Controlling Working Times and Attendance via the Processing of Biometric Data: Guidelines by the Spanish DPA

In November 2023, the Spanish data protection authority (AEPD) unveiled new guidelines regarding the use of biometric data in the workplace to ensure companies’ compliance with data protection laws while implementing attendance control systems such as fingerprint scanners. Let’s take a look at what it says.

Understanding Biometric Data

Biometric data, like fingerprints, retina scans, and facial recognition technology, is categorized as special category of personal data under the General Data Protection Regulation (GDPR).

The definition of biometric data excludes any mere representation of a person; it pertains only to data that enables a foolproof biometric analysis for the unique identification of an individual. To illustrate, consider a regular photograph. While it allows humans to identify the depicted person with a certain level of accuracy, it does not fall under the realm of biometric data. In contrast, the facial measures employed in facial recognition technology are solely interpretable by machines and showcase a remarkable precision that exceeds the capabilities of human interpretation. While the former is considered personal data, the latter is personal biometric data.

Legality of Using Biometric Data for Attendance Control

Article 9 of the GDPR establishes a general prohibition on processing biometric data due to its classification as a special category of personal data. Despite this restriction, certain exceptions exist.

One such exception is outlined in Article 9.2.a, which permits the processing of biometric data with the explicit consent of the data subject. However, obtaining consent within the realm of employment relationships is complex due to the inherent power imbalance between employers and employees. Should employers opt for consent as the legal basis, they must demonstrate that employees who choose not to provide their authorization face no adverse consequences and that viable alternatives were presented.

Even when these conditions are fulfilled, the legality of the use of biometric data is still shaky: if viable alternatives exist, why not use those alternatives for all the workforce? A crucial consideration when evaluating high-risk activities is whether the data processing is necessary to achieve a purpose.  If alternatives are available, it challenges the argument for the necessity of biometric data processing.

Another exception, as per Article 9.2.b, pertains to fulfilling the controller’s obligations in the realm of employment, social security, and social protection law. Many countries, including Spain, mandate the monitoring of employees‘ working hours to prevent unfavorable working conditions, as stipulated in Real Decreto-Ley 8/2019. However, this obligation alone does not automatically justify the processing of biometric data if less intrusive means to fulfill this requirement are available to employers.

Indeed, uncovering a legal justification for the utilization of biometric data in attendance control is a challenging task, often proving to be insurmountable in many instances. The assessment of whether a biometric system for time and attendance control aligns with the exceptions outlined in Article 9.2 requires a thorough, case-by-case analysis by a data protection expert. This evaluation should consider the specific features of the technology in use and the unique circumstances of the employing company.

Key Considerations for Biometric Attendance Control

1. Data Minimization: Controllers must limit their processing to only the data indispensable for achieving the intended purpose. Therefore, for hours control, only the necessary data should be processed. If the same purposes can be achieved with a less intrusive method, then the necessity of the more intrusive processing has to be well justified. According to this principle, attendance control systems that do not process biometric data, such as access cards, should be preferred.
2. Purpose Limitation: The processing of biometric data must be limited to the purpose for which the data was collected. For example, if fingerprint data was collected for security and access control, it should not be used for performance evaluations. If the controller wishes to process biometric data for several purposes, the legality of each of them has to be assessed independently.
3. Automated Decision-Making: In some cases, decisions that significantly affect individuals can be made based solely on biometric processes. For example, implementing access controls can result in an employee being denied access to a certain zone, affecting their salary or employment. Decisions that significantly affect individuals must not be made without human intervention.
4. Data Processing Impact Assessment (DPIA): The use of biometric technologies for attendance control is considered high-risk processing due to involving special categories of personal data and utilizing innovative technologies. This makes the performance of a DPIA mandatory. To do this, it is necessary to assess the necessity and proportionality of the processing with regards to its purpose, along with the assessment of the risks to the rights and freedoms of data subjects. This task is a complex compliance analysis better performed by a data protection expert.

Recommendations and Risk Minimization

If you are considering implementing biometric data processing, the AEPD suggests a set of practical measures to minimize associated risks, including:

• Inform Employees: Keep your employees well informed about the biometric processing and its related risks. Always comply with the transparency principle and the rules laid out in Article 13 of the GDPR.
• Identity Revocation: Use technologies that enable the revocation of the link between biometric templates and individuals, offering an added layer of control.
• Encryption Methods: Employ robust encryption methods to safeguard the confidentiality, availability, and integrity of biometric data, ensuring it stays secure.
• Prevent Database Interconnection: Implement measures that deter unauthorized interconnection of biometric databases, maintaining the integrity of the collected data.
• Conscious Data Collection: Ensure data collection is conscious, involving positive actions from individuals to initiate biometric data processing. For instance, a deliberate fingerprint scan is active, while passive collection, like automatic facial recognition on all individuals present in a particular space, should be avoided.
• Automated Data Deletion: Integrate automated data deletion mechanisms, ensuring that data is promptly removed when it no longer serves its intended purpose.

Final Note

Using biometric data for access control and working hours is a high-risk processing activity and, in most cases, it is preferable to make use of other methods that do not collect special categories of personal data, such as access cards, passwords, smart keys, or other solutions.

Furthermore, since the recommendations were posed by the Spanish authority, data controllers should be wary of the use of these technologies in other jurisdictions that may have more stringent requirements. For example, these tools would require Work Council approval in countries like Germany.