Dutch Data Protection Authority Fines a Company for Processing Employees’ Biometrics
On April 30, 2020, the Dutch Data Protection Authority announced that it fined a company €725,000 ($790,000) for processing its employees’ fingerprints in violation of the European Union’s General Data Protection Regulation (GDPR). The company required its employees to scan fingerprints for attendance and time registration.
The GDPR designates biometrics as a “special category” of personal data — i.e. it generally prohibits processing of biometric data absent specifically enumerated exceptions, such as the explicit consent of the data subject or a substantial public interest. See GDPR Art. 9.
The Data Protection Authority concluded that an employer could legitimately rely on two exceptions in such a case: the employees are asked for explicit consent, or the use of biometric data is necessary for authentication or security purposes. In the latter case, however, the employer must consider whether the company’s buildings and information systems need to be secured so tightly that this can only be achieved by using biometrics. The company apparently had other identification methods available that did not involve biometrics and therefore could not establish this exception for its collection of biometric information.
The Data Protection Authority also concluded that the company failed to demonstrate that its employees “explicitly” consented to the collection of their fingerprints. The GDPR requires that consent be “freely given, specific, informed and unambiguous.” See GDPR Art. 4(11). The burden is even higher where the data subject must “explicitly” consent to the processing of a special category of personal data. Generally, under the GDPR, consent is not an appropriate basis for collecting personal information in the employment context, since employees are often not in a position to refuse. The Data Protection Authority concluded that the company’s employees experienced the recording of their fingerprints as an obligation and that the company therefore had not demonstrated that they had given their express permission for the collection of their biometrics.
The fined organization, which has not been identified by the regulator, plans to appeal the fine.