Rb. Amsterdam - 7728204 CV VERZ 19-9686
|Court:||Rb. Amsterdam (Netherlands)|
|Relevant Law:||Article 9(2) GDPR; Article 29 of the Dutch GDPR Implementation Act (“UAVG”)|
|Decided:||12. 8. 2019|
|Published:||15. 8. 2019|
|Parties:||Manfield Schoenen B.V.|
|National Case Number:||7728204 CV VERZ 19-9686|
|European Case Law Identifier:||ECLI:NL:RBAMS:2019:6005|
|Original Source:||de Rechtspraak (in NL)|
The Amsterdam Court of First Instance decided that the shoe store Manfield cannot compel an employee to use a fingerprint-based authorization system for the cash register.
Manfield introduced an obligatory employee fingerprint scanner on cash registers in its stores. One of the employees objected to the use of this technology based on Article 9 GDPR and Article 29 of the Dutch GDPR Implementation Act (“UAVG”). The store employee did not agree that the processing of the fingerprint was necessary for authentication and security purposes.
The parties asked the Court to clarify whether the use of a fingerprint scanner in this case violated the right to privacy of the store sales assistant.
The judge found that a fingerprint did indeed constitute personal data (the same authorisation system was also used for time registration purposes, which means there was a clear link between the fingerprint and a person) and that Manfield was not allowed to process fingerprints to enhance its security and fraud prevention measures. It also found that Article 29 of the Dutch GDPR Implementation Act was not applicable in this case because Manfield could not demonstrate the necessity and proportionality of this processing.
The additional exemption for authentication and security purposes in the Dutch GDPR Implementation Act was introduced because the local legislator recognised the difficulties of obtaining consent in an employment context. For this exemption to apply, certain conditions need to be met, such as:
• The processing of biometrics must be necessary to comply with strict building or equipment access rules (for example, at a nuclear plant);
• The processing of biometrics must be proportionate.
Explanatory Memorandum (Lower House of Parliament, 2017-2018, 34851 no. 3, bottom of p. 108)
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.
DECISION
1. As stated and not (sufficiently) refuted, the following is fixed.
1.1. [applicant 2] is or has been employed as a sales representative at the Manfield branch office in [place].
1.2. Manfield has recently, after a test phase, implemented a fingerprint scanning authorisation system for its cash register system in all its branches. In this authorisation system, an employee has to identify himself and log on to the cash register system by placing his finger on a scanner surface of a device, which then reads the fingerprint, converts it into a code, compares this code with an already known code in the cash register system and - if the code is the same - provides access to the cash register system. By using the fingerprint scanning authorisation system, Manfield employees can only gain access to the cash register system if they scan their fingerprint. Without this access it is not possible for the workers to carry out their checkout work.
1.3. The fingerprint scanning authorisation has been introduced to replace an authorisation system in which Manfield employees are required to enter a personal numerical code in order to access the cash register system. The fingerprint scanning authorisation systems have been installed in the branches of Manfield under the supervision of an expert. The expert explained the operation of the system to the employees and the reason why this system was installed.
1.4. [applicant 2], unlike the other employees of Manfield, has opposed the use of her fingerprint for the fingerprint scanning system. It claims that this method of authorisation infringes its privacy rights because it involves biometric personal data and Article 9(1) of the General Data Protection Regulation (GDPR) prohibits in principle the processing of special personal data, including biometric data.
The exception of Article 29 of the GDPR Implementation Act (UAVG), namely that the collection of biometric data may be necessary for authentication or security purposes, does not apply here.
Request
2. The parties request the Subdistrict Court to rule on whether the use of a finger scanning authorisation system as implemented by Manfield constitutes an unlawful invasion of [applicant 2]'s privacy.
Position of Manfield
3. According to Manfield, there is a need to use a fingerprint scanning system. This necessity consists first and foremost of securing sensitive information, which can be accessed via its cash register system. The cash register system not only provides access to (sensitive) financial information, but also to personal data of Manfield employees. At the same time, the personal details of customers are transparent. In view of Article 24 of the GDPR, Manfield, as controller, is obliged to take appropriate technical and organisational measures. Now that technology is not at a standstill, there is also an obligation for Manfield to constantly renew its security technology. The previous system, where a code had to be entered, can no longer be considered as an appropriate measure to protect a cash register/computer system connected to the Internet and located in a publicly accessible place (i.e. in a Manfield branch). This poses a double danger; a third party can remotely access the employee's personal code via the Internet, for example by means of a so-called "key-logging program". In addition, a third party who is present in the branch will see the entered code if it is entered by the employee.
4. Manfield also has a business interest in implementing the system. Manfield has recently been confronted with a number of cases of fraud involving employees. These fraud cases occurred at several locations of Manfield, and its affiliated companies. It is therefore a serious, organisation-wide problem.
In these fraud cases, employees unlawfully withdrew cash from the till by means of fictitious return bookings. In investigating these cases, Manfield found out that it was customary among some employees to log in using the login code of another employee, whether or not with the approval of the other employee, so the theft of the cash couldn't be traced back to them. As a result, not only has Manfield itself been harmed in its interests (after all, it has had to incur a lot of costs in detecting the fraud and the persons responsible), but also the workers concerned who have provided their login code to their colleagues, whether or not unconsciously, have been confronted with, as it turned out, false accusations. This situation is prevented by introducing a personal, inalienable authorisation method organisation-wide.
5. Manfield has considered another method of authorisation that is less invasive of its employees' privacy, such as logging in using a physical pass. Although this method limits the risk of unauthorised remote access, it does maintain the risk of unauthorised access at the store location itself and of (unsolicited) lending of the pass by colleagues.
6. In Manfield's view, the need to introduce a system of finger-scan authorization by its employees proved satisfactory. It cannot achieve the same level of protection of its interests, the interests of its employees and the interests of its customers in any other, less intrusive, way. Manfield adds that the use of fingerprint scanning authorisation has become more and more common over the years to secure data. For example, the current generation of smartphones almost always has the ability to use a finger scan to gain access to the device's functions.
Using the finger scan is part of today's streetscape and has long since been used in practice on its own for the protection of objects with a high security risk, such as a nuclear power plant, the example mentioned in the Explanatory Memorandum to article 29 UAVG.
Position [applicant 2]
7. [applicant 2] takes the view that a fingerprint scanning system constitutes an unjustified invasion of its privacy. Moreover, [applicant 2] contends that there has been no communication whatsoever with her and/or other employees about the introduction, so that at some point she has been presented with a fait accompli. In her opinion, Article 9 GDPR prohibits the processing of biometric data with a view to the unique identification of a person. An exception to the processing prohibition is only possible if the processing is necessary for authentication or security purposes or for reasons of substantial public interest.
8. According to [applicant 2], fingerprint data can certainly be considered as biometric data, referring to Article 4 GDPR. The processing of such data is in principle excluded. Only in case of a possible need would Manfield be entitled to process these biometric data of its employees. According to [applicant 2], there is no such need.
9. [applicant 2] refers to the Explanatory Memorandum to article 29 UAVG. This states, in short, that in the case of identification with biometric data, it should always be considered whether this is necessary for authentication or security purposes and whether the processing of biometric data is proportionate. In this case, according to [applicant 2], this means in concrete terms an assessment of whether the purpose, in this case access control, cannot be achieved in any other way than by using (part of) the fingerprints of employees. According to [applicant 2], this necessity does not exist, since there are plenty of ways that are less intrusive for the privacy of employees.
Think of the use of an access pass, employee card or (numerical) codes, whether or not in combination with each other, so that if necessary a double guarantee is built in (e.g. a necessary combination of access pass/employee card and numerical code), so that unauthorized access is certainly not to be feared. In her opinion, it is clear that other systems can also be devised than with just a pass or code, which - in contrast to finger scanning authorisation - do not infringe the privacy of employees. In any case, there is no evidence whatsoever that Manfield has been properly informed and has researched sound alternatives.
10. According to [applicant 2], the fingerprint scanning system does not work optimally either. It has emerged that there were several colleagues who logged on and another one who did not. got to see your name. According to [applicant 2], one thus cannot speak of a watertight system.
11. In addition, according to the opinion of [applicant 2], in the case of a shoe shop such as the one operated by Manfield, there is clearly no question of a situation requiring very far-reaching strict security, as is the case, for example, in the case of a nuclear power station, according to the Explanatory Memorandum. Privacy-sensitive information is involved only to a certain extent, since only customer and employee data is involved, which is the case for every retailer. In its opinion, Manfield is not an exceptional case where such a measure would be necessary. Possible specific incidents do not make this any different. Now that Manfield can achieve its intended purpose in another way, there is no necessity and Manfield's interest does not outweigh that of its employees, so that this processing is not only unnecessary but also disproportionate. Therefore, this measure is not authorised.
12.
For the purposes of the possible assessment of (dis)proportionality, [applicant 2] points out, for the sake of completeness, that there is no provision whatsoever for any other form of security in the branch of Manfield in which it operates. There is no camera security, there are no alarm gates at the entrance (the only alarms that are present are on some bags) and there are no lockers for the staff present. In that light, the need for the use of a finger scan as security device is all the more incomprehensible.
13. The fact that the use of fingerprint scanning authorization has become more and more common in recent years is not an argument for [applicant 2] that justifies this infringement, since it is not affected. Even if it would become more socially accepted that individuals facilitate the release of their biometric data and the use of fingerprint scanning would become more part of the streetscape, not only does [applicant 2] consider this to be a very bad trend, but moreover, it indicates this rather as a lack of ignorance and naivety than to a sign of (conscious) acceptance. Furthermore, [applicant 2] also points out that in the context of the employer-employee relationship, it is important that there is no voluntariness, as is the case with the use of smartphones, for example. Intended users of smartphones voluntarily choose to be authorised in this way, but this is not the case in a work situation such as that of [applicant 2]. Moreover, in all cases there is an alternative option not to use a finger scan, namely by using a (pin) code.
14. [applicant 2] points out that the Explanatory Memorandum to Section 29 UAVG (Parliamentary Papers II 2017/2018, 34 851, no. 3), published in December 2017 and therefore less than one and a half years old, raises high thresholds with regard to any permissible exceptions. [applicant 2] fails to see why that very reserved line should be abandoned.
In addition, she refers to the recent response to Parliamentary questions to the State Secretary for Social Affairs and Employment of 29 March 2018 (Parliamentary Papers II 2017/2018, no. 1618). Here, the State Secretary explicitly reiterated the principle that the collection of fingerprints is prohibited, unless an exception can be invoked, after which she emphasized the need to have an alternative for the fingerprint at hand. [Applicant 2] considers the measures taken by Manfield to be manifestly contrary to the intention of the legislator and sees these measures as an erosion of the GDPR's unequivocally negatively formulated principle.
15. In conclusion, [applicant 2] points out that any security measures do not justify the use of biometric data. Indeed, before the assessment of the appropriateness of any security devices (Article 32 of the GDPR requires appropriate security measures to be taken in each case), it is after all first necessary to assess and weigh up whether processing the data is allowed at all. The fact that the data may then be adequately secured is irrelevant to the assessment of whether the data processing concerned is permissible in itself. Moreover, [applicant 2] may also fail to verify whether and to what extent adequate safety measures have actually been taken that would sufficiently safeguard its privacy, if the fingerprint scanning system were judged legally valid.
16. At the hearing, Manfield added, upon request, that the fingerprint scanning system is also used for time registration of the employee concerned and that, in this sense, a direct link can be established between the fingerprint issued.
Assessment
17. The Subdistrict Court held that European regulations in the field of privacy and the resulting regulations at the national level constitute the framework within which the present case must be assessed.
As cited by the parties, the GDPR, which came into effect on 25 May 2016, plays an important role in this respect. After an implementation period of two years, companies such as Manfield, among others, will be required to apply the GDPR rules to the processing and protection of personal data with effect from 25 May 2018. Now that the provisions of the GDPR have been incorporated into a Regulation, they have direct effect. Nevertheless, in the Netherlands, data is (in addition) implemented through the UAVG in accordance with the provisions of the GDPR.
18. The first question is whether a finger scan/fingerprint is personal data within the meaning of the GDPR. The Subdistrict Court answered this question in the affirmative. Biometric data can be regarded as information relating to a natural person, since they are data which, by their nature, provide information about a particular person. By means of biometric data such as a fingerprint, the person is identifiable and can be distinguished from another person. Article 4 of the GDPR also confirms this in so many words in the definition provisions.
19. The general principle is that, in deviation from the situation at the time of Directive 95/46/EC where biometric data were not considered as special personal data, the processing of biometric data is prohibited. This general principle is laid down in Article 9(1) of the GDPR. In particular, it is prohibited to process biometric data for the unique identification of a person. Article 9(2) of the GDPR contains a number of exceptions, including the situation where the data subject does not consent to the processing in question.
20.
Furthermore, Article 9(2) GDPR provides that an exception may also be provided for the purpose of carrying out obligations and exercising specific rights of the controller or the data subject in the areas of labour law and social security and protection law, to the extent permitted by Union law or Member State law or by collective agreements based on Member State law providing adequate safeguards for the fundamental rights and interests of the data subject.
21. Article 29 of the UAVG gives substance to the scope left by Article 9(2) of the GDPR, as mentioned above, for introducing an exception to the prohibition to process biometric data for the unique identification of a person. This prohibition does not apply if the processing is necessary for authentication or security purposes. The Explanatory Memorandum (Lower House of Parliament, 2017-2018, 34851 no. 3, p. 108 at the bottom) demonstrates the insight that in an employee-employer relationship it will not soon be possible to speak of consent that has been given entirely freely. This is why the aforementioned exception is made possible, even if the consent in question has not been obtained. However, according to the explanatory memorandum, a number of preconditions do apply, which were also the subject of debate at the hearing in the present case:
- it should be considered whether identification with biometric data is necessary for authentication or security purposes, giving the example of access which should be (very) limited for persons authorised to do so, for example at a nuclear power plant.
- the processing should be proportionate, giving the example of access to a garage of a repair company. In that case, the need for security will not be such that employees will all have access with biometrics. On the other hand, however, the example of the security of information systems which themselves contain a lot of personal data and where unauthorised access, including by employees, has to be avoided is mentioned.
22. The interim conclusion is therefore that the main rule is that the processing of biometric data, subject to consent, is prohibited, unless the exception of Section 29 UAVG is complied with.
23. Insofar as Manfield has argued that in the present case there is no processing of data at all, since these data are not kept or processed, this defence is rejected. It emerged at the hearing that the authorisation system is also used for time registration purposes. This means that a link is made in the system between carrying out the finger scan and the person concerned. In the opinion of the Subdistrict Court, this already constitutes processing of personal data within the meaning of the GDPR.
24. Manfield's reliance on the company interest is rejected. Manfield referred in this respect to a number of recent cases of fraud by its own staff. With the previously used system of login codes it would be easy to log in under a different name and possible theft cannot be traced back to the actual perpetrator. A system of fingerprint scanning authorisation introduces a personal, inalienable, authorisation method, which makes it possible to prevent the practice referred to above. Naturally, Manfield is free to take action against such forms of loss of turnover, but its actions must be in accordance with the GDPR. In the opinion of the Subdistrict Court, this is not the case now that this type of business interest cannot be regarded as 'necessary for authentication or security purposes' within the meaning of Section 9(2) of the GDPR. The Subdistrict Court also had doubts about proportionality. [applicant 2] unquestionably argued that there is no provision whatsoever for security in the Manfield branch in which it operates. There is no camera security, there are no alarm gates at the entrance and there are no safety deposit boxes for the staff present.
25.
Manfield has further argued that the need for the use of a fingerprint scanning authorisation system is to secure sensitive information accessible through its cash register system; information that relates to both finance, customer and employee personal data. Manfield further points out that it also has an interest in the implementation of the fingerprint scanning authorisation system on the basis of its obligation to process the aforementioned data as securely as possible. This will prevent unauthorised logging in by third parties from outside and/or the unauthorised 'cheating off' of a login code.
26. [applicant 2] challenged the need to introduce a fingerprint scanning system in this respect. Alternatives such as access passes, employee cards and/or numerical codes, whether or not in combination with each other, were, in its view, insufficiently investigated. If necessary, such a system could be used to provide a 'double' guarantee which, in its view, does not infringe privacy. In the opinion of the Subdistrict Court, Manfield did not, or insufficiently, challenge this argument of [applicant 2], nor did it substantiate, for example on the basis of documents, why, weighing the pros and cons of different systems, it opted for the fingerprint scanning authorisation system. In order to be able to assess the conditions of necessity and proportionality which Article 29 UAVG imposes on the granting of an exception to the main rule of the prohibition of processing biometric data, this would have been incumbent on it.
27. The foregoing leads to the conclusion that, in the circumstances referred to above, [applicant 2] is in the right. It is therefore decided as stated below.
28. According to the application, the parties have agreed that, irrespective of the outcome of these proceedings, each party will bear its own costs, but that Manfield will bear the Registry's costs.
29.
The parties have no interest in a possible declaration of provisional enforceability now that they have agreed to waive any appeal against this decision.