The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently imposed a €750,000 fine on a company for unlawful processing of employees’ fingerprints for attendance taking and time registration purposes.
Biometric data, such as fingerprints, qualify as sensitive personal data under the EU General Data Protection Regulation (the “GDPR”) and their processing is subject to more stringent requirements. In this case, the Dutch DPA found that the company should not have processed employees’ fingerprints, as it did not have valid legal grounds to do so. In principle, the processing of sensitive personal data is prohibited, unless one of the derogations provided for under Article 9 of the GDPR or the Member State’s law implementing the GDPR applies. There are two derogations that would have been available to the company to legitimize the processing of biometric data in this case: (1) explicit consent (Article 9(2)(a) of the GDPR) and (2) the necessity of the processing for authentication or security purposes (a derogation introduced by the Dutch law implementing the GDPR, the Uitvoeringswet Algemene Verordening Gegevensbescherming).
According to the Dutch DPA, the company could not rely on either of these two exceptions as:
- Employees’ consent is generally not considered valid, given the relationship of subordination between employer and employee (i.e., consent would not be freely given). Following its investigation, the Dutch DPA found that many employees had felt obliged to agree to the use of their fingerprints; and
- The necessity of the processing for authentication or security purposes can only be relied on when buildings and information systems must be secured in such a way that this cannot be done without the use of biometric data (i.e., biometrics can only be used if there are no less invasive measures available). In this case, the Dutch DPA considered that, even though the activities of the company must remain confidential, the use of biometrics for security purposes was not justified.
Accordingly, the Dutch DPA concluded that the company’s processing of fingerprints was unnecessary and disproportionate. The defendant announced it will appeal the Dutch DPA’s decision.