The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA“) issued a fine of EUR 725,000 for a company unlawfully processing fingerprints of its employees for attendance and time registration purposes.
Under the GDPR, biometric data (e.g. fingerprints) processed for the purpose of identifying a natural person are considered a special category of personal data. Consequently, processing of such data is prohibited under article 9 of the GDPR, unless an exception applies. There are two exceptions that can – in principle – be relied upon with respect to the processing of biometric data: 1) explicit consent, or 2) the processing is necessary for authentication or security purposes. The latter is an exception provided for in the Dutch Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, “UAVG”).
The Dutch DPA concluded that the company in question could not invoke either of these two exceptions. First of all, the employer was not able to provide prove of having obtained explicit consent of employees. On the contrary, the AP deemed it questionable whether consent would have been given freely given the fact that employees refused to provide their fingerprints, a meeting was scheduled with the director. It appeared that eventually all employees had provided their “consent.’ Taking into account that a number of employees had told the Dutch DPA that they experienced the recording of their fingerprints was mandatory, the Dutch DPA concluded that consent was not freely given.
Secondly, the Dutch DPA concluded that the “necessity” exception can only be relied upon when buildings and information systems need to be secured in such a way that this cannot be done without using (only) biometrics. In other words: less privacy invasive measures should not be available. This was not the case here. The Dutch DPA refers to the Explanatory Memorandum to article 29 of the UAVG that gives the example that accessing a garage of a repair shop is not an activity for which the processing of biometric data is necessary and proportionate. In present case, the Dutch DPA states that the activities at stake (which have been marked as confidential) are alike and therefore the use of biometric data is not necessary and proportionate.
We agree with the Dutch DPA that in this particular case, consent could not be relied upon. However the Dutch DPA also stressed that employee consent in principle will not be valid as employees depend on their employer and will often not be in a position to refuse. In our view, this general statement is a little too blunt and this is to be assessed on a case-by-case basis. We understand that consent in an employer/employee relationship cannot easily be given, but employees should be able to freely give consent as long as they have a genuine choice to use their fingerprint or an alternative (such as a badge or phone) and there are no adverse consequences either way.
The company announced it will appeal against to Dutch DPA’s decision.