The Autoriteit Persoonsgegevens, the Dutch data protection authority, has fined a company that relied on scanning its employees' fingerprints for attendance and time registration.[1]

Facts in a nutshell

In the case at hand, the company introduced the fingerprint system in order to curb fraudulent abuse of its previous attendance and time registration system. Although employees could in theory keep using the older system, the authority's investigation found that employees who declined to provide their fingerprints were called into one-on-one discussions with management. The authority further found that the company had not informed its employees adequately about the fingerprint system, and that fingerprints of former employees remained in the system long after they had left the company.

Biometric data a bit special

The Autoriteit Persoonsgegevens treats fingerprints as biometric data within the meaning of Art. 4 No. 14 GDPR and judges them under the stricter conditions that apply to the processing of special categories of personal data under Art. 9 GDPR. According to the DPA, biometric data is by its nature particularly sensitive, as its processing is likely to pose significant risks to the fundamental rights and freedoms of the people affected (the "data subjects").

Among the special categories, biometric data is particularly "special". Unlike the other special categories, Art. 9 GDPR applies to biometric data only if, in the particular case, the data is processed in a way that carries this particular risk, namely for the purpose of uniquely identifying a natural person by automated means.[2] Biometric recognition, whether by identification (one-to-many matching) or by verification (one-to-one matching), is therefore what triggers the strict regime. By contrast, a "mere" camera system that analyses the faces of passers-by for age and gender in order to display targeted advertising would not fall under Art. 9 GDPR, provided that the collected information is neither linked to a particular person by means of a unique identifier nor stored longer than necessary to display the advertisement.[3]

An attendance and time registration system linked to an employee's fingerprint has the advantage that only that particular person can log his or her time. The downside, at least from a data protection perspective, is that this very purpose is intrinsically aimed at identifying the data subject, so the processing falls under the special regime of Art. 9 GDPR.

Legal reasoning by DPA

The authority rejected consent as a legal basis, because the data subjects had not been sufficiently informed and the facts uncovered did not allow for a "free" decision by the employees. Of interest to companies in the Netherlands, the DPA points to Art. 29 of the Dutch implementation act for the GDPR (Uitvoeringswet Algemene Verordening Persoonsgegevens, UAVG). That provision is the Dutch implementation of the opening clause in Art. 9 para. 2 lit. g GDPR, which allows national legislators to enact laws authorising the processing of special categories of data, including biometric data within the scope of Art. 9 GDPR, for reasons of substantial public interest. Art. 29 UAVG permits the processing of biometric data to the extent it is necessary for authentication or security purposes.

The DPA examines the necessity and proportionality of the measure in light of other, less intrusive means and concludes that the security need in the case at hand was not high enough to justify the use of biometric data.

Similar court decisions in Amsterdam and Berlin

The decision of the Dutch DPA does not come as a surprise, however, as it reflects two recent court rulings on the processing of fingerprints in the employment context by the Labour Court Berlin (Germany) and the Sub-District Court Amsterdam (Netherlands).[4] Both courts, in line with the Dutch DPA, treat fingerprints as biometric data within the meaning of Art. 4 No. 14 GDPR and judge them under the stricter conditions that apply to the processing of special categories of personal data under Art. 9 GDPR.

The Labour Court had to assess to what extent it was legitimate to switch from a manual (handwritten) time documentation process to a fingerprint-driven system. The court challenged the necessity of such a system, pointing out that the employer had not provided "evidence of abuse to a not inconsiderable extent" by employees under the previous process that would justify a more intrusive system.[5]

The judges in Amsterdam had to assess a slightly different finger scan system, implemented to authorise access to cash registers. One reason for the change was to prevent theft by employees. The previous system only required a PIN and, although each employee had a unique PIN, over time employees came to know their colleagues' codes. Consequently, it was not possible to trace who had taken money from a cash register. The Sub-District Court pointed to alternative measures that would have been less intrusive and could have achieved the same effect, and accordingly held the use of the new system to be non-compliant.

Takeaways

The fine of EUR 750,000 is noteworthy, as Dutch companies had been relying on such technologies, mainly for security reasons, before the GDPR came into force, a fact acknowledged even by the Dutch legislator.[6] The upside of the DPA's decision is that it confirms that companies actually can process biometric data, provided that they properly inform their employees about the processing, can demonstrate that the processing is necessary for authentication and security purposes, and have considered less intrusive alternatives.

Whether such processing based on Art. 29 UAVG, read in light of Art. 9 para. 2 lit. g GDPR, can still be said to serve "reasons of substantial public interest" is another, perhaps even more interesting question, which the courts will have to settle in the future. Unfortunately, the authority does not question the scope of Art. 29 UAVG against its opening clause ("reasons of substantial public interest").


[1] Press release available at https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-voor-bedrijf-voor-verwerken-vingerafdrukken-werknemers and decision at https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_vingerafdrukken_personeel.pdf (last accessed 7th May 2020).

[2] See Data Protection Conference (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder – DSK), Positionspapier zur biometrischen Analyse (German), page 21, available at https://www.datenschutzkonferenz-online.de/media/oh/20190405_oh_positionspapier_biometrie.pdf (last accessed 7th May 2020).

[3] See DSK, page 28 (example case 5).

[4] See District Court Amsterdam (case number 7728204 CV VERZ 19-9686), 08.08.2019 and Labour Court Berlin (case number 29 Ca 5451/19), 16.10.2019.

[5] See Labour Court Berlin, at 34.

[6] See Explanatory Report to Art. 29 Dutch implementation act for the GDPR (Uitvoeringswet Algemene Verordening Persoonsgegevens, UAVG): "Withdrawing a national exception for biometrics would, in view of the foregoing, mean that existing developments in the use of biometrics as a means of identification would be severely hampered. Existing processing of biometric data, such as those in the relationship between employer and employee, would lose their legal basis. This is not desirable."