legal basis.
  2. A separate Article 9 GDPR exception.
  3. A documented proportionality analysis.
  4. A completed Data Protection Impact Assessment (DPIA) before launch.

One recurring mistake is relying on legitimate interest as if Article 6 alone were enough. It is not. If the processing is biometric identification, the Article 9 layer does not disappear.

For procurement and contract work, it is also sensible to review the vendor’s data processing agreement and your broader GDPR AI procurement workflow before any pilot becomes a production deployment.

German Workplace Rules Make Employee Deployments Harder

If the system touches employees, Germany adds another major rule set: works council co-determination.

Under Section 87(1) no. 6 BetrVG, systems capable of monitoring employee behaviour or performance usually require a works agreement. Facial recognition nearly always creates that risk, even where the stated purpose is only entry control.

For workplace deployments, the legal baseline is usually:

  • a signed works agreement
  • a DPIA
  • a clear purpose limitation
  • restricted access to logs
  • a meaningful non-biometric alternative
  • no repurposing for performance scoring or disciplinary analytics

This is why facial recognition for simple attendance tracking is much harder to defend than many teams expect. Related pages on AI employee monitoring and AI recruitment screening cover adjacent employment-law risks.

What Businesses Should Do Before 2 August 2026

If your facial-recognition use case is not prohibited, the next question is whether you can make it operationally defensible before the 2 August 2026 high-risk milestone.

Use this short checklist:

  1. Classify the use case under the AI Act before procurement.
  2. Map both GDPR layers: Article 6 and Article 9.
  3. Run the DPIA early, while the design can still change.
  4. Check employee impact and involve the works council where relevant.
  5. Demand vendor evidence: technical documentation, risk controls, registration status, and contractual support.
  6. Design an alternative path for people who do not want biometric enrollment.
  7. Set retention and deletion rules before launch.

The main commercial mistake is treating facial recognition as a standard IT purchase and leaving the legal analysis until after pilot success. In Germany, that sequence often fails.

Market Context: Why the Topic Keeps Growing Anyway

Germany still matters commercially for facial recognition because demand remains strong in:

  • regulated identity verification
  • enterprise access control
  • airport and transport infrastructure
  • public-sector and border-related biometric systems under separate legal frameworks

That commercial growth does not soften the legal analysis. It only means the companies that can document legality, governance, and procurement discipline have a stronger path to deployment than those relying on product marketing alone.

FAQ

Yes, but only in narrow scenarios. Public-space live identification and biometric database scraping are prohibited. Access control and identity verification may still be lawful if GDPR, DPIA, and AI Act requirements are met.

What is prohibited under the AI Act?

The clearest examples are real-time biometric identification in publicly accessible spaces and scraping images to build biometric databases. Those uses are treated as prohibited practices, not ordinary compliance problems.

Not in every abstract scenario, but for many private-sector deployments it is the most defensible Article 9 route. You still need to test whether consent is truly free, specific, informed, and revocable.

Why is workplace use harder?

Because Germany layers employment law onto GDPR and AI Act compliance. Once employees are affected, co-determination, proportionality, and monitoring risk all become central.

Is a DPIA mandatory?

In most real facial-recognition deployments, yes. The more the system identifies people systematically or at scale, the harder it is to argue that a DPIA is unnecessary.

What should a vendor due-diligence pack include?

At minimum: system classification, technical documentation, AI Act compliance roadmap, GDPR support materials, retention logic, logging design, and contract terms that match the actual data flows.


Compound Law advises businesses on facial recognition law in Germany, including AI Act classification, GDPR Article 9 analysis, DPIAs, works council negotiations, and vendor diligence. This page provides general information only and does not replace legal advice for a specific deployment.

Related Compliance Guides

EU AI Act timeline Germany with 2026 2027 and 2028 dates
compliance

EU AI Act Timeline Germany: 2026, 2027 and 2028

EU AI Act timeline Germany: what applies on 2 August 2026, 2 December 2027 and 2 August 2028 for AI procurement and compliance.

Communication APIs Germany GDPR data residency retention comparison
compliance

Communication APIs for Germany: GDPR, Data Residency, Retention

Compare communication APIs, voice APIs, and CPaaS vendors for Germany by DPA terms, EU data residency, retention controls, subprocessors, and support.

AI hiring tools compliance checklist for Germany
compliance

AI Hiring Tools in Germany: EU AI Act, GDPR and Works Council

AI hiring tools in Germany need EU AI Act, GDPR Article 22, DPIA, and works council review before rollout. Use this buyer checklist before procurement.

Frequently asked questions

Yes, but only in narrow and well-documented scenarios. Real-time biometric identification in publicly accessible spaces and biometric database scraping are prohibited under Article 5 of the EU AI Act. Private-sector uses such as access control or identity verification can be lawful, but they usually require a GDPR Article 9 exception, a DPIA, and high-risk AI Act compliance before 2 August 2026.

The clearest prohibited uses are real-time remote biometric identification in publicly accessible spaces, scraping face images from the internet or CCTV to build databases, and broader untargeted biometric surveillance practices. These rules apply under the EU AI Act and are not limited to large platforms or government vendors.

Usually yes. Facial recognition processes biometric data used to identify a person, which is special-category data under Article 9 GDPR. That means a company needs both an Article 6 legal basis and a separate Article 9 exception, with explicit consent often being the most defensible route for private-sector deployments.

In most German workplace deployments, yes. Section 87(1) no. 6 BetrVG gives works councils co-determination rights where a system can monitor employee behaviour or performance. Even access-control deployments usually need a works agreement before go-live.

For most high-risk facial recognition systems, businesses should be prepared for the 2 August 2026 compliance milestone. By that point deployers and providers need the required risk-management, documentation, oversight, and conformity steps in place for covered systems.

Almost always. Systematic biometric identification is a classic Article 35 GDPR scenario and is commonly treated by German supervisory authorities as DPIA-mandatory processing. The DPIA should be completed before deployment, not after procurement or pilot launch.

Book Free Call