Poland’s Supreme Administrative Court (SAC) has recently ruled that an employer is not entitled to collect employees’ biometric data in the form of fingerprints in order to record employees’ entrance and exits times, even if the employees consent.
Facts of the case
In company X, employees’ entrance and exit times were recorded using an IT system. Employees could select one of two time recording methods: fingerprints or entrance cards. Most employees chose fingerprints. They consented to having their fingerprints taken, which the employer did. The IT system automatically identified certain fingerprint features and processed them to a binary code. The employees’ first and last names were then assigned to the code and processed in a Microsoft Access database. Working time details were then transferred to working time record cards on paper.
Limited catalogue of personal data
The SAC held that personal data processing in the form of fingerprints processed into a digital code breaches labour law. Pursuant to Art. 22¹ of the Polish Labour Code, an employer may request from employees only personal data specifically provided in the article: first and last name, names of parents, date of birth, place of residence (address for correspondence), education, course of employment, personal ID number (PESEL), and other personal data, including first and last names and dates of birth of children, if the employee enjoys certain entitlements prescribed in the labour law. The legislator deemed that other information about the employee should not be available to the employer unless required by another law. In the case in question, no other law applied.
The court held that using the employee’s consent to justifying biometric data processing, when the law indicates a closed catalogue of data that may be processed, circumvents the law. That an employee consents to the processing of personal data in the form of fingerprints does not make it legal. An employee does not give such data on his or her own initiative but only if requested by the employer.
Employee as a weaker party
The court emphasised that one of the basic features of the employment relationship is employee subordination to the employer. An employee’s written consent to collect and process personal data, given at the request of the employer, infringes the employee’s rights and freedom to express his or her will. The consent stems from the employee’s dependence on the employer. It was because of this imbalance that the Polish legislator in Art. 22¹ of the Labour Code limited what may be requested from the employee. The SAC reasoned that using an employee’s consent to the processing of his or her data to justify the collection of data other than that indicated in Art. 22¹ of the Labour Code would be a breach of that article.
Principle of adequacy
The court held that biometric data processing is not necessary to record working time. The employer thus violates the principle of adequacy from Art. 26 of the Act on Personal Data Protection. That principle was implemented via Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive, implemented into Polish law, is binding on entities collecting and processing personal data. The court also emphasised that the principle of adequacy is expressed as an obligation to process data in a manner appropriate for the aims for which the data was collected. So a risk of infringing freedom and civic rights must be proportional to the aim it serves. As the adequacy principle expressed in Art. 26 of the Act on Personal Data Protection is the main criterion when considering biometric data processing, using biometric data to keep track of employees’ working time is disproportionate to the intended processing aim.
Moreover, the court cited the position of the consulting body, known as Working Group, which stated in the document on biometry that “an employer commits an error if it tries to justify the processing of employee data with the employee’s consent. Consent may be used when, in a given case, an employee is totally free to give it.”
The SAC has ruled that an employer may not freely extend the catalogue of personal data listed in the Labour Code because working time can be recorded otherwise; biometric data is not indispensable to achieving that goal. Even the employee’s consent does not make the practice legal because, as the weaker party, the employee is not truly independent.
That an employee consents to the processing of personal data in the form of fingerprints does not make it legal. An employee does not give such data on his or her own initiative but only if requested by the employer.