The new General Data Protection Regulation (GDPR) begins to fully apply on May 25, 2018, and EU Member States have to transpose it into their national law by 6 May 2018. By this Regulation (i.e. by a binding act directly applicable), the European Union regulates the questions of personal data protection in a significantly different and more up-to-date way than regulated by the previous regulations. For the first time, biometric data/are also defined as personal data obtained by a special technical processing related to physical, physiological characteristics, or characteristics of an individual's behaviour, which provide or confirm the unique identification of the individual, such as face recognition or fingerprint identification. Given that these data are very commonly used in access control and time and attendance systems, in this paper, we would like to present the novelties that the GDPR brings, and which will have to be respected by everyone whose access control system or time and attendance systems are based on biometric data.