The growing use of biometric systems in workplaces has brought new challenges for data protection, especially with the General Data Protection Regulation (GDPR) in Europe. A recent case in Belgium highlights these issues after a company introduced a fingerprint-based time-tracking system without properly adhering to GDPR rules.
Facts
In 2020, a Belgian company began using a fingerprint-based time-tracking system to record employees' working hours. The system covered about 200 employees, ranging from temporary workers to permanent staff. An employee filed a complaint, arguing that their consent was neither freely given nor informed, and raising concerns about how the biometric data was collected, stored, and potentially transferred to third countries.
The Belgian Data Protection Authority (DPA) ruled in favor of the employee, finding several GDPR violations.
The DPA’s Key Findings
The DPA investigated the company's use of biometric data and identified several GDPR violations, summarised below.
- Unlawful Processing of Biometric Data: Fingerprints used to identify a person are biometric data, a special category of personal data under Article 9 GDPR. Processing such data is prohibited unless one of the exceptions in Article 9(2) applies; explicit consent is one of them. The company relied on consent but could not show that it was freely given: because of the imbalance of power in the employment relationship, employees often feel unable to refuse, which makes the consent invalid.
- Lack of Transparency: The company didn’t provide enough information about how long the data would be kept, how it would be used, or employees’ rights regarding the data. This lack of transparency violated GDPR rules.
- Disproportionate Processing: The DPA found that using fingerprints for time tracking and access control was disproportionate to the purpose. Less intrusive means, such as badges, would have achieved the same goal without processing biometric data.
- Failure to Conduct a Data Protection Impact Assessment (DPIA): Article 35 GDPR requires a DPIA where processing is likely to result in a high risk to individuals, which is typically the case for biometric identification of employees. The company had not carried one out, a further violation.
Suggestions for the compliant use of biometric data
Because biometric data is a special category of personal data under the GDPR, organizations must exercise heightened caution when handling it. This case shows how strictly the rules are applied when such data is processed. To avoid similar violations, employers should:
- Ensure a valid legal ground: Consent is rarely a safe basis in the workplace, since the power imbalance between employer and employee makes it hard to show that consent was freely given. Legitimate interest on its own does not lift the Article 9 prohibition either; an Article 9(2) exception is always needed, and in most workplaces none applies. The safest course is to avoid biometric identification altogether and offer non-biometric options (e.g., badges).
- Be transparent: Provide clear, accessible information to employees about data collection, retention, and rights.
- Perform a DPIA: Assess and document the risks of processing sensitive data before deployment, including the less intrusive alternatives considered and why they were rejected.
Conclusion
The ruling in the biometric time-tracking case illustrates what GDPR compliance requires when sensitive personal data is processed in the workplace. It underscores that companies must establish a valid legal basis for biometric data processing (which consent rarely provides in an employment relationship), conduct a thorough Data Protection Impact Assessment, and be transparent with employees. The case is a reminder for organizations across the EU to align their data protection practices with GDPR standards or risk substantial fines and reputational damage.