The Czech Data Protection Authority has proposed an amendment to the Czech Labour Code that would enhance the ability of employers to process the biometric personal data of their staff.
This proposal comes as employers in the Czech Republic are showing increasing interest in gaining access to advanced attendance and access systems, but are prevented from doing so by current regulations that limit the processing of employee personal data, especially biometric data.
Biometric personal data (e.g. fingerprints, facial and iris scans) are considered a special category of personal data, and processing it is generally prohibited and allowed only under specific conditions.
Currently, the only legal basis for processing biometric data is direct consent by the subject. In labour law, however, giving this consent is problematic since the relationship between the employer and the employee is considered a subordinated one. This means that if an employer requires such consent and if the employee’s failure to give this consent could result in adverse consequences, the consent cannot be considered freely given or revocable.
Currently, biometric personal data processing is only allowed in the Czech Republic under the Nuclear Act and a relevant decree, which stipulates that biometric data (e.g. a finger print scan) is necessary for the entry of authorised personnel into guarded and protected facilities or for accessing specialised equipment. This regulation, however, deals with a specific form of national security. There is no general approach to accessing employee biometric data at present.
In comments about the proposed Labour Code amendment, the Office for Personal Data Protection offered a possible solution, suggesting that a new provision should be inserted into the Labour Code that would allow for the processing of biometric data to control access to operational facilities and employer premises.
Specifically, employers would only be able to process basic employee data, such as employee identification information, operational data for biometric identification and authentication devices and data generated by these devices. In this way, employers could use an employee's morphological characteristics (i.e. fingerprints) only for biometric verification. Biological sampling would not be allowed.
This proposal is being seen as a compromise in this debate since it limits employer access to biometric data. For example, under this scheme an employer could not use data to monitor or collect evidence of worker attendance.
Instead, biometric data would be used to ensure the authentication and authorisation of persons who work with certain protected equipment or technology or persons entering specific facilities (i.e. production halls, warehouses) where this equipment or technology is installed. The proposal allows for no other reason for processing biometric data, although it does not specify what kind of equipment or technology the employer can protect or the specific conditions where such protections would be justified, which – if not altered – increases the risk that this processing could be abused.
The bill already underwent review for comment by the public and stakeholders. After this process is concluded, the government will then introduce it to parliament. If passed into law, this amendment is not expected to go into force before mid-2020.