The employee in this case was first employed as a temporary worker and then as an employee of the employer. The employer used a time recording system based on fingerprints. The provider of the system was a subsidiary of a group headquartered in Japan. The employee feared a violation of the GDPR, in particular because of the risk of data being transferred to a non-EU country where data protection rules are less stringent.
Biometric data are personal data resulting from specific technical processing of a person’s physical, physiological or behavioural characteristics, on the basis of which that person can be identified, such as facial images or fingerprint data. This is a special category of personal data within the meaning of the GDPR, which benefits from enhanced protection.
The Litigation Chamber confirmed in its decision that when processing special categories of personal data, the controller must have both a legal basis and a ground for exception.
The employer invoked several legal bases during the proceedings, but ultimately argued that the processing was allowed based on the workers’ consent. The Litigation Chamber examined whether this consent had been validly obtained and found that this was not the case, in particular for the following reasons:
The employer argued that no objection had been raised by other workers and that this non-opposition demonstrated that consent had been freely given. However, the Litigation Chamber rejected this argument. It held, in line with the European Data Protection Board guidelines on consent, that the imbalance of power between the employer and the worker makes free consent very difficult in a work context. Employees, due to their dependent position, are less likely to object to an obligation imposed by their employer. It can be inferred that the Litigation Chamber does not de facto exclude consent as a legal basis in an employment relationship, but that it interprets the notion of consent quite strictly in this context.
The Litigation Chamber also noted that the purposes of the working time recording system were not always indicated in the available documentation. The purposes should be determined and disclosed before collecting the data. The other purposes invoked by the employer before the Litigation Chamber were only added later.
In its defence, the employer invoked the high security requirements of its customers. In order to obtain certain certifications, it would have to meet very restrictive conditions, which led it to use the system of recording working time by means of fingerprints. However, this did not convince the Litigation Chamber.
The Litigation Chamber stated that there were many alternatives to biometric recording of working time which could achieve the desired purposes with less interference with workers’ privacy, such as time clocks, dedicated staff cards or access codes. It therefore held that the processing of fingerprints was not necessary to achieve the desired purposes. It stressed, however, that the use of biometric data could be permitted when less stringent measures are not sufficient, for example in areas where security is particularly important (e.g. the handling of foodstuffs or dangerous substances), but noted that this was not the case here.
The Litigation Chamber held that the use of biometric data for the recording of workers’ working time was likely to give rise to a significant risk to the rights and freedoms of the data subjects, and that a Data Protection Impact Assessment was therefore mandatory. The employer should have carried out this analysis before starting the processing of biometric data. By failing to do so, the employer violated the GDPR.
The employer was fined EUR 45,000 for the above-mentioned offences, as well as for other offences.
Employers should exercise caution when processing employees’ biometric data (such as fingerprints). Only in exceptional cases will the consent given by an employee be accepted as a legal basis for processing such data. In addition, the principles of purpose limitation and data minimisation must be respected, and a data protection impact assessment will be necessary.