Datatilsynet (Denmark) - 2021-431-0145: Difference between revisions

From GDPRhub
Latest revision as of 12:46, 13 April 2022

Datatilsynet (Denmark) - 2021-431-0145
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(11) GDPR; Article 6 GDPR; Article 7 GDPR; Article 9 GDPR; Danish Data Protection Act
Type: Investigation
Outcome: Other Outcome
Started:
Decided: 17.03.2022
Published:
Fine: None
Parties: FysioDanmark
National Case Number/Name: 2021-431-0145
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: ea

The Danish DPA issued a warning against a company related to its intended use of a facial recognition system. The DPA held that the company may only process biometric data in this way with the data subjects' consent under Article 9(2)(a) GDPR.

English Summary

Facts

FysioDanmark, a Danish company, intended to use a facial recognition system to enable entrance to its gym by customers and employees without using cards or passwords. To do so, a camera would be set up at the gym entrance. It could scan faces and compare them with photographs already stored in the system. FysioDanmark intended the system to be voluntary and based on consent. Consent is given when the customer or employee agrees to be registered in the system and a picture of their face is taken. In addition to enabling entrance to the gym, the system was also meant to collect information about customers for statistics and business optimisation purposes.

Holding

The Danish DPA issued a warning in respect of the intended use of the facial recognition system by FysioDanmark.

The system would process biometric data for the purpose of uniquely identifying a natural person. Consequently, the DPA held that it could be compliant with the GDPR only if based on the data subjects' consent under Article 9(2)(a) GDPR, read together with Article 4(11) GDPR and Article 7 GDPR. No other legal basis under Article 9 GDPR was possible. The DPA accepted the proposed use of the system as long as it would be truly voluntary and customers and, given the existing power imbalance, especially employees could opt for access via cards or passwords instead.

However, the DPA held that customers must also give separate consent to their data being processed for statistical and business optimisation purposes. Normally, information about the amount of time that customers spend in the gym could be processed on the basis of Article 6 GDPR. Here, however, it constitutes information derived from the processing of biometric data. For this reason, this processing too must be based on consent under Article 9(2)(a) GDPR. On this matter, the DPA emphasized that consent cannot be freely given if the data subject cannot consent to different processing activities separately.

Lastly, the DPA held that the system would violate Article 9 GDPR because it would process biometric data even of persons who did not consent to it. Although there is no facial recognition of persons whose picture was not previously taken with their consent, the system is active at all times. The DPA pointed out that it is the purpose, not the actual unique identification, that determines whether processing is covered by Article 9 GDPR. Hence, to avoid violating Article 9 GDPR, FysioDanmark should let the data subject trigger the facial recognition themselves, for example by pushing a button.

Comment

The Danish DPA uses the term "alvorlig kritik" (serious criticism) in its decisions. The official Danish-language version of the GDPR uses the word "kritik" (criticism) in place of the English word "reprimand" in Article 58(2)(b). For this reason, we use the technical word "reprimand" instead of "serious criticism" in our summaries. There remain some doubts as to the significance of the difference between "alvorlig kritik" and "kritik" which we are currently seeking to clarify.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Danish Data Protection Agency has made a decision in a case concerning the use of a face recognition system

Date: 17-03-2022

Decision - Private companies

The Danish Data Protection Agency has made a decision in a case concerning the processing of biometric data using a face recognition system. The purpose of the processing was, among other things, to control access to the company's facilities.

Journal number: 2021-431-0145

Summary

In a case that the Danish Data Protection Agency opened on its own initiative, the Authority assessed FysioDanmark Hillerød ApS' intended use of a face recognition system, which was to be used, among other things, for access control of customers and employees.

Based on the circumstances of the case and the information provided by the company, the Danish Data Protection Agency assessed that the system - which was based on the data subject's consent - could be used within the framework of the data protection rules.

However, the Danish Data Protection Agency found reason to warn the company that it would probably be in breach of the rules in the Data Protection Regulation if the company used the system without the consent of the company's customers.

Furthermore, the Danish Data Protection Agency warned that it would probably be in breach of the rules in the Data Protection Regulation if the company did not ensure that the system was not used in relation to persons who had not given their consent.

Decision

The Danish Data Protection Agency hereby returns to the case in which, on 7 July 2021, the Authority on its own initiative chose to investigate FysioDanmark Hillerød ApS' (hereinafter FysioDanmark) processing of personal data using a face recognition system.

In the decision, the Danish Data Protection Agency only considered whether Articles 6 and 9 of the Data Protection Regulation can form the basis for the processing of personal data, and the Authority has thus not taken a position on any other data protection law issues.

The Danish Data Protection Agency issues a warning to FysioDanmark that it will probably be in breach of the Data Protection Regulation [1] if FysioDanmark:

- for statistical and business optimisation purposes, processes biometric data for the purpose of uniquely identifying a data subject without the data subject's consent pursuant to Article 9(2)(a) of the Data Protection Regulation;
- uses the face recognition system in the planned manner, as this would process biometric data for the purpose of uniquely identifying a natural person in respect of persons who did not wish to consent to the processing, which is prohibited, since no exception in Article 9(2) of the Regulation can be identified for this.

The warning is issued in accordance with Article 58(2)(a) of the Data Protection Regulation.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.

2. Information provided by FysioDanmark for use in the case

2.1.

FysioDanmark has stated that on 24 September 2020 it entered into a collaboration with the company Justface ApS, which has delivered a system based on facial recognition (the "system").

The system has not yet been put into use.

The system works in the way that a camera is set up at the entrance to the gym, which can scan the faces of customers and employees, after which the result is held up against images already uploaded in the system.

Once the system has been put into use, it is continuously "online".

FysioDanmark is the data controller for the processing of personal data that takes place, and Justface ApS is the data processor.

The purpose of using the system, and of the processing of personal data that follows from it, is firstly to offer customers and employees the option of using the system for access control instead of a physical access card and password.

The processing of biometric information (facial scans) in connection with access control is based on the customer's or employee's consent. It is thus voluntary whether customers and employees want to use the system for access control.

Consent is given when the customer or employee is registered in the system, either physically in the centre or online. In this connection, a picture of the person's face is uploaded to the system. In addition, the person agrees via an electronic consent form that the processing may take place. The declaration of consent has the following wording:

“Declaration of consent

By checking the consent boxes below, I give my consent for FysioDanmark Hillerød, Milnersvej 39, 3400 Hillerød to process the following personal information about me for the purposes described below. FysioDanmark Hillerød encourages that the consent statement be read thoroughly before consent is given.

I hereby consent that FysioDanmark Hillerød may process my personal data for the following purposes:

What categories of personal information are being processed?

General personal information (we only request this information if it is not already filled in at your gym)

Name, date of birth, address, e-mail, portrait image

Confidential and sensitive personal information

Biometric information in the form of facial scans

For what purposes is your personal data processed?

Your personal information is processed for the purpose of verifying the validity of your membership upon access to the fitness center.

How is your personal information collected?

We collect your personal information from your user profile at the fitness center and from yourself in such a way that you will be asked to update your information via your user profile in our app or website. This is to ensure that the gym always has the correct information on their members.

The biometric scan takes place at the entrance to the gym. The scan is used to compare your image with the profile picture you have uploaded to your user profile at the fitness centre, so that we can validate your membership of the fitness centre.

How is your personal information processed?

The processing of personal data takes place on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR") and the Danish data protection law.

Your personal information will be passed on to the fitness centre you use, as well as to the fitness centre's (data) administration company, which may be FlexyBox ApS, Sport Solution A/S or Globus Data ApS. These are in each case responsible for the processing of your data in their own systems. We therefore also refer to the fitness centre's and the management companies' respective personal data policies for further information about their processing of personal data.

Your personal information is processed by Justface in accordance with the purposes described above, and only to the extent strictly necessary.

Your personal information will only be available to relevant and specially designated persons at Justface, and will only be passed on to others if required by the purposes described or if required by law.

Further information about Justface's privacy policy can be found on our website: www.justface.dk

[…]

Withdrawal of consent

Consent is voluntary and you are entitled to revoke your consent at any time. If you wish to revoke your consent, simply contact Support@justface.dk who will then contact the fitness center and the management company to register that your consent has been revoked.

If you do not want to give consent, or if you revoke your consent, then it is not possible to use a biometric scan and we therefore ask you to contact your fitness center to inquire about alternative solutions.

[…] ”

In FysioDanmark's opinion, the consent is obtained in accordance with the Data Protection Regulation's conditions for a (valid) consent, as:

- it is voluntary for the customer or employee whether to give consent or not, which is explicitly stated in the consent declaration,
- the consent declaration states that consent can be revoked at any time,
- the data subjects receive information about the purposes of the consent, and must tick separate consent boxes for the respective purposes, and
- a link has been inserted in the consent text to further information on how FysioDanmark processes information about customers and employees, respectively.

If a customer or employee does not want to use the system, a physical access card and password can be used instead. If this is the case, there is no face recognition of the person in question, as the system must use a stored image to perform the face recognition.

In these cases, the use of the system can therefore rather be equated with ordinary TV surveillance, with the difference that the images from the surveillance are not stored in the system's memory and that the images from the system cannot be accessed and/or monitored by the fitness centre staff (or Justface).

The possible processing of personal data carried out in relation to persons who have not given consent is not covered by Article 9 of the Data Protection Regulation. Such processing could therefore be carried out on the basis of, for example, Article 6(1)(f) of the Data Protection Regulation.

2.2.

In addition to access control, the system is used to collect and process information about FysioDanmark's customers for statistics and business optimization, including optimization of staff allocation in relation to the fitness center's peak periods.

Information about the period during which the customer is in the fitness centre is collected by the system registering when a customer walks in through the door of the fitness centre and when the customer walks out again. The information is therefore only collected if the customer has given consent to use the system.

This information, which is collected solely for statistical purposes and for business optimization, is not covered by Article 9 of the Data Protection Regulation.

The information in question may be collected and processed on the basis of Article 6(1)(f) of the Data Protection Regulation.

The information is not collected about the employees.

3. The Danish Data Protection Agency's justification

3.1. Relevant legal rules

According to Article 2(1) of the Data Protection Regulation, the Regulation applies to the processing of personal data carried out wholly or partly by automated means, and to other non-automated processing of personal data which forms or is intended to form part of a filing system.

It follows from Article 6(1) of the Data Protection Regulation that processing is only lawful if and to the extent that at least one of the following conditions applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the data controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Pursuant to Article 9(1) of the Data Protection Regulation, the processing of special categories of personal data, including the processing of biometric data for the purpose of uniquely identifying a natural person, is prohibited.

According to Article 4(14) of the Data Protection Regulation, biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or fingerprint data.

According to Article 9(2) of the Data Protection Regulation, the prohibition in Article 9(1) does not apply if one of the following conditions is met:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specific purposes, unless Union law or the national law of the Member States provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject's consent;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security and social protection law, in so far as it is authorised by Union law, the national law of the Member States or a collective agreement pursuant to the national law of the Member States providing for appropriate safeguards for the fundamental rights and interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out by a non-profit foundation, association or other body with a political, philosophical, religious or trade union aim, in the course of the body's legitimate activities and with appropriate safeguards, on condition that the processing relates solely to members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside the body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest on the basis of Union law or the national law of the Member States, is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union law or the national law of the Member States or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or the national law of the Member States which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), on the basis of Union law or the national law of the Member States, is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Consent within the meaning of Article 6(1)(a) and Article 9(2)(a) of the Data Protection Regulation is defined in Article 4(11) as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 7 of the Data Protection Regulation contains a number of conditions for consent. It follows from this provision that:

(1) Where processing is based on consent, the data controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.
(2) If the data subject's consent is given in a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of the Regulation is not binding.
(3) The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Before giving consent, the data subject must be informed that consent can be withdrawn. It must be as easy to withdraw consent as to give it.
(4) When assessing whether consent is freely given, utmost account must be taken of whether, among other things, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

It follows from section 12(3) of the Data Protection Act that the processing of personal data in an employment relationship may take place on the basis of the data subject's consent in accordance with Article 7 of the Data Protection Regulation.

3.2. Processing of personal data of customers who wish to make use of face recognition

3.2.1. Processing for use in access control

When personal data in the form of images are processed in connection with face scanning, biometric data within the meaning of Article 4(14) of the Data Protection Regulation are processed.

FysioDanmark has stated that the system works in the way that a camera is set up at the entrance to the Fitness Center, which can scan the customer's face, after which the result is held up against images already uploaded in the system.

Thus, biometric information about the customer in question (collected at the time of identification) is compared with a number of biometric templates, which are stored in a database.

Thus, one or more matching processes take place, and the processing is therefore a processing of biometric data for the purpose of uniquely identifying a natural person.

Such processing is in principle prohibited under Article 9(1) of the Data Protection Regulation, unless an exception to the prohibition can be identified in paragraph 2 of the provision.

In this connection, the Danish Data Protection Agency agrees with FysioDanmark that the customer's explicit consent, cf. Article 9(2)(a) of the Data Protection Regulation, is the most appropriate exception to the prohibition, as none of the other exceptions in Article 9(2) of the Data Protection Regulation appear to apply.

The Danish Data Protection Agency assumes that FysioDanmark, in relying on the customer's explicit consent, will comply with the obligations under Article 7 of the Regulation, and the Authority therefore finds no basis for overriding FysioDanmark's assessment that the consent given by the data subject in this connection complies with the rules on consent in the Data Protection Regulation, including the requirement in Article 4(11) of the Regulation that consent must be freely given.

The Danish Data Protection Agency has attached importance to the design and content of the submitted declaration of consent, and to the fact that it is optional for the customer whether he or she wishes to use face recognition for access control, since a customer who does not wish to use face recognition can use an access card and code instead.

3.2.2. Processing for business optimization

It is stated in the case that FysioDanmark - in addition to processing biometric data in connection with access control - collects information via the system for use in statistics, including information about the length of time the customers are in the fitness center.

In this connection, the Danish Data Protection Agency agrees with FysioDanmark that the information on the length of time a customer is in the fitness center is in itself information which is only covered by Article 6 of the Data Protection Regulation.

However, the Danish Data Protection Agency is of the opinion that this information is in the nature of “derived” information, as the information is provided through the use of face recognition.

Information about the time period is thus collected by the face recognition system registering when a customer walks in the door of the gym and when the customer leaves the gym again.

It is therefore a matter of processing biometric data for the purpose of uniquely identifying a natural person, which is covered by the prohibition in Article 9(1) of the Data Protection Regulation.

As is the case in relation to access control, it is the Danish Data Protection Agency's assessment that the only possible exception to the prohibition in Article 9(1) of the Data Protection Regulation is the data subject's consent under Article 9(2)(a) of the Data Protection Regulation, as none of the other exceptions in the provision appear to apply.

On that basis, the Danish Data Protection Agency issues a warning to FysioDanmark that it will probably be in breach of the Regulation if FysioDanmark processes biometric data for the purpose of uniquely identifying a data subject, for statistics and business optimization, without obtaining the data subject's consent pursuant to Article 9(2)(a) of the Regulation.

The warning is issued in accordance with Article 58(2)(a) of the Regulation.

If FysioDanmark intends to comply with the above, the customer's consent will have to be obtained for the processing of biometric data about him or her both in connection with access control and in connection with keeping statistics on how long customers stay in the fitness center.

In this connection, the Danish Data Protection Agency notes for information that consent is not presumed to have been freely given if the procedure for obtaining it does not allow the data subject to give separate consent to the different processing activities concerning his or her personal data, so that the data subject is forced to consent to all purposes at once. Consent must therefore be granular (divided up by purpose).

Thus, if the processing of information serves several purposes, the data controller must obtain separate consent for each purpose that is to be processed on the basis of the data subject's consent. The data controller must offer the data subject the opportunity to consent to one purpose while refusing consent to the others.

In practical terms, this can be done, for example, with a single declaration in which the data subject ticks the purposes for which he or she accepts the processing of information.

3.3. Processing of personal data of employees who wish to make use of face recognition

FysioDanmark has stated in the case that employees are also offered the use of face recognition for access control, and that it is used only if the employee agrees to this.

For the reasons stated in section 3.2.1, in relation to employees there is likewise processing of biometric data for the purpose of uniquely identifying a natural person, which is in principle prohibited under Article 9(1) of the Regulation unless an exception to the prohibition can be found in Article 9(2).

In this connection, the Danish Data Protection Agency agrees with FysioDanmark that the employee's express consent under Article 9(2)(a) of the Regulation is the most appropriate exception to the prohibition, as none of the other exceptions in Article 9(2) appear to apply.

However, only consent within the meaning of the Regulation, i.e. consent that is freely given, can form the basis for the processing of personal data. The assessment of whether consent is freely given includes, among other things, whether there is an unequal relationship between the data controller and the data subject. Consent is normally not considered to have been freely given where there is a clear imbalance between the data subject and the data controller.

In employment relationships, such an imbalance typically exists between the employer and the employee.

In this connection, the Danish Data Protection Agency has previously stated that an employee's consent to an employer processing information about his or her fingerprints for time registration, i.e. for the purpose of checking employees' arrival and departure times, cannot as a clear starting point be considered to have been freely given, unless special circumstances exist.

Whether an employee can freely give consent that can form the basis for processing information about him or her therefore depends on a concrete assessment.

FysioDanmark has stated that, as is the case for customers, it is also voluntary for employees whether they wish to use face recognition for access to the fitness center. An employee who does not wish to use the system may instead use a physical access card and password.

The Danish Data Protection Agency also assumes, on the basis of the information in the case, that the system registers information about the employee only in connection with the employee's access to the center. No information is registered about the employee's movements within the center in general, including when he or she leaves the workplace, which is why the information is not considered suitable for use in time registration.

In these circumstances, the Danish Data Protection Agency does not find sufficient grounds to override FysioDanmark's assessment that the employee's express consent under Article 9(2)(a) of the Regulation, cf. § 12(3) of the Data Protection Act, may be used as an exception to the prohibition in Article 9(1).

3.4. Processing of personal data about persons, including customers and employees, who do not wish to make use of facial recognition

FysioDanmark has stated that the camera set up at FysioDanmark's entrance is "online" without interruption.

On this basis, the Danish Data Protection Agency assumes that the camera, and the face recognition technology in it, is therefore also active and applied to persons who have not consented to the processing in question whenever they move within the camera's field of view. The system does not have to be "activated" first, e.g. by pressing a button or the like.

In this connection, FysioDanmark has stated that if a person does not wish to use face recognition, no face recognition of that person will take place, since the system needs a stored image to perform the recognition. In these cases the use of the system can, in FysioDanmark's view, rather be equated with ordinary CCTV surveillance, with the difference that the images from the surveillance are not stored in the system's memory and that the images from the system cannot be accessed and/or monitored by the fitness center staff (or Justface).

Any processing of personal data carried out on persons who have not consented to the use of face recognition is therefore, in FysioDanmark's view, not covered by Article 9 of the Regulation.

However, the Danish Data Protection Agency's assessment is that biometric data is also processed for the purpose of uniquely identifying persons who have not consented to the processing.

This is because, according to the wording of Article 9(1), it is the purpose of the processing itself, namely uniquely identifying the data subject(s) by means of biometric data, that determines whether the processing is covered by Article 9 of the Regulation, not whether a unique identification actually takes place.

This is the case even though the processing is rather transient (short-lived) in nature.

In this connection, the Danish Data Protection Agency also refers to the EDPB's Guidelines 3/2019 [2], which state, inter alia:

"A controller manages access to his building using a facial recognition method. People can only use this way of access if they have given their explicitly informed consent (according to Article 9 (2) (a)) beforehand. However, in order to ensure that no one who has not previously given his or her consent is captured, the facial recognition method should be triggered by the data subject himself, for instance by pushing a button. To ensure the lawfulness of the processing, the controller must always offer an alternative way to access the building, without biometric processing, such as badges or keys."

As the face recognition technology is used continuously, and biometric data is thus processed for the purpose of uniquely identifying every data subject who enters the camera's field of view, the use of the face recognition technology presupposes the express consent of those data subjects under Article 9(2)(a), as none of the other exceptions apply.

However, this is not possible, since the data subjects in this group are precisely those who have not wished to give consent.

Against this background, the Danish Data Protection Agency issues a warning to FysioDanmark that it will probably be contrary to the Regulation if FysioDanmark uses the face recognition system in the planned way, as this would process biometric data for the purpose of uniquely identifying natural persons who did not wish to consent to the processing, which is prohibited, as no exception under Article 9(2) of the Regulation can be identified.

The warning is issued in accordance with Article 58(2)(a) of the Regulation.

It is up to FysioDanmark how it complies with the warning, but the Danish Data Protection Agency recommends that FysioDanmark consider arranging the solution so that the system is "activated" only when the customer or employee who wishes to have his or her face scanned has triggered it, e.g. by pressing a button.
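The two design points the DPA makes in this decision, granular per-purpose consent (section 3.2.2) and activation of the recognizer by the data subject rather than continuous operation (section 3.4), can be sketched as a gate placed in front of the matching step. The following is an added illustration and is not code from FysioDanmark, Justface or the DPA; the subject IDs, "templates", timestamps and the two purposes are constructed sample data, and exact byte equality stands in for a real face-matching function.

```python
"""Gate in front of a face-recognition access-control step.

Two rules, taken from the decision above:
  1. A frame is only passed to the matcher when the data subject has
     triggered the system (button press); untriggered frames are dropped
     before any biometric processing, so bystanders are never matched.
  2. The derived dwell-time statistic is produced only for subjects who
     gave a separate consent for the 'statistics' purpose; access-control
     consent alone never yields a dwell-time record.
Added illustration with constructed sample data; the matcher is a stand-in.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Purpose(Enum):
    ACCESS_CONTROL = "access_control"   # open the door (Article 9(2)(a) consent)
    STATISTICS = "statistics"           # derived dwell time (separate consent)


@dataclass(frozen=True)
class Enrolment:
    subject_id: str
    template: bytes                     # biometric reference stored at enrolment
    purposes: FrozenSet[Purpose]        # each purpose consented to individually


@dataclass(frozen=True)
class Frame:
    template: Optional[bytes]           # what the camera sees; None if nobody in view
    triggered: bool                     # True only when the button was pressed
    t: int                              # timestamp in seconds


@dataclass
class Gate:
    enrolments: Dict[str, Enrolment] = field(default_factory=dict)
    entries: Dict[str, int] = field(default_factory=dict)   # subject -> entry time
    dwell: Dict[str, int] = field(default_factory=dict)     # subject -> seconds inside
    audit: List[str] = field(default_factory=list)          # what happened per frame

    def enrol(self, subject_id: str, template: bytes, purposes) -> None:
        """Register a subject with the purposes they ticked separately."""
        purposes = frozenset(purposes)
        if Purpose.ACCESS_CONTROL not in purposes:
            raise ValueError("access-control consent is the reason the template exists")
        self.enrolments[subject_id] = Enrolment(subject_id, template, purposes)

    def _match(self, template: Optional[bytes]) -> Optional[Enrolment]:
        # Stand-in matcher: exact template equality instead of a face-matching score.
        for e in self.enrolments.values():
            if template is not None and e.template == template:
                return e
        return None

    def process(self, frame: Frame, direction: str) -> Optional[bool]:
        """Return None (dropped, no biometric processing), False (no match), True (door opened)."""
        if not frame.triggered:
            # Rule 1: nothing biometric happens on a frame the subject did not trigger.
            self.audit.append(f"t={frame.t}: dropped, not triggered")
            return None
        match = self._match(frame.template)
        if match is None:
            self.audit.append(f"t={frame.t}: no match")
            return False
        self.audit.append(f"t={frame.t}: door opened for {match.subject_id} ({direction})")
        # Rule 2: the dwell-time statistic is derived only under a separate consent.
        if Purpose.STATISTICS in match.purposes:
            if direction == "in":
                self.entries[match.subject_id] = frame.t
            elif direction == "out" and match.subject_id in self.entries:
                self.dwell[match.subject_id] = frame.t - self.entries.pop(match.subject_id)
        return True


def demo_scenario() -> Gate:
    """Constructed walk-through: one subject consents to both purposes, one only to access."""
    g = Gate()
    g.enrol("alice", b"tmpl-alice", {Purpose.ACCESS_CONTROL, Purpose.STATISTICS})
    g.enrol("bob", b"tmpl-bob", {Purpose.ACCESS_CONTROL})
    g.process(Frame(b"tmpl-alice", triggered=False, t=0), "in")      # walks past: dropped
    g.process(Frame(b"tmpl-alice", triggered=True, t=10), "in")
    g.process(Frame(b"tmpl-alice", triggered=True, t=3610), "out")   # dwell recorded
    g.process(Frame(b"tmpl-bob", triggered=True, t=20), "in")
    g.process(Frame(b"tmpl-bob", triggered=True, t=50), "out")       # no dwell: no consent
    g.process(Frame(b"tmpl-unknown", triggered=True, t=60), "in")    # not enrolled
    return g


if __name__ == "__main__":
    gate = demo_scenario()
    print("\n".join(gate.audit))
    print("dwell:", gate.dwell)
```

The point of the `triggered` check sitting before `_match` is that a bystander in the camera's field of view never reaches the biometric step at all, which is the condition the EDPB example and the DPA's closing recommendation describe; the per-purpose set on each enrolment is what makes the statistics processing separable from access control, so that a subject can accept one and refuse the other.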



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] EDPB Guidelines 3/2019 on processing of personal data through video devices, version 2.0, 29 January 2020, section 5.1, General considerations when processing biometric data.