The Dutch Data Protection Authority (DPA) has imposed a fine of EUR 725,000 on a company that processes biometric data of employees, one of the highest GDPR fines yet in the Netherlands. This company made employees use their fingerprints to enter and leave the workspace. According to the company, the objective was to reduce fraudulent time recording. The Dutch DPA concluded that the processing of the biometric data was not necessary for authentication or security purposes and, as the employees had not given their explicit consent, the processing was deemed unlawful.
Biometric data under the GDPR
Under the GDPR, biometric data is a special category of personal data defined under Article 4(14) as: “[…] personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
Biometric data are unique to each person. The most common forms of biometrics in use are fingerprints, iris or retina scans, voice recognition and facial recognition. Unlike a password, biometric data cannot be changed once compromised, which is why this type of data must be protected with particular care.
Accordingly, Article 9(1) GDPR prohibits the processing of biometric data for the purpose of uniquely identifying a natural person, and such processing is only permitted in the cases listed in Article 9(2), for example when the data subject has given explicit consent to the processing, when the processing is necessary for reasons of substantial public interest, or for reasons of public interest in the area of public health.
The general difficulties with using consent as a lawful basis for processing employee personal data, which stem from the likely imbalance of power in the employer-employee relationship (as outlined in more detail here), are magnified when explicit consent is required under Article 9.
The Dutch DPA's views on processing employee fingerprint data
Back to the case that led to the fine. Employees of the (unnamed) company had their fingerprints scanned for attendance and time registration from 2017 until 2019. Although the bar for valid consent in an employment context is high, there is no explicit prohibition on relying on it where it can genuinely be obtained, so the Dutch DPA first looked at whether the employees had given valid consent for their fingerprints to be processed.
Secondly, it examined whether the processing of the fingerprints was actually necessary for authentication or security purposes and whether it was proportionate, as the GDPR requires.
With regard to consent, the Dutch DPA considered it relevant that the employment contract contained no information on the use of fingerprints. The registration of the fingerprints came as a surprise to the employees, it was not announced, and the company had no documentation showing that the employees had given their consent. The Dutch DPA concluded that explicit consent would have required evidence such as the signature of the data subject, or an email from the data subject expressing the consent. Due to the lack of documentation, the company was unable to demonstrate that it had received any consent, much less explicit consent.
Furthermore, the consent could not have been freely given. According to the company, employees had the option to refuse to provide their fingerprints, but to opt out they had to speak to the director of the business. In the few recorded cases where an employee had initially refused, the employee ended up agreeing to provide their fingerprints after the conversation with the director. This was a clear indication that consent was not freely given, as there appeared to be no meaningful choice or control for the data subjects.
Necessary for authentication or security purposes
Under Article 29 of the Dutch GDPR Implementation Act, the processing of biometric data is permitted if the processing is necessary for authentication or security purposes. However, the employer has to assess whether the use of biometrics is actually necessary for securing its buildings and information systems. In addition, the processing of biometric data must be proportionate in relation to the purpose of the processing. Using fingerprints to control access to a database containing a large collection of (sensitive) personal data could be lawful, but using them to control access to a garage area in the company building is unlikely to be.
According to the Dutch DPA, the company had not carried out this assessment before implementing its procedures. The activities of the company (not revealed in detail) did not indicate a need for processing biometric data. The processing was implemented to prevent fraudulent timekeeping by employees rather than for genuine authentication and security purposes, and the company could have fulfilled the same function by other means that were less invasive of its employees' privacy. The company itself indicated that, as an alternative to the fingerprint scan, it was also possible to have employees clock in and out with a key.
What are the lessons for processing employee biometric data?
- In principle, the processing of biometric data for the purpose of uniquely identifying a person is prohibited under Article 9(1) GDPR. It is only lawful under one of the exceptions in Article 9(2) or a national-law provision such as Article 29 of the Dutch GDPR Implementation Act, and the controller must be able to show which one applies.
- Lawful processing of employee biometric data on the basis of consent is highly unlikely to be valid. If consent is used, the process for obtaining it and the consent itself need to be properly documented.
- When processing biometric data on the basis that it is necessary for authentication or security purposes, companies should assess, before deployment and in writing, whether there are less invasive ways to fulfil the same purposes, and whether the biometric measure is proportionate to what it protects.
- Companies should take appropriate security measures to store any biometric data and delete it as soon as the employment contract is terminated.