The inspection authority of the Office for Personal Data Protection carried out an inspection investigating processing of personal data related to the use of facial recognition technology (FaceID) for identifying workers present on construction site (the inspection was carried out at a construction company). FaceID is a timesheet system that allows the user to record the time of arrival and departure of individuals entering and leaving a site (in this case a construction site) based on facial recognition. Using this technology means that a special category of data, that is, biometric data, is processed.
The Office found the use of FaceID was well-founded in this case: the legal ground for processing was compliance with a legal obligation (in particular an employment law obligation). The Office also said that this was a specific case where the inspected entity was able to prove that the processing of biometric data was necessary to ensure protection on a large construction site. The inspected entity was not able to reach this goal by other, less invasive means at the same time, or, more precisely, less invasive means used previously had proved to be ineffective. However, the Office also pointed out that in normal circumstances, employers cannot rely on such a legal ground when processing biometric data.
Taking the above into consideration, we are of the opinion that this is an extraordinary and specific case. The technology in question, in line with the previous opinions of Working Party 29, constitutes an invasive interference with the privacy of monitored subjects. Therefore, no rule that FaceID technology (or other similar technology) may be used on the basis of the fulfillment of a legal obligation as a legal ground for the processing of personal data can be inferred. The reason is that in general, there are other and less intrusive ways (e.g. running a reception, gatehouse, or turnstiles) to ensure workplace safety.