APDCAT (Catalonia) - PS 33/2024

From GDPRhub

Latest revision as of 11:55, 8 October 2024

APDCAT - PS 33/2024
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 9(2)(b) GDPR
Article 35(1) GDPR
Article 35(3)(b) GDPR
Article 35(4) GDPR
Article 28(2) LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 13.01.2024
Decided:
Published: 10.09.2024
Fine: n/a
Parties: Ajuntament de la Canonja
National Case Number/Name: PS 33/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Catalan, Valencian
Original Source: APDCAT (in CA)
Initial Contributor: fb

The DPA found that a municipality violated Article 9 GDPR after it implemented a fingerprint timekeeping system for its employees.

English Summary

Facts

On 1 January 2021, the controller, a municipality, introduced a new timekeeping system for its employees. This system entailed that the employees needed to use their fingerprint to record their time.

On 13 January 2024, some data subjects filed a complaint with the DPA.

The controller argued that the legal basis it can rely on is Article 6(1)(c) GDPR.

It also pointed out that the system does not capture biometric data, but only some of the characteristic features in order to be able to authenticate users. It further noted that in any case the fingerprint was used as a unique identifier reproducible in other systems.

Finally, it argued that a DPIA was not necessary since the processing at hand did not involve any kind of sensitive data.

Holding

First, the DPA noted that timekeeping systems that use fingerprints are systems that process biometric data.

The DPA pointed out that, as also acknowledged by the controller, this system is able to associate the characteristics of a data subject’s fingerprint to a code that identifies only one data subject. This means that the fingerprint serves as “unique identifier”.

Therefore, according to the DPA, there are no doubts that fingerprints fall into the definition of biometric data set by Article 4(14) GDPR.

Secondly, the DPA recalled that the processing of biometric data falls into the scope of Article 9 GDPR. Therefore, the controller cannot invoke the legal basis provided for by Article 6(1)(c) GDPR, but should prove that the processing falls into one of the exceptions listed in Article 9(2) GDPR.

Since the controller referred to the existence of a legal obligation, the DPA assessed whether the processing at hand could rely on Article 9(2)(b) GDPR. The DPA pointed out that the applicable national law and collective agreement do not state that the controller should use such a timekeeping system.

Therefore, the DPA concluded that the processing at hand was not relying on any valid legal basis. As a consequence, it found a violation of Article 5(1)(a) GDPR in combination with Article 9 GDPR.

Thirdly, the DPA did not agree with the controller’s argument regarding the DPIA. In contrast with the controller’s statement, the DPA found that the processing did involve Article 9 GDPR data.

In particular, it pointed out that Article 35(3)(b) GDPR requires a DPIA when large-scale processing of special categories of data is involved.

Moreover, the DPA recalled that Article 28(2)(c) of the Spanish Data Protection Act (Llei orgànica 3/2018, de 5 de desembre, de protecció de dades personals i garantia dels drets digitals - LOPDGDD) states that a DPIA should be carried out when the processing is not merely incidental or ancillary to the special categories of data referred to in Article 9 GDPR.

Finally, the DPA pointed out that, in accordance with Article 35(4) GDPR, on 6 May 2019 it had published a list of the kinds of processing operations which are subject to a DPIA. Among the processing operations listed, one could find processing operations that involve special categories of data, including biometric data.

Therefore, the DPA held that the controller would have needed to carry out a DPIA and found a violation of Article 35(1) GDPR.

On these grounds, the DPA ordered the controller to adopt corrective measures consisting of implementing a timekeeping system that does not use fingerprints.


English Machine Translation of the Decision

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.

File identification

Resolution of sanctioning procedure no. PS 33/2024, referring to the City Council of La Canonja


Background

1. On 13/01/2024, the Catalan Data Protection Authority received a
   letter of complaint against the City Council of La Canonja, on the grounds of an alleged
   non-compliance with the regulations on personal data protection. The reporting person
   stated that the City Council had implemented a registration system by means of
   fingerprints, a fact that they considered could contravene personal data protection
   regulations.

2. The Authority opened a preliminary information phase (No. IP 26/2024), to determine whether the
   facts were capable of motivating the initiation of a sanctioning procedure, in accordance with
   what is foreseen in article 7 of Decree 278/1993, of November 9, on the sanctioning
   procedure applicable to the areas of competence of the Generalitat, and article 55.2 of
   Law 39/2015, of 1 October, on the common administrative procedure of public
   administrations (LPAC).

   In this information phase, on 31/01/2024 the reported entity was required
   to confirm the implementation of a fingerprint recognition system to
   record the working day of municipal workers; to indicate the legal basis
   legitimizing the aforementioned treatment; to point out which workers have the obligation to
   register through this system; and to provide a copy of the personal data protection impact
   assessment (AIPD) in relation to the reported data processing, in case of
   not done

3. On 02/14/2024, La Canonja City Council responded to the request with a
   letter in which it stated the following:


   - That "the City Council has a control system through the fingerprint of the
      workers, but it must be pointed out that this system does not register the fingerprint but, in
      accordance with some characteristic features, gives them a code, this code being the data that
      is treated by the system used, without fingerprints being stored, in accordance
      with the principle of data minimization (...)".

   - That "this system has been operational since January 1, 2021 to carry out the control
      of the presence of civil servants, labor staff and casual staff; but not being
      a medium intended for personnel from external companies that can provide their services
      at the City Hall".

   - That, by means of this tool, "biometric data is not captured in full,
      but some characteristic features in order to be able to authenticate the users, and without
      biometric data being available in any case as a unique identifier, reproducible in other
      systems".

   - That "the cause that legitimizes its treatment is that determined in article 6.1.c of
      the RGPD: "The treatment is necessary to fulfill a legal obligation applicable to
      the person responsible for the treatment"; and for this reason, as detailed in the point
      above, it is only taken from official and labor personnel, without being taken from
      external persons with whom the City Council does not have this link as an
      employer".

    - That, "all workers are informed at the beginning of their employment relationship with
       the City Council of their obligations and functions as far as they are data users (...)".

    - That "this system does not capture, store or reproduce the fingerprints
       of the workers, but assigns a worker code that cannot be
       reproduced in other systems and which therefore cannot be qualified as a unique
       identifier.
       This fact implies that these data cannot be considered special category
       data and therefore none of the requirements established in article 37 of
       the RGPD is met, where the corresponding impact assessment on the
       data processing to be carried out by this City Council is determined to be mandatory".


    The reported entity concluded that the time control system it implemented "does not capture
    biometric data that involve a complete reproduction of these or grant a
    unique identifier for the worker that can be reproduced in other systems".

4. On 27/03/2024, the director of the Catalan Data Protection Authority agreed to
    start a sanctioning procedure against the City Council of La Canonja for two
    alleged infractions: an infraction provided for in article 83.5.a, in relation to articles
    5 and 9, and another infraction provided for in article 83.4.a, in relation to article 35, all of them of
    Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, relating to the
    protection of natural persons with regard to the processing of personal data and the free
    circulation of this data (RGPD). This initiation agreement was notified to the charged
    entity on 04/03/2024.

5. In the initiation agreement, the imputed entity was granted a term of 10 working days to
    formulate allegations and propose the practice of tests that it considers convenient to
    defend its interests.

6. On 04/05/2024, La Canonja City Council made objections to the agreement
    of initiation, which are addressed in section 2 of the fundamentals of law.

7. On 07/22/2024, the person instructing this procedure formulated a
    resolution proposal, by which it was proposed that the director of the Catalan Data
    Protection Authority state that the City Council of La Canonja had incurred, in the first
    place, in an infringement provided for in article 83.5.a in relation to article 5; and secondly, in
    an infringement provided for in article 83.4.a in relation to article 35, all of them of the RGPD.

     This resolution proposal was notified on 07/22/2024 and a
     period of 10 days was granted to formulate allegations.

8. The deadline has been exceeded and no objections have been submitted.



Proven facts


1. The City Council of La Canonja uses a time control system by means of
    fingerprints, which involves the processing of the biometric data of its official,
    labor and occasional staff. This system went into operation on 01/01/2021.

2. La Canonja City Council did not carry out a data protection impact assessment
    (AIPD) for the implementation of a time control system by means of
    fingerprints.

Fundamentals of law


1. The provisions of the LPAC and article 15 of Decree 278/1993 apply to this
    procedure, according to the provisions of DT 2a of Law 32/2010, of October 1, of
    the Catalan Data Protection Authority. In accordance with articles 5 and 8 of Law
    32/2010, the resolution of the sanctioning procedure corresponds to the Director of the
    Catalan Data Protection Authority.

2. The imputed entity has not formulated allegations to the resolution proposal, but it
    did so to the initiation agreement. Regarding this, it is considered appropriate to reiterate below the
    most relevant parts of the reasoned response of the instructing person to these allegations.

   The letter that the entity presented before the agreement to initiate this procedure described
   the time control system implemented and pointed out that "it does not register the
   fingerprint but in accordance with some characteristic features gives them a code, this
   code being the data that is treated by the system used, without the fingerprints being
   stored, in accordance with the principle of minimization (...)".

   Then, La Canonja City Council pointed out that, although this system has been
   operative since 01/01/2021 to carry out the presence control of officials,
   labor and casual staff, it is not a medium aimed at people from external companies
   who provide their services to the City Council. In relation to this point, it indicated that
   the legal basis that would legitimize its treatment is that provided for in article 6.1.c RGPD, "the
   treatment is necessary for the fulfillment of a legal obligation applicable to the person
   responsible for the treatment", which is why "it is only taken from official and labor
   staff, without being taken from external people with whom the City Council does not have this
   link as an employer."


   Likewise, the entity's allegations also pointed out that "biometric data is not captured
   in full form, but some characteristic features in order to be able to authenticate
   users, and without biometric data being available in any case as a unique
   identifier, reproducible in other systems."

   The entity also argued that it is aware of the change in criteria of the Spanish Agency of
   Personal Data Protection (AEPD) regarding the use of fingerprints, in the month of
   November 2023, and pointed out that this new legal position, set out in a
   guide of the AEPD and reproduced by this Authority, "cannot be considered a
   consolidated criterion." Faced with this scenario, the entity added that the Associació Professional
   Espanyola de Privacitat has raised an open consultation with the AEPD about this
   matter.


In the second point of its allegations, presented before the initiation agreement,
the City Council reiterated that the system "does not capture or store or reproduce the
fingerprints of the workers but assigns a worker code that cannot
be reproduced in other systems and therefore cannot be qualified as a unique
identifier". For this reason, it argued that none of the requirements "established in
article 37 of the RGPD, where the corresponding impact assessment on the data processing
to be carried out by this Council is determined to be mandatory" is met. With respect
to this issue, the allegations set out the entity's disagreement with the consideration
that "fingerprint data" are special categories "in that they do not provide a
unique identifier of the interested party reproducible in other systems", and it also does not share that
it is a new technology, given that "this has been a popular technology and
established throughout the Spanish territory in the last 15 years."

Well, the City Council's allegations will be answered below, starting from
the analysis of its position with respect to the two imputations formulated.

2.1 On the use of the fingerprint for the purposes of time control and work attendance

Fingerprint registration systems constitute systems for the
processing of biometric data, which are configured from the collection of
the fingerprint, and which allow the creation of biometric templates intended for the
identification of a specific individual.

Article 4.14 of the RGPD defines biometric data as "personal data
obtained from a specific technical treatment, related to the physical,
physiological or behavioral characteristics of a natural person that allow or confirm the
unique identification of said person, such as facial images or fingerprint data."
In these terms, there is no doubt that the collection of personal data referring to
the fingerprint of a person constitutes the collection of biometric information.

In the same way, the use of a biometric template, which allows a
specific person to be identified, constitutes a processing of personal data. As stated in
article 4.1 of the RGPD, an identifiable natural person is "any person whose
identity can be determined, directly or indirectly, in particular through an
identifier, such as a name, an identification number, location
data, an online identifier or one or more elements of the physical, physiological, genetic,
psychological, economic, cultural or social identity of said person."

Faced with this scenario, the City Council has recognized that, based on distinctive features of
a person's fingerprint, it obtains a code that allows them to be identified when accessing
the municipal offices. This personal data processing operation
allows authenticating a person using a biometric analysis process. In this sense, a
biometric template is an instrument that allows a specific characteristic of a natural
person to be described, so that a machine can interpret it for the purposes of time
control and presence, among others. In fact, this template acts as a
unique identifier of a person that, even if it does not allow the fingerprint of an individual
to be obtained or drawn, does allow them to be uniquely identified. It
acts, for example, in the same way as a national identification number: from
the ID number we cannot get a person's face, but we can
identify them.


   Having said that, there is no doubt that the treatment carried out by the reported City Council, with
   purposes of time control and the presence of its workers, constitutes a treatment
   of special categories of data.

   At this point, recital 51 of the RGPD refers to the treatment derived from the
   image of a person, and highlights the restrictive nature with which the
   processing of special categories of data can be admitted:

       "[…] The treatment of photographs should not be systematically considered treatment
       of special categories of personal data, since they are only
       included in the definition of biometric data when they are processed
       with specific technical means that allow the unique identification or authentication
       of a natural person. Such personal data must not be processed, unless
       their treatment is allowed in specific situations contemplated in the present
       Regulation, given that the Member States can establish
       specific provisions on data protection in order to adapt the
       application of the rules of this Regulation to the fulfillment of a legal
       obligation or to the fulfillment of a mission carried out in the public interest or in the exercise of
       public powers conferred on the controller. In addition to the specific
       requirements of that treatment, the general principles and other
       rules of this Regulation must be applied, especially in what refers to the conditions of
       legality of the treatment. Exceptions to the general prohibition of treatment of these
       special categories of personal data must be explicitly established,
       among other things when the interested party gives his explicit consent or
       when dealing with specific needs, in particular when the treatment is
       carried out in the framework of legitimate activities by certain associations or
       foundations whose objective is to allow the exercise of fundamental freedoms."


Well, from the account of the allegations presented by the City Council, it can be inferred that the
treatment of the biometric data of municipal staff would be legitimized by article
6.1.c GDPR. However, this Authority differs from this legal
position and maintains that the processing of personal data, based on automated mechanisms,
with the aim of authenticating a person, is not protected by the invoked legal basis,
given that it is conditional on the concurrence of one of the exceptions in article 9.2
RGPD, and the City Council has not invoked any that could exempt this treatment.

In any case, given that the City Council invoked that it carries out this treatment of
data given the need to comply with a legal obligation applicable to the person
responsible for the treatment (art. 6.1.c RGPD), reference must be made to the case provided for in article
9.2.b RGPD ("the treatment is necessary for the fulfillment of obligations and the exercise
of specific rights of the person in charge of the treatment or of the interested party in the field of
labor law and social security and protection, to the extent that it is authorized by the
law of the Union or of the Member States or by a collective agreement according to
Member State law that establishes adequate guarantees of respect for the
fundamental rights and interests of the interested party;").


In effect, article 9.2.b RGPD not only provides that the treatment must be necessary for
the fulfillment of the obligations of the person in charge, but adds that it must be
authorized by the law of the Union or of the member states, or by a collective agreement. And, on this
point, it should be noted that the regulations in force in the field of labor law and civil service law
do not determine any mechanism by which the employer or contracting administration can
control the registration of the working day of its workers based on the processing of their
biometric data. In this same sense, there is also no provision
that authorizes these personal data operations to control the presence of
staff, nor is it recorded that a specific collective agreement has been adopted that gave
coverage to this action in terms of time control.


Thus, given the lack of regulatory authorization, time control by means of
fingerprints cannot be protected by article 6.1.c, nor by article 9.2.b, both of the RGPD.

Consequently, it must be concluded that the processing of personal data carried out by
La Canonja City Council is not covered by any of the legal bases of the RGPD.


In addition, it is necessary to respond to the City Council's allegation according to which, given
the modification of the criteria of the AEPD, in its Guide on "control treatments of
presence via biometric systems" dated 23/11/2023, this criterion would not be
"consolidated". Well, this Authority is not subject to the criteria of the AEPD, given
that both control authorities have independence and are not related by means
of a hierarchical relationship. Secondly, it must be noted that the criterion adopted by the AEPD in
November 2023 is the consolidated criterion that this Authority has followed since the entry
into force of the RGPD (vid. Opinion CNS 21/2020, CNS 2/2022, Resolution of sanctioning
procedure no. 1/2022). By way of example, in Opinion CNS 21/2020 this Authority already
concluded that:

   "Biometric data subjected to specific technical treatments aimed at
   biometric recognition, either in the form of biometric identification or biometric
   authentication, must be considered as a special category of data. The fingerprint
   to which a specific technical treatment is applied is therefore considered
   special category data when it is used for the purpose of authenticating the
   identity of a natural person."

In fact, the reiterated and consolidated position of this Authority coincides with what has been stated
in Guidelines 05/2022 of the European Data Protection Committee (CEPD), on the use of
facial recognition in the field of public order forces. These guidelines, in
section 12, establish that the concept of biometric data refers to the "authentication" and
the "identification" of a person. This idea is reinforced by the fact that, even if they are
different concepts, both have the purpose of identifying a person.
Consequently, the general prohibition provided for in article 9.1 of the RGPD extends to cases
of identification and authentication, and also affects the cases in which the processing of biometric
data is carried out in order to compare the information with a previously established
biometric pattern or template.


Therefore, the City Council's allegation, which maintains that the criterion adopted by the AEPD is not a
consolidated criterion, cannot succeed for the purposes of exonerating it from responsibility given that, as has been
seen, it is the reiterated doctrine of this Authority that the use of fingerprints to identify
a person constitutes processing of biometric data. And, in this regard, it should be noted
that the actions of the City Council fall within the scope of competence of this Authority, and
not that of the AEPD.


   2.2 About the data protection impact assessment (AIPD)

As has been advanced, the City Council starts from the premise that the AIPD was not necessary
because it did not deal with special categories of personal data, nor did it use a new
technology.

Well, for the reasons set out in the previous point, these allegations, with regard to the
treatment of "identifying" data, cannot succeed given that the reported treatment
involves a personal data operation involving biometric data.

Having said that, article 35 of the RGPD provides that an AIPD must be carried out: "when it is likely that
a type of treatment, in particular if it uses new technologies, by its nature, scope,
context or purposes, entails a high risk for the rights and freedoms of natural
persons, the person responsible for the treatment will carry out, before the treatment, an evaluation of the
impact of processing operations on the protection of personal data. A single
evaluation will be able to address a series of similar treatment operations that involve
similar high risks."

In accordance with the above, the second section of article 35 of the RGPD provides that the AIPD
will be required in particular when the treatment involves:

   "a) systematic and comprehensive evaluation of personal aspects of natural persons that
   is based on an automated treatment, such as the elaboration of profiles, and on the basis of which
   decisions are taken that produce legal effects for natural persons or
   that significantly affect them in a similar way;
   b) large-scale treatment of the special categories of data referred to in
   article 9, section 1, or of personal data relating to criminal convictions and
   offenses referred to in article 10, or
   c) large-scale systematic observation of a public access area.
   4. The control authority will establish and publish a list of the types of
   treatment operations that require an impact assessment related to data protection
   in accordance with section 1. (...)."

And, in turn, article 28.2 of Organic Law 3/2018, of December 5, on the protection of
personal data and guarantee of digital rights (LOPDGDD) lists some cases in which
the existence of a high risk for the rights and freedoms of people is considered likely, among
which, and for the purposes that are of interest here, sections c and d of this article stand out:


   "c) When the treatment is not merely incidental or accessory to the special
   categories of data referred to in articles 9 and 10 of Regulation (EU) 2016/679 and
   9 and 10 of this Organic Law or to the data related to the commission of administrative
   infractions.
   d) When the treatment involves an evaluation of personal aspects of those affected with the
   purpose of creating or using personal profiles of these, in particular through analysis or
   prediction of aspects related to their performance at work, their economic situation,
   their health, their personal preferences or interests, their reliability or
   behavior, their financial solvency, their location or their movements."

In accordance with the provisions of article 35 of the RGPD, the Authority published on
06/05/2019 the "list of types of data processing that require impact assessment
relating to data protection" prior to its commencement. As indicated in the referenced
document, when the treatment complies with two or more criteria included in this list,
it may become necessary to carry out an AIPD. The more criteria the treatment
in question meets, the greater will be the associated risks and the greater will be the certainty of the need to
perform the AIPD. In this case, the following criteria should be highlighted:

  - Treatments that involve observation, monitoring, supervision, geolocation or
      control of the interested party in a systematic and exhaustive manner, including the collection of data and
      metadata through networks, applications or in public access areas, as well as the
      processing of unique identifiers that allow the identification of users of information
      society services such as web services, interactive TV,
      mobile applications, etc. (criterion number 3).
  - Treatments that involve the use of special categories of data referred to in
      article 9.1 of the RGPD, data relating to criminal convictions or offenses referred to in
      article 10 of the RGPD or data that allow the financial situation to be determined
  - Treatments that involve the use of biometric data for the purpose of uniquely
      identifying a natural person (criterion number 5).
  - Treatments that involve the use of new technologies or an innovative use of
      consolidated technologies, including the use of technologies on a new scale, with
      a new goal or combined with others in a way that involves new forms of
      collection and use of data, with risk to the rights and freedoms of people (criterion
      number 10).


At this point, the need to carry out the AIPD is due to the fact that the City Council of La
Canonja processes special categories of personal data of all municipal staff (art.
35.3 RGPD) for labor control purposes so that, based on the information that
it collects, it can adopt decisions with legal relevance for the data holders.

In this regard, Guidelines 3/2019, on the processing of personal data by means
of video devices, of the European Committee for the Protection of Personal Data, already
recognized, in relation to the treatment of special categories of personal data, a high risk
that made it necessary to carry out an AIPD:

        "73. The use of biometric data and, in particular, facial recognition entails
        high risks for the rights of those interested. It is fundamental that
        recourse to said technologies take place duly respecting the principles of
        legality, necessity, proportionality and minimization of data as established by
        the RGPD. Although the use of these technologies can be perceived as
        particularly effective, those responsible for the treatment must first of all
        evaluate the impact on fundamental rights and freedoms and consider less
        intrusive means to achieve their legitimate purpose of treatment.”

At this point, it cannot be ignored that the implementation of a system that records the
working day from the fingerprint of the staff of a City Council requires carrying
out a set of operations that involve the following actions: identification of
the employee; collection of their fingerprint; creation of a biometric template or pattern;
storage and conservation of this information; identification of the natural person in the
signing process; record of data related to their behavior (entries to and exits
from work); among others.


In accordance with the above, this set of operations, linked to the processing of data of
City Council staff, justifies the need to carry out an impact assessment
(AIPD) prior to the start of the data processing, in order to be able to assess in
advance the potential risks to which the data holders are exposed. As an example,
there are obvious risks in the event that the technology used does not sufficiently
guarantee that the template obtained from the biometric data will not match
the one used in other similar systems, as well as other risks associated with possible losses
of data confidentiality.

Along the same lines, opinions CNS no. 2/2022 and no. 19/2023 of this Authority,
on the use of biometric data for the control of presence in the workplace, also conclude
that an AIPD must be carried out for biometric data processing with the
purpose of controlling the presence or working hours of the workers. In literal terms, CNS
19/2023 establishes the following:


        "On the basis of article 35 of the RGPD, and of the List of types of data
        processing that require a data protection impact assessment published
        by this Authority, it is concluded that the treatment proposed by the City Council
        requires carrying out an AIPD in which, among other issues, the
        legitimacy of the treatment and the determination of existing risks and the measures to
        mitigate them.”


And, finally, the need to carry out an AIPD is also evident given that, although the use
of machines that can read the fingerprint has been normalized in recent years, it should be
pointed out that the City Council of La Canonja has made innovative use of a technology, given
that through it the Council has obtained information about the habits of its workers (e.g.:
working hours) that allows it to adopt decisions with legal relevance that may affect the
holders of the data.


In conclusion, despite the fact that the circumstances described required the completion of an AIPD
prior to the reported processing of personal data, in order to know the impact on
the protection of personal data that opting for the implementation of a fingerprint
recognition system to record the working day of its workers could entail,
the City Council has not provided any evidence to verify that it carried out
the AIPD. On the contrary, it has denied the need for one. All this, bearing in mind that,
in addition, the reported treatment is not protected by any legal basis of article 6
RGPD.

3. Legal qualification of proven facts

   3.1 Proven fact 1st

   In relation to the facts described in point one of the proven facts section, relating to the
   implementation of a time control system through the processing of biometric
   data, it is necessary to go to article 5.1.a of the RGPD, which provides that "personal data
   will be treated in a lawful, fair and transparent manner in relation to the interested party (lawfulness,
   fairness and transparency)". Likewise, it is also necessary to go to article 9.2 RGPD, which provides
   the exceptions that legitimize the treatment of special categories of personal data.

   During the processing of this procedure, the fact described in point 1 of the proven
   facts section has been proven, which constitutes the offense provided for in article 83.5.a of
   the RGPD, which typifies the violation of “basic principles for treatment including the
   conditions for consent in accordance with articles 5, 6, 7 and 9", among which is
   included the principle of legality, in relation to the treatment of special categories of data
   (articles 5.1.a and 9 RGPD).

    The conduct addressed here has been included as a very serious infraction in article 72.1.e of
    the LOPDGDD, in the following form:


   "e) The processing of personal data of the categories referred to in article 9 of
   Regulation (EU) 2016/679, without any of the circumstances provided for in
   the aforementioned precept and article 9 of this Organic Law."

   3.2 Proven fact 2nd

   With regard to the fact described in point 2 of the proven facts section, referring to the lack of
   carrying out an AIPD, it is necessary to refer to article 35 of the RGPD and article 28 LOPDGDD,
   previously transcribed.


    In accordance with what has been explained, the failure to carry out an AIPD constitutes
    the violation provided for in article 83.4.a of the RGPD, which typifies the violation of "the
    obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and
    43", among which there is the one provided for in article 35 RGPD, relating to the AIPD.

    In turn, this conduct has been included as a serious infraction in article 73.t of
    the LOPDGDD, in the following form:

   "t) The processing of personal data without having carried out the assessment of the impact
   of the processing operations on the protection of personal data in the cases in which
   it is required."


4. Article 77.2 LOPDGDD provides that, in the case of infractions committed by the controllers
    or processors listed in art. 77.1 LOPDGDD, the competent data protection
    authority:

   "(...) must issue a resolution that declares the violation and establishes, if applicable, the measures
   that should be adopted so that the conduct ceases or the effects of the infraction that has
   been committed are corrected, with the exception of that provided for in article 58.2.i of Regulation
   (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016.

   The resolution must be notified to the controller or the processor, to the body on
   which it depends hierarchically, if applicable, and to those affected who have the status of
   interested party, if applicable."


   And section 3 of art. 77 LOPDGDD establishes that:

   "Without prejudice to what is established in the previous section, the data protection authority must
   also propose the initiation of disciplinary actions when there are sufficient indications
   to do so. In this case, the procedure and the sanctions that must be applied are those
   established by the legislation on disciplinary or sanctioning regime that is applicable. (...).”

In terms similar to the LOPDGDD, article 21.2 of Law 32/2010 determines the following:

   "2. In the case of infractions committed in relation to publicly owned files, the director
   of the Catalan Data Protection Authority must issue a resolution that
   declares the infringement and establishes the measures to be taken to correct its effects. (...)”.

By virtue of this power, the Town Council of La Canonja must be required to make available
to the municipal staff, as soon as possible, a time and work attendance registration
system that does not involve the processing of biometric data (e.g. registering
the schedule or attendance through card reading). It is also required
to confirm, within a period of two months counting from the day after the notification of this
resolution, the implementation of this measure, without prejudice to this Authority's power
of inspection to carry out the corresponding checks.

Finally, it should be remembered that, in relation to the existence of a legitimizing basis for
the treatment of biometric data, in the same way that a collective agreement could
constitute a legitimizing legal basis for the processing of biometric data of labor
staff, public administrations, in relation to their civil servants, have
mechanisms for determining working conditions, which must be approved with the
participation of workers' representative bodies, and which could be configured as a
legal basis that can legitimize the use of the fingerprint, in a similar way to the
aforementioned collective agreements. In this sense, in the event that, in the future, a legal
basis is available that legitimizes this processing of personal data, it will be necessary for
the City Council of La Canonja to perform the relevant AIPD.



resolution


For all this, I resolve:

1. Declare that the Council of La Canonja has committed two offences: one offence
    provided for in article 83.5.a in relation to article 5; and another violation provided for in article
    83.4.a in relation to article 35; all of them from the RGPD.

2. Request the City Council of La Canonja to adopt the corrective measures
    indicated in the 4th legal basis and to accredit before this Authority the actions
    carried out to fulfill them.


3. Notify this resolution to La Canonja Town Council.

4. Communicate the resolution to the Ombudsman, in accordance with the provisions of article
    77.5 of the LOPDGDD.

5. Order that this resolution be published on the Authority's website (apdcat.gencat.cat),
    in accordance with article 17 of Law 32/2010, of October 1.

Against this resolution, which puts an end to the administrative process in accordance with articles 26.2 of
Law 32/2010 and 14.3 of Decree 48/2003, of February 20, which approves the Statute of
the Catalan Data Protection Agency, the imputed entity can optionally
file an appeal before the director of the Catalan Data Protection
Authority, within one month from the day after its notification, in accordance
with what is provided for in article 123 et seq. of Law 39/2015. A contentious-administrative
appeal can also be filed directly before the contentious-administrative courts
of Barcelona, within two months from the day after its
notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of July 13, regulating
the contentious-administrative jurisdiction.


If the imputed entity expresses to the Authority its intention to file a contentious-administrative
appeal against the administratively firm resolution, the resolution will be suspended
as a precautionary measure in the terms provided for in article 90.3 of the LPAC.

Likewise, the accused entity can file any other appeal it deems appropriate
to defend their interests.




The director