At the end of last year, HEMA announced that it was going to stop using fingerprints for its time clocks and sales registers. HEMA had been planning to introduce this fast and reliable method of identification in all its shops. However, it decided to cancel the entire operation because it was contrary to European privacy law as set out in the General Data Protection Regulation (GDPR).
HEMA wasn’t the first retailer to do away with its fingerprint scanners. The shoe chain Manfield had also been forced to do so after the District Court of Amsterdam ruled that its authorisation system, which used fingerprint scanning to enable access to sales registers, was in breach of the GDPR.
Fingerprint scanning is reliable, but is it allowed?
According to the District Court, fingerprints are biometric data that can be used to identify persons. Biometric data that are processed for the purpose of uniquely identifying a person are classified as special personal data. Given their sensitive nature, such data enjoy heightened protection. Apart from a number of statutory exceptions, the GDPR prohibits the processing of special personal data.
The District Court ruled that no such exception applied because, according to the Explanatory Memorandum, the following preconditions had to be met:
- identification using biometric data has to be necessary for authentication or security purposes. The employer has to consider whether its buildings and information systems require security to such an extent that biometric data are needed for this purpose. For instance, access to a nuclear power station should be (very) limited;
- the data processing has to be proportionate. The security requirements for gaining access to a repair company’s garage must not be such that employees can only gain access using biometric data, with such data being stored for that purpose. However, biometric data can sometimes provide an important means of security. One example is information systems, which contain a substantial amount of personal data and must be able to withstand unlawful access, including by employees.
A legitimate interest?
Any processing of personal data requires a statutory basis. The GDPR provides an exhaustive list of six such bases. One of these is that there has to be a legitimate interest. Manfield invoked its business interest and referred to a number of instances of fraud that had recently been committed by its own employees. Its previous system of login codes had allegedly been too easy to circumvent and did not enable thefts to be traced to the offenders. However, the District Court gave short shrift to that argument. Although it understood that Manfield wanted to take action to prevent lost turnover, that interest was not “necessarily for authentication or security purposes”.
The District Court also held that the use of fingerprint scans was not proportionate, given that Manfield had not installed security in any of its shops: it did not have any camera surveillance or alarm gates at shop entrances, nor did it provide staff with lockers.
Finally, Manfield’s reliance on the need for fingerprint scanning to protect sensitive information that was accessible via its sales registers was to no avail. According to the District Court, Manfield had not adequately investigated possible alternatives, such as access cards, employee passes and/or numerical codes, in combination or separately.
In a nutshell, Manfield did not have the right to oblige its personnel to use a fingerprint scanning authorisation system, because that system breached privacy legislation.
What is notable is that HEMA was planning to issue its employees with a form requesting consent for the use of their fingerprints. Consent is also a statutory basis for processing, and it has to be freely given, specific, informed and unambiguous. It is almost never freely given in employment relationships, and European privacy supervisory authorities now agree on that. Given that employees are in a dependent position in relation to their employers, they would not readily withhold their consent, for fear of repercussions such as their employment contracts not being extended, or not being given a promotion or a salary increase.
Employers would therefore be wise to bear in mind the rule of thumb that, in the employment relationship, consent does not constitute valid grounds for processing under the GDPR.