Is Facial Recognition Legal in Germany? AI Act & GDPR Rules
Short answer
Facial recognition in Germany is not generally banned, but it is tightly restricted. Real-time biometric identification in public spaces and database scraping are prohibited under Article 5 of the EU AI Act. Most private-sector uses such as access control or identity verification are high-risk and also trigger GDPR Article 9, a DPIA, and often German works council rules.
- Public-space live identification and biometric database scraping are prohibited under Article 5 AI Act rules already in force.
- Access control, KYC, and similar deployments are usually high-risk AI and must be ready for the 2 August 2026 compliance deadline.
- Biometric data is special-category data under GDPR Article 9, so Article 6 alone is not enough.
- Employee-facing deployments usually need a DPIA, a works agreement, and a real non-biometric alternative.
Facial recognition in Germany is legal only in limited use cases. The short answer is: public-space live identification is prohibited, most commercial use cases are high-risk, and biometric data triggers GDPR Article 9 from the start. If your business wants to use facial recognition for access control, KYC, or workforce purposes, you should assess legality under the EU AI Act, the GDPR, and, where employees are affected, the German Works Constitution Act (BetrVG) before rollout.
Quick Legal Answer
The practical first question is not “Which vendor should we buy?” but “Is this use case prohibited, high-risk, or merely difficult?”
| Use case | Status in Germany | What matters most |
|---|---|---|
| Real-time identification in public spaces | Prohibited | Article 5 AI Act; no normal commercial exception |
| Scraping face images to build a database | Prohibited | Article 5 AI Act; Clearview-style models are the obvious example |
| Office or site access control | Usually lawful but high-risk | Article 9 GDPR, DPIA, non-biometric alternative, often works agreement |
| Customer identity verification / KYC | Usually lawful but high-risk | Article 9 GDPR, vendor diligence, conformity work, retention limits |
| Employee attendance or behaviour tracking | High-friction and often challenged | BetrVG co-determination, proportionality, DPA scrutiny |
| Age estimation without identification | Legally sensitive | GDPR still applies if personal data is processed |
That table is the core answer many searchers want: Germany does not ban all facial recognition, but it bans the most intrusive uses and makes the rest expensive to justify and operate.
What the EU AI Act Prohibits
For most businesses, the most important prohibition layer is Article 5 of the EU AI Act.
The main prohibited facial-recognition uses are:
- Real-time remote biometric identification in publicly accessible spaces, outside narrow law-enforcement exceptions.
- Building or expanding biometric databases by scraping images from the internet or CCTV footage.
- Untargeted biometric surveillance practices that move toward mass tracking rather than a specific, justified use case.
For legal and product teams, this is the first gate. If the project falls into a prohibited category, the right response is not a better policy or stronger contract package. It is to stop the deployment model.
When Facial Recognition Is High-Risk Instead of Prohibited
Many commercial deployments are not banned, but they are still difficult. Access control, identity verification, and similar identification workflows are usually treated as high-risk AI rather than low-risk convenience tools.
That means the business should expect work on:
- a documented risk-management process
- technical documentation and logging
- human oversight and escalation paths
- testing and review of system performance and bias
- a realistic conformity and implementation timeline before 2 August 2026
If you are still in procurement, this is why early vendor diligence matters. Our related guides on AI facial recognition compliance, AI biometric identification, and the AI Act August 2026 deadline checklist go deeper on those implementation steps.
GDPR Article 9: Why Biometric Data Changes the Analysis
Facial recognition is not only an AI Act topic. It is also a special-category data topic under Article 9 GDPR.
In practice, a German deployer usually needs:
- An Article 6 GDPR legal basis.
- A separate Article 9 GDPR exception.
- A documented proportionality analysis.
- A completed Data Protection Impact Assessment (DPIA) before launch.
One recurring mistake is relying on legitimate interest as if Article 6 alone were enough. It is not. If the processing is biometric identification, the Article 9 layer does not disappear.
For procurement and contract work, it is also sensible to review the vendor’s data processing agreement and your broader GDPR AI procurement workflow before any pilot becomes a production deployment.
German Workplace Rules Make Employee Deployments Harder
If the system touches employees, Germany adds another major rule set: works council co-determination.
Under Section 87(1) no. 6 BetrVG, systems capable of monitoring employee behaviour or performance usually require a works agreement. Facial recognition nearly always creates that risk, even where the stated purpose is only entry control.
For workplace deployments, the legal baseline is usually:
- a signed works agreement
- a DPIA
- a clear purpose limitation
- restricted access to logs
- a meaningful non-biometric alternative
- no repurposing for performance scoring or disciplinary analytics
This is why facial recognition for simple attendance tracking is much harder to defend than many teams expect. Related pages on AI employee monitoring and AI recruitment screening cover adjacent employment-law risks.
What Businesses Should Do Before 2 August 2026
If your facial-recognition use case is not prohibited, the next question is whether you can make it operationally defensible before the 2 August 2026 high-risk milestone.
Use this short checklist:
- Classify the use case under the AI Act before procurement.
- Map both GDPR layers: Article 6 and Article 9.
- Run the DPIA early, while the design can still change.
- Check employee impact and involve the works council where relevant.
- Demand vendor evidence: technical documentation, risk controls, registration status, and contractual support.
- Design an alternative path for people who do not want biometric enrollment.
- Set retention and deletion rules before launch.
The main commercial mistake is treating facial recognition as a standard IT purchase and leaving the legal analysis until after pilot success. In Germany, that sequence often fails.
Market Context: Why the Topic Keeps Growing Anyway
Germany still matters commercially for facial recognition because demand remains strong in:
- regulated identity verification
- enterprise access control
- airport and transport infrastructure
- public-sector and border-related biometric systems under separate legal frameworks
That commercial growth does not soften the legal analysis. It only means the companies that can document legality, governance, and procurement discipline have a stronger path to deployment than those relying on product marketing alone.
FAQ
Is facial recognition legal in Germany?
Yes, but only in narrow scenarios. Public-space live identification and biometric database scraping are prohibited. Access control and identity verification may still be lawful if GDPR, DPIA, and AI Act requirements are met.
What is prohibited under the AI Act?
The clearest examples are real-time biometric identification in publicly accessible spaces and scraping images to build biometric databases. Those uses are treated as prohibited practices, not ordinary compliance problems.
Do I need explicit consent?
Not in every abstract scenario, but for many private-sector deployments it is the most defensible Article 9 route. You still need to test whether consent is truly free, specific, informed, and revocable.
Why is workplace use harder?
Because Germany layers employment law onto GDPR and AI Act compliance. Once employees are affected, co-determination, proportionality, and monitoring risk all become central.
Is a DPIA mandatory?
In most real facial-recognition deployments, yes. The more the system identifies people systematically or at scale, the harder it is to argue that a DPIA is unnecessary.
What should a vendor due-diligence pack include?
At minimum: system classification, technical documentation, AI Act compliance roadmap, GDPR support materials, retention logic, logging design, and contract terms that match the actual data flows.
Compound Law advises businesses on facial recognition law in Germany, including AI Act classification, GDPR Article 9 analysis, DPIAs, works council negotiations, and vendor diligence. This page provides general information only and does not replace legal advice for a specific deployment.