AP (The Netherlands) - 30.04.2020

From GDPRhub
Revision as of 17:12, 12 December 2023 by Ar (talk | contribs) (Ar moved page AP - Fine for processing employees' fingerprints to AP (The Netherlands) - 30.04.2020)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AP - Fine for processing employees' fingerprints
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 9(2)(a) GDPR
Article 9(2)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 30.04.2020
Fine: 725,000 EUR
Parties: Unknown
National Case Number/Name: Fine for processing employees' fingerprints
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: n/a

The Dutch DPA (AP) fined a company 725,000 € for the unlawful processing of biometric data of employees. The company failed to demonstrate that it had obtained the employees' explicit consent.

English Summary

Facts

"Employees of a company have had their fingerprints scanned for attendance and time registration."

Dispute

Holding

"After investigation, the Personal Data Authority (AP) concluded that the company should not have processed fingerprints of employees. Indeed, the company cannot invoke an exceptional ground for processing special personal data. The company will be fined EUR 725,000 for this. [...] For the use of fingerprints, two exceptions to the prohibition could be possible in this case: if explicit consent of the data subjects is requested or if the use of biometric data is necessary for authentication or security purposes. The AP concluded that this company cannot invoke one of these two exceptions for the collection, storage and use of employees' fingerprints. [...] This company has not demonstrated that the employees have given explicit consent. Employees have also experienced the recording of their fingerprint as an obligation."

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Fine for company for processing fingerprints employees
News Release/30 April 2020
Category:

    Biometrics
    Control of employees

Employees of a company have had their fingerprints scanned for attendance and time registration. After investigation, the Personal Data Authority (AP) concluded that the company should not have processed fingerprints of employees. Indeed, the company cannot invoke an exceptional ground for processing special personal data. The company will be fined EUR 725,000 for this.
Special personal data

Biometric data, such as a fingerprint, are special personal data. An organization may not use special personal information, unless the law provides for an exception.

Monique Verdier, vice-president of the AP: 'This category of personal data is extra protected by law. If this data gets into the wrong hands, it can possibly lead to irreparable damage. Such as blackmail or identity fraud. A fingerprint is not replaceable, such as a password. If it goes wrong, the impact can be great and can have a lifelong negative effect on someone'.
No exception to prohibition

For the use of fingerprints, 2 exceptions to the prohibition could be possible in this case: if explicit consent of the data subjects is requested or if the use of biometric data is necessary for authentication or security purposes.

The AP concluded that this company cannot invoke 1 of these 2 exceptions for the collection, storage and use of employees' fingerprints.
Security

An employer may ask an employee to give a fingerprint for, for example, access control. Sometimes an employee is obliged to give his fingerprint, sometimes not. This depends on whether the processing of the fingerprint is necessary for authentication or security.

An employer has to consider whether buildings and information systems have to be so secure that this cannot be done other than by using (only) biometrics. This will often not be necessary, because there are good alternatives.
Permission

Does an employer ask employees for permission to process their fingerprint? In principle, this is not allowed. Employees are dependent on their employer, so often not in a position to refuse.

The privacy law sets strict requirements for requesting explicit permission. Permission must be unambiguous, specific, informed and free.

This company has not demonstrated that the employees have given explicit permission. Employees have also experienced the recording of their fingerprint as an obligation.
Legal remedies

The organisation objected to the AP's decision. The name of the organisation will not be made public by a court decision.