Persónuvernd - 2020010343

From GDPRhub
Persónuvernd - 2020010343
LogoIS.png
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 4(2) GDPR
Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(c) GDPR
Article 9(1) GDPR
Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.08.2020
Published: 04.09.2020
Fine: None
Parties: Húsasmiðjan
National Case Number/Name: 2020010343
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: n/a

The Icelandic DPA held that an employer did not lawfully process the fingerprint data of its employees for the purpose of logging in and out the employees in the company's payroll system.

English Summary

Facts

The lawyer of the company acting as data controller, Húsasmiðjan, contacted the Icelandic DPA (Persónuvernd) with regards to the installation of a fingerprint scanner system for the company's employees. The controller announced the DPA that it is using the system, and asked for the DPA's opinion on the legality of the processing operation.

The company had used the fingerprint scanner system for the logging in and out of employees in the company's payroll system. When an employee arrived at work they would have to scan their fingerprint, which created a number sequence with a timestamp that was linked to other information on the employee.

The image of the fingerprint itself was not stored and could not be retrieved from the number sequence stored in the system. In this aspect, the number sequence works similarly to an employee's ID number, and is not personally identifiable except for when the system performs the identity verification. Furthermore, encryption (256bit AES) was also used to make it difficult to reverse the process and identify individuals through the raw fingerprint image.

Dispute

Did the data controller lawfully process the biometric data of its employees for the purpose of logging in and out the employees in the company's payroll system?

Holding

The Icelandic DPA held that the processing of biometric data by Húsasmiðjan was not lawful. In its reasoning on using consent as a legal basis, the DPA also referred to Recitals 42 and 43 and pointed towards the power imbalance inherent in the nature of most employment relationships. This difference of positions between employer and employee would mean that the consent is not freely given especially considering that in the particular case, the employees were not not informed of any other option for logging in to the workplace that did not involve the use of their biometric information. It was therefore unclear what the consequences would be for an employee if they would refuse to provide their fingerprint data. Since the use of the biometric system was not optional for employees, the DPA held that the data could not be processed based on consent.

The DPA then examined whether the lawfulness of the processing could be based on the necessity for compliance with a legal obligation to which the controller is subject, namely labour legislation and legislation on social security and social protection. In this context, the DPA held that less intrusive methods could also be used to achieve the same goals without processing sensitive data. Examples of such alternatives can be employee cards, access tags, or access codes. Therefore, the DPA decided that the processing of the fingerprint data was not necessary to achieve the company's goal, as this could have been achieved through less intrusive means which did not involve the systematic processing of biometric data.

As a consequence, the Icelandic DPA used its corrective powers and ordered the data controller to stop using the fingerprint scanning system, as well as delete the biometric information of its employees.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Decision on the use of Húsasmiðjan ehf. on the fingerprint scanners when logging in and out of employees in the company's salary system
Case no. 2020010343
4.9.2020
The Data Protection Authority has made a decision on the occasion of the announcement of Húsasmiðjan ehf. on the use of fingerprint scanners when logging in and out of employees in the company's payroll system. In light of the circumstances of the parties, the purpose of the processing and the many resources available to operators to monitor the work contribution of employees who are not based on the processing of sensitive personal information, it has been concluded that the use of Húsasmiðjan ehf. on the fingerprint scanners for unique identification is not in accordance with Act no. 90/2018. The Data Protection Authority also issued an instruction that Húsasmiðjan ehf. shall discontinue use of the fingerprint scanner and delete employee biometric information.

Decision
On 27 August 2020, the Board of the Data Protection Authority approved the following decision in case no. 2020010343:


I.
Procedure

1.
Outline of case
On 25 June 2019, the Data Protection Authority received a complaint from the lawyer of Húsasmiðjan ehf., Smári Hilmarsson, Attorney at Law. The presentation included, on the one hand, the announcement of Húsasmiðjan ehf. that the company had used the fingerprint scanners when logging in and out of employees in the company's payroll system, and on the other hand it was requested that the Data Protection Authority give its opinion on whether the use of the fingerprint scanners in question complied with Act no. 90/2018 on personal protection and processing of personal information. With a presentation by Húsasmiðjan ehf. was accompanied by an announcement to the company's employees about the above together with the agent's information about the system.

In an announcement to the employees of Húsasmiðjan ehf. states, among other things, that the purpose of setting up the fingerprint scanner is to check in and check out employees in and out of work, which should better ensure the interests of employees. It is not specified what those interests are. The announcement also states that when an individual's fingerprint is scanned, the number sequence in the timepiece will be created and stored and linked to other information of the employee. The fingerprint image is not stored and the image cannot be retrieved from the sequence of numbers stored in the system. The number sequence therefore works in a similar way to the employee's ID number, except that it is nowhere personally identifiable except when the system identifies the employee's identity. It is also stated that the number sequence is only stored in the clocks and cannot be connected to other clocks.

In a letter from Agent Suprema Inc. about the system, dated July 8, 2009, states, among other things, that the fingerprint scanner takes a picture of a user's fingerprint (raw image) and transforms it into comparative information (number sequence or template; "template") and does not store the fingerprint image (raw life) in the system. When storing the template (sequence of numbers), encryption methods (256bit AES) are used, which make it very difficult to obtain information to reverse the process. It is impossible to recreate the original fingerprint image (raw life identifier) ​​to identify an individual with the help of a fingerprint specialist. It also states that the company offers another option for those who are concerned about privacy. The option calls an agent template-on-card, thus avoiding maintaining a database of personal or bioidentical information. This is a template, ie. fingerprint counters, placed on a card carried by an employee and used for identification. It is not stated in the statement of Húsasmiðjan ehf. that the aforementioned option is available to its employees.

The Data Protection Authority contacted Húsasmiðjan's lawyer by telephone on 9 June 2020 in order to obtain information on whether and when the fingerprint scanner had been used by the company. The reply was sent by e-mail on 10 cm, confirming that the fingerprint scanner had been taken into use on 19 June 2019.


II.
Assumptions and conclusion

1.
Scope - responsible party
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679 (hereinafter the Regulation), cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is automatic in part or in full and the processing by other methods than automatic of personal data that are or are to become part of a file.

Personal information includes information about a person who is personally identifiable or personally identifiable, and an individual is considered personally identifiable if it is possible to identify him or her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. 2. tölul. Article 3 of the Act and point 1. Article 4 of the Regulation.

Processing refers to an operation or series of operations where personal information is processed, whether the processing is automatic or not, cf. Number 4 Article 3 of the Act and point 2. Article 4 of the Regulation.

This case concerns the processing of biometric information, ie. fingerprint information, in order to uniquely identify an individual. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the scope of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. According to point 6. Article 3 of the Act refers to an individual, legal entity, government authority or other party that decides alone or in collaboration with other purposes and methods of processing personal information, cf. 7. tölul. Article 4 of the Regulation. As such, Húsasmiðjan ehf. be responsible for the processing in question.

According to para. Article 39 Act no. 90/2018, the Data Protection Authority may deal with individual cases and take a decision on its own initiative or according to the complaint of a person who believes that personal information has not been processed in accordance with this Act and rules set in accordance with it or individual instructions. The report of Húsasmiðjan ehf. received the Data Protection Authority as a notification, but with reference to the substance of the case and instructions, this is a binding decision of the Data Protection Authority.

2.
Legality of processing
All processing of personal data must be subject to one of the authorization provisions of Article 9. Act no. 90/2018. According to point 1. Article 9 of the Act, personal data may be processed if the data subject has given his or her consent for the processing of personal data for the benefit of one or more specific purposes. It is also permitted according to point 2. Article 9 of the Act to process personal data, the processing is necessary to fulfill a contract to which the data subject is a party or the processing is necessary due to legitimate interests that the guarantor or third party may pursue unless the interests or fundamental rights and freedoms of the data subject that require protection of personal data prevail, cf. 6. tölul. same articles.

In addition, the processing of sensitive personal data must comply with one of the additional conditions of the first paragraph. Article 11 Act no. 90/2018. According to point 1. Paragraph 1 of the article that the processing of sensitive personal data is permitted if the data subject has given his or her unequivocal consent to the processing for the benefit of one or more specific purposes. Furthermore, according to Art. 2. tölul. the same articles to deal with sensitive personal data if the processing is necessary for the responsible party or the data subject to be able to meet its obligations and exercise certain rights under labor law and legislation on social security and social protection and carried out on the basis of laws that provide for relevant and specific measures to protect the fundamental rights and interests of the data subject.

In addition to the authorization according to the above, the processing of personal information must satisfy all the basic requirements of the first paragraph. Article 8 Act no. 90/2018, Coll. Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal information shall be processed in a lawful, fair and transparent manner towards the data subject (point 1); that they shall be obtained for clearly defined, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2); and that they shall be sufficient, appropriate and not in excess of what is necessary for the purpose of the processing (point 3). These rules apply to the processing of any kind of personal information, but should be interpreted in the light of the nature of the information in question at any given time, such as whether it is considered sensitive.

According to a statement from Húsasmiðjan ehf. is using fingerprint scanners to work with fingerprint information, in order to uniquely identify individuals. According to the agent's information, the identification of the fingerprint scanner takes place, either when using a template or a template on a map, on the basis of information about fingerprints, ie. biometric information, which is considered sensitive personal information, cf. point e of point 3. Article 3 Act no. 90/2018.

In the first paragraph. Article 11 Act no. 90/2018 and the first paragraph. Article 9 of the Regulation prohibits the processing of personal data concerning, inter alia, biometric data in order to identify a person in a unique manner, unless one of the conditions of Art. 9 is met. of the Act and furthermore any exemption provision 1.-11. tölul. Paragraph 1 Article 11 of the Act according to further instructions in Article 9. of the Regulation.

To assess whether there is an authorization under Act no. 90/2018, it is necessary to first look at the provisions of Article 11. of the Act, but if there is no authority there, there is no need to look further at Art. the same law or the principles of the law. The points that are most relevant in the case in question are points 1 and 2. Paragraph 1 Article 11 of the Act.

In point 1. Article 11 of the Act states, as stated above, that the processing of sensitive personal data is permitted if the data subject has given his or her unequivocal consent to the processing for the benefit of one or more specific purposes. Such consent must be an unforced, specific, informed and unequivocal declaration of intent by the data subject regarding the processing of personal information about him, cf. 8. tölul. Article 3 Act no. 90/2018. It is also stated in the comments with the bill that became Act no. 90/2018 that when obtaining consent, when assessing whether consent is given voluntarily, the utmost consideration shall be given to whether it is a condition for the implementation of an agreement that consent is given for the processing of personal data that is not necessary for the agreement.

In practice, consent has generally been required to be free and unenforceable. The preamble to Regulation (EU) 2016/679 explicitly states that consent should not be considered to have been given voluntarily and voluntarily if the data subject has not had a real or free choice or has not been able to refuse or withdraw consent without being damage (item 42 of the foreword). It also states that in order to ensure that consent is given voluntarily and voluntarily, it should not be considered a sufficient authorization in cases where there is a clear difference of position between the data subject and the responsible party (item 43 of the foreword), which is often the case in an employment relationship.

The Data Protection Authority believes that the employment relationship between employees and employers must be taken into account, the differences that that relationship entails and that confirmation of when employees come to work can be considered related to employees' duties. It is not mentioned in Húsasmiðjan ehf.'S presentation that employees have any other options for methods of logging in to the workplace that do not require the use of their biometrics. It is therefore unclear what the consequences will be for an employee if he refuses to provide the biometric information processed in the login system. In view of all this, the Data Protection Authority does not consider it possible to claim that in the circumstances above consent can be considered granted. "Of their own free will", as stated above, it will not be seen that it is optional for the employee to accept the conditions in question. It is therefore not possible in the case in question to base the processing of personal data on the use of fingerprint scanners based on fingerprint information, ie. biometric information, by consent.

It is then examined whether the processing of sensitive personal information can, as is the case here, take place on the basis of point 2. Paragraph 1 Article 11 Act no. 90/2018. It states that sensitive personal information may be processed if the processing is necessary for the responsible party or the data subject to be able to meet its obligations and exercise certain rights in accordance with labor legislation and legislation on social security and social protection.

As stated above, the purpose of Húsasmiðjan ehf. using the fingerprint scanner logging in and out of employees in the company's payroll system. As stated above, the basic requirement in point 2 is made. Paragraph 1 Article 11 of the Act that processing is necessary for the responsible party to be able to meet its obligations, cf. also the proportionality requirement of point 3. Paragraph 1 Article 8 of the Act. When assessing the need to use sensitive personal information, such as biometrics, to maintain working time records, the available resources should be considered and achieve the same goal with less intrusion on employees' privacy. It can be assumed that operators are offered numerous resources for logging in and out of employees in a payroll system that is not based on biometrics or other sensitive personal information. Examples include time clocks, employee cards, access tags and access codes. Furthermore, the above-mentioned remedies can be mixed with a so-called random inspection or inspection body at the entrance to the workplace. It is the opinion of the Data Protection Authority that the processing of sensitive personal information is not necessary to achieve the goal of Húsasmiðjan ehf., I.e. to monitor the work contribution of its employees and that this can be achieved through other and less severe measures that do not require systematic processing of employees' biometric information.

The Data Protection Authority emphasizes that the use of biometric information to identify a person in a unique way is generally subject to very strict restrictions. It is particularly relevant where other less severe measures are not sufficient and could be relevant when the processing is intended for access control of certain areas in the workplace due to special safety considerations such as food handling or hazardous substances.

It will not be seen that other authorizations on the basis of para. Article 11 Act no. 90/2018 but earlier articles may apply here. According to all of the above, it must be considered that Húsasmiðjan ehf. is not permitted according to Act no. 90/2018 to work with the biometrics of their employees in the fingerprint scanners for their registration and check-out in the company's salary system. For that reason alone, the Data Protection Authority does not consider it necessary to discuss whether such processing complies with the general rules of Article 9. or the principles of the first paragraph. Article 8 Act no. 90/2018.

In Article 42 Act no. 90/2018, Coll. also the second paragraph. Article 58 of the Regulation deals with the instructions of the Data Protection Authority on corrective measures. In point 6. Article 42 of the Act states that the Data Protection Authority may prescribe remedial measures, including restricting or prohibiting processing temporarily or permanently, cf. paragraph 2 (f) Article 58 of the Regulation.

With reference to the above, it is proposed that Húsasmiðjan ehf. to stop the use of the fingerprint scanner and delete the biometric information of employees. Húsasmiðjan ehf. send the Data Protection Authority confirmation that the agency's instructions have been complied with before 10 September next.

This case has been delayed due to work by the Data Protection Authority.


On the decision word
The processing of Húsasmiðjan ehf. on biometric information based on information about employees' fingerprints for logging in and out of the company's payroll system is not in accordance with Act no. 90/2018 on personal protection and processing of personal information.

It is proposed that Húsasmiðjan ehf. to stop the use of the fingerprint scanner and delete the biometric information of employees.

Húsasmiðjan ehf. send the Data Protection Authority confirmation that the agency's instructions have been complied with before 10 September next.

In Privacy, August 27, 2020

Björg Thorarensen
chairman


Ólafur Garðarsson Björn Geirsson


Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson