Today it is increasingly common to use fingerprints as a means of identification, for example to unlock a smartphone with a finger scan. But what about privacy when the scan no longer takes place in a private setting where it is a conscious, voluntary choice? Can work-related fingerprint identification be made compulsory in the context of security? Can an organization impose an obligation on its employees to hand in their fingerprints, for example for access to a security system? And how does such an obligation relate to the privacy rules?
Fingerprints as special personal data
The question we should ask ourselves here is whether a finger scan qualifies as personal data within the meaning of the General Data Protection Regulation (GDPR). A fingerprint is biometric personal data: data that results from specific technical processing of a person's physical, physiological or behavioral characteristics.[1] Biometric data can be considered information relating to a natural person, because by its nature it provides information about a particular person. By means of biometric data such as a fingerprint, the person is identifiable and can be distinguished from another person. The definitions in Article 4 GDPR also explicitly confirm this.[2]
Is fingerprint identification a violation of privacy?
The Subdistrict Court Amsterdam recently ruled on the admissibility of a finger scan as an identification system used for security reasons.
The shoe store chain Manfield used a finger scan authorization system that gave employees access to a cash register.
According to Manfield, the use of finger identification was the only way to gain access to the cash register system. It was necessary, among other things, to protect employees' financial information and personal data. Other methods were no longer adequate and were susceptible to fraud. One of the employees of the organization objected to the use of her fingerprint. She regarded this authorization method as a violation of her privacy, referring to Article 9 of the GDPR. According to this article, the processing of biometric data for the purpose of the unique identification of a person is prohibited.
Necessity
This prohibition does not apply where the processing is necessary for authentication or security purposes. Manfield's business interest was to prevent loss of revenue due to fraudulent personnel. The Subdistrict Court rejected the employer's appeal to this exception. Manfield's business interests did not make the system 'necessary for authentication or security purposes', as stipulated in Section 29 of the GDPR Implementation Act. Of course, Manfield is free to act against fraud, but this may not be done in violation of the provisions of the GDPR. Furthermore, the employer had not provided its company with any other form of security. Insufficient research had been carried out into alternative authorization methods, such as an access pass or a numerical code, or a combination of both. The employer had not carefully weighed the advantages and disadvantages of different types of security systems and could not sufficiently justify why it preferred a specific finger scan system. Mainly for this reason, the employer did not have the legal right to impose the fingerprint scanning authorization system on its staff on the basis of the GDPR Implementation Act.
If you are interested in introducing a new security system, it will have to be assessed whether such systems are permitted under the GDPR and the Implementation Act. If there are any questions, please contact the lawyers at Law & More. We will answer your questions and provide you with legal assistance and information.
[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/identificatie/biometrie
[2] ECLI:NL:RBAMS:2019:6005