
AP (The Netherlands) - Boete vingerafdrukken personeel: Difference between revisions

From GDPRhub

Latest revision as of 11:24, 13 March 2025

AP - Boete vingerafdrukken personeel
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 9(1) GDPR; Article 9(2)(a) GDPR; Article 9(2)(g) GDPR
Type: Investigation
Outcome: Violation Found
Started: 05.07.2018
Decided: 04.12.2019
Published:
Fine: 725000 EUR
Parties: n/a
National Case Number/Name: Boete vingerafdrukken personeel
European Case Law Identifier: n/a
Appeal: Appealed - Partly Confirmed (AP (The Netherlands), Woo-besluit 2023-223656: Boete vanwege vingerafdrukscan werknemers)
Original Language(s): Dutch
Original Source: Dutch DPA (in NL)
Initial Contributor: CBMPN

A company was fined €725,000 for scanning fingerprints of employees to track their work frequency. Upon objection, the fine was later reduced to €50,000.

English Summary

Facts

A company (the controller) with 337 employees processed biometric data (fingerprints) of its employees to track their working hours using fingerprint scanners. On 5 July 2018, the Dutch DPA received a notification that employees at the controller were required to have their fingerprints scanned. This processing took place from 25 May 2018 to 16 April 2019.

The DPA launched an investigation and concluded that employees were clocking in and out using their fingerprints for the purpose of time registration.

Five scanning stations are present and active at the company, three of which have a fingerprint scanner. One of these three is used for testing and recording fingerprints, the other two for clocking in and out. All these scanning stations exchange data with a software program, which, in addition to checking presence and absence, provides insight into working hours, absenteeism and overtime.

After a fingerprint has been recorded, the template of that fingerprint is stored as a text file in a digital folder. Templates of fingerprints recorded since the beginning of 2017 were still stored there.

Holding

Under Article 9(1) of the GDPR, the processing of biometric data for the purpose of uniquely identifying individuals is prohibited, unless an exception applies.

Article 9(2)(a) GDPR: Explicit consent is required for processing biometric data. The AP found that the company had not obtained valid consent, as employees were not adequately informed, and consent was not freely given due to the imbalance of power between employer and employee.
Article 9(2)(g) GDPR: Processing biometric data is allowed if it is necessary for authentication or security purposes. The AP concluded that the company's use of fingerprints for time registration did not meet this exception, as less intrusive methods (e.g., ID cards) were available. The company argued that the processing was necessary to prevent time fraud, but the AP determined that this did not meet the threshold for being considered a "necessary" measure under the GDPR.

The DPA applied its 2019 Fine Policy Guidelines, which categorize violations of Article 9 GDPR as Category IV (the most severe category), with a base fine of €725,000. Considering the nature, severity, and duration of the violation (over 10 months), as well as the number of affected individuals (337 employees), the violation was deemed serious.

After an administrative appeal, the fine was lowered to €50,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Confidential/Registered: [CONFIDENTIAL]
Date: December 4, 2019
Our reference: [CONFIDENTIAL]
Contact person: [CONFIDENTIAL]
Subject: Decision to impose an administrative fine

Dear [CONFIDENTIAL],
The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of €725,000 on [CONFIDENTIAL]. The AP is of the opinion that [CONFIDENTIAL] violated the prohibition in Article 9, paragraph 1, of the General Data Protection Regulation from May 25, 2018 to April 16, 2019 by processing biometric data of its employees.
The decision is explained in more detail below. Chapter 1 provides an introduction and Chapter 2 describes the legal framework. In Chapter 3, the AP assesses whether there is processing of biometric data, processing responsibility and the violation. Chapter 4 elaborates on the (amount of the) administrative fine and Chapter 5 contains the operative part and the legal remedies clause.
Dutch Data Protection Authority
Postbus 93374, 2509 AJ Den Haag Bezuidenhoutseweg 30, 2594 AV Den Haag T0708888500-F0708888501 autoriteitpersoonsgegevens.nl
1

1. Introduction
1.1 Legal entities involved and reason for investigation
[CONFIDENTIAL] is a company with its registered office at [CONFIDENTIAL]. [CONFIDENTIAL] is registered in the trade register of the Chamber of Commerce under number [CONFIDENTIAL]. [CONFIDENTIAL].
On July 5, 2018, the AP received a notification that employees at [CONFIDENTIAL] are required to have their fingerprints scanned. From the report, supervisors of the AP concluded that employees were clocking in and out using a fingerprint for the purpose of time registration. Following this signal, the AP initiated an ex officio investigation into [CONFIDENTIAL]'s compliance with Article 9 of the General Data Protection Regulation (GDPR), which concerns, among other things, the processing of biometric data, such as a fingerprint.
1.2 Procedural history
On 6 September and 12 October 2018, the AP contacted the reporter by telephone to ask questions about his report on (the obligation to) use and the locations of the fingerprint scanning equipment at [CONFIDENTIAL]. Following this, the AP received documents from the reporter on 22 October 2018.
On 6 November 2018, the AP conducted an unannounced investigation at [CONFIDENTIAL]. The reports on this investigation and the statements taken from employees were sent to [CONFIDENTIAL] on 11 February 2019. [CONFIDENTIAL] indicated that it had no comments on these documents.
On 18 March 2019, the AP conducted a new investigation at the offices of [CONFIDENTIAL]. The reports on this investigation and the statements taken from employees were sent to [CONFIDENTIAL] on 9 May 2019.
On 13 June 2019, the AP sent a draft report to [CONFIDENTIAL]. [CONFIDENTIAL] provided its opinion on this on 3 July 2019. Taking this response into account, the AP adopted the final report. This report was sent to [CONFIDENTIAL] by letter dated 4 September 2019.
By letter dated 16 September 2019, the AP sent [CONFIDENTIAL] an intention to enforce. Having been given the opportunity to do so by the AP in that same letter of 16 September 2019, [CONFIDENTIAL] submitted its written views on this intention, and on the final report on which it is based, on 21 October 2019.

2. Legal framework
2.1 Scope of the GDPR
Pursuant to the first paragraph of Article 2 of the GDPR, this Regulation applies to the processing of personal data wholly or partly by automated means, as well as to the processing of personal data contained in a filing system or intended to be contained in a filing system.
Pursuant to the first paragraph of Article 3 of the GDPR, this Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not. Pursuant to Article 4 of the GDPR, for the purposes of this Regulation:
1. “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); [...].
2. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means [...].
7. “Controller” means the [...] legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data; [...].
2.2 Prohibition on processing biometric data
Article 9, paragraph 1, of the GDPR defines special categories of personal data as follows, insofar as relevant: “[...] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation [...]”
According to Article 4, paragraph 14, of the GDPR, biometric data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.
According to Article 9, paragraph 1, of the GDPR, the processing of biometric data for the purpose of uniquely identifying a natural person is prohibited. Exceptions to the prohibition on processing special categories of personal data are set out in Article 9, paragraph 2, of the GDPR, insofar as relevant:

“Paragraph 1 shall not apply if one of the following conditions is met:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
[...]
g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which ensures proportionality with the aim pursued, respects the essence of the right to protection of personal data and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject; [...]”
According to Article 4, paragraph 11, of the GDPR, consent is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
According to Article 7, paragraph 1, of the GDPR, the controller must be able to demonstrate that the data subject has given consent to the processing of his or her personal data if the processing is based on consent. According to Article 7, paragraph 3, of the GDPR, the data subject has the right to withdraw his or her consent at any time. Before giving consent, the data subject shall be informed thereof.
According to Article 29 of the Implementing Act General Data Protection Regulation (UAVG), in view of Article 9, paragraph 2, point (g) of the Regulation, the prohibition on processing biometric data for the purpose of uniquely identifying a person does not apply if the processing is necessary for authentication or security purposes.
2.3 Administrative fine
Pursuant to Article 58, paragraph 2, opening sentence and under i, in conjunction with Article 83, paragraph 5, opening sentence and under b, of the GDPR and Article 14, paragraph 3, of the UAVG, the AP is authorised to impose an administrative fine for infringements of the GDPR.
2.3.1 GDPR
Pursuant to Article 83, paragraph 1, of the GDPR, each supervisory authority shall ensure that the administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each case effective, proportionate and dissuasive. Pursuant to the second paragraph, administrative fines shall, depending on the circumstances of the specific case, be imposed in addition to or instead of the measures referred to in Article 58, paragraph 2, points (a) to (h) and (j).

It follows from the fifth paragraph, opening sentence and under a, that an infringement of the basic principles of processing as set out in Article 9 of the GDPR is subject to an administrative fine of up to €20,000,000 or, for an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher, in accordance with paragraph 2.
2.3.2 UAVG
Pursuant to Article 14, third paragraph, of the UAVG, the AP may impose an administrative fine of up to the amounts specified in Article 83, fourth, fifth or sixth paragraph, of the Regulation in the event of an infringement.
3. Assessment
3.1 Processing of biometric personal data
3.1.1 Facts
Five scanning stations are present and active at [CONFIDENTIAL], three of which have a fingerprint scanner. One of these three is used for testing and recording fingerprints, the other two for clocking in and out [CONFIDENTIAL]. All these scanning stations exchange data with a software program, which, in addition to checking presence and absence, provides insight into working hours, absenteeism and overtime.1
[CONFIDENTIAL] has stated that fingerprints have been taken and recorded from two of its employees' fingers. The scanning station calculates a template of the fingerprint and stores it in the software program. This means that unique dots are identified in the lines of the print using a photographic scan. The dots together form the basis for a mathematical calculation to calculate the quality of the fingerprint template.2
[CONFIDENTIAL] has fingerprints of employees recorded as soon as they start work, so that they can clock in.3 Statements from the employees of [CONFIDENTIAL] show that they were called in to come by to have their fingerprints taken.4
On 18 March 2019, during the investigation at [CONFIDENTIAL], the AP established that [CONFIDENTIAL] has a digital folder containing all fingerprint templates of fingerprints of employees who were once scanned at [CONFIDENTIAL]. These templates are stored as text files.5
1 Report of technical investigation during on-site investigation (dated 6 November 2018) of 12 November 2018, screenshot of supplier's website of 29 January 2019 and report of technical investigation including appendices A to H (appendix G (digital content of folder bio_templates) and appendix H (digital photo files) of 19 March 2019.
2 Report of technical investigation during on-site investigation (dated 6 November 2018) of 12 November 2018.
3 Minutes of conversation with director of [CONFIDENTIAL] of 9 November 2018.
4 First three minutes of conversation with employees of [CONFIDENTIAL] of 7 November 2018 and minutes of conversation with employees of [CONFIDENTIAL] of 19 March 2019.
The AP has determined that the contents of this folder can be used to deduce the period within which fingerprints of employees were recorded. The fingerprint templates are stored in this folder as [CONFIDENTIAL] files. The [CONFIDENTIAL] files belong to employees who are employed by [CONFIDENTIAL]. The [CONFIDENTIAL] files belong to former employees of [CONFIDENTIAL]. When the fingerprint templates of the employee in question were created can be deduced from the date in the separate text files of the templates. In addition, the storage date for [CONFIDENTIAL] files corresponds to the date of recording the fingerprint, which is in the text file itself. The first fingerprint templates were saved on 23 January 2017. Templates were saved regularly from that moment on. The last fingerprint templates of employees date from 8 November 2018. The storage data of the [CONFIDENTIAL] files shows that fingerprint templates were created for 39 employees after 25 May 2018. The storage data of the [CONFIDENTIAL] files shows that fingerprint templates were created for 31 employees after 25 May 2018. The contents of the [CONFIDENTIAL] files indicate that fingerprint templates were created for 17 employees after 25 May 2018. In total, fingerprints were recorded and stored for (39+31+17=) 87 employees after 25 May 2018. The AP has determined that a total of 1348 fingerprint templates (as [CONFIDENTIAL] files) were stored in this folder on 18 March 2019. Because four fingerprint templates are stored per employee, these are the fingerprints of (1348:4=) 337 (former) employees of [CONFIDENTIAL].6
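The inventory the AP describes here (templates kept as text files, four per employee, recording date readable from each file, head-count derived by dividing the file count by four) can be reproduced as a retention audit. The Python below is an added example written for this page; it is not the AP's tooling or the company's or supplier's software. The key=value file layout, the field names employee/recorded/status and the sample files are constructed assumptions. Beyond the AP's count it also flags two things a controller would want to know: templates of former employees that are still stored, and employees whose file count does not match the expected four, which is the case where the divide-by-four estimate and the true head-count disagree.

```python
"""Retention and scope audit over a folder of fingerprint template files.

Added example; not part of the AP decision or of any product used by the
company. Each template is a small text file of key=value lines (assumed
layout); four templates are stored per employee, as the decision states;
the recording date inside each file shows when the template was created.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

GDPR_APPLICABLE = date(2018, 5, 25)   # date from which the GDPR applied
TEMPLATES_PER_EMPLOYEE = 4            # per the decision: four templates per employee


@dataclass(frozen=True)
class Template:
    employee_id: str
    recorded: date
    status: str  # "active" (still employed) or "former" (left the company)


def parse_template(text: str) -> Template:
    """Parse one template file (assumed key=value lines).
    The biometric payload is irrelevant to the audit and is ignored."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return Template(
        employee_id=fields["employee"],
        recorded=date.fromisoformat(fields["recorded"]),
        status=fields["status"],
    )


def audit(folder: dict[str, str], cutoff: date = GDPR_APPLICABLE) -> dict:
    """Inventory a folder (filename -> file content) of template files."""
    templates = [parse_template(content) for content in folder.values()]
    if not templates:
        raise ValueError("no template files found")
    by_employee: dict[str, list[Template]] = defaultdict(list)
    for t in templates:
        by_employee[t.employee_id].append(t)

    return {
        "template_count": len(templates),
        # the AP divided the file count by four; the exact per-employee count
        # from the file contents is the check on that estimate
        "estimated_employees": len(templates) // TEMPLATES_PER_EMPLOYEE,
        "employee_count": len(by_employee),
        "first_recorded": min(t.recorded for t in templates).isoformat(),
        "last_recorded": max(t.recorded for t in templates).isoformat(),
        # employees whose templates were created on or after the cutoff date
        "employees_recorded_from_cutoff": sorted(
            {t.employee_id for t in templates if t.recorded >= cutoff}),
        # retention finding: templates of people who have left are still stored
        "former_employees_still_stored": sorted(
            e for e, ts in by_employee.items() if any(t.status == "former" for t in ts)),
        # integrity finding: file count per employee differs from the expected four
        "employees_with_odd_template_count": sorted(
            e for e, ts in by_employee.items() if len(ts) != TEMPLATES_PER_EMPLOYEE),
    }


def _make_files(employee_id: str, recorded: str, status: str,
                n: int = TEMPLATES_PER_EMPLOYEE) -> dict[str, str]:
    """Build n constructed template files for one employee."""
    return {
        f"{employee_id}_f{i}.txt":
            f"employee={employee_id}\nrecorded={recorded}\nstatus={status}\n"
            f"payload=<template bytes omitted>\n"
        for i in range(1, n + 1)
    }


# Constructed sample folder: five employees, one of them with only three files.
SAMPLE_FOLDER: dict[str, str] = {}
SAMPLE_FOLDER.update(_make_files("001", "2017-01-23", "active"))
SAMPLE_FOLDER.update(_make_files("002", "2017-06-12", "former"))
SAMPLE_FOLDER.update(_make_files("003", "2018-05-25", "active"))
SAMPLE_FOLDER.update(_make_files("004", "2018-11-08", "active"))
SAMPLE_FOLDER.update(_make_files("005", "2018-07-02", "former", n=3))

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_FOLDER), indent=2))
```

On the sample folder the divide-by-four estimate gives 4 employees while the file contents show 5, because one employee has only three files; the two "former" employees are reported as templates that the retention rule should have removed rather than merely blocked.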
[CONFIDENTIAL] has stated that the fingerprint templates of employees who had their fingerprints recorded and who were employed on 18 March 2019 were also actually active in the software program and the scanning stations on 18 March 2019.7 The AP has also established this by checking a personnel card of an employee who was employed at that time. Fingerprint templates are active on the personnel card in question. The personnel card also shows that there is a quality indication of the finger scans and that the fingerprints of this employee were recorded on 8 November 2018.8
[CONFIDENTIAL] has also stated that there are no longer any fingerprint templates in the software program and the scanning stations for employees who are no longer employed and were processed as such in the software program on 18 March 2019. If an employee leaves the company, his/her data is retained according to [CONFIDENTIAL], but blocked in the software program.9 [CONFIDENTIAL] has also illustrated this to the AP using a number of personnel cards of persons who were out of service on 18 March 2019.10
5 Technical investigation report including appendices A to H (appendix G (digital content folder bio_templates) of 19 March 2019.
6 Technical investigation report including appendices A to H (appendix G (digital content folder bio_templates) of 19 March 2019.
7 Technical investigation report including appendices A to H of 19 March 2019.
8 Technical investigation report including appendices A to H, appendix E (printout of file “people in service with finger scan.pptx”) p. 9, of 19 March 2019.
9 Interview report with [CONFIDENTIAL] at [CONFIDENTIAL] of 9 November 2018.
On 18 March 2019, the AP made 160 screenshots of personnel cards of employees whose fingerprint templates were active in both the software program and the scanning stations.11 [CONFIDENTIAL] also concluded from the number of [CONFIDENTIAL] files in the relevant folder that on 18 March 2019, fingerprint templates of 160 employees were active in the software program and the scanning stations.12
Based on the above, the AP concludes that after the fingerprint has been recorded, the templates of those fingerprints are stored as a text file in a digital folder. These templates of fingerprints that have been recorded since the beginning of 2017 are therefore still stored there. This also applies to fingerprint templates of employees who are out of service, although they are then blocked and are therefore no longer active in the software program and the scanning stations.
Production workers at [CONFIDENTIAL] can only use their fingerprint and the droplet (an identification tag) separately and next to each other for clocking in and out, and do so regularly. Their identity is confirmed on the device using the template in the software program. The time registration in the software program does not show whether a fingerprint or a drop was used to clock in or out.13
[CONFIDENTIAL] stated that the fingerprint scanning equipment had only been in continuous use for a year on November 6, 2018.14 Several employees of [CONFIDENTIAL] stated that the scanning stations had been in use since 2017.15
During the visit on March 18, 2019, [CONFIDENTIAL] indicated that after the visit of the AP on November 6, 2018, [CONFIDENTIAL] stopped scanning the fingerprints of (new) employees, because it was no longer known whether or not it was permitted.16 The AP also noted on March 18, 2019 that [CONFIDENTIAL] had not recorded any new fingerprints since November 8, 2018.
[CONFIDENTIAL] received instructions from the supplier on April 16, 2019 about removing the software and the files contained therein. [CONFIDENTIAL] stated that it shortly afterwards deleted the biometric data of its (former) employees and provided log files as evidence of the deletion.17 It can be concluded from the log files that the biometric data were actually deleted, but the exact date on which this happened cannot be derived from this.18 In view of this, the AP assumes that the violation continued at least until 16 April 2019.
10 Technical investigation report including appendices A to H of 19 March 2019, p. 2 and 3.
11 Technical investigation report including appendices A to H, appendix E (printout of file “people employed with finger scan.pptx”), dated 19 March 2019.
12 Technical investigation report including appendices A to H (appendix G (digital content folder bio_templates) dated 19 March 2019.
13 First three interview reports with employees of [CONFIDENTIAL] dated 7 November 2018, interview report with director of [CONFIDENTIAL] dated 9 November 2018, interview report with [CONFIDENTIAL] at [CONFIDENTIAL] dated 9 November 2018 and technical investigation report during on-site investigation (dated 6 November 2018) dated 12 November 2018.
14 Interview report with director of [CONFIDENTIAL] dated 9 November 2018.
15 Second and third interview reports with employees of [CONFIDENTIAL] of 7 November 2018 and conversation report with [CONFIDENTIAL] at [CONFIDENTIAL] of 9 November 2018.
16 Report of official proceedings on-site investigation at [CONFIDENTIAL] (dated 6 November 2018) of 12 November 2018.
3.1.2 Assessment
According to the first paragraph of Article 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, by reference to, for example, one or more factors specific to the physical or physiological identity of that natural person.
According to the fourteenth paragraph of Article 4 of the GDPR, biometric data include personal data resulting, inter alia, from specific technical operations relating to the physical characteristics of a natural person, which allow or confirm the unique identification of that natural person. Fingerprint data are explicitly mentioned as an example of biometric data.
Article 4, second paragraph of the GDPR defines the concept of processing as any operation performed upon personal data, such as collection, recording, storage, retrieval, consultation or use. The AP has established that [CONFIDENTIAL] stored fingerprints of 337 (former) employees from 23 January 2017 to at least 16 April 2019. As is apparent from the facts, these fingerprints were stored as templates and remain stored there, even after employees have left the company. The fingerprint templates of employees who are (still) employed are linked to a software program, so that they can clock in and out with their fingerprint. Since 2017, employees of [CONFIDENTIAL] have regularly used their fingerprint on the fingerprint scanner to clock in and out, whereby their identity is confirmed on the basis of the template in the software program. By simply recording the fingerprints of employees, further processing of the fingerprint can take place, such as using the fingerprint to clock in and out. The AP concludes that the data stored by [CONFIDENTIAL] can identify natural persons, namely its employees. The data are the result of a specific technical processing operation relating to the physical characteristics of a natural person (the fingerprint), on the basis of which the unique identification of that natural person is possible, which is confirmed to employees via the fingerprint scanner. Therefore, there is biometric data within the meaning of Article 4, paragraph fourteen, of the GDPR. As far as [CONFIDENTIAL] argues that the code, which is created on the basis of the fingerprint, cannot be traced back to an employee, the AP does not share this conclusion of [CONFIDENTIAL].19
17 Written response from [CONFIDENTIAL] of 13 November 2019, question 2 and appendix 2.
18 Written response from [CONFIDENTIAL] dated 13 November 2019, question 1 and log file.
[CONFIDENTIAL] has stored the fingerprint data digitally and processes it partly by means of the finger scanning equipment when taking the fingerprint and when employees scan their finger to be able to clock in and out. The AP concludes that [CONFIDENTIAL] has thereby (partially) automatically processed biometric data within the meaning of Article 4, section two, of the GDPR.
3.1.3 Conclusion
[CONFIDENTIAL] had stored biometric data of 250 employees on 25 May 2018, which was gradually supplemented to 337 employees. [CONFIDENTIAL] processed the biometric data up to and including 16 April 2019. In view of the foregoing, the AP concludes that [CONFIDENTIAL] processed biometric data of employees from 25 May 2018 up to and including 16 April 2019 within the meaning of Article 4, section fourteen, of the GDPR.
3.2 Controller
The AP is of the opinion that [CONFIDENTIAL] determined the purposes and means for processing the biometric data. [CONFIDENTIAL] made the decision to use (and finance) the fingerprint scanner equipment as a means to process biometric data of its employees.20
[CONFIDENTIAL] also determined the purpose of the processing, namely to reduce abuse when clocking in and out for the purpose of time registration. According to [CONFIDENTIAL], it has happened regularly in the past that one employee clocked in for two employees while only one person was present. According to [CONFIDENTIAL], there were also practical purposes. For example, there are no costs for purchasing, losing or damaging droplets.21 Employees also state as reasons that the system offers a closed attendance registration, that the system with finger scanners must replace the outdated system with drop scanners and that it can be part of the security of the computer network in the future (hacking attempts, industrial espionage).22
19 See also Rb. Amsterdam 12 August 2019, ECLI:NL:RBAMS:2019:6005, in which it was ruled that a fingerprint that had been converted into a code is (biometric) personal data within the meaning of the GDPR.
20 Minutes of conversation with director of [CONFIDENTIAL] of 9 November 2018, minutes of conversation with [CONFIDENTIAL] at [CONFIDENTIAL] of 9 November 2018, overview list and copied documents during on-site investigation (dated 6 November 2018) of 12 November 2018 document no. 17 and no. 18, and report of technical investigation during on-site investigation (dated 6 November 2018) of 12 November 2018.
21 Minutes of conversation with director of [CONFIDENTIAL] of 9 November 2018 and report of official proceedings during on-site investigation (dated 18 March 2019) at [CONFIDENTIAL] of 19 March 2019.
22 Minutes of conversation with [CONFIDENTIAL] at [CONFIDENTIAL] of 9 November 2018 and report of technical investigation during on-site investigation (dated 6 November 2018) of 12 November 2018.

Based on the above, the AP designates [CONFIDENTIAL] as the controller as referred to in Article 4, section 7, of the GDPR.
3.3 Prohibition on processing biometric data
3.3.1 Introduction
In recent years, the importance of biometric data for the identification of persons has increased significantly. What is new compared to previous legislation is the fact that the GDPR also designates biometric data that are processed with a view to the unique identification of a person as a special category of personal data.23
Personal data that are particularly sensitive deserve specific protection, because their processing can entail high risks for fundamental rights and freedoms. The processing of special categories of personal data is therefore prohibited under Article 9, paragraph 1, of the GDPR, unless a statutory exception applies.24
The AP will assess below whether [CONFIDENTIAL] can successfully rely on exceptions relevant to this case as referred to in Article 9, paragraph 2, under a and g, of the GDPR. This concerns processing based on “explicit consent” or that is “necessary for authentication or security purposes” respectively.
3.3.2 Facts
The employment contracts used by [CONFIDENTIAL] do not contain any information about the use of fingerprints.25 The applicable personnel handbooks at the time, dated July 2017, state the following: “[CONFIDENTIAL]”.26
On 6 November 2018, the AP received a copy of a draft version of adjustments to the production personnel handbook. The above paragraph on attendance registration had remained unchanged.27 In a revised version of the manuals, dated January 2019, the sentence “[CONFIDENTIAL]” was omitted.28
Several employees of [CONFIDENTIAL] stated that the recording of the fingerprints came as a surprise, had not been announced and that they had not received any information about this.29 The AP requested documentation of policy or procedures for or evidence of granting permission for taking fingerprints and refusing to do so. Such documentation was not available.
23 See Parliamentary Papers II 2017/18, 34851, 3, p. 40 and 108 (MvT).
24 See recital 51 of the GDPR.
25 Summary list and copied documents during on-site investigation (dated 6 November 2018) of 12 November 2018, no. 3, 4, 5 and 6.
26 Summary list and copied documents during on-site investigation (dated 6 November 2018) of 12 November 2018, no. 7 and 8.
27 Summary list and copied documents during on-site investigation (dated 6 November 2018) of 12 November 2018, no. 9.
28 Summary list and copied documents during on-site investigation (dated 18 March 2019) of 19 March 2019.
29 First three minutes of interviews with employees of [CONFIDENTIAL] of 7 November 2018 and first minute of interviews with employee of [CONFIDENTIAL] of 19 March 2019.
The director of [CONFIDENTIAL] stated that he has no idea whether permission is requested from employees for processing fingerprints, but that it is a free choice.30 The [CONFIDENTIAL] stated that employees do not give permission for the use of their fingerprint, but that scanning the fingerprint is not mandatory. They do sign for receipt of the drop.31
The [CONFIDENTIAL] further indicates that there is a possibility to refuse taking fingerprints. To do so, the employee concerned must then discuss this with the director. In practice, this hardly ever happens. In the few cases where this occurred, the employee still provided his or her fingerprint after the conversation with the director.32
A [CONFIDENTIAL] stated that with regard to consent, the employment contract and the personnel handbook should be consulted, on the basis of which she believes that employees are aware that [CONFIDENTIAL] wants to work with fingerprints in the future.33
There is a mixed picture among employees on the work floor regarding the answer to the question of whether consent is requested for taking fingerprints. On the one hand, employees indicate that scanning the fingerprint was mandatory. On the other hand, there are two employees who state that they gave verbal consent.34
The following facts are relevant to the assessment of whether the processing is necessary for authentication or security purposes.
The business activities of [CONFIDENTIAL].35 [CONFIDENTIAL].36
As stated in paragraph 3.1.1., [CONFIDENTIAL] uses a software program for time registration and – on the basis of that – the administration of salary, leave and illness. In the past, employee attendance was only recorded by clocking in and out with droplets at scanning stations.37
30 Minutes of conversation with director of [CONFIDENTIAL] dated 9 November 2018.
31 Minutes of conversation with [CONFIDENTIAL] at [CONFIDENTIAL] dated 9 November 2018.
32 Report of technical investigation during on-site investigation (dated 6 November 2018) dated 12 November 2018.
33 Minutes of conversation with [CONFIDENTIAL] at [CONFIDENTIAL] dated 9 November 2018.
34 First three minutes of conversation with employees of [CONFIDENTIAL] dated 7 November 2018 and minutes of conversation with employees of [CONFIDENTIAL] dated 19 March 2019.
35 Chamber of Commerce extract [CONFIDENTIAL] dated 15 October 2018.
36 Report of technical investigation during investigation on site (dated 6 November 2018) of 12 November 2018.
37 Minutes of conversation with director of [CONFIDENTIAL] of 9 November 2018 and minutes of conversation with [CONFIDENTIAL] at [CONFIDENTIAL] of 9 November 2018.
The director of [CONFIDENTIAL] has decided to expand the time registration system with the finger scan equipment. He took the decision independently in his capacity as general manager of [CONFIDENTIAL].38 As stated in paragraph 3.2, the reason for this was to reduce abuse when clocking in and out for the purpose of time registration. According to [CONFIDENTIAL], there were also practical advantages. For example, there are no costs for purchasing, losing or damaging drops. Employees also state that the system offers a closed attendance registration, that the system with finger scanners must replace the outdated system with drop scanners and that it can be part of the security of the computer network in the future (hacking attempts, industrial espionage). Finally, by using finger identification, only persons who are trained to use advanced equipment can enter.
3.3.3 Assessment
3.3.3.1 Explicit consent
According to Article 4, paragraph 11, of the GDPR, consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
In order for consent to be given with full knowledge of the facts, the data subject must be informed, among other things, of the identity of the controller, the purpose of the processing, the (type of) data that is being processed and the existence of the right to withdraw consent.39
A data subject must also be able to give consent freely. The Guidelines on consent under the GDPR state the following in this regard:
“An imbalance of power also occurs in the context of employment relationships. Given the dependency resulting from the relationship between employer and employee, it is unlikely that the data subject would be able to withhold his or her consent to data processing without fear or real threat of adverse consequences as a result of a refusal. It is unlikely that the employee would be able to freely respond to a request for consent from his/her employer for, for example, activating surveillance systems such as CCTV in the workplace, or completing performance appraisal forms, without feeling pressure to consent. Therefore, WP29 considers that it is problematic for employers to process personal data of current or prospective employees on the basis of consent, as it is unlikely to be freely given. For the majority of such workplace data processing, the legal basis cannot and should not be the employee’s consent (Article 6(1)(a)) due to the nature of the employer-employee relationship. However, this does not mean that employers can never rely on consent as a legal basis for processing. There may be situations where the employer can demonstrate that consent is in fact freely given. Given the imbalance between an employer and its staff, employees can only give their consent freely in exceptional circumstances, namely when there are no negative consequences if they give their consent or not. [...] Imbalances of power are not limited to public authorities and employers; they can also occur in other situations. As WP29 has stressed in several Opinions, “consent” can only be valid if the data subject has a genuine choice and there is no deception, intimidation or coercion and the data subject does not run the risk of significant negative consequences (for example significant additional costs) if he or she does not consent. Consent is not freely given in cases where there is any element of coercion, pressure or inability to exercise free will”.40
38 Minutes of conversation with the director of [CONFIDENTIAL] of 9 November 2018, minutes of conversation with [CONFIDENTIAL] at [CONFIDENTIAL] of 9 November 2018 and report of technical investigation during on-site investigation (dated 6 November 2018) of 12 November 2018.
39 See recital 42 of the GDPR, the Guidelines on consent under Regulation 2016/679 of 28 November 2017, p. 15 and Article 7, paragraph 3, of the GDPR.
Furthermore, under Article 7(1) GDPR, the controller must be able to demonstrate that the data subject has given consent to the processing of his or her personal data.
The conditions of Article 7 GDPR also apply to the concept of consent in Article 9 GDPR.41 In order to meet the condition of Article 9(2)(a) GDPR for an exception to the prohibition on processing biometric data in Article 9(1) GDPR, the data subject must give explicit consent – in addition to the conditions that Article 7 GDPR imposes on consent. According to the Guidelines on consent under the GDPR, explicit consent refers to the manner in which consent is expressed by the data subject. According to the Guidelines, this may include written consent, signing (possibly with electronic signature), sending an e-mail by the data subject or consent with two-step verification. In theory, the use of oral declaration may also be sufficient to obtain valid explicit consent, but it may be difficult for the controller to prove that all conditions for valid explicit consent were met when recording the declaration.42
Based on the following facts, the AP concludes that [CONFIDENTIAL] has not demonstrated that its employees have given explicit consent to the processing of their biometric data. The free, specific, informed and unambiguous expression of the will of the employees of [CONFIDENTIAL] has not been established. [CONFIDENTIAL] as the controller has not demonstrated that its employees have given (explicit) consent to the processing of biometric data, which is mandatory under Article 7, paragraph 1, of the GDPR. After all, paragraph 3.3.2 shows that [CONFIDENTIAL] has no documentation of policies or procedures for or evidence of the granting and refusal of consent to the recording of fingerprints. In addition, several employees stated that scanning fingerprints was mandatory and that no consent is requested for this, not even in the context of the signing of the employment contract or receipt of the employee handbook. Two employees stated that they have given their oral consent for their fingerprints to be recorded. However, [CONFIDENTIAL] has also not been able to demonstrate the existence of any oral statements regarding consent. [CONFIDENTIAL] has therefore not been able to demonstrate that its employees have given their explicit consent within the meaning of Article 9, paragraph 2, point (a) of the GDPR for the processing of their biometric data.
40 Guidelines on consent under Regulation 2016/679 dated 28 November 2017, pp. 7-8. Last revised and adopted by the Article 29 Working Party on 10 April 2018.
41 Guidelines on consent under Regulation 2016/679 dated 28 November 2017, p. 23.
42 Guidelines on consent under Regulation 2016/679 dated 28 November 2017, pp. 20-22.
For the sake of completeness, the AP notes that [CONFIDENTIAL] has also not been able to demonstrate that its employees were sufficiently informed about the processing of biometric data and that they gave their consent freely. As stated in paragraph 3.3.2, the employment contract did not include any information about the use of fingerprints. Employees were only informed via the personnel handbook of July 2017 that [CONFIDENTIAL] intended to clock in entirely with fingerprints. The most recent personnel handbook of January 2019 no longer contains any information about the intention to switch entirely to time registration with fingerprints. Several employees of [CONFIDENTIAL] have also stated that the recording of fingerprints had not been announced and that they had not received any information about this. In addition, [CONFIDENTIAL] has not demonstrated that any consent given was given freely by its employees. Moreover, employees of [CONFIDENTIAL] have stated that scanning the fingerprint was mandatory. And [CONFIDENTIAL] and an employee stated that if they refused to have their fingerprint scanned, a conversation with the director/board followed, after which in practice (almost) everyone had their fingerprint scanned.
It follows from the above that – despite the fact that [CONFIDENTIAL] believes that employees had a freedom of choice to clock in and out using their fingerprint – several employees experienced it as an obligation to have their fingerprint recorded. There is a hierarchical relationship between the employer and the employee. Given the dependency resulting from the relationship between employer and employee, it is unlikely that the employee can freely give his or her consent. [CONFIDENTIAL] has also not demonstrated that consent was freely given in this case.
[CONFIDENTIAL] must demonstrate, pursuant to Article 7, paragraph 1, of the GDPR, that a data subject has given consent to the processing of his or her personal data. The conditions of Article 7 of the GDPR also apply to the concept of consent in Article 9 of the GDPR. Based on the above, the AP is of the opinion that [CONFIDENTIAL] has not been able to demonstrate that its employees have given explicit consent within the meaning of Article 9, paragraph 2, under a, of the GDPR for the processing of their biometric data.
Opinion [CONFIDENTIAL] and AP response
[CONFIDENTIAL] is of the opinion that the employees have given permission for the use of their fingerprints and that no one has ever objected to this. Many employees also found the system with the droplet inconvenient. [CONFIDENTIAL] has always been very open about the use of the fingerprint scanning system and only had good intentions. It has also never been an obligation to clock in and out with the fingerprint scan; this could also always be done with the droplet. [CONFIDENTIAL] is therefore of the opinion that the employees were able to give their consent freely. It is also not at all correct that employees who did not want to have their fingerprints taken, had a conversation with management. According to [CONFIDENTIAL], no one was forced to use the finger scans and the possibility to use the droplet system has always remained. In fact, of the 4 droplet clocks present, only 2 are additionally equipped with the finger scan option.
[CONFIDENTIAL] states that, after the first visit by the AP on 6 November 2018, it took immediate measures and stopped clocking in and out using fingerprints. After that date, no more fingerprints were recorded. After the second visit by the AP on 18 March 2019, [CONFIDENTIAL] contacted the supplier of the fingerprint equipment and had the fingerprint scans taken and the program relating to the registration with fingerprints deleted. [CONFIDENTIAL] wanted to ensure that all biometric data would be destroyed as soon as possible, so that [CONFIDENTIAL] would not run any further risks. The supplier indicated to [CONFIDENTIAL] that the use of the fingerprint scan is permitted in this case, because it is not mandatory and there are 2 scanning options offered by [CONFIDENTIAL]: the fingerprint scan and the drop.
The AP interprets the view as meaning that [CONFIDENTIAL] is of the opinion that the employees were able to freely give their consent for the processing of the fingerprints. The AP does not follow [CONFIDENTIAL]'s view. Given the dependency resulting from the relationship between employer and employee, it is unlikely that the employee can freely give his or her consent. If in this exceptional case there was free consent, [CONFIDENTIAL] should have demonstrated this. [CONFIDENTIAL] has not provided evidence that its employees gave consent for the processing of the fingerprints, let alone that the consent was given freely and in an informed manner. Moreover, despite the freedom of choice for employees to clock in and out using their fingerprint, several employees have experienced it as an obligation to have their fingerprint recorded.
3.3.3.2 Necessary for authentication or security purposes
Article 9, paragraph 2, under g, of the GDPR allows for an exception in national law to the prohibition on processing biometric data for reasons of substantial public interest. In the Netherlands, this has been implemented in Article 29 of the UAVG, by allowing the processing of biometric data if the processing is necessary for authentication or security purposes.
Furthermore, the Explanatory Memorandum to Article 29 of the UAVG states that it is undesirable not to include a national exception for the processing of biometric data. It also states: “A consideration must be made as to whether identification with biometric data is necessary for authentication or security purposes. The employer will then have to consider whether the buildings and information systems must be secured in such a way that this must take place with biometrics. This will be the case if access must be limited to certain persons who are authorized to do so, such as at a nuclear power plant. The processing of biometric data must also be proportionate. In the case of access to a repair shop garage, the need for security will not be such that employees can only gain access using biometrics and that this data is recorded to exercise access control. On the other hand, biometrics can sometimes be an important form of security for information systems, for example, which themselves contain a lot of personal data, where unlawful access, including by employees, must be prevented. In order to make this assessment possible in circumstances where consent cannot be given freely, the bill includes a provision that allows an exception to the prohibition on processing biometric data for the purpose of identifying the data subject, if this is necessary for authentication or security purposes”.43 As the Explanatory Memorandum states, a consideration must be made as to whether identification using biometrics is necessary and proportionate for authentication or security purposes. [CONFIDENTIAL] should have considered whether the buildings and information systems of [CONFIDENTIAL] should be secured in such a way that this should be done using biometric data. A strict test applies to this. For example, biometrics may be used for access control at a nuclear power station. There, the importance of security is very great and only certain people may have access. [CONFIDENTIAL] should also have considered whether processing fingerprints of employees at [CONFIDENTIAL] is proportionate. The use of biometric personal data when accessing, for example, the garage of a repair company cannot pass this test. After all, the need for security is not so great that people should only be able to gain access by using biometrics. In addition, security can also be guaranteed in other, less far-reaching ways.
As stated in paragraph 3.3.2, the business activities of [CONFIDENTIAL] include [CONFIDENTIAL]. According to [CONFIDENTIAL], simple work is performed in [CONFIDENTIAL], such as [CONFIDENTIAL]. According to [CONFIDENTIAL], advanced equipment is also used to make these.
[CONFIDENTIAL] uses the relevant software program for time registration and – based on that – the administration of salary, leave and illness. In the past, the presence of employees was only registered by clocking in and out with drops at scanning stations. The director of [CONFIDENTIAL] independently decided to expand the time registration system with the finger scanner equipment. As stated in paragraph 3.2, the reason for this was to reduce abuse when clocking in and out for the purpose of time registration. According to [CONFIDENTIAL], there were also practical advantages. For example, there are no costs for purchasing, losing or damaging droplets. Employees also state as reasons that the system offers a closed attendance registration, that the system with finger scanners must replace the outdated system with drop scanners and that it can be part of the security of the computer network in the future (hacking attempts, industrial espionage). Finally, by using finger identification, only persons who are trained to use advanced equipment can enter.
43 Parliamentary Papers II 2017/18, 34851, 3, p. 94-95 (MvT).
The AP is of the opinion that the processing of biometric data in the context of (preventing abuse of) time registration, attendance control and authorized use of equipment at [CONFIDENTIAL] is not necessary and proportionate. The previously described activities at [CONFIDENTIAL], including [CONFIDENTIAL], are more like the activities within a garage of a repair company, where according to the Explanatory Memorandum to Article 29 of the UAVG it is not necessary and proportionate to process biometric data. Although [CONFIDENTIAL] has an interest in working with fingerprint scanning equipment for (preventing abuse of) time registration, given this purpose and the business activities of [CONFIDENTIAL], that interest does not justify an exception to the prohibition on processing biometric data. As with a garage, the need for security at [CONFIDENTIAL] is not such that employees must be able to gain access using biometrics and that this data is recorded to exercise access control. In addition, other methods that infringe less on the privacy of employees can also achieve this. 
On the AP's draft report of findings, [CONFIDENTIAL] indicated that it agrees with the AP that the exception 'necessary for security or authentication' may not apply to [CONFIDENTIAL]. According to [CONFIDENTIAL], this is the main reason to stop using biometric data for access control at [CONFIDENTIAL]. [CONFIDENTIAL] did not provide an opinion on this exception on the final report of findings. 
Based on the above, the AP is of the opinion that there is no necessity at [CONFIDENTIAL] that would justify an exception to the prohibition on processing biometric data for authentication or security purposes. [CONFIDENTIAL] cannot therefore rely on the exception of Article 9, paragraph 2, under g, of the GDPR in conjunction with Article 29 of the UAVG with regard to the processing of fingerprints.
3.3.4 Conclusion
Based on Article 9, paragraph 1, of the GDPR, it is in principle prohibited to process biometric data. The AP concludes that the processing of biometric data under the responsibility of [CONFIDENTIAL] does not meet the conditions for an exception to the prohibition of Article 9 of the GDPR, specifically not the conditions referred to in Article 9, paragraph 2, under a, of the GDPR or Article 9, paragraph 2, under g, of the GDPR in conjunction with Article 29 of the UAVG. [CONFIDENTIAL] has thereby violated the prohibition of Article 9, paragraph 1, of the GDPR.
3.4 Final conclusion
The AP concludes that [CONFIDENTIAL] as the controller violated the prohibition of Article 9, paragraph 1, of the GDPR from 25 May 2018 to 16 April 2019 by processing biometric data of its employees.
4. Fine
4.1 Introduction
[CONFIDENTIAL] violated the prohibition of Article 9, paragraph 1, of the GDPR from 25 May 2018 to 16 April 2019 by processing biometric data of its employees.
For the established violation, the AP uses its authority to impose a fine on [CONFIDENTIAL] on the basis of Article 58, paragraph 2, opening sentence and under i and Article 83, paragraph 5, of the GDPR, read in conjunction with Article 14, paragraph 3, of the UAVG. The AP uses the Fine Policy Rules 2019 for this purpose.44
The AP will first briefly explain the fine system, followed by the motivation for the fine amount in the present case.
4.2 Fine Policy Rules Dutch Data Protection Authority 2019 (Fine Policy Rules 2019)
Pursuant to Article 58, paragraph 2, opening sentence and under i and Article 83, paragraph 5, of the GDPR, read in conjunction with Article 14, paragraph 3, of the UAVG, the AP is authorised to impose an administrative fine on [CONFIDENTIAL] in the event of a violation of Article 9, paragraph 1, of the GDPR of up to €20,000,000 or up to 4% of the total worldwide annual turnover in the preceding financial year, if this figure is higher. The AP has established Fine Policy Rules 2019 regarding the implementation of the aforementioned authority to impose an administrative fine, including determining the amount thereof.45
Pursuant to Article 2, under 2.2, of the Fine Policy Rules 2019, the provisions regarding violations for which the AP may impose an administrative fine of up to €20,000,000 or, for a company, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher, are classified in Annex 2 into category I, category II, category III or category IV. The fine categories are ranked according to the severity of the violation, with category I containing the least serious violations and category III or IV the most serious violations.
In Annex 2, Article 9 of the GDPR is classified in category IV. Pursuant to Article 2, under 2.3, the AP sets the basic fine for violations for which a statutory maximum fine of €20,000,000 applies or, for an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher, [...] within the following fine range:
Category IV: Fine range between €450,000 and €1,000,000 and a basic fine of €725,000. [...].
44 Stcrt. 2019, 14586, 14 March 2019.
45 Idem.
Pursuant to Article 6, the AP determines the amount of the fine by adjusting the amount of the basic fine upwards (up to a maximum of the bandwidth of the fine category linked to an infringement) or downwards (down to a minimum of that bandwidth). The basic fine is increased or reduced depending on the extent to which the factors mentioned in Article 7 give cause for this.
Pursuant to Article 7, the AP takes into account, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb), the factors derived from Article 83, paragraph 2, of the GDPR and in the Policy Rules mentioned under a to k:
a. the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of affected data subjects and the extent of the damage suffered by them;
b. the intentional or negligent nature of the breach;
c. the measures taken by the controller [...] to mitigate the damage suffered by data subjects;
d. the extent to which the controller [...] is responsible in view of the technical and organisational measures implemented in accordance with Articles 25 and 32 of the GDPR;
e. previous relevant breaches by the controller [...];
f. the extent of cooperation with the supervisory authority in remedying the breach and mitigating its possible adverse effects;
g. the categories of personal data to which the breach relates;
h. the manner in which the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller [...] notified the breach;
i. compliance with the measures referred to in the second paragraph of Article 58 of the GDPR, insofar as they have been taken previously in relation to the controller [...] in question in relation to the same matter;
j. adherence to approved codes of conduct pursuant to Article 40 of the GDPR or to approved certification mechanisms pursuant to Article 42 of the GDPR; and
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial profits made or losses avoided, whether or not directly resulting from the infringement.
In the present case, this involves an assessment of the nature, seriousness and duration of the infringement in the specific case. In principle, this will remain within the bandwidth of the fine category linked to that infringement. The AP may, if necessary and depending on the extent to which the aforementioned factors give rise to this, apply the fine bandwidth of the next higher or next lower category. In addition, when imposing an administrative fine pursuant to Article 5:46, paragraph 2, of the General Administrative Law Act, the AP assesses to what extent this can be attributed to the offender.
4.3 Fine amount
4.3.1. Nature, seriousness and duration of the infringement
Pursuant to Article 7, opening paragraph and under a, of the Fine Policy Rules 2019, the AP takes into account the nature, seriousness and duration of the infringement. In assessing this, the AP takes into account, among other things, the nature, scope or purpose of the processing as well as the number of affected data subjects and the extent of the damage suffered by them.
The GDPR offers a high level of protection for particularly sensitive personal data. Personal data that are particularly sensitive deserve specific protection, because their processing can entail high risks for fundamental rights and freedoms. Data subjects must therefore have a high degree of control over their biometric data. The starting point is therefore that the processing of special personal data is in principle prohibited. Only a limited number of exceptions are possible, as laid down in the GDPR. By taking fingerprints and subsequently storing biometric data, [CONFIDENTIAL] in this case violated the high level of protection offered by Article 9, paragraph 1, of the GDPR.
[CONFIDENTIAL] processed biometric data of its employees from 25 May 2018 to 16 April 2019. This violation took place in a structural manner and continued for a longer period. During this period, [CONFIDENTIAL] also stored the biometric data of former employees, while there was no need to do so. During this period, the persons concerned therefore had no control over their biometric data.
On the one hand, [CONFIDENTIAL] encrypted the biometric data and stated that only a limited number of people had access to the data. On the other hand, the fact that [CONFIDENTIAL] had stored biometric data of 250 employees on 25 May 2018, which number gradually increased to 337 employees, shows that there was a systematic and structural violation. Considering that the violation lasted for more than ten months, affecting 337 data subjects, this was a serious situation. [CONFIDENTIAL] not only stored the biometric data of current employees but also of former employees for a longer period of time without necessity. Furthermore, the employees were insufficiently informed about the processing and it has not been established that they gave their consent (freely), which in the opinion of the AP constitutes a serious violation in which the special data of data subjects were processed under incorrect conditions. This resulted in a large group of employees of [CONFIDENTIAL] not knowing for what purposes the fingerprints were used and that they could withdraw their consent at any time. As a result, data subjects had no control over what happened to their biometric data at [CONFIDENTIAL] for a longer period of time. And it is precisely this control that the GDPR aims to offer data subjects, so that data subjects are able to protect their personal data and freely provide it. Therefore, the AP is of the opinion that there is a serious violation, but sees no reason to increase or decrease the fine in this case.
20/25

Date Our reference
December 4, 2019 [CONFIDENTIAL]
4.3.2 Blame
Pursuant to article 5:46, paragraph 2, of the General Administrative Law Act, the AP takes into account the extent to which the offender can be blamed when imposing an administrative fine.
Under article 9, paragraph 1, of the GDPR, it is in principle prohibited to process biometric data. The GDPR has been applicable since May 25, 2018 and dates from April 27, 2016. Data controllers had two years, until May 25, 2018, to bring their processing activities into line with the GDPR. [CONFIDENTIAL] purchased the fingerprint scanner equipment from a supplier in October 2016, well after the publication of the GDPR. According to [CONFIDENTIAL], this supplier never pointed out a possible conflict with (future) privacy regulations, and [CONFIDENTIAL] trusted that this professional party would inform it of any changes. The AP is of the opinion that this circumstance does not exonerate [CONFIDENTIAL]. The starting point is that [CONFIDENTIAL] has had its own responsibility to comply with the rules set out in the GDPR since the GDPR came into effect. [CONFIDENTIAL] failed to assess the processing of the biometric data against the GDPR itself or to obtain legal advice on this matter. Instead, [CONFIDENTIAL] assumed that a third party with a commercial interest in the sale of the equipment would assume this responsibility. A professional party such as [CONFIDENTIAL], also in view of the special nature of the personal data, may be expected to thoroughly satisfy itself of the standards applicable to it and to comply with them. [CONFIDENTIAL] has violated the high level of protection for special personal data by its actions. The AP considers this to be reprehensible.
4.3.3 Opinion of [CONFIDENTIAL] and response of the AP
[CONFIDENTIAL] argues in its opinion that, based on the factors of Article 83, paragraph 2, of the GDPR and the Guidelines for the application and determination of administrative fines of 3 October 2017, a fine is not appropriate and that if a fine is imposed despite this, it should be reduced by the AP. [CONFIDENTIAL] is of the opinion that if there is a violation of the GDPR, it would not be reasonable/opportune to impose a fine. In this case, according to [CONFIDENTIAL], a reprimand is an appropriate measure that is sufficiently effective, proportionate and dissuasive. The AP briefly sets out the points from the opinion of [CONFIDENTIAL] below, each followed by the AP's response. As regards the nature, gravity and duration of the infringement, [CONFIDENTIAL] is first of all of the opinion that, in the specific circumstances of the case, this infringement does not pose a significant risk to the rights of the data subjects and does not affect the essence of the obligation in question. [CONFIDENTIAL] used a professional company and a professional program for the collection and processing of the fingerprints, whereby the security of the data was guaranteed and the data was not used for other purposes. According to [CONFIDENTIAL], the data subjects did not suffer any damage in this regard and will not suffer any damage, now that the data in question has been destroyed. The number of persons involved is also limited in this case according to [CONFIDENTIAL], as it concerns employees of [CONFIDENTIAL] in the period January 2017 to November 2018. Immediately after the first visit by the AP, [CONFIDENTIAL] stopped collecting fingerprints and after the second visit in March 2019, [CONFIDENTIAL] ensured that all relevant data was destroyed. Moreover, with regard to the duration, [CONFIDENTIAL] notes that the AP already received a notification about the fingerprint scans on 5 July 2018 (only a little over a month after the GDPR came into effect). The first investigation by the AP was not until 6 November 2018 and the second investigation on 18 March 2019. If [CONFIDENTIAL] had been informed earlier, that is, immediately after the notification (when the GDPR had just entered into force), it could have taken measures earlier.
The AP does not follow this view of [CONFIDENTIAL]. In this case, [CONFIDENTIAL] should have refrained from processing the biometric data of its employees. By processing them anyway, [CONFIDENTIAL] violated the essence of this obligation. Because the employees of [CONFIDENTIAL] were insufficiently informed about the processing and it has not been established that they gave their (free) consent, [CONFIDENTIAL] has undermined the protection of the personal data of its employees by processing this data. Given the nature, seriousness and duration of the violation, there is no question of a minor infringement,46 which is why the AP considers the imposition of a reprimand to be insufficiently effective, proportionate and dissuasive. The fact that the security of the data was guaranteed does not alter this, because [CONFIDENTIAL] should not have processed the biometric data in the first place. The AP believes that this is a serious violation. That is why the AP considers it appropriate to impose an administrative fine (which is aimed at both special and general prevention) in this case.
The AP also considers this violation of more than ten months to be a structural infringement, whereby the processing (the storage of the data) did not end in November 2018 but continued until 16 April 2019. [CONFIDENTIAL] has its own responsibility to comply with the GDPR, and this is not taken away by the fact that the supervisory authority received a signal about unlawful processing, nor by the duration of the AP's investigation.
Secondly, [CONFIDENTIAL] believes that there was no question of any intent. At the time the software for the fingerprint scans was purchased (in 2016), the Personal Data Protection Act still applied. [CONFIDENTIAL] states that it is aware of the entry into force of the GDPR on 25 May 2018, but was under the impression that what it did was in accordance with privacy legislation, which was (and is) also confirmed to it by the supplier.
Referring to paragraph 4.3.2, the AP sees no reason on this basis to refrain from imposing an administrative fine or to reduce the amount of the fine. As [CONFIDENTIAL] stated, it was aware of the entry into force of the GDPR and [CONFIDENTIAL] had sufficient time to obtain legal advice, for example. A professional party such as [CONFIDENTIAL], also in view of the special nature of the personal data, may be expected to thoroughly satisfy itself of the standards applicable to it and to comply with them. The AP further notes that the violated prohibition provision of Article 9, first paragraph, GDPR does not require intent as an element. Since this concerns an infringement, it is, in accordance with established case law, not required to demonstrate intent in order to impose an administrative fine.47 The AP may assume culpability once the perpetrator has been established.48 The identity of the perpetrator is not in dispute between the AP and [CONFIDENTIAL], so that culpability is a given.
46 See also recital 148 of the GDPR.
[CONFIDENTIAL] further argues that the persons involved have not suffered any damage and that the biometric data were secured. The system is set up in such a way that the privacy of the employees has been guaranteed. The supplier is ISO 9001 certified and the subprocessor is ISO 9001, ISO 27007, ISO 14001 and NEN 7510 certified. According to [CONFIDENTIAL], the product purchased by [CONFIDENTIAL] therefore meets the quality standards. Although it concerns biometric data, the code, which is created on the basis of the fingerprint, cannot be traced back to an employee in the opinion of [CONFIDENTIAL]. Immediately after the first visit by the AP, [CONFIDENTIAL] took measures by stopping the clocking in/out using fingerprints, and after the second visit by the AP all data was deleted. The AP does not follow [CONFIDENTIAL]'s view in this either. As stated in paragraph 3.1.2, the AP is of the opinion that the data stored by [CONFIDENTIAL] could be used to identify natural persons, namely its employees. The fact that the biometric data were, according to [CONFIDENTIAL], well secured does not carry sufficient weight in this case, because the violation does not relate to the security of the data but to the fact that it is not allowed to process it at all. [CONFIDENTIAL] also states that the clocking in/out using fingerprints was stopped immediately after the first visit by the AP, but that does not mean that [CONFIDENTIAL] had stopped the processing. After all, according to Article 4, paragraph 2, of the GDPR, processing also includes - without being exhaustive - the collection, recording, organisation, structuring or storage of data.
[CONFIDENTIAL] finally argues that there are no previous relevant infringements. [CONFIDENTIAL] has also always cooperated with the AP and has taken the matter seriously from the outset. [CONFIDENTIAL] also notes that at no point in the process since 6 November 2018 did the AP give the impression that it might impose a fine or what the amount might be. If [CONFIDENTIAL] had been informed of this earlier by the AP, it would have sought advice earlier and taken measures even more quickly. Given the fact that [CONFIDENTIAL] was not aware of a possible infringement, it did not report it or contact the AP itself. [CONFIDENTIAL] finally argues that there is no question of any financial benefit as a result of the use of the fingerprint scans.
47 Cf. Trade and Industry Appeals Tribunal 29 October 2014, ECLI:NL:CBB:2014:395, para. 3.5.4; 2 September 2015, ECLI:NL:CBB:2015:312, para. 3.7; and 7 March 2016, ECLI:NL:CBB:2016:54, para. 8.3; Administrative Law Division of the Council of State 29 August 2018, ECLI:NL:RVS:2018:2879, para. 3.2; and 5 December 2018, ECLI:NL:RVS:2018:3969, para. 5.1.
48 Parliamentary Papers II 2003/04, 29 702, no. 3, p. 134.
The AP does not follow [CONFIDENTIAL]'s view in this respect either. Despite the fact that the AP has not previously established the same infringement at [CONFIDENTIAL] and that, according to [CONFIDENTIAL], there is no financial advantage, the AP sees no reason, given the seriousness of the infringement and the culpability of [CONFIDENTIAL], to refrain from imposing an administrative fine or to reduce the amount of the fine. The AP refers to paragraphs 4.3.1 and 4.3.2 for the reasons for this. The AP is also of the opinion that [CONFIDENTIAL]'s cooperation did not go beyond its statutory obligation to comply with Article 9, paragraph 1, of the GDPR. [CONFIDENTIAL] has not cooperated with the AP in any exceptional way. Finally, the AP notes that it cannot express its opinion on the enforcement measure during the investigation phase, because the facts and the report are still being investigated and established. As previously stated, it remains the responsibility of [CONFIDENTIAL] to investigate and comply with the applicable legislation.
In conclusion, the AP sees no reason in the opinion of [CONFIDENTIAL] to refrain from imposing an administrative fine or to reduce the amount of the fine. The AP considers the fine amount of € 725,000 to be proportionate and there are no other facts and circumstances that require moderation of the aforementioned amount.
4.4 Conclusion
The AP sets the total fine amount at € 725,000.
5. Dictum
Fine
The AP imposes an administrative fine of €725,000 (in words: seven hundred and twenty-five thousand euros) on [CONFIDENTIAL] for violating Article 9, first paragraph, of the GDPR.49
Yours sincerely,
Dutch Data Protection Authority,
signed
ir. M.J. Verdier, Vice-Chairman
Remedies clause
If you do not agree with this decision, you can file an objection with the Dutch Data Protection Authority digitally or on paper within six weeks after the date of dispatch of the decision. To file a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Objecting to a decision, at the bottom of the page under the heading Contacting the Dutch Data Protection Authority. The address for filing on paper is: Dutch Data Protection Authority, PO Box 93374, 2509 AJ The Hague. Please state ‘Awb objection’ on the envelope and put ‘objection’ in the title of your letter.
In your objection, please include at least:
- your name and address;
- the date of your objection;
- the reference mentioned in this letter (case number), or attach a copy of this decision;
- the reason(s) why you disagree with this decision;
- your signature.
49 The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).