AP (The Netherlands) - 30.04.2020
AP - Fine for processing employees' fingerprints | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 9(2)(a) GDPR, Article 9(2)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 30.04.2020 |
Fine: | 725,000 EUR |
Parties: | Unknown |
National Case Number/Name: | Fine for processing employees' fingerprints |
European Case Law Identifier: | n/a |
Appeal: | Pending appeal |
Original Language(s): | Dutch |
Original Source: | AP (in NL) |
Initial Contributor: | n/a |
The Dutch DPA (AP) fined a company 725,000 € for the unlawful processing of biometric data of employees. The company failed to demonstrate that it had obtained the employees' explicit consent.
English Summary
Facts
"Employees of a company have had their fingerprints scanned for attendance and time registration."
Dispute
Holding
"After investigation, the Personal Data Authority (AP) concluded that the company should not have processed fingerprints of employees. Indeed, the company cannot invoke an exceptional ground for processing special personal data. The company will be fined EUR 725,000 for this. [...] For the use of fingerprints, two exceptions to the prohibition could be possible in this case: if explicit consent of the data subjects is requested or if the use of biometric data is necessary for authentication or security purposes. The AP concluded that this company cannot invoke one of these two exceptions for the collection, storage and use of employees' fingerprints. [...] This company has not demonstrated that the employees have given explicit consent. Employees have also experienced the recording of their fingerprint as an obligation."
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Fine for company for processing fingerprints employees
News Release / 30 April 2020
Category: Biometrics, Control of employees

Employees of a company have had their fingerprints scanned for attendance and time registration. After investigation, the Personal Data Authority (AP) concluded that the company should not have processed fingerprints of employees. Indeed, the company cannot invoke an exceptional ground for processing special personal data. The company will be fined EUR 725,000 for this.

Special personal data
Biometric data, such as a fingerprint, are special personal data. An organization may not use special personal information, unless the law provides for an exception.

Monique Verdier, vice-president of the AP: 'This category of personal data is extra protected by law. If this data gets into the wrong hands, it can possibly lead to irreparable damage. Such as blackmail or identity fraud. A fingerprint is not replaceable, such as a password. If it goes wrong, the impact can be great and can have a lifelong negative effect on someone'.

No exception to prohibition
For the use of fingerprints, 2 exceptions to the prohibition could be possible in this case: if explicit consent of the data subjects is requested or if the use of biometric data is necessary for authentication or security purposes. The AP concluded that this company cannot invoke 1 of these 2 exceptions for the collection, storage and use of employees' fingerprints.

Security
An employer may ask an employee to give a fingerprint for, for example, access control. Sometimes an employee is obliged to give his fingerprint, sometimes not. This depends on whether the processing of the fingerprint is necessary for authentication or security. An employer has to consider whether buildings and information systems have to be so secure that this cannot be done other than by using (only) biometrics. This will often not be necessary, because there are good alternatives.

Permission
Does an employer ask employees for permission to process their fingerprint? In principle, this is not allowed. Employees are dependent on their employer, so often not in a position to refuse. The privacy law sets strict requirements for requesting explicit permission. Permission must be unambiguous, specific, informed and free. This company has not demonstrated that the employees have given explicit permission. Employees have also experienced the recording of their fingerprint as an obligation.

Legal remedies
The organisation objected to the AP's decision. The name of the organisation will not be made public by a court decision.