Recently, the Dutch Data Protection Authority (AP) imposed a large fine of 725,000 euros on a company that scanned the fingerprints of employees for attendance and time registration. Biometric data, such as a fingerprint, are special personal data within the meaning of Article 9 GDPR. They are unique characteristics that can be traced back to one specific person. However, such data often contain more information than is necessary for a purpose such as identification. Their processing therefore poses great risks to people's fundamental rights and freedoms. If these data get into the wrong hands, this could lead to irreparable damage. Biometric data are therefore strongly protected, and their processing is prohibited under Article 9 GDPR unless a legal exception applies. In this case, the AP concluded that the company in question was not entitled to an exception for processing special personal data.
We previously wrote about the fingerprint in the context of the GDPR and one of the exceptions, namely necessity, in one of our blogs: ‘Fingerprint in violation of GDPR’. This blog focuses on the other ground for exception: permission. When an employer uses biometric data such as fingerprints in his company, can he, with regard to privacy, rely on the permission of his employee alone?
According to Article 4, section 11, GDPR, permission means a specific, informed and unambiguous expression of will by which someone accepts the processing of his personal data through a statement or an unambiguous active action. In the context of this exception, the employer must therefore demonstrate not only that his employees have granted permission, but also that this permission was unambiguous, specific and informed. Signing the employment contract or receiving the personnel manual in which the employer has only recorded the intention to clock in entirely by fingerprint is insufficient in this context, the AP concluded. As evidence, the employer must, for example, submit policy, procedures or other documentation showing that his employees are sufficiently informed about the processing of the biometric data and that they have also given (explicit) permission for that processing.
If the employee grants permission, it must furthermore be not only ‘explicit’ but also ‘freely given’, according to the AP. Examples of ‘explicit’ permission are written permission, a signature, an email sent to give permission, or permission with two-step verification. ‘Freely given’ means that there must be no coercion behind it (as there was in this case: when an employee refused to have the fingerprint scanned, a conversation with the director/board followed) and that permission may not be a condition for something else. The condition ‘freely given’ is in any case not met when employees are obliged or, as in this case, experience it as an obligation to have their fingerprint recorded. In general, the AP considered under this requirement that, given the dependency inherent in the relationship between employer and employee, it is unlikely that the employee can freely grant his or her consent. The employer will have to prove the opposite.
Does an employer request permission from their employees to process their fingerprint? The AP's decision in this case teaches that in principle this is not allowed. After all, employees depend on their employer and are therefore often not in a position to refuse. This is not to say that the employer can never successfully rely on the permission ground. However, the employer must have sufficient evidence to make his reliance on consent successful in order to process biometric data of his employees, such as fingerprints. Do you intend to use biometric data within your company, or does your employer ask you for permission to use your fingerprint, for example? In that case, it is important not to act or grant permission immediately, but to first be properly informed. Law & More lawyers are experts in the field of privacy and can provide you with information. Do you have any other questions about this blog? Please contact Law & More.